Sometimes the fix is right there in the documentation itself: https://docs.splunk.com/Documentation/AddOns/released/AWS/Troubleshooting I fixed the issue by updating the splunk-launch.conf file and adding the custom port for management. The latest version of the AWS add-on doesn't work with a custom management port. It only works on 8089.
We faced a similar issue while upgrading to 6.0.2. It turned out it was not because of FIPS, but because the SSL cert had expired by the time of the upgrade. The logs below are from mongod.log, not splunkd.log:

<TIMESTAMP> I CONTROL [signalProcessingThread] shutting down with code:0
<TIMESTAMP> W CONTROL [main] net.ssl.sslCipherConfig is deprecated. It will be removed in a future release.
<TIMESTAMP> F NETWORK [main] The provided SSL certificate is expired or not yet valid.
<TIMESTAMP> F - [main] Fatal Assertion 28652 at src/mongo/util/net/ssl_manager.cpp 1157

The fix for the above is to rename server.pem to server.pem.old, restart Splunk and rerun the installation. We got to mongod.log because of the KV Store error messages coming up on the SH. Hope this helps someone spending 3-4 hours fixing such a trivial upgrade issue.
Hey eliasit, can you suggest some inputs for integrating splunk_app_stream to get the DNS logs? It seems it is not fetching the data from the DNS servers when I tried installing Splunk forwarders on the DNS server via the deployment server.
Have you checked the ownership of the directories under $SPLUNK_HOME/var/run/dispatch? It might be the case that the owner is root while you are running Splunk as the splunk user. This can happen when a user runs Splunk as root by mistake and later runs it as splunk. This is what happened in our case.
Apparently I ran into this issue specifically because my Prod Splunk infra is running on 6.4.0 and the lower environment on 6.5.
6.5 needed only this much, and it worked perfectly:
[mySourcetype]
INDEXED_EXTRACTIONS = json
KV_MODE = none
For 6.4 I had to follow what Gary recommended. Many thanks to him for sharing his experience.
Here is my props.conf. Mind you, if you are a beginner, you would love to know that the indexer is where you want to update this props.conf, as event breaking is a parsing step.
[mySourcetype]
INDEXED_EXTRACTIONS = json
KV_MODE = none
LINE_BREAKER = (){\"searchString
SHOULD_LINEMERGE = false
NO_BINARY_CHECK = true
After trying everything with reschedule I had to let go of it and, as suggested by you Kamal_jagga, I used what you had written as the final solution: use cron_schedule instead of reschedule.
It would be wise to add
index="_internal"
Also, this search returns both GET and POST events for all dashboards. In my opinion you should only count POST events for dashboards.
Thank you @dominiquevocat. This fixed my problem; I never realized the preview in the header. My code now has this (in case it helps anyone else) to prevent the script running twice:

import sys
import csv

# Reader and read_input are the script's own helpers (not shown here);
# read_input returns the CSV body plus the key/value header as a dict.
stdin_wrapper = Reader(sys.stdin)
buf, settings = read_input(stdin_wrapper, has_header = True)
# Splunk invokes the command once for the preview and once for the final run;
# bail out on the preview invocation so the work is only done once.
if settings['preview'] == '1' or settings['preview'] == 1:
    sys.exit()
events = csv.DictReader(buf)
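As an added example (not the original poster's code, and not a Splunk library routine), here is a minimal read_input and preview check in the shape the snippet above relies on. It assumes the classic Intersplunk input layout of key:value header lines terminated by a blank line before the CSV body; the sample inputs are constructed.

```python
import csv
import io


def read_input(stream, has_header=True):
    """Parse 'key:value' header lines up to a blank line, then return (csv_text, settings).
    Assumed Intersplunk-style layout; this is not Splunk's own helper."""
    settings = {}
    if has_header:
        while True:
            line = stream.readline()
            if line == "":                 # EOF before the separator: no body at all
                break
            line = line.rstrip("\r\n")
            if line == "":                 # blank line terminates the header
                break
            key, _, value = line.partition(":")
            settings[key.strip()] = value.strip()
    return stream.read(), settings


def is_preview(settings):
    """True when the header flags this invocation as a preview run."""
    return str(settings.get("preview", "0")) == "1"


def process(stream):
    """Return the parsed events, or None when the invocation is a preview we skip."""
    buf, settings = read_input(stream, has_header=True)
    if is_preview(settings):
        return None
    return list(csv.DictReader(io.StringIO(buf)))


def process_text(text):
    """Convenience wrapper so the same logic can be run on an in-memory string."""
    return process(io.StringIO(text))


# Constructed sample inputs, not captured from a real Splunk instance.
PREVIEW_INPUT = 'sid:123\npreview:1\n\n"host","status"\n"web1","200"\n'
FINAL_INPUT = 'sid:123\npreview:0\n\n"host","status"\n"web1","200"\n"web2","500"\n'

if __name__ == "__main__":
    print(process_text(PREVIEW_INPUT))   # None: preview run skipped
    print(process_text(FINAL_INPUT))     # two event dicts
```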