Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About nbowman
nbowman
Path Finder
Member since:
02-16-2012
03-28-2024
Community Statistics
| Posts | 27 |
| Solutions | 1 |
| Karma Given | 0 |
| Karma Received | 8 |
| Member Since | 02-16-2012 |
Activity Feed
- Posted Re: Timestamp confusion in JSON data loaded via a Universal Forwarder on Getting Data In. 03-28-2024 01:04 AM
- Posted Re: When editing index names, why the VT4Splunk Config Error? on All Apps and Add-ons. 08-25-2023 01:48 PM
- Posted Re: VT4Splunk Config Error on All Apps and Add-ons. 08-24-2023 09:11 AM
- Posted When editing index names, why the VT4Splunk Config Error? on All Apps and Add-ons. 08-23-2023 02:17 PM
- Got Karma for FilesystemChangeWatcher - error getting attributes of path?. 02-22-2023 03:00 AM
- Posted Is it possible to have a standalone index on one site of a multisite cluster? on Deployment Architecture. 09-13-2022 12:18 PM
- Got Karma for Why has support been removed in 6.5.0 for universal forwarders on Windows 7, and is there a workaround?. 06-05-2020 12:48 AM
- Got Karma for FilesystemChangeWatcher - error getting attributes of path?. 06-05-2020 12:47 AM
- Got Karma for FilesystemChangeWatcher - error getting attributes of path?. 06-05-2020 12:47 AM
- Got Karma for FilesystemChangeWatcher - error getting attributes of path?. 06-05-2020 12:47 AM
- Got Karma for FilesystemChangeWatcher - error getting attributes of path?. 06-05-2020 12:47 AM
- Got Karma for FilesystemChangeWatcher - error getting attributes of path?. 06-05-2020 12:47 AM
- Posted Re: Cisco eStreamer for Splunk: Why does Splunk keep reindexing monitored SourceFire eStreamer logs? on All Apps and Add-ons. 12-20-2016 07:15 AM
- Posted Re: Cisco eStreamer for Splunk: Why does Splunk keep reindexing monitored SourceFire eStreamer logs? on All Apps and Add-ons. 12-19-2016 09:15 PM
- Posted Re: Cisco eStreamer for Splunk: Why does Splunk keep reindexing monitored SourceFire eStreamer logs? on All Apps and Add-ons. 12-19-2016 09:12 PM
- Posted Re: Cisco eStreamer for Splunk: Why does Splunk keep reindexing monitored SourceFire eStreamer logs? on All Apps and Add-ons. 12-19-2016 05:49 PM
- Posted Re: Cisco eStreamer for Splunk: Why does Splunk keep reindexing monitored SourceFire eStreamer logs? on All Apps and Add-ons. 12-19-2016 03:50 PM
- Posted Re: Cisco eStreamer for Splunk: Why does Splunk keep reindexing monitored SourceFire eStreamer logs? on All Apps and Add-ons. 12-19-2016 03:43 PM
- Posted Cisco eStreamer for Splunk: Why does Splunk keep reindexing monitored SourceFire eStreamer logs? on All Apps and Add-ons. 12-19-2016 03:36 PM
- Tagged Cisco eStreamer for Splunk: Why does Splunk keep reindexing monitored SourceFire eStreamer logs? on All Apps and Add-ons. 12-19-2016 03:36 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 6 |
03-28-2024
01:04 AM
@bpenny did you ever figure this out? I'm running into the exact same issue. I think the problem is that we're referencing a json path. If I move the timestamp to a top level json field in the event, it picks up the timestamp just fine.
... View more
08-25-2023
01:48 PM
Weird, I disabled that tick mark and made changes to the "Index name". Then hit save. Then reenabled it. Looks...like it worked. I'll do more testing.
... View more
08-24-2023
09:11 AM
I enabled debugging in the app, but it didn't help. The error is generated by vt_validator.py in the validate function. I'm not entirely sure which line in try is throwing the exception. def validate(self, _, data):
'''Validate method to perform action.'''
try:
self.vt_env = vt_environment.VirusTotalEnv(GetSessionKey().session_key)
enabled = data.get('virustotal_saved_searches_enabled', 1)
for name in self.saved_searches_names:
saved_search = self.vt_env.service.saved_searches[name]
saved_search.update(**{'is_scheduled': enabled}).refresh()
return True
except Exception: # pylint: disable=broad-except
self.put_msg('Unexpected error when Enabling/Disabling saved searches.')
logger.error('Unexpected error when Enabling/Disabling saved searches.')
return False
... View more
08-23-2023
02:17 PM
I'm running VT4Splunk 1.6.0 https://splunkbase.splunk.com/app/6654 It's deployed via the SH Cluster Deployer.
I'm trying to edit the index names, but get a generic error: "Unexpected error when Enabling/Disabling saved searches."
Any ideas?
... View more
Labels
- Labels:
-
configuration
-
troubleshooting
09-13-2022
12:18 PM
I'm looking to setup a multisite indexer cluster. And due to GDPR, I'd like to have a non-replicated index on one of the sites. Is this possible?
... View more
Labels
- Labels:
-
indexer clustering
12-20-2016
07:15 AM
I wish I could have solved the actual issue, but in the interest of time I was forced to wipe the Splunk instance and start over again. Now things are working as expected.
... View more
12-19-2016
09:15 PM
This gives me more info that doesn't seem to be congruent with the btprobe info.
/services/splunk/bin/splunk _internal call /services/admin/inputstatus/TailingProcessor:FileStatus
<s:key name="/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482202447">
<s:dict>
<s:key name="file position">150083</s:key>
<s:key name="file size">150083</s:key>
<s:key name="parent">$SPLUNK_HOME/etc/apps/eStreamer/log</s:key>
<s:key name="percent">100.00</s:key>
<s:key name="type">open file</s:key>
</s:dict>
</s:key>
... View more
12-19-2016
09:12 PM
It's an eStreamer rotate...so I'm not entirely sure what it is doing in the background 😞
I do know that the modtime for the files aren't being updated, so I think that is why they keep getting fully reindexed:
# /services/splunk/bin/splunk cmd btprobe -d /services/splunk/var/lib/splunk/fishbucket/splunk_private_db/ --file /services/splunk/etc/apps/eStreamer/log/estreamer.log.1482202447
Using logging configuration at /services/splunk/etc/log-cmdline.cfg.
key=0x40ebb995eb99a09d scrc=0x0 sptr=0 fcrc=0x8b093ad81b0a8ee3 flen=0 mdtm=0 wrtm=1482205094
# /services/splunk/bin/splunk cmd btprobe -d /services/splunk/var/lib/splunk/fishbucket/splunk_private_db/ -k 0x40ebb995eb99a09d --validate
validation result: OK
key=0x40ebb995eb99a09d scrc=0x0 sptr=0 fcrc=0x8b093ad81b0a8ee3 flen=0 mdtm=0 wrtm=1482205094
... View more
12-19-2016
05:49 PM
I hope you're right.
New events are still being reindexed over and over...
... View more
12-19-2016
03:50 PM
Additional DEBUG:
12-19-2016 18:48:23.465 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189486'.
12-19-2016 18:48:23.465 -0500 DEBUG WatchedFile - Preserving seekptr and initcrc.
12-19-2016 18:48:23.465 -0500 DEBUG WatchedFile - seeking /services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189486 to off=10757
12-19-2016 18:48:23.465 -0500 DEBUG WatchedFile - Reached EOF: fname=/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189486 fishstate=key=0x5c24e5d7fe922fe4 sptr=10757 scrc=0x0 fnamecrc=0x3a9e53c7b25f00db modtime=1482189616
12-19-2016 18:48:23.467 -0500 DEBUG WatchedFile - Storing pending metadata for file=/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189486, sourcetype=eStreamer, charset=UTF-8
12-19-2016 18:48:23.467 -0500 DEBUG WatchedFile - setting trailing nulls to false via 'true' or 'false' from conf'
12-19-2016 18:48:23.467 -0500 DEBUG WatchedFile - Creating new pipeline input channel with channel id: 258.
12-19-2016 18:48:23.467 -0500 DEBUG WatchedFile - Attempting to load indexed extractions config from conf=source::/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189486|host::llsd-llan1|eStreamer|258 ...
12-19-2016 18:48:23.467 -0500 DEBUG WatchedFile - Loading state from fishbucket.
12-19-2016 18:48:23.467 -0500 DEBUG WatchedFile - /services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189486 requested modtime-based check.
12-19-2016 18:48:23.468 -0500 DEBUG WatchedFile - initcrc has changed to: 0x3a9e53c7b25f00db.
12-19-2016 18:48:23.468 -0500 DEBUG WatchedFile - Comparing current & stored modtime.
12-19-2016 18:48:23.468 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189486'.
12-19-2016 18:48:23.468 -0500 DEBUG WatchedFile - seeking /services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189486 to off=0
12-19-2016 18:48:23.468 -0500 DEBUG WatchedFile - Reading for plain initCrc...
12-19-2016 18:48:23.468 -0500 DEBUG WatchedFile - initcrc changed to 0x5c24e5d7fe922fe4 since file grew past initCrcLen.
12-19-2016 18:48:23.468 -0500 DEBUG WatchedFile - Applying pending meta data
12-19-2016 18:48:23.468 -0500 DEBUG WatchedFile - Clearing pending metadata
12-19-2016 18:48:23.468 -0500 DEBUG WatchedFile - Reached EOF: fname=/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189486 fishstate=key=0x5c24e5d7fe922fe4 sptr=10757 scrc=0x0 fnamecrc=0x3a9e53c7b25f00db modtime=1482189616
12-19-2016 18:48:23.468 -0500 DEBUG WatchedFile - Loading state from fishbucket.
12-19-2016 18:48:23.468 -0500 DEBUG WatchedFile - /services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189284 requested modtime-based check.
12-19-2016 18:48:23.468 -0500 DEBUG WatchedFile - initcrc has changed to: 0x22cf35f531d75c34.
12-19-2016 18:48:23.468 -0500 DEBUG WatchedFile - Comparing current & stored modtime.
12-19-2016 18:48:23.468 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189284'.
12-19-2016 18:48:23.468 -0500 DEBUG WatchedFile - Preserving seekptr and initcrc.
12-19-2016 18:48:23.468 -0500 DEBUG WatchedFile - seeking /services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189284 to off=22567
12-19-2016 18:48:23.469 -0500 DEBUG WatchedFile - Reached EOF: fname=/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189284 fishstate=key=0xa2d8a35900bb8f3f sptr=22567 scrc=0x0 fnamecrc=0x22cf35f531d75c34 modtime=1482189473
12-19-2016 18:48:23.470 -0500 DEBUG WatchedFile - Storing pending metadata for file=/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189284, sourcetype=eStreamer, charset=UTF-8
12-19-2016 18:48:23.470 -0500 DEBUG WatchedFile - setting trailing nulls to false via 'true' or 'false' from conf'
12-19-2016 18:48:23.470 -0500 DEBUG WatchedFile - Creating new pipeline input channel with channel id: 259.
12-19-2016 18:48:23.470 -0500 DEBUG WatchedFile - Attempting to load indexed extractions config from conf=source::/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189284|host::llsd-llan1|eStreamer|259 ...
12-19-2016 18:48:23.470 -0500 DEBUG WatchedFile - Loading state from fishbucket.
12-19-2016 18:48:23.470 -0500 DEBUG WatchedFile - /services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189284 requested modtime-based check.
12-19-2016 18:48:23.471 -0500 DEBUG WatchedFile - initcrc has changed to: 0x22cf35f531d75c34.
12-19-2016 18:48:23.471 -0500 DEBUG WatchedFile - Comparing current & stored modtime.
12-19-2016 18:48:23.471 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189284'.
12-19-2016 18:48:23.471 -0500 DEBUG WatchedFile - seeking /services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189284 to off=0
12-19-2016 18:48:23.471 -0500 DEBUG WatchedFile - Reading for plain initCrc...
12-19-2016 18:48:23.471 -0500 DEBUG WatchedFile - initcrc changed to 0xa2d8a35900bb8f3f since file grew past initCrcLen.
12-19-2016 18:48:23.471 -0500 DEBUG WatchedFile - Applying pending meta data
12-19-2016 18:48:23.471 -0500 DEBUG WatchedFile - Clearing pending metadata
12-19-2016 18:48:23.471 -0500 DEBUG WatchedFile - Reached EOF: fname=/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189284 fishstate=key=0xa2d8a35900bb8f3f sptr=22567 scrc=0x0 fnamecrc=0x22cf35f531d75c34 modtime=1482189473
12-19-2016 18:48:23.472 -0500 DEBUG WatchedFile - Loading state from fishbucket.
12-19-2016 18:48:23.472 -0500 DEBUG WatchedFile - /services/splunk/etc/apps/eStreamer/log/estreamer.log.1482188776 requested modtime-based check.
12-19-2016 18:48:23.472 -0500 DEBUG WatchedFile - initcrc has changed to: 0x713da102c673468a.
12-19-2016 18:48:23.472 -0500 DEBUG WatchedFile - Comparing current & stored modtime.
12-19-2016 18:48:23.472 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482188776'.
... View more
12-19-2016
03:43 PM
I've disabled that as well, since I saw the notes in inputs.conf documentation. It doesn't help. The files still get reindexed.
... View more
12-19-2016
03:36 PM
I am having an issue with Splunk reindexing eStreamer log files OVER AND OVER.
12-19-2016 18:21:36.277 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189486'.
12-19-2016 18:21:36.279 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189486'.
12-19-2016 18:21:36.280 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189284'.
12-19-2016 18:21:36.282 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189284'.
12-19-2016 18:21:36.282 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482188776'.
12-19-2016 18:21:36.284 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482188776'.
12-19-2016 18:21:36.285 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482187531'.
12-19-2016 18:21:36.287 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482187531'.
12-19-2016 18:21:37.803 -0500 INFO WatchedFile - Modtime is newer than stored, will reread file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189684'.
12-19-2016 18:21:37.803 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189684'.
12-19-2016 18:21:37.805 -0500 INFO WatchedFile - Modtime is newer than stored, will reread file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189684'.
12-19-2016 18:21:37.805 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189684'.
12-19-2016 18:21:39.281 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189486'.
12-19-2016 18:21:39.283 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189486'.
12-19-2016 18:21:39.284 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189284'.
12-19-2016 18:21:39.285 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189284'.
12-19-2016 18:21:39.286 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482188776'.
12-19-2016 18:21:39.288 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482188776'.
12-19-2016 18:21:39.288 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482187531'.
12-19-2016 18:21:39.290 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482187531'.
12-19-2016 18:21:40.806 -0500 INFO WatchedFile - Modtime is newer than stored, will reread file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189684'.
12-19-2016 18:21:40.807 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189684'.
12-19-2016 18:21:40.808 -0500 INFO WatchedFile - Modtime is newer than stored, will reread file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189684'.
12-19-2016 18:21:40.809 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189684'.
12-19-2016 18:21:42.283 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189486'.
12-19-2016 18:21:42.285 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189486'.
12-19-2016 18:21:42.286 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189284'.
12-19-2016 18:21:42.288 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189284'.
12-19-2016 18:21:42.288 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482188776'.
12-19-2016 18:21:42.291 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482188776'.
12-19-2016 18:21:42.291 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482187531'.
12-19-2016 18:21:42.294 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482187531'.
12-19-2016 18:21:43.810 -0500 INFO WatchedFile - Modtime is newer than stored, will reread file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189684'.
12-19-2016 18:21:43.810 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189684'.
12-19-2016 18:21:43.812 -0500 INFO WatchedFile - Modtime is newer than stored, will reread file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189684'.
12-19-2016 18:21:43.812 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189684'.
12-19-2016 18:21:45.286 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189486'.
12-19-2016 18:21:45.289 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/services/splunk/etc/apps/eStreamer/log/estreamer.log.1482189486'.
Has anyone ever run into this? My inputs.conf is unedited from the Cisco eStreamer for Splunk app.
# cat default/inputs.conf
# Unix/Linux inputs enabled by default
[script://./bin/client_check.py]
disabled = 0
source = eStreamer
sourcetype = client_check
index = estreamer
interval = 60
[monitor://$SPLUNK_HOME/etc/apps/eStreamer/log]
disabled = 0
source = eStreamer
sourcetype = eStreamer
index = estreamer
crcSalt = <SOURCE>
As far as I can tell, the mod times are updating...
# stat -c %x,%z,%n *
2016-12-19 18:13:07.746622111 -0500,2016-12-19 18:13:05.086528147 -0500,estreamer.log.1482188776
2016-12-19 18:18:05.669146138 -0500,2016-12-19 18:17:53.633720988 -0500,estreamer.log.1482189284
2016-12-19 18:20:24.216037498 -0500,2016-12-19 18:20:16.464764117 -0500,estreamer.log.1482189486
2016-12-19 18:39:48.360107852 -0500,2016-12-19 18:39:47.098063317 -0500,estreamer.log.1482189684
Edit 1:
I think eStreamer is keeping the file descriptor open, so mdtm and scrc never get written...
# /services/splunk/bin/splunk cmd btprobe -d /services/splunk/var/lib/splunk/fishbucket/splunk_private_db/ --file /services/splunk/etc/apps/eStreamer/log/estreamer.log.1482202447
Using logging configuration at /services/splunk/etc/log-cmdline.cfg.
key=0x40ebb995eb99a09d scrc=0x0 sptr=0 fcrc=0x8b093ad81b0a8ee3 flen=0 mdtm=0 wrtm=1482205094
# /services/splunk/bin/splunk cmd btprobe -d /services/splunk/var/lib/splunk/fishbucket/splunk_private_db/ -k 0x40ebb995eb99a09d --validate
validation result: OK
key=0x40ebb995eb99a09d scrc=0x0 sptr=0 fcrc=0x8b093ad81b0a8ee3 flen=0 mdtm=0 wrtm=1482205094
# stat -c %x,%z,%n *.log*
2016-12-20 00:00:42.377623768 -0500,2016-12-20 00:00:41.943608425 -0500,estreamer.log.1482202447
# lsof | grep eStream
splunkd 2017 splunk 38u REG 253,0 150083 924551 /services/splunk/etc/apps/eStreamer/log/estreamer.log.1482202447
... View more
10-17-2016
09:14 AM
1 Karma
I'm looking to upgrade from 6.4.1 to 6.5, and I came across this:
Windows 7 x86-32 & x86_64: Free/Trial and Universal Forwarder support has been removed.
http://docs.splunk.com/Documentation/Splunk/6.5.0/ReleaseNotes/DeprecatedFeatures#Removed_platforms
Well, there goes my plans for 6.5, nearly all my Windows endpoints are Windows 7...
Anyone here make the jump to 6.5 with Windows 7 UF's?
... View more
05-13-2016
02:36 PM
Does anyone know of a way to dump a list of deployment clients that are forwarding via splunktcp-ssl? So I can focus my efforts on those first.
... View more
04-13-2016
01:08 PM
If I enabled in system/local with:
[WinEventLog://Security]
disabled = 0
Would the configs in Splunk_TA_windows/default/inputs.conf be applied?
[WinEventLog://Application]
disabled = 1-> 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=false
Or will he have to copy/paste all that into system/local?
... View more
04-13-2016
12:20 PM
I use my deployment server to deploy the Splunk Add-on for Microsoft Windows to Universal Forwarders.
Splunk_TA_windows/
├── default
│ └── inputs.conf #unchanged defaults
├── local
│ └── inputs.conf #edited
I enabled the Security log in local/inputs.conf, like:
[WinEventLog://Security]
disabled = 0
Everything works great. However, I have one user that wants to enable a few things. Let's say that he wants to:
[WinEventLog://Application]
disabled = 0
Where would he make that change? Wouldn't the deployment server overwrite Splunk_TA_windows/local/inputs.conf if he made the change there?
... View more
01-15-2016
06:36 AM
Hmm, I'm not seeing src_ip and src_nt_host.
These are the inputs that I have enabled:
###### OS Logs ######
[WinEventLog://Security]
disabled = 0
[WinEventLog://Application]
disabled = 0
[WinEventLog://System]
disabled = 0
###### Host monitoring ######
[WinHostMon://NetworkAdapter]
disabled = 0
###### Network monitoring ######
[WinNetMon://inbound]
disabled = 0
[WinNetMon://outbound]
disabled = 0
Any ideas?
... View more
01-15-2016
06:18 AM
Yea, I suppose that would somewhat work. I was hoping to use the Splunk for Windows App to get all network adapters information in full. IP and MAC and DNS, etc.
... View more
01-14-2016
08:18 AM
I would like to get the IP address of my Windows universal forwarders.
[WinHostMon://NetworkAdapter] doesn't give an IP, just MAC address.
[WinNetMon://inbound] and [WinNetMon://outbound] give an IP address, but it is also very noisy.
Does the Splunk Add-on for Microsoft Windows have a way to poll the UF IP using an interval?
... View more
01-05-2016
08:20 AM
Yes, that is an accurate summary.
Also, I have looked at Splunk's routing and filtering of data that you linked. It doesn't solve my problem because very often in my environment, sysadmins will install a Splunk Universal Forwarder on their systems but won't allow me access to them for purposes of configuration. So, I can't control hostnames. All I can do is point them to my deployment server. Filtering on sourcetype doesn't work either, because the sourcetypes will be the same.
... View more
01-04-2016
07:15 AM
It's not the same data. I want the default index to be set depending on the subnet that is used to check into the deployment server. That index holds the generic logs, like /var/log/secure and syslog, etc. And in one-off cases, like /var/log/finance.log would go to index=finance.
... View more
12-30-2015
10:57 AM
I considered this route, however, I want to maintain the flexibility of sending data to specific indexes. For example, if I have a nix box that has the Splunk_TA_nix app sending to index=div02 for the sysadmins; I might also want to send other data to index=finance for the finance people.
I'm getting the feeling that this might be a case of wanting my cake and eating it too lol
... View more
12-30-2015
10:06 AM
I wish it were that easy. In my case, when a Universal Forwarder checks in to my deployment server, it gets an inputs.conf with it's [default] index=. All data from that client, unless otherwise specified, goes there.
That way, I can give login's to sysadmins who represent each "div" and they won't have unnecessary access to another division's data.
... View more
12-30-2015
09:44 AM
I agree with this. However, I need to remove the index= attribute, not modify. And use another app to apply the [default] index=. Does that make sense?
... View more
12-30-2015
09:27 AM
I have an environment where I want to use apps like Splunk for Nix, but have the logs go to different indexes.
Splunk_TA_nix/default/inputs.conf:
[monitor:///var/log]
whitelist=(\.log|log$|messages|secure|auth|mesg$|cron$|acpid$|\.out)
blacklist=(lastlog|anaconda\.syslog)
index=os
disabled = 1
I don't want the default inputs.conf to have index=os. I want to set the index in another app and be able to upgrade the app without messing with the default inputs.conf of Splunk for Nix each time. For example...
serverclass.conf:
[serverClass:TEST1]
whitelist.0 = 1.1.1.1
[serverClass:TEST1:app:TEST1-IndexConfig]
[serverClass:TEST2]
whitelist.0 = 2.2.2.2
[serverClass:TEST2:app:TEST2-IndexConfig]
TEST1-IndexConfig default inputs.conf
[default]
index=test1
TEST2-IndexConfig default inputs.conf
[default]
index=test2
Am I going to be stuck commenting out all the "index=" in the defaults each time I want to upgrade the app? Or can I specify in the local confs to ignore the default conf attribute and respect the [default] in my other app?
... View more
- Tags:
- splunk-enterprise
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-28-2024
04:28 AM
|
