I would suggest not to make any changes. remove the app completely. Have the latest install of the app reinstalled. Configure normally with a username and password for influxdb side. And verify if the log file shows up with details. Once you have log file working should be easier to troubleshoot with modifications. ... View more

hi Cuyose, You will find the log at $SPLUNK_HOME/var/log/splunk/influxdbmod.log ... fyi I have not yet added native support to unauthenticated writes to influxdb. The app without any modification will expect a username and password for influxdb. ... View more

This has now been added... will work from v1.7. Provide the info as https:port (Eg. https:8089) in the influx_configs tab under protcol:port ... View more

hi Sandeep, Very reasonable ask. Have not been checking answers for a while. Will add shortly and update.. ... View more

There is no log file to delete … your data has been indexed. To get rid of duplicate data from index… you can run a search to identify the duplicate events and pipe it to |delete command. https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Delete ... View more

Hi Deepak, yes internal indexes can give you information about the architecture ... but it gets easier with apps like S.o.S ... View more

hi, check out tokens which gives the options to include fields from your search result. That said it is usually easier just to get it from SPLUNK_ARG_8 as is being suggested if you are using a script anyway. ... View more

hi, I think this might have more to do with your system resources than with Splunk. Typically each of your saved search executing at the same time will consume a CPU core. Once your CPUs are maxed your searches will queue up and impact the performance. ... View more

make sure the spunk user configuring the app has appropriate access... check out https://answers.splunk.com/answers/441007/how-to-assign-access-to-users-for-influxdb-connect-1.html ... View more

are you an admin on Splunk? ... View more

Correct. The current app supports only an auth enabled (Set to "true") scenario. I do agree adding capability to support unauthenticated exports will make it more extendable. This will need some code changes. I can include this in the next release. For now, if you have access on the influxdb side, enabling user authentication is the cleaner way to resolve the issue. Another option would be make some changes on the back-end lib file (if you have access to the splunk searchhead). Edit line 71 on splunk_to_influxdb.py (located in you splunkroot->etc->apps->influxdb_connect->lib) change it form posturl = 'http://%s:%s/write?db=%s&precision=ms&p=%s&u=%s' % (infdbhost,infdbport,infdbdb,infdbaccs,infdbuser) to posturl = 'http://%s:%s/write?db=%s&precision=ms' % (infdbhost,infdbport,infdbdb) Note that this is not a clean way of doing this (you are essentially ignoring the user and passwd defined on splunk side) .... but I think it should work for now for you to export data out of splunk into influxdb. ... View more

When you cluster splunk you typically will have more things to consider than you would in the current state. Clustering itself will require some amount of planning (even with just 2 peer nodes and a cluster master). So assuming service interruption is acceptable ... to me the easier option (relatively speaking) appears to be finishing off the upgrade first and plan and do cluster deployment later.... So I am coming from the perspective that you need to pick one of these 2 choices immediately. ... View more

True. Thanks for correcting 🙂 ... View more

Hi gozulin, stopping one indexer should make the forwarders send to the other indexers, cluster or no cluster, am I right? yes As per clustering, you would need a minimum of 3 indexers. Just by the info provided above, I don't think you can cluster above 2 mentioned indexers for HA. So you cannot avoid disruption of service (searches would have incomplete data) during the upgrade... but as you mentioned above you are not loosing any inbound data. If you have a new server available for indexer ... then yes cluster first and upgrade one server at a time so you have no service disruption. If service disruption in not a big deal... it's cleaner/easier to upgrade first and cluster 🙂 ... View more

Some good info here.. ... View more

Hi, Python SDK for Splunk does not have a JSON parser. You will need to write your own. If you would just like to see the results then skip the ResultsReader. You can try something like: kwargs_export = {"search_mode": "normal", "output_mode":"json"} searchquery_export = "search index=auto" exportsearch_results = self.splunk_instance.jobs.export(searchquery_export, **kwargs_export) print exportsearch_results.read() ... View more

Hi, If you are looking for an "out of splunk" solution... you will need some server side scripting. You can use XMLHttpRequest Object in your client script. Check out the basic tutorial here.. ... View more

Hi... yes. The app is built to go on the Search Head. Let me know if you have any issues with the deployment. Thanks, Yash ... View more

hi, You will have to use "%s" ... you can refer here for details. Eg: | eval Processedtime=strptime(_time,"%s") | table _time,Processedtime ... View more

Hi perlish, it will be difficult to pinpoint the issue with just the above info. What do you see in the python.log? $SPLUNK_HOME/var/log/splunk/python.log Is any email going out of your splunk server (for other alerts)? ... View more

Sure.. I have the following in my commands.conf (located in SPLUNK_HOME/etc/apps/MYAPP/local) [tkntest] type = python filename = tkntst.py supports_getinfo = false supports_rawargs = true passauth = true enableheader = true outputheader = true requires_srinfo = true support_multivalues = true tkntst.py (located in SPLUNK_HOME/etc/apps/MYAPP/bin) import sys, os, logging, csv from logging.handlers import TimedRotatingFileHandler splkhome = os.environ['SPLUNK_HOME'] splvar = os.path.join(splkhome, 'var', 'log', 'splunk', 'sctest.log') ### Set Logging log = logging.getLogger('tkntst') log.setLevel(logging.INFO) formatter = logging.Formatter('%(asctime)s [%(levelname)s] %(message)s') handler = logging.handlers.TimedRotatingFileHandler(splvar,when="d",interval=1,backupCount=1) handler.setFormatter(formatter) log.addHandler(handler) try: log.info('Search commnd initiated') csvf = sys.stdin.readline().strip() csvf = csvf.replace("infoPath:", "") log.info('Successfully received csvf from Splunk %s' % csvf) with open(csvf) as hfile: reader = csv.DictReader(hfile) for row in reader: tkn = row['_auth_token'] log.info('Successfully received token from Splunk %s' % tkn) except Exception, e: log.error('Unable to get session %s' % str(e)) sys.exit() Ran in search (MYAPP) "|tkntest" tail /xxx/xxx/splunk/var/log/splunk/sctest.log 2016-03-01 16:58:31,932 [INFO] Search commnd initiated 2016-03-01 16:58:31,932 [INFO] Successfully received csvf from /xxx/xxx/splunk/var/run/splunk/dispatch/1456869511.102/eternSearchResultsInfo.csv 2016-03-01 16:58:31,933 [INFO] Successfully received token from Splunk Ps^29NN_8U3WSwXdlt897cDV8bsOwxsXfN9Tqv9ATql77OONJS6S6gGI9lq3vNSW5Szwc6ltPNjFhg9HADwwpGS72CMJFTqcktxgS^8t9mrbtYoKE1T7KN Also since you have the splunklib... checkout this answer ... seems much simpler ... View more

ahh.. I did quick test and looks like for search commands stdin only holds the location of csv file with the requested headers. I was able to get the token by reading the csv file.. csvf = sys.stdin.readline().strip() csvf = csvf.replace("infoPath:", "") with open(csvf) as hfile: reader = csv.DictReader(hfile) for row in reader: tkn = row['_auth_token'] As mentioned above if the sessionkey might be urlencoded in which case you will need to decode before passing it to client connect. Hope this works out .. ... View more