About jenipherc

jenipherc · ‎02-10-2021

Although these two different approaches yield the same results; the underlying mechanism is different that using "stats" could push too much data to the search head(s) and results in an auto finalized search due to search disk quota. mvexpand is a distributed streaming command (done at indexing layer) whereas stats is transforming commands (done at search head layer). https://docs.splunk.com/Documentation/Splunk/8.1.2/Search/Typesofcommands

jenipherc · ‎10-18-2018

By the way, those messages posted above is from web_service.log

jenipherc · ‎06-29-2018

If the Cylance app sharing is private, that means when you search the sourcetype=device in Search and Reporting, it will not use some of the settings defined in the Cylance app. Therefore, AUTO_KV_JSON=true and KV_MODE=auto which are the default settings for search-time extractions will be used in Search and Reporting app, causing the json data to be extracted again "search time" in addition to the Indexed-time extraction defined in INDEXED_EXTRACTIONS = json. In order to fix it, change the Cylance app sharing to Global so that AUTO_KV_JSON = false and KV_MODE = none will be used when you search that outside of Cylance app. The double extraction shouldn't occur.

jenipherc · ‎06-29-2018

This is the search I did in both apps: “index=cylance_protect sourcetype=device” And I have this in my props.conf for this device sourcetype. props.conf .../etc/apps/cylance_protect/default/props.conf AUTO_KV_JSON = false .../etc/apps/cylance_protect/default/props.conf INDEXED_EXTRACTIONS = json .../etc/apps/cylance_protect/default/props.conf KV_MODE = none Currently, the Cylance app sharing is private. Could you help me understand why, and how to fix it?

jenipherc · ‎08-04-2017

I have this TA installed "TA-Symantec-EP-Syslog". And I always have this problems in at the beginning of each month that this query will not give me certain fields that I am expecting. sourcetype=symantec:ep:risk:syslog Some fields that I noticed that are missing are : action, Category_Type, and Computer_Name . I think this happens because the day in the timestamp is single digit rather than double digit. For example, an event starts like this might not have all fields extracted: Aug 4 11:35:10 but an event starts like this Jul 31 19:35:38 would have all fields extract. (They're tab delimited ) II was tracing the props.conf and transforms.conf for this sourcetype in this TA, I couldn't figure out where the timestamp was parsed. Anyone who might have experienced this before could share how you fixed it? Thank you.

jenipherc · ‎06-09-2017

One of the easiest ways to identify that you have this problem is by looking at the max_age of those Windows events in Splunk's metrics.log. index=_internal host=<forwarder> source=*metrics.log* group=per_sourcetype_thruput |timechart avg(max_age) by series useother=f If you find all wineventlog:* have large avg(max_age) on your forwarder, you have adjusted the following on forwarder: -evt_resolve_ad_obj is set to 0 in inputs.conf -maxKbps is set to 0 in limits.conf and there is still a lag. Consider update tcpSendBufSz suggested below.

jenipherc · ‎01-12-2017

I found my answer to those questions I asked.

jenipherc · ‎01-12-2017

What if we have a license master? Or I guess I can just take the enterprise lic file and put it in the license folder and restart? Splunk Light has a different UI layout, so based on what you said, will the UI also got upgraded after applying license?

jenipherc · ‎12-29-2016

I downvoted this post because i don't think reinstallation is the best solution to this problem. most business won't be able to do this.

jenipherc · ‎11-09-2016

Wow. This is such an old article that deserved a belated response. I wonder where you put your inputs.conf and outputs.conf because that matters. Use btool to get the final configuration that Splunk accepts, and also review this documentation for more info. https://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Wheretofindtheconfigurationfiles

jenipherc · ‎09-30-2016

Not yet. We just found out this since the release of Chrome version 53.0.2785.x. In the mean time, please use this answer article as your reference.

jenipherc · ‎09-29-2016

Here are a few options you can choose from: 1. Downgrade Chrome to 52.0.x.x 2. Use other browsers such as Firefox or Safari 3. Resize the timeline and make the timeline area shorter if your timeline format is in "Full". Or you can switch it to "Compact". 4. Disable "Accelerated 2D" canvas in Chrome: a) In Chrome, go to chrome://flags/ b) Locate Accelerated 2D canvas c) Disable it. d) Relaunch Chrome. If you're a Windows or Mac user, and Splunk version is prior to 6.4.x. You will experience this in this Chrome version.

jenipherc · ‎08-18-2016

What if the log says Linux transparent hugetables support, enabled="always" defrag="never" ? Would it be still alright (in between bad and good?)

Posts	13
Solutions	1
Karma Given	21
Karma Received	14
Member Since	‎08-03-2016

Online Status	Offline
Date Last Visited	‎02-11-2021 12:51 PM

My Cylance json data is double extracted in Search...

Symantec Endpoint Protection syslog TA field extra...

Re: how to split the json array into multiple new ...

Re: Why won't SplunkWeb start after ES was upgrade...

Re: My Cylance json data is double extracted in Se...

My Cylance json data is double extracted in Search...

Symantec Endpoint Protection syslog TA field extra...

Re: Why is my Universal Forwarder showing extreme ...

Re: Is it possible to upgrade current Splunk Light...

Re: Is it possible to upgrade current Splunk Light...

Re: Splunkd daemon is not responding: ('The read o...

Re: tcp_routing route every thing?

Re: Is anyone else having timeline issues in Chrom...

Re: Is anyone else having timeline issues in Chrom...

Re: Splunk 6.x and Linux? not so fast?