Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About christay
christay
New Member
Member since:
01-14-2019
11-30-2023
Community Statistics
| Posts | 16 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 01-14-2019 |
Activity Feed
- Posted Query question between 2 indexes on Splunk Search. 07-06-2020 01:11 AM
- Posted Re: Query on stats value = 0 or null on Splunk Search. 07-23-2019 08:22 PM
- Posted Query on stats value = 0 or null on Splunk Search. 07-23-2019 02:46 AM
- Tagged Query on stats value = 0 or null on Splunk Search. 07-23-2019 02:46 AM
- Tagged Query on stats value = 0 or null on Splunk Search. 07-23-2019 02:46 AM
- Tagged Query on stats value = 0 or null on Splunk Search. 07-23-2019 02:46 AM
- Posted Splunk AWS S3 Bucket log ingestion issue when forwarding enable on All Apps and Add-ons. 05-28-2019 12:15 AM
- Tagged Splunk AWS S3 Bucket log ingestion issue when forwarding enable on All Apps and Add-ons. 05-28-2019 12:15 AM
- Tagged Splunk AWS S3 Bucket log ingestion issue when forwarding enable on All Apps and Add-ons. 05-28-2019 12:15 AM
- Posted Re: SPLUNK INDEX Discovery on Getting Data In. 05-14-2019 05:54 PM
- Posted SPLUNK INDEX Discovery on Getting Data In. 05-14-2019 01:08 PM
- Tagged SPLUNK INDEX Discovery on Getting Data In. 05-14-2019 01:08 PM
- Posted Re: Fortinet Fortigate log direct ingest into Splunk on Deployment Architecture. 05-08-2019 07:58 PM
- Posted Fortinet Fortigate log direct ingest into Splunk on Deployment Architecture. 05-07-2019 02:46 AM
- Tagged Fortinet Fortigate log direct ingest into Splunk on Deployment Architecture. 05-07-2019 02:46 AM
- Posted Re: Splunk not working after turning on SSL for forwarder and indexer communication on Security. 02-21-2019 07:08 PM
- Posted Re: Splunk not working after turning on SSL for forwarder and indexer communication on Security. 02-19-2019 12:07 AM
- Posted Re: Splunk not working after turning on SSL for forwarder and indexer communication on Security. 02-18-2019 11:39 PM
- Posted Re: Splunk not working after turning on SSL for forwarder and indexer communication on Security. 02-18-2019 07:14 AM
- Posted Splunk not working after turning on SSL for forwarder and indexer communication on Security. 02-16-2019 08:09 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
07-06-2020
01:11 AM
Hi Guys, Can i check how can i craft the query given the following condition. I have 2 indexes IndexA and IndexB with the following filed in each index. Example as follows : IndexA Field contains : srcIP = 10.10.10.10 cat = malicious IP 100% IndexB Field contains : TrueClientIP = 10.10.10.10 The objective of my query is to compare "TrueClientIP" under Index B against "srcIP" under IndexA and the condition that if the "cat" field under IndexA is tag under malicious IP it will return me the count . How can i craft the above query ? Thanks for the help.
... View more
Labels
- Labels:
-
other
07-23-2019
02:46 AM
Hi Guys,
I have a question here.
Example i have a query statement that check for event logs captured by all my servers(Say total i have 30) during the last 10 mins.
if i run the following query :
index=ind_audit_log (sourcetype=linux_secure OR sourcetype=linux_audit) | stats count by host
It only returns me 25 servers which has event logs being pipe to splunk. The rest of the servers(5 in total) that does not have event logs pipe to splunk was not being reflected in the above query.
How can i craft and run a query to sieve out those servers that does not have any event logs being pipe to my splunk so that i can create an alert to notify me to check on the servers.
Thanks!
... View more
05-28-2019
12:15 AM
Hi Guys,
We are using SPLUNK AWS TA to ingest logs from our AWS S3 bucket.
Everything was working fine until when i try to forward our splunk logs to our customer using the Forwarder configuration under Forwarding and Receiving.
Once i enabled the forwarding of my customer IP/Port xxx.xxx.xxx.xxx:9999, the AWS S3 bucket ingestion will stop working.
However, once i delete away the configuration above, everything starts working fine again.
Our environment has 2 x indexer under a cluser setup and the Splunk AWS TA apps was installed in one of our Indexer.
I can't seems to find any issue by going through the logs.
Can someone point to me what could be the likely issue here ?
Thanks!
... View more
- Tags:
- aws
- splunk-enterprise
05-14-2019
05:54 PM
I have changed the ownership of /var/log to splunk user, but the result is still the same.
The splunkd.log doesn't share much insight to the issue as well....
... View more
05-14-2019
01:08 PM
Hi Guys,
I have configured using index discovery for my forwarder which are forwarding my firewall logs.
I saw from my splunkd.log it seems like the connection to my indexer is successful however, i can't see any logs from my indexer dashboard.
x.x.x.x is my 1st index server
y.y.y.y is my 2nd index server
logs
05-15-2019 03:59:05.238 +0800 INFO TcpOutputProc - Connected to idx=x.x.x.x:9997, pset=0, reuse=0. using ACK.
05-15-2019 03:59:10.784 +0800 WARN TailReader - Could not send data to output queue (parsingQueue), retrying...
05-15-2019 03:59:35.133 +0800 INFO TcpOutputProc - Closing stream for idx=x.x.x.x:9997
05-15-2019 03:59:35.133 +0800 INFO TcpOutputProc - Connected to idx=y.y.y.y:9997, pset=0, reuse=0. using ACK.
05-15-2019 03:59:40.785 +0800 INFO TailReader - ...continuing.
05-15-2019 03:59:45.785 +0800 WARN TailReader - Could not send data to output queue (parsingQueue), retrying...
05-15-2019 04:00:08.725 +0800 INFO TailReader - ...continuing.
05-15-2019 04:01:00.462 +0800 INFO ArchiveProcessor - Handling file=/var/log/fortigate/fortigate.log-20190515.gz
05-15-2019 04:01:00.462 +0800 INFO ArchiveProcessor - new tailer already processed path=/var/log/fortigate/fortigate.log-20190515.gz
05-15-2019 04:01:04.850 +0800 INFO TcpOutputProc - Closing stream for idx=y.y.y.y:9997
05-15-2019 04:01:04.850 +0800 INFO TcpOutputProc - Connected to idx=x.x.x.x:9997, pset=0, reuse=0. using ACK.
05-15-2019 04:03:04.453 +0800 INFO TcpOutputProc - Closing stream for idx=x.x.x.x:9997
05-15-2019 04:03:04.453 +0800 INFO TcpOutputProc - Connected to idx=y.y.y.y::9997, pset=0, reuse=0. using ACK.
05-15-2019 04:04:04.270 +0800 INFO TcpOutputProc - Closing stream for idx=y.y.y.y:9997
05-15-2019 04:04:04.270 +0800 INFO TcpOutputProc - Connected to idx=x.x.x.x:9997, pset=0, reuse=0. using ACK.
The indexes over at the index servers are not updated with any latest event as well.
Any idea how i can troubleshoot on this issue ?
Thanks
... View more
- Tags:
- splunk-enterprise
05-08-2019
07:58 PM
Thanks for the advice, appreciate that.
... View more
05-07-2019
02:46 AM
Hi Guys,
Can i just check is it possible for me to direct ingest the Fortigate Fortinet logs in to my Splunk environment ?
Meaning without using Forwarder + syslog server (method), like the following guide for a standalone environment from fortinet :
https://www.fortinet.com/content/dam/fortinet/assets/alliances/Fortinet-Splunk-Deployment-Guide.pdf
My current environment setup are as follows :
1 x Search Head/Node Master role Server.
2 x Cluster Indexer Server.
If direct ingest method is possible in my environment, how should i go about configuring it to ensure both my indexer have a replicated copy of the data that was ingested from Fortinet ?
Thanks in advance!
... View more
- Tags:
- splunk-enterprise
02-21-2019
07:08 PM
Hi ashajambagi,
Thanks for the suggestion. Finally found the error using btool due to conflicting configuration for SSL port 9997.
Somehow beside inputs.conf there's another one config residing under launcher also configure to use port 997 which is non SSL causing the issue i encountered.
... View more
02-19-2019
12:07 AM
Yup i did as per the documentation in ver 7.2.0.
Which is why i can't figure out which part has i gone wrong.....
... View more
02-18-2019
11:39 PM
Hi Vishal,
I have tested by moving my certs to :
/opt/splunk/etc/auth/certs for my indexer
and
/opt/splunkforwarder/etc/auth/certs for my forwarder
Still the same error reported above.
... View more
02-18-2019
07:14 AM
Hi Vishal,
I have configure based on the documents i got from splunk running ver 7.2.0.
input.config in one of my index server as follow :
[default]
host = SPLUNK01
[splunktcp-ssl:9997]
disabled = 0
[SSL]
serverCert = /opt/splunk/etc/system/local/certs/myIndexer.pem
sslPassword = hashxx
requireClientCert = false
output.config under my forwarder as follow :
[indexer_discovery:AWSINDEX]
pass4SymmKey = hashxxxx
master_uri = https://1.1.1.1:8089
[tcpout:splunkaws]
indexerDiscovery = AWSINDEX
useACK = true
autoLBFrequency = 30
forceTimebasedAutoLB = true
SSL Config Below
clientCert = /opt/splunkforwarder/etc/system/local/certs/myForwarder.pem
sslPassword = hashxxxx
[tcpout]
defaultGroup = splunkaws
... View more
02-16-2019
08:09 PM
Hi Guys,
We have the following environment set up : 2 x indexer and 1 x forwarder with 1 Master Node + Search Head.
We have configured to use indexer discovery and got it to work whereby the Forwarder are able to pass the logs over to the Indexer.
However, when we turn on the SSL, the logs are not forwarding over to the indexer anymore.
From the forwarder error logs, I saw the following error => "02-15-2019 09:09:35.768 +0000 ERROR TcpOutputProc - target=Indexer:9997 ssl=0 mismatch with ssl config in outputs.conf for server, skipping..."
Can advice what is wrong here?
... View more
01-27-2019
09:21 AM
Hi,
I am quite new to the Splunk setup, so as such, pardon my question here.
Given that, if i have a 2 x indexer setup in a Cluster, is it possible for me to shutdown 1 of the indexers ( Save cost as it's running on AWS) and still get the latest data replicated into the shutdown indexer from the active indexer ?
So, in the event that the primary active indexer is down, I can bring up the shutdown indexer to take over the role?
Is the above scenario possible ?
Or do I definitely have to have both the indexer instance online to get the latest data ingested ?
Thanks
... View more
01-27-2019
07:19 AM
Hi all, thanks for the input. I will relook into my design.
... View more
01-26-2019
11:27 AM
Hi I have the following setup :
1 x Node Master with 2 x indexer ( Clustering)
How can I configure to designate one of the indexer as my search head server.
Currently the default search head is pointing to my Node Master.
Thanks for the advice.
... View more
- Tags:
- splunk-enterprise
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
11-30-2023
08:19 AM
|
