Channel: Latest Questions on Splunk Answers

Set the Host Field to the value of a column in a DB Connect input


One of my database inputs has a column named Server which contains the hostname for whichever machine an app is running on. It would be nice if the host field could map to whatever value is in that column at the time it is brought in, but I haven't found a way to do that.

There are some other questions about how to do something similar with other input types (files, via parsing), but I haven't seen one that I've been able to get working for a database input.

I suppose I could create a new input for each machine that will show up in there (custom query) and then set the static Host Field value to its hostname, but right now I'd rather just have one input.


Delete DB Connect indexed data


I'm new to Splunk. Most of our logs are in databases. In testing out DB Connect I added some inputs and removed them later. However, the data that was indexed shows up in searches and I'd like to remove that also. Is there a command to do this? I would use splunk remove index <name> but I don't know the name of the index. There doesn't seem to be a command to remove data by source, or I haven't found it. There is other indexed data that I want to leave in place.

So how do I remove the indexes and data for those specific DB Connect inputs that were removed?

Enterprise Security app error while upgrading


Received the error while upgrading the ESS app from 2.4 to 3.0.1. Below is the error, "ERROR - step:upgrade|Filesize would require ZIP64 extensions"

We are using Splunk 6 and upgraded from 5.0.4 very recently.

Please help regarding ESS upgrade.

DBConnect Java Error After Starting Splunk


Has anybody seen this error in the jbridge log after starting Splunk? The process is in a loop and just keeps restarting. This node is part of a search pool and is the only node on which DB Connect isn't working. I have already re-installed Java and removed any entries related to this host in distributed.conf.

2014-09-12 19:27:22,334 ERROR Java process returned error code 1! Error: Initializing Splunk context... Environment: SplunkEnvironment{SPLUNK_HOME=/home/splunk/splunk,SPLUNK_DB=/home/splunk/splunk/var/lib/splunk} Configuring Log4j... [Fatal Error] :1:1: Premature end of file. Exception in thread "main" com.splunk.config.SplunkConfigurationException: Error creating PersistentValueStore type xstream: com.thoughtworks.xstream.io.StreamException: : Premature end of file. at com.splunk.persistence.PersistentValueStoreFactory.createStoreInstance(PersistentValueStoreFactory.java:119) at com.splunk.persistence.PersistentValueStoreFactory.createStore(PersistentValueStoreFactory.java:71) at com.splunk.persistence.PersistentValueStoreFactory.createGlobalStore(PersistentValueStoreFactory.java:51) at com.splunk.env.SplunkContext.initialize(SplunkContext.java:108) at com.splunk.bridge.JavaBridgeServer.main(JavaBridgeServer.java:34) Caused by: com.thoughtworks.xstream.io.StreamException: : Premature end of file. at com.thoughtworks.xstream.io.xml.DomDriver.createReader(DomDriver.java:105) at com.thoughtworks.xstream.io.xml.DomDriver.createReader(DomDriver.java:81) at com.thoughtworks.xstream.XStream.fromXML(XStream.java:904) at com.splunk.persistence.impl.XStreamStore.loadState(XStreamStore.java:113) at com.splunk.persistence.impl.XStreamStore.<init>(XStreamStore.java:49) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:526) at com.splunk.util.Utils$Reflection.instantiate(Utils.java:880) at com.splunk.persistence.PersistentValueStoreFactory.createStoreInstance(PersistentValueStoreFactory.java:117) ... 
4 more Caused by: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 1; Premature end of file. at com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(DOMParser.java:257) at com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(DocumentBuilderImpl.java:347) at com.thoughtworks.xstream.io.xml.DomDriver.createReader(DomDriver.java:98) ... 14 more 2014-09-12 19:27:22,334 ERROR Command output: None

How to create scatter graph correlating two data sources of transactions and average CPU usage?


Hi Splunkers,

I have two data sources. In the first I have the number of transactions executed, grouped by hour. In the second I have the average CPU usage for the same transactions in the same time. I need to correlate the number of transactions with the average CPU usage in a scatter graph (x,y). Is it possible?

E.g.

cpu.csv
time,cpu
00:00,0.3
01:00,025
02:00,0.50
03:00,0.87
04:00,090

transaction.csv
Time,transaction
00:00,50
01:00,60
02:00,70
03:00,87
04:00,25

Finally, I need to create a prediction from that information. Is it possible using a scatter graph?

Cheers,
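The correlation and prediction asked about above, worked through outside Splunk as an added example (this is not code from the post or from Splunk). It joins the two files on the time column, computes the Pearson correlation and a least-squares line, and uses that line to predict CPU for a transaction count. The CSV contents are constructed samples in the shape of the post's files, with cpu values placed exactly on a line so the result is easy to check; the header case differs between files ("time" vs "Time") as in the post, and transaction.csv carries an hour with no matching cpu row to show how unmatched hours are handled.

```python
import csv
import io
import math
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample data in the shape of the post's two files (not the post's values).
CPU_CSV = """time,cpu
00:00,0.3
01:00,0.4
02:00,0.5
03:00,0.6
04:00,0.7
"""

TRANSACTION_CSV = """Time,transaction
00:00,50
01:00,60
02:00,70
03:00,80
04:00,90
05:00,100
"""


def read_by_time(csv_text: str, value_col: str) -> Dict[str, float]:
    """Map each time key to the numeric value in value_col.

    Header names are lower-cased so "Time" and "time" join on the same key.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    out: Dict[str, float] = {}
    for row in reader:
        cleaned = {k.strip().lower(): v.strip() for k, v in row.items()}
        out[cleaned["time"]] = float(cleaned[value_col])
    return out


def join_on_time(cpu_csv: str, tx_csv: str) -> List[Tuple[float, float]]:
    """Inner-join the two files on time, giving (transactions, cpu) pairs.

    Hours present in only one file are dropped rather than guessed.
    """
    cpu = read_by_time(cpu_csv, "cpu")
    tx = read_by_time(tx_csv, "transaction")
    return [(tx[t], cpu[t]) for t in sorted(tx) if t in cpu]


class Fit(NamedTuple):
    slope: float
    intercept: float
    pearson_r: float


def linear_fit(pairs: List[Tuple[float, float]]) -> Fit:
    """Ordinary least-squares line y = slope*x + intercept, plus Pearson r."""
    n = len(pairs)
    if n < 2:
        raise ValueError("need at least two (x, y) pairs to fit a line")
    mean_x = sum(x for x, _ in pairs) / n
    mean_y = sum(y for _, y in pairs) / n
    sxx = sum((x - mean_x) ** 2 for x, _ in pairs)
    syy = sum((y - mean_y) ** 2 for _, y in pairs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in pairs)
    if sxx == 0:
        raise ValueError("all x values are identical; slope is undefined")
    slope = sxy / sxx
    intercept = mean_y - slope * mean_x
    r = sxy / math.sqrt(sxx * syy) if syy > 0 else 0.0
    return Fit(slope, intercept, r)


def predict(fit: Fit, transactions: float) -> float:
    """Predicted average CPU for a given transaction count."""
    return fit.slope * transactions + fit.intercept


if __name__ == "__main__":
    pairs = join_on_time(CPU_CSV, TRANSACTION_CSV)
    fit = linear_fit(pairs)
    for x, y in pairs:
        print(f"transactions={x:.0f} cpu={y:.2f}")
    print(f"slope={fit.slope:.4f} intercept={fit.intercept:.4f} r={fit.pearson_r:.3f}")
    print(f"predicted cpu at 100 transactions: {predict(fit, 100):.2f}")
```

The pairs returned by join_on_time are exactly the (x, y) points a scatter chart would plot; the fitted line is the simplest prediction that can be drawn over them, and the Pearson value tells you whether the line means anything before you rely on it.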

[DB Connect] "The Java Bridge server is not running" MySql


I have a problem with DB connect.

Every time I restart Splunk the Java bridge server doesn't restart cleanly. I lose the Java bridge server for a few hours (between 4h and 6h) and it comes back on its own during the night (at 11PM, 8PM, ...).

I see DB Connect telling me kindly "The Java Bridge server is not running" from the "home" apps page and "The Java Bridge server seems not to be running..." on status page.

The "Reload" button seems to do nothing.

In the .../dbx/local/ folder I enabled the debug log in java.conf by adding the following to the file:

[logging]
level = DEBUG
file = dbx.log
console = false
logger.com.splunk.dbx = DEBUG

But I don't see any explicit log... I can copy it if that helps.

When I want to run a query from the search bar I get the following:

"Error in 'script': Getinfo probe failed for external search command 'dbquery'"

Query run in the search bar :

| dbquery "ucpdb-cp" "SELECT * FROM sessions WHERE FROM_UNIXTIME(initTime, '%Y-%m-%d') > '2014-01-01'" limit=1000

From the "Database Info" tab I get the following in the top red banner:

"External search command 'dbinfo' returned error code 47."

I tried cleaning the folder "$SPLUNK_DB/persistentstorage/dbx/global" and restarting Splunk, but nothing more.

If someone has an idea of how to continue my troubleshooting, that would be great.

Thanks in advance,

ERROR DispatchThread - Error reading runtime settings: File does not exist - Splunk 6.0 (upgraded)


I upgraded from Splunk Enterprise 5.0.5 to 6.0 and this error is showing in the logs. Is it anything to worry about?

file: splunkd.log

10-04-2013 12:40:29.441 +0100 ERROR DispatchThread - Error reading runtime settings: File does not exist

Regex - Capture group without duplicating value


This is my string:

<search>1</search> <search>4</search> <search>2</search> <search>5</search> <search>3</search> <search>6</search>

I have the following rex command:

rex field=a_field "<search>(?<TESTING>(.?))</search>"

This will only grab TESTING=1. I want to grab all the values.

Using the rex command

rex field=a_field "<search>(?<TESTING>.*)</search>"

will grab everything in between, including the brackets and the search string.

How would I make sure that I only grab the values between the bracketed strings?
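Why the two patterns in the question behave as they do, shown as an added example in Python rather than SPL (this is not code from the post). The mechanics are the same: a greedy `.*` runs to the last closing tag, a lazy `.*?` or an explicit `[^<]*` stops at the first one, and the post's `(.?)` can only ever capture a single character, which silently skips any value longer than one digit. Python's named-group syntax is `(?P<name>...)` where Splunk's rex uses `(?<name>...)`; the sample strings are constructed copies in the shape of the post's data.

```python
import re
from typing import List, Optional, Pattern

# Constructed copy of the post's string, plus a variant with a two-digit value.
SAMPLE = ("<search>1</search> <search>4</search> <search>2</search> "
          "<search>5</search> <search>3</search> <search>6</search>")
SAMPLE_TWO_DIGIT = "<search>12</search> <search>7</search>"

# The post's first pattern: "(.?)" captures at most ONE character.
ORIGINAL = re.compile(r"<search>(?P<TESTING>(.?))</search>")
# The post's second pattern: greedy ".*" runs to the LAST </search>,
# swallowing every tag in between.
GREEDY = re.compile(r"<search>(?P<TESTING>.*)</search>")
# Lazy ".*?" stops at the FIRST </search> after each opening tag.
LAZY = re.compile(r"<search>(?P<TESTING>.*?)</search>")
# Explicit: a value cannot contain "<", so this cannot overrun the closing
# tag even when the input spans several lines (where "." would not match "\n").
STRICT = re.compile(r"<search>(?P<TESTING>[^<]*)</search>")


def first_value(pattern: Pattern[str], text: str) -> Optional[str]:
    """What a single-match extraction (rex's default max_match=1) returns."""
    m = pattern.search(text)
    return m.group("TESTING") if m else None


def all_values(pattern: Pattern[str], text: str) -> List[str]:
    """All non-overlapping captures, i.e. the multivalue result rex max_match=0 gives."""
    return [m.group("TESTING") for m in pattern.finditer(text)]


if __name__ == "__main__":
    print("original first :", first_value(ORIGINAL, SAMPLE))
    print("original, 2-digit value:", first_value(ORIGINAL, SAMPLE_TWO_DIGIT))
    print("greedy first   :", first_value(GREEDY, SAMPLE))
    print("lazy first     :", first_value(LAZY, SAMPLE))
    print("lazy all       :", all_values(LAZY, SAMPLE))
    print("strict all     :", all_values(STRICT, SAMPLE_TWO_DIGIT))
```

Note that on the two-digit sample the original pattern does not fail loudly: it skips "12" and reports "7" as the first value, which is the kind of quiet mis-extraction that is hard to spot in a large result set. The `[^<]*` form is the safest of the three because it states what a value may contain instead of relying on backtracking.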


How to search, extract and table fields from deployment object log events


Currently, I get some deployment object log events like this:

App1.start=20140911.0933.5920
App1.upload=success
App1.upload.time=13.708 sec
App2.start=20140911.0933.5920
App2.upload=success
App2.upload.time=13.708 sec
App3.start=20140911.0934.5920

How can I turn this structure into rows like the following result?

Module | Start Date | Elapsed Time | Status
App1 | 20140911.0933.5920 | 00:00:13 | Success
App2 | 20140911.0943.1231 | 00:00:13 | Success
App2 | 20140911.0934.5920 | -- | In Progress
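A parser for the Module.key=value shape shown above, written as an added example (not the poster's code and not SPL). It groups lines by module, converts the "13.708 sec" duration into HH:MM:SS, and marks a module with a start line but no upload result as "In Progress" with "--" for its elapsed time, which is the edge case the desired table shows. The sample log is a constructed copy of the post's lines; the output column names follow the post's table.

```python
import re
from collections import OrderedDict
from typing import Dict, List

# Constructed copy of the post's deployment object log lines.
SAMPLE_LOG = """App1.start=20140911.0933.5920
App1.upload=success
App1.upload.time=13.708 sec
App2.start=20140911.0933.5920
App2.upload=success
App2.upload.time=13.708 sec
App3.start=20140911.0934.5920
"""

# "<Module>.<key>=<value>": the module is everything before the first dot,
# the key is the remainder up to "=", the value is the rest of the line.
LINE_RE = re.compile(r"^(?P<module>[^.=\s]+)\.(?P<key>[^=]+)=(?P<value>.*)$")


def format_elapsed(value: str) -> str:
    """Turn '13.708 sec' into '00:00:13' (whole seconds, truncated)."""
    seconds = int(float(value.split()[0]))
    return "%02d:%02d:%02d" % (seconds // 3600, seconds % 3600 // 60, seconds % 60)


def parse_deployment_log(text: str) -> List[Dict[str, str]]:
    """One row per module, in first-seen order.

    A module that has started but has no upload result yet is reported as
    In Progress with '--' for elapsed time.
    """
    rows: "OrderedDict[str, Dict[str, str]]" = OrderedDict()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # lines outside the Module.key=value shape are skipped, not guessed
        module, key, value = m.group("module"), m.group("key"), m.group("value").strip()
        row = rows.setdefault(module, {
            "Module": module, "Start Date": "", "Elapsed Time": "--", "Status": "In Progress",
        })
        if key == "start":
            row["Start Date"] = value
        elif key == "upload":
            row["Status"] = value.capitalize()
        elif key == "upload.time":
            row["Elapsed Time"] = format_elapsed(value)
    return list(rows.values())


def to_table(rows: List[Dict[str, str]]) -> List[str]:
    """Render rows as the pipe-separated table from the question."""
    columns = ["Module", "Start Date", "Elapsed Time", "Status"]
    lines = [" | ".join(columns)]
    for row in rows:
        lines.append(" | ".join(row[c] for c in columns))
    return lines


if __name__ == "__main__":
    for line in to_table(parse_deployment_log(SAMPLE_LOG)):
        print(line)
```

Keying on the module name is what collapses three related lines into one row; in SPL the same grouping is done by extracting the module name with rex and then aggregating per module, so the parser above is a good way to check what that aggregation should produce on a known input.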

input.conf path has numbers how do i capture this?


Our log path looks like this:

/var/www/webapp/application/logs/2014/09/13/03.log

where 2014 is the year, 09 is the month, 13 is the day, and 03 is the hour.

How can I capture this path pattern in inputs.conf so that all auto-generated paths starting with the year, month, day and hour are captured and the logs are sent to the splunkstorm index?

How to name monitoring stanza in inputs.conf to pick up Windows Applications and Services Logs?


Hello, I am trying to onboard an ActiveRoles server, however it doesn't seem that I'm configuring my inputs.conf appropriately. The 'full name' in Event Viewer properties for the server reads "EDM Server", and the file path reads `\Winevt\Logs\EDM Server.evtx`. Any ideas on what I should name the monitoring stanza so I can pick up these logs? Thank you!

PS: At the top of the Properties file it reads "Type: Administrative"; not sure if this matters.

Table of count of specific user action by unique user


I would like to create a table similar to the following:

# Of Reports Created | Users | %
>10 | 23 | 3
10 | 4 | 1
9 | 3 | 0
8 | 3 | 0
. . .
1 | 433 | 57

The search is only:

sourcetype="xyz" host=MA* Mthd="CreateReport"

So, I want to know how many users created 1 report, 2 reports, ..., 10 reports, and more than 10.
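The two-stage aggregation behind that table (count per user, then count users per bucket), as an added Python example rather than SPL (not the poster's search). The events are constructed samples carrying the fields the post's search filters on (host prefix MA and Mthd=CreateReport) plus a user field, whose name is an assumption; two event groups are deliberately outside the filter to show they are excluded. Buckets 1 to 10 and ">10" are all emitted, including empty ones, so the table has a fixed shape.

```python
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed events in the shape the post's search returns. The field name
# "user" is an assumption; the post does not name the user field.
SAMPLE_EVENTS = (
    [{"host": "MA01", "user": "alice", "Mthd": "CreateReport"}] * 12
    + [{"host": "MA02", "user": "bob", "Mthd": "CreateReport"}] * 3
    + [{"host": "MA01", "user": "carol", "Mthd": "CreateReport"}]
    + [{"host": "MA03", "user": "dave", "Mthd": "CreateReport"}]
    + [{"host": "MA02", "user": "erin", "Mthd": "CreateReport"}] * 10
    # Outside the search filter: wrong host prefix, and a different method.
    + [{"host": "NY01", "user": "frank", "Mthd": "CreateReport"}] * 5
    + [{"host": "MA01", "user": "carol", "Mthd": "DeleteReport"}] * 4
)

MAX_BUCKET = 10  # counts above this land in the ">10" row


def reports_per_user(events: Iterable[Dict[str, str]],
                     host_prefix: str = "MA",
                     method: str = "CreateReport") -> Dict[str, int]:
    """Stage 1: apply the search filter and count matching events per user."""
    counts: Counter = Counter()
    for event in events:
        if event.get("host", "").startswith(host_prefix) and event.get("Mthd") == method:
            counts[event["user"]] += 1
    return dict(counts)


def bucket_label(count: int) -> str:
    return f">{MAX_BUCKET}" if count > MAX_BUCKET else str(count)


def report_table(per_user: Dict[str, int]) -> List[Tuple[str, int, int]]:
    """Stage 2: (bucket, number of users, percent of users), highest bucket first."""
    users_per_bucket = Counter(bucket_label(n) for n in per_user.values())
    total_users = sum(users_per_bucket.values())
    labels = [f">{MAX_BUCKET}"] + [str(n) for n in range(MAX_BUCKET, 0, -1)]
    rows = []
    for label in labels:
        users = users_per_bucket.get(label, 0)
        pct = round(100 * users / total_users) if total_users else 0
        rows.append((label, users, pct))
    return rows


if __name__ == "__main__":
    print("# Of Reports Created | Users | %")
    for label, users, pct in report_table(reports_per_user(SAMPLE_EVENTS)):
        print(f"{label} | {users} | {pct}")
```

The percentage is of distinct users, not of events, which is why the total is taken after the first aggregation; doing it the other way round is the usual mistake when building this kind of table.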

Can someone show an example of sending data through TCP to a Splunk server using the C# SDK?


Could someone show an example of sending data through a TCP connection to a Splunk server using the C# SDK? There are examples for [Python][1] and Java, but none for C#. I'm currently using the event streaming method with receiver.attach, but it's much too slow for my requirements.

[1]: http://dev.splunk.com/view/python-sdk/SP-CAAAEE6

Why is there no Raw Events export option when I have a search with stats command or returns a table?


From the GUI, you should also see "Raw Events" as an export option along with JSON, XML, and CSV; however, I do not see Raw Events when I have a search that has the stats command present or returns a table. Any idea how to get around this?

How to reference csv subsearch results to exclude matching hostnames from main csv search results?


Hello Splunkers, I am successfully searching two indexes from two separate .csv files. Both indexes contain a 'similar' set of hostnames. I am searching index A for a particular list of hostnames that I would like to reference so that I can exclude any matching hostnames from index B. Anything where the field Purpose2 has the word 'farm' in it needs to be excluded from both lists. I will eventually be joining the hostname lists between indexes as one single master list, but I need to exclude the list from index A from both.

Here is the search that identifies the list of hostnames from index A:

index=asset_db source="/var/asset_database/fullpull.csv" "Reporting Status"=Reporting "High Level Status"=Production "System Name"=* "Purpose2"=*Farm* | rename "System Name" AS hostname

The search for index B, which successfully returns a list of hostnames:

index=test_assets source="C:\\Splunk Test Assets\\AD-LDAP export.csv" earliest=-90d@d latest=-0d@d CN=* | rename CN as hostname

How do I get the index B search to "see" and exclude the results of the index A search? Thank you very much for any assistance.

JMS Messaging Modular Input: How to call a data input that uses SSL Splunk?


We have installed the 'JMS Messaging Modular Input' application in Splunk 6.1. It works fine if the 'JNDI Provider URL' is non-SSL, such as:

tcp://localhost:61617

When we change our broker to use SSL, i.e. ssl://localhost:61617, Splunk throws an exception, since it cannot find the broker's certificate. This is the exception:

message from "python C:\Splunk\etc\apps\jms_ta\bin\jms.py" Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
message from "python C:\Splunk\etc\apps\jms_ta\bin\jms.py" at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
message from "python C:\Splunk\etc\apps\jms_ta\bin\jms.py" at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
message from "python C:\Splunk\etc\apps\jms_ta\bin\jms.py" at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
message from "python C:\Splunk\etc\apps\jms_ta\bin\jms.py" at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
message from "python C:\Splunk\etc\apps\jms_ta\bin\jms.py" at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
message from "python C:\Splunk\etc\apps\jms_ta\bin\jms.py" at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
message from "python C:\Splunk\etc\apps\jms_ta\bin\jms.py" at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
message from "python C:\Splunk\etc\apps\jms_ta\bin\jms.py" at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
message from "python C:\Splunk\etc\apps\jms_ta\bin\jms.py" at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
message from "python C:\Splunk\etc\apps\jms_ta\bin\jms.py" at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
message from "python C:\Splunk\etc\apps\jms_ta\bin\jms.py" at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:702)
message from "python C:\Splunk\etc\apps\jms_ta\bin\jms.py" at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)

I really can't find any documentation in Splunk that explains how to import the broker's certificate into Splunk's environment. All I see are the instructions on how to set up SSL between Splunk's nodes. Has anyone been able to work through this before or found a guide on how to set this up? Thank you in advance. -Juan

Can a universal forwarder run a script? If yes, is there a way to control when it runs?

Hi, Can a UF run a script? If so, is there any way to control when it runs?

Rex not working for special characters


Hi Folks, I've worked out a regex to pull out group names from audit logs. It works for one field with no special characters, but in another, more elaborate field, my rex becomes confused. Example:

|rex "\w+ added to (?"EXTRACTION SHOULD BE HERE BUT SPLUNK.com FILTERS THE TAGS"\w+) in the \w+"

"Member Bill added to Mail Admin in the Restricted Groups Policy PostOffice"

works fine, but when it becomes more complex I am not sure how to have the rex query ignore all the special characters that may show up:

"Member Bill added to Mail Admin in the Restricted Groups Policy (SLASHES)K12\\DC5000Dallas [WEDT] Mail Admin"

This turns up nothing. So basically I want to eliminate the slashes (that don't show up here, oddly) and [] that get mixed in, and just ignore everything after the group name extraction. Thanks in advance!

Edit: Splunk filters out the tags so the rex looks weird, but I'm using the correct named extraction.

Install and Upgrade of Splunk App for Windows Infrastructure 1.0.3 does not show Data for Active Directory (Ad) Views.


I rebuilt my Splunk server (version 6.1.3) and installed the Universal Forwarders with the TA for Windows deployed on all my domain controllers. I see data coming in from the Windows Security Eventlog into the index "WinEventLog". The Splunk App for Windows Infrastructure (1.0.2) is installed. It does not see the data from that index, or at least I do not think it does. I tried modifying the winevents.conf file to select the correct indexes but must be doing something wrong. Also, when I run the detect in the setup for the Splunk App for Windows Infrastructure it does not detect anything except Group Policy and Organizational Units.

Why does the Transaction command for "All Time" not include all recent events?


I have searched lots of transaction questions and don't see any related to this question. I have a search that defines a common field across multiple events. This search displays lots of events consistently, back to the first relevant event up through the current time, for all time periods:

- When it runs for the Last 24 hours time period, it lists 3838 events.
- When it runs for the Last 7 Days time period, it lists 24,027 events from 9/5 – 9/12/14, including today's events.
- When it runs for the Week-to-Day time period, it lists 19,274 events from 9/7 – 9/12/14, including today's events.
- When it runs for the Month-to-Day time period, it lists 48,192 events from 9/1 – 9/12/14, including today's events.
- When it runs for the Last 30 Days time period, it lists 79,311 events from 8/22 – 9/12/14, including today's events.
- When it runs for the Previous Month, August, time period, it lists 31,156 events from 8/22 – 8/31/14, nothing before 8/22.
- When it runs for the Year-to-Day time period, it lists 79,311+ events from 8/22 – 9/12/14, including today's events.

Take the same search and add the transaction command on that common field to create transactions that combine events with matching values of that common field:

" ... | rex field=_raw "(?P CCID...) ..." | transaction CCID

(The actual search doesn't display correctly here. The brackets around the CCID don't display here, but they are there.)

- When it runs for the Last 24 hours time period, it shows 3605 events since yesterday at this time.
- When it runs for the Yesterday time period, it shows 4883 events yesterday.
- When it runs for the Week-to-date time period, it only shows data for the first 2 days of the Week-to-date period, nothing for yesterday or the Last 24 Hours.
- The previous 2 commands demonstrate that there is data from yesterday and today which doesn't show up in the Week-to-date period.
- When it runs for the Month-to-Date time period, it only shows data for the first 2 days of the month and none of the data shown by the previous 3 commands, Week-to-Date, Yesterday and Last 24 Hours.
- When it runs for the Year-to-Date or All Time time periods, it only shows data through August, none of the data shown for the previous 4 commands.

Adding the transaction command appears not to include all of the more recent data for several time periods (Month-to-Date, Year-to-Date or All Time) that is displayed by the Last 24 Hours and Yesterday commands and by the searches without the transaction command. This occurs in both regular search windows and in dashboard panels. Is there a reason for this? It appears not to be correct. Thanks much for your help.