Channel: Latest Questions on Splunk Answers

The error in Splunk Reference App - PAS

I found a mistake in policy_violations.js:

    function updatePolicyViolations(donutSeriesView) {
        var dataSearch = mvc.Components.get('policy_violations_color_summary');
        // Rerun search
        dataSearch.startSearch();
        ...
    }

Error: Uncaught TypeError: Cannot read property 'startSearch' of undefined

Anyone know how to fix this error?

Reuse a result from a previous search

Hi, I want to create a dashboard with the same specifications. I want to make 2 searches:

1. The first one (index='text' | count) will give a result, for example result=250.
2. The second one will be based on the result of the first one: (index='text' type='cpu' | eventstats sum(nombre) as total | eval pourcentage=round((nombre/result)*100,2) | table EventType, nombre, pourcentage).

Do you have some ideas? Thank you all, have a nice day

TIME_PREFIX for nix-all-logs

Hi there.. I have a big problem with props.conf. I have logs from a server with a time format like this: 0402 220121.414712. This means MMDD HHMMSS.QQQQQQ. I need help with a regex for props.conf; respectively, I need to convert this string into a time. Thanks for any help, Nikola
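
An added, stand-alone check for the format in the question (my code, not from the post or from the *nix add-on): it parses the MMDD HHMMSS.ffffff stamp with the same kind of format string Splunk's TIME_FORMAT takes, and rejects lines that do not start with one. The props.conf lines in the comment are the settings I would derive from it; they assume the stamp begins the line, which the post does not show, so TIME_PREFIX may need adjusting. The text after the timestamp in the sample lines is invented for illustration.

```python
import re
from datetime import datetime

# Constructed sample lines: the timestamp shape is from the question
# (MMDD HHMMSS.microseconds); the message text after it is invented.
SAMPLE_LINES = [
    "0402 220121.414712 sshd[1234]: Accepted publickey for nikola from 10.0.0.5",
    "0402 220122.000001 sshd[1234]: session opened for user nikola",
]

# Assumed props.conf equivalent (not from the page), for a stamp at line start:
#   TIME_PREFIX = ^
#   TIME_FORMAT = %m%d %H%M%S.%6N
#   MAX_TIMESTAMP_LOOKAHEAD = 18
# Exactly four digits, a space, six digits, a dot, six digits, then whitespace or EOL.
TS_RE = re.compile(r"^(?P<ts>\d{4} \d{6}\.\d{6})(?=\s|$)")


def parse_timestamp(line: str, year: int) -> datetime:
    """Return the event time of one line.

    The log carries no year, so the caller supplies one (Splunk likewise has to
    infer a year when the event lacks it). Lines without a leading stamp raise.
    """
    m = TS_RE.match(line)
    if m is None:
        raise ValueError(f"no MMDD HHMMSS.ffffff timestamp at start of line: {line!r}")
    # Prepend the year so strptime yields a full date; %f consumes the six fraction digits.
    return datetime.strptime(f"{year}{m.group('ts')}", "%Y%m%d %H%M%S.%f")


def parse_lines(lines, year: int):
    """Pair every line with its parsed timestamp, in file order."""
    return [(parse_timestamp(line, year), line) for line in lines]
```

Run against the two constructed lines, parse_lines returns 2015-04-02 22:01:21.414712 and 22:01:22.000001 when given year 2015; a line that does not begin with the stamp raises ValueError instead of being silently stamped with the wrong time.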

DSPJRN export format

Hey all, I have the below as my DSPJRN export. The app doesn't seem to be parsing it properly; it is showing the timestamp as user. Below it is:

    TIME . . . . . . . . 04:30:15 04/02/15 04:30:15                                                   PAGE 1
    ENTRY   SEQUENCE              CODE  TYPE  TIMESTAMP                    JOB    USER   JOB     PROGRAM   PROGRAM
    LENGTH  NUMBER                                                         NAME   NAME   NUMBER  NAME      LIBRARY
    1,412   00000000000000000002  T     CA    2015-02-25-00.50.55.922848   SCPF   QSYS   0       QWCISCFR  QSYS
    1,366   00000000000000000003  T     CO    2015-02-25-00.50.55.923488   SCPF   QSYS   0       QWCISCFR  QSYS
    1,386   00000000000000000004  T     OW    2015-02-25-00.50.55.927600   SCPF   QSYS   0       QWCISCFR  QSYS
    1,412   00000000000000000005  T     CA    2015-02-25-00.50.55.953392   SCPF   QSYS   0       QWCISCFR  QSYS
    1,366   00000000000000000006  T     CO    2015-02-25-00.50.55.957616   SCPF   QSYS   0       QWCISCFR  QSYS
    1,412   00000000000000000007  T     CA    2015-02-25-00.50.55.962464   SCPF   QSYS   0       QWCISCFR  QSYS
    1,366   00000000000000000008  T     CO    2015-02-25-00.50.55.962496   SCPF   QSYS   0       QWCISCFR  QSYS
    1,412   00000000000000000009  T     CA    2015-02-25-00.50.55.979712   SCPF   QSYS   0       QWCISCFR  QSYS
    1,386   00000000000000000010  T     OW    2015-02-25-00.50.55.979744   SCPF   QSYS   0       QWCISCFR  QSYS
    1,366   00000000000000000011  T     DO    2015-02-25-00.50.58.899136   SCPF   QSYS   0       QWCISCFR  QSYS
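
The app in the question is not named, so rather than guess at its props.conf, here is an added, stand-alone parser for the listing above (my code, not the app's or the page's). It skips the page header and the two-line column header, captures the ten columns with a named-group regex anchored on the 20-digit sequence number and the DB2-style timestamp, and parses that timestamp, so USER and TIMESTAMP cannot be confused. The props.conf keys in the comment are the settings I would derive from the regex and are assumptions; the sample text is constructed from four of the rows quoted in the post.

```python
import re
from datetime import datetime

# Constructed from the DSPJRN listing quoted in the question (four of its entries).
SAMPLE_EXPORT = """\
TIME . . . . . . . . 04:30:15 04/02/15 04:30:15 PAGE 1
ENTRY   SEQUENCE              CODE  TYPE  TIMESTAMP                    JOB    USER   JOB     PROGRAM   PROGRAM
LENGTH  NUMBER                                                         NAME   NAME   NUMBER  NAME      LIBRARY
1,412   00000000000000000002  T     CA    2015-02-25-00.50.55.922848   SCPF   QSYS   0       QWCISCFR  QSYS
1,366   00000000000000000003  T     CO    2015-02-25-00.50.55.923488   SCPF   QSYS   0       QWCISCFR  QSYS
1,386   00000000000000000004  T     OW    2015-02-25-00.50.55.927600   SCPF   QSYS   0       QWCISCFR  QSYS
1,366   00000000000000000011  T     DO    2015-02-25-00.50.58.899136   SCPF   QSYS   0       QWCISCFR  QSYS
"""

# One data row: ten whitespace-separated columns. The 20-digit sequence number and
# the YYYY-MM-DD-HH.MM.SS.ffffff timestamp are what keep header lines from matching.
ENTRY_RE = re.compile(
    r"^(?P<entry_length>\d{1,3}(?:,\d{3})*)\s+"
    r"(?P<sequence>\d{20})\s+"
    r"(?P<code>[A-Z])\s+"
    r"(?P<type>[A-Z0-9]{2})\s+"
    r"(?P<timestamp>\d{4}-\d{2}-\d{2}-\d{2}\.\d{2}\.\d{2}\.\d{6})\s+"
    r"(?P<job_name>\S+)\s+"
    r"(?P<user>\S+)\s+"
    r"(?P<job_number>\d+)\s+"
    r"(?P<program>\S+)\s+"
    r"(?P<library>\S+)\s*$"
)

# Assumed props.conf equivalent (not from the page; apply to the app's sourcetype):
#   TIME_PREFIX = ^[\d,]+\s+\d{20}\s+\S+\s+\S+\s+
#   TIME_FORMAT = %Y-%m-%d-%H.%M.%S.%6N
#   MAX_TIMESTAMP_LOOKAHEAD = 26
#   EXTRACT-dspjrn = the regex above (Splunk's PCRE also accepts (?<name>...) groups)


def parse_dspjrn(text: str):
    """Return one dict per journal entry; page and column header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m is None:
            continue  # "TIME . . .", "ENTRY ...", "LENGTH ..." and blank lines
        rec = m.groupdict()
        rec["entry_length"] = int(rec["entry_length"].replace(",", ""))
        rec["job_number"] = int(rec["job_number"])
        rec["timestamp"] = datetime.strptime(rec["timestamp"], "%Y-%m-%d-%H.%M.%S.%f")
        entries.append(rec)
    return entries
```

On the constructed sample, parse_dspjrn returns four records with user "QSYS", program "QWCISCFR" and microsecond-precision timestamps, and nothing for the three header lines; if the app's extraction were doing the same, the user field could never receive the timestamp.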

No IPS events

Hello, I set up Cisco Security Suite and the Splunk Add-on for Cisco ASA. I set the connection parameters. In the IPS logs I see message descriptions like:

    User logged into HTTP server userName: cisco userAddress: 172.16.19.30

But in the dashboards it is empty!!! though there are alerts in IPS.

I am unable to graph each event by start_time and end_time?

Hi, I have a log file as shown below:

    start_time=2015-04-02 10:41:54,end_time=2015-04-02 10:42:51,duration=57,event=JAVA
    start_time=2015-04-02 10:47:27,end_time=2015-04-02 10:48:41,duration=74,event=coherence
    start_time=2015-04-02 11:15:58,end_time=2015-04-02 11:16:11,duration=13,event=nosql

With this data I want to show each event's start_time and end_time. Can anyone help? Thank you

Splunkd not starting

My certificates expired recently and I did the procedures in this article: http://docs.splunk.com/Documentation/Splunk/latest/Security/Howtogetthird-partycertificates#Next_steps . All the steps were successful and I managed to combine the requested files into one. I placed it under Splunk_home\etc\auth\mycerts\ and restarted Splunk. Splunkweb is starting fine but splunkd is not. Can you advise me on what I did wrong and how I can get this working? I am new to Splunk as I got the server from another colleague who resigned.

Processing of inputs.conf

Is inputs.conf processed in a linear manner? And once a file falls into a given monitor stanza, does it then stop processing through the inputs.conf? For instance, say I have 2 monitor stanzas. The first one monitors /data/foo/myFolder/* and the second one monitors /data/foo/*. I want to assign different sourcetypes to each of these stanzas. Will files in /data/foo/myFolder/ get assigned the correct sourcetype since the files technically fall into both stanzas?

How to delete all indexed data and reindex from all the forwarders in our environment?

We're still building out our Splunk environment (pre-implementation) and have been forwarding data from lots of different data sources. We're still working on correctly defining sourcetypes via inputs.conf. Once we have inputs.conf fully defined, I plan to delete all indexed data using the `./splunk clean eventdata -index` command. I then want to reindex all the data from all the forwarders. Do I need to do anything to make this happen (once the data has been deleted from the indexes)? Do I need to add crcSalt = to each stanza in inputs.conf? Do I also need to run the `./splunk clean all` command on each forwarder to clear out the _fishbucket? Thanks.

Why do I only see the current day's results in searches and should all files in /opt/splunk/var/lib/splunk be owned by root?

I'm a total Splunk newbie, and I inherited a Splunk server running on Red Hat Enterprise Linux 5. The other day, I did a reboot of the system. Since then, I can only view the current day's data when I run a search. The version of Splunk is 5.0.9, build 213964, platform linux x86_64. The splunkd service is running as root, but when I look in `/opt/splunk/var/lib/splunk`, I see that all the files except for the ones ending in .dat are owned by splunk:splunk. The .dat files are owned by root:root. Should they all be owned by root?

Is it possible to integrate a d3.js chart with Simple XML using the html and script tags in the form and panel elements of Simple XML?

Basically I have a number of dashboards developed in Simple XML. I want to add custom d3.js visualizations to these dashboards for some of the panels. I do not want to convert the page to an HTML page as that would make it harder to use. While Django bindings are an option, I want to know if it's possible to add custom HTML and JS to Simple XML to create d3 visualizations. Something like this:
## add custom html code ## and render it through custom JS ##
I have seen that many HTML tags do not work this way and there is limited functionality available. I was hoping someone could point to a working example if it's possible to implement.

Mobile Access Server: Why can't I just access the Search & Reporting app within the Splunk Mobile App?

I have the Mobile Access Server up and running. I am able to log in and view dashboards and reports. I have a basic question and maybe I am missing something, but why can't I just access the Search app within the Mobile app? Why am I only able to access a dashboard or report? I was able to build a pseudo Search dashboard by creating a panel, adding a time picker and adding a text field. This seems silly. If anything I will continue to use the responsive nature of the regular web app. Thanks

While installing the Mobile Access Server, why is Mongo throwing "error number 14" when trying to start the service?

Hello, I'm trying to install Splunk Mobile Server on my standalone Splunk server, but once it is unzipped, trying to start the service I get this error:

    /opt/mserver# sh server.sh start
    starting data service... it might take up to couple minutes
    /opt/mserver/server/node_modules/co/index.js:292
            throw err;
                  ^
    Error: data service failed to startup, output:about to fork child process, waiting until server is ready for connections.
    forked process: 6505
    ERROR: child process failed, exited with error number 14
        at MongoDaemon.start (/opt/mserver/server/lib/bundlemgr/mongo_linux.js:16:13)
        at GeneratorFunctionPrototype.next (native)
        at next (/opt/mserver/server/node_modules/co/index.js:74:21)
        at /opt/mserver/server/node_modules/co/index.js:93:18
        at Immediate._onImmediate (/opt/mserver/server/node_modules/co/index.js:52:14)
        at processImmediate [as _immediateCallback] (timers.js:374:17)

Any ideas what could be happening?

Context:
    Server: Ubuntu Trusty, updated
    Splunk Enterprise 6.2, updated
    Mserver downloaded: mserver-linux-release-2.0.1.tgz

Regards

If I have universal forwarders on Windows machines that are not on a domain (or a domain I don't control), can I still forward WinEventLog://Security?

If I have forwarders on Windows machines that are not on any domain (some on domains I don't control), can I still forward WinEventLog://Security? Right now I am having problems with these non-domain Windows servers actually sending data. They connect to the deployment server on 8089 and to the 9997 destination port, but just don't send data. I have looked at the forwarder logs and they have errors about binding with a domain controller. I got rid of these errors by including a line in the inputs.conf file on the forwarders. It took care of the DC bind errors, but didn't fix the data sending problem:

    [WinEventLog://Security]
    disabled = 0
    index = wineventlog
    start_from = oldest
    evt_resolve_ad_obj = 0

What am I doing wrong? Or, how do I get non-domain Windows universal forwarders to send data? Thanks.

How to limit the scope of SearchWhenChanged in simple XML to prevent other modules on my dashboard from being affected?

Hi, I have multiple modules in my dashboard. In one of the modules, I have a check box input panel which has to do a search when it is checked. When the value SearchWhenChanged is set to true for that module, it impacts other modules as well, which I do not want. Is there a Simple XML tag to limit the scope of this search to the module specified?

How to configure Splunk to forward search head cluster data to the indexer layer and verify it's working correctly?

I did have a previous post, "How to get search head cluster members to forward internal data to indexer cluster?", but I don't think it is working correctly yet. I am a bit confused by one item in the "Best practice: Forward search head data to the indexer layer" documentation (http://docs.splunk.com/Documentation/Splunk/6.2.2/DistSearch/Forwardsearchheaddata), step 1, which states:

    1. Make sure that all necessary indexes exist on the indexers. For example, the S.o.S app uses a scripted input that puts data into a custom index. If you install S.o.S on the search head, you need to also install the S.o.S Add-on on the indexers, to provide the indexers with the necessary index settings for the data the app generates. On the other hand, since _audit and _internal exist on indexers as well as search heads, you do not need to create separate versions of those indexes to hold the corresponding search head data.

Now I do have S.o.S configured (and running) on each of my search head cluster members, so do I also need to have S.o.S installed on the indexers if what I want to have pushed down to the indexer layer from the search head is the _audit and _internal data?

On the search head cluster members' outputs.conf (they have the same outputs.conf) I have the following:

    [tcpout]
    maxQueueSize = auto
    forwardedindex.0.whitelist = .*
    forwardedindex.1.blacklist = _.*
    forwardedindex.2.whitelist = (_audit|_internal|_introspection)
    forwardedindex.filter.disable = true
    indexAndForward = false
    autoLBFrequency = 30
    blockOnCloning = true
    compressed = false
    disabled = false
    dropClonedEventsOnQueueFull = 5
    dropEventsOnQueueFull = -1
    heartbeatFrequency = 30
    maxFailuresPerInterval = 2
    secsInFailureInterval = 1
    maxConnectionsPerIndexer = 2
    forceTimebasedAutoLB = false
    sendCookedData = true
    connectionTimeout = 20
    readTimeout = 300
    writeTimeout = 300
    useACK = false
    blockWarnThreshold = 100
    sslQuietShutdown = false
    defaultGroup = transtrophe_search_peers

    [syslog]
    type = udp
    priority =
    dropEventsOnQueueFull = -1
    maxEventSize = 1024

    [indexAndForward]
    index = false

    [tcpout:transtrophe_search_peers]
    server=ip-172-31-20-173:9997,ip-172-31-18-186:9997,ip-172-31-22-253:9997,ip-172-31-26-200:9997,ip-172-31-20-120:9997
    autoLB = true
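
The forwardedindex settings in a [tcpout] stanza are easy to misread, because the numbered whitelist/blacklist rules override one another in order and forwardedindex.filter.disable switches the whole list off. The following is an added, stand-alone evaluator of those rules (my code, not from the post or from Splunk) that answers "would events for index X leave this host?" for a given stanza. The semantics it models are my reading of outputs.conf.spec and are stated as assumptions in the code: rules are tested in <n> order with the last match deciding, filter.disable = true forwards everything, a regex is applied as a full match, and an index matching no rule is not forwarded. The dictionary is constructed from the stanza quoted above.

```python
import re

# Constructed excerpt of the [tcpout] stanza quoted in the question; only the
# index-filter keys are needed for this check.
TCPOUT_FROM_QUESTION = {
    "forwardedindex.0.whitelist": ".*",
    "forwardedindex.1.blacklist": "_.*",
    "forwardedindex.2.whitelist": "(_audit|_internal|_introspection)",
    "forwardedindex.filter.disable": "true",
}


def load_rules(tcpout):
    """Collect forwardedindex.<n>.whitelist / .blacklist in <n> order.

    The spec requires <n> to start at 0 with no gaps, so the scan stops at the
    first missing number; a rule carrying both keys is rejected as ambiguous.
    Each rule is returned as (allow?, compiled pattern).
    """
    rules = []
    n = 0
    while True:
        wl = tcpout.get(f"forwardedindex.{n}.whitelist")
        bl = tcpout.get(f"forwardedindex.{n}.blacklist")
        if wl is None and bl is None:
            break
        if wl is not None and bl is not None:
            raise ValueError(f"forwardedindex.{n} has both a whitelist and a blacklist")
        rules.append((wl is not None, re.compile(wl if wl is not None else bl)))
        n += 1
    return rules


def is_forwarded(index, tcpout):
    """Decide whether events bound for `index` leave this search head.

    Modelled semantics (my reading of outputs.conf.spec; confirm against your
    version's spec): filter.disable = true bypasses the list and forwards every
    index; otherwise rules are tested in <n> order and the last one that matches
    wins. Assumptions: the regex is applied as a full match, and an index that
    matches no rule at all is not forwarded.
    """
    if tcpout.get("forwardedindex.filter.disable", "false").strip().lower() == "true":
        return True
    decision = False
    for allow, pattern in load_rules(tcpout):
        if pattern.fullmatch(index):
            decision = allow
    return decision


def forwarding_table(tcpout, indexes):
    """Map each index name to its forwarding decision, for a quick sanity check."""
    return {idx: is_forwarded(idx, tcpout) for idx in indexes}
```

With the stanza exactly as quoted, forwarding_table reports True for every index, including ones the three rules would otherwise exclude, because filter.disable is true; flip that key to false and the same rules forward main, _audit and _internal but not, for example, _telemetry, which matches the blacklist and no later whitelist.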

REGEX - Field Extraction - IP but no CIDR notations

Hello, I am trying to extract fields from a feed that I have; the automated field extractor is not working for me, though. I want to tag the IP address at the very end of every line and call it 'src_ip'. However, the automated tool picks up the two CIDR notations every time as well as the IP address at the end of the line. I am looking for a regex that will only pick up the IP address at the end of each line, and NOT the CIDR notations.

    20150404 00:12 http://www.yahoo.com domain\user faddr=192.168.1.0/24 gaddr=192.168.1.0/24 192.168.1.68
    20150404 00:12 http://www.yahoo.com domain\user faddr=192.168.1.0/24 gaddr=192.168.1.0/24 192.168.1.21

I would really appreciate it if somebody could provide me with the regex. Many thanks
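
An added example (my code, not from the post) with two regexes for the feed above: the first does exactly what the question asks, anchoring on the address that ends the line so the faddr/gaddr CIDR blocks are never considered; the second goes further and finds any IPv4 address that is not part of a CIDR block wherever it sits, using a lookbehind so a match cannot start mid-number and a lookahead that rejects a following "/prefix". Both use strict 0-255 octets rather than the usual \d{1,3}. The sample lines are constructed from the two quoted in the post; the equivalent Splunk extraction would be `| rex "(?<src_ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"` or the same pattern in an EXTRACT- stanza.

```python
import re

# Constructed from the two feed lines quoted in the question.
SAMPLE_FEED = [
    r"20150404 00:12 http://www.yahoo.com domain\user faddr=192.168.1.0/24 gaddr=192.168.1.0/24 192.168.1.68",
    r"20150404 00:12 http://www.yahoo.com domain\user faddr=192.168.1.0/24 gaddr=192.168.1.0/24 192.168.1.21",
]

# Strict dotted quad: each octet 0-255, so "999.1.1.1" is not accepted.
OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
IPV4 = rf"{OCTET}(?:\.{OCTET}){{3}}"

# 1) What the question asks for: the address that ends the line, and nothing else.
SRC_IP_AT_EOL = re.compile(rf"(?P<src_ip>{IPV4})\s*$")

# 2) More general: any address that is not part of a CIDR block, wherever it sits.
#    The lookbehind stops a match from starting inside a longer number; the
#    lookahead refuses a trailing "/prefix" and refuses to end mid-number.
BARE_IP = re.compile(rf"(?<![\d.])({IPV4})(?![\d./])")


def extract_src_ip(line):
    """Return the trailing IP of a feed line, or None when the line has none."""
    m = SRC_IP_AT_EOL.search(line)
    return m.group("src_ip") if m else None


def bare_ips(line):
    """Return every non-CIDR IPv4 address in the line, in order of appearance."""
    return BARE_IP.findall(line)


def extract_feed(lines):
    """Field extraction over the whole feed: one src_ip (or None) per line."""
    return [extract_src_ip(line) for line in lines]
```

On the two constructed lines, extract_feed yields ["192.168.1.68", "192.168.1.21"], and bare_ips returns only the trailing address for each line, since 192.168.1.0/24 is skipped by the lookahead; a line such as "x 10.0.0.0/8 y 10.1.2.3 z" yields only 10.1.2.3.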

Adding JavaScript and CSS to a generated HTML dialog?

I have created an XML dashboard and that works fine. I had Splunk generate an HTML view of that dashboard so that I can add my own JavaScript and CSS for a tree viewer. Now I'm working on the HTML that Splunk generated. My question is: "Where do I put the CSS and .js files on the filesystem, and how do I reference the items in the HTML?" I have been using the path:

    $SPLUNK_HOME/etc/apps/-appname-/appserver/static

1. What path do I add to the in the HTML to get the CSS? I have been trying:

2. To get the JavaScript, I tried adding entries to the "LIBRARY REQUIREMENTS" section in the HTML, but I did not know what to use for the path in the require([]) arrays.

Some example HTML snippets would be great.

Bro fields aren't showing up

Any thoughts re: the new Bro TA not formatting the Bro fields in the files? Do I need to manually re-create them? None of these are coming in???

    #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents

What am I doing wrong!!!! Thanks in advance!

Creating an index under main

I want to hold the logs arriving by source