Channel: Latest Questions on Splunk Answers

metadata search in a macro doesn't seem to work

Hi, I am trying to put a metadata search into a macro, but having trouble making it work.

The macro is something like the following (there is more to it, but this will allow you to replicate):

| metadata type=hosts index=myindex

When I run the macro, I get an error "Error in 'metadata' command: This command must be the first command of a search."

It would seem that something is inserted in front of the pipe which is stopping the macro from running. I need it in a macro as I am calling it from a form which calls a number of different macro searches that I have set up as reports. Specifying the pipe outside of the macro is not an option.


Multiple apps that receive on UDP/514 on a heavy forwarder

I'm trying to prevent unnecessary sprawl in our current Splunk environment and I want to funnel all udp:514 traffic from systems that cannot change port at point of departure to a heavy forwarder that will load balance across indexers. I'm running into some challenges in doing so based on how different Splunk apps treat the port.

Cisco IOS: looks for sourcetype=syslog and transforms and writes the data to the ios index. Splunk app for Netapp Data OnTAP: needs udp:514's sourcetype to be ontap:syslog

How could I effectively have apps written to use syslog ports differently work together on the same heavy forwarder if they require the default sourcetype to be different at the point of arrival?

searchTemplate and searchPostProcess

Splunk version 5.0.3

I want the searchTemplate to auto-start in the background, then the user can select a user to query. When running the dashboard, the searchTemplate is run but the post process is not appended to the query.

<form>
  <label>bleung_dashboard_search</label>
  <description/>
  <searchTemplate>`audit_searchlocal` 
| convert num(total_run_time) 
| eval user = if(user="n/a", null(), user) 
| `audit_rexsearch` 
| eval is_scheduled = if(search_id LIKE "scheduler%", "yes", "no") 
| stats min(_time) as _time first(user) as user first(total_run_time) as total_run_time first(is_scheduled) as is_scheduled first(search) as search by search_id 
| search user=* 
| sort - total_run_time 
| fields - search_id
  </searchTemplate>
    <earliestTime>-24h</earliestTime>
    <latestTime>-1m</latestTime>

  <fieldset submitButton="true">
    <input type="dropdown" token="user">
      <label>Users</label>
      <choice value="admin">admin</choice>
      <choice value="bleung">bleung</choice>
    </input>
  </fieldset>
  <row>
      <table>
        <searchPostProcess>search user=$user$</searchPostProcess>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
      </table>
  </row>
</form>

Cisco IPS Error [errno="" 8]

I have been attempting to set up the Cisco IPS app for Splunk 6. However, I am getting the following error in the sdee_get.log:

INFO - Checking for exsisting SubscriptionID on host: <IPADDRESS>
INFO - No exsisting SubscriptionID for host: <IPADDRESS>
INFO - Attempting to connect to sensor: <IPADDRESS>
INFO - Successfully connected to: <IPADDRESS>
ERROR - Connecting to sensor - <IPADDRESS>: URLError: <urlopen error [Errno 8] _ssl.c:521: EOF occurred in violation of protocol>

where <ipaddress> is the IP address of the IPS. Does anyone have any thoughts on what the error is? Any help is greatly appreciated.

VMWare app does not accept license

Hi

I have installed a VMWare license on my license master, and my search head and indexers are license slaves to that. The license is valid.

Now I have installed the two apps SA-VMW-Licensecheck and SA-Utils according to http://docs.splunk.com/Documentation/VMW/latest/Install/Componentreferencetable

But my search head keeps bugging me about "You have no license for Splunk App for VMWare, Contact sales for a license".

Anyone have an idea why? And maybe a solution to the problem?

André

What field is being matched on?

I'm running the below Splunk search and am getting some confusing results.

sourcetype=access_combined POST | rex field=_raw "(?P<response_time>\d([0-9]{5,5}))" | stats count, min(response_time),max(response_time),avg(response_time),median(response_time),stdev(response_time) by host

Below are some of the returned results:

192.168.254.2|-|-|[06/Jun/2014:12:13:03 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|2802350
192.168.254.2|-|-|[06/Jun/2014:12:13:03 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|2473207
192.168.254.2|-|-|[06/Jun/2014:12:13:02 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|3438605
192.168.254.2|-|-|[06/Jun/2014:12:12:46 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|5334750
192.168.254.2|-|-|[06/Jun/2014:12:12:44 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|13049640

Based on the rex I should only be getting results where the field is a 5-digit, digits-only field. Looking at the results I'm not seeing any 5-character digit-only fields. The last field is the Apache response time in microseconds, so that's what I'm going for. The only thing I can think of is that it's somehow matching on the date field, but there are special characters in between, so I'm not sure how that's possible.

Inputs.conf password encryption

When I restart Splunk (6.0) on my Linux forwarder, the password in the inputs.conf file remains in clear text. The passwords in my outputs.conf and server.conf files are encrypted. Any thoughts?

Regular expression for a pattern

Hi, we have some URIs as shown below which have 2 words (/verify/abrasives) before /ecatalog, or 3 words, or 4 words. I want to get the URIs only after /ecatalog.

/verify/abrasives/ecatalog/N-bi1/Ntt-3M+Abrasives /verify/bearings/power-transmission/ecatalog/N-aoj /verify/abrasive-cut-on/power-saws-and-accessories/power-tools/ecatalog/N-caiZ1z0d6at

I have tried this, but it did not give me proper results. Any suggestions?

Base search | rex field=uri_path ".*?(?<custom>[^(?:/ecatalog)]+)"
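
Both this rex and the response_time rex in the "What field is being matched on?" question above fail for the same reason: the pattern matches something other than what its wording suggests. The Python below is an added example, not code from either post; the two anchored alternatives are my suggestions, and Python's re spells a named group `(?P<name>...)` where Splunk's rex writes `(?<name>...)`. It runs each pattern against the sample data from the two questions:

```python
import re

# Constructed copies of the sample data posted in the two questions.
ACCESS_EVENT = ('192.168.254.2|-|-|[06/Jun/2014:12:13:03 -0400]|'
                '"POST /order/app1/123 HTTP/1.0"|200|284|"-"|'
                '"Jakarta Commons-HttpClient"|2802350')
URI_PATHS = [
    "/verify/abrasives/ecatalog/N-bi1/Ntt-3M+Abrasives",
    "/verify/bearings/power-transmission/ecatalog/N-aoj",
    "/verify/abrasive-cut-on/power-saws-and-accessories/power-tools/ecatalog/N-caiZ1z0d6at",
]

# Pitfall 1: \d([0-9]{5,5}) does not mean "a field of exactly five digits".
# It means "six consecutive digits, anywhere in the event", and the capture
# keeps only the last five of them. The first six-digit run in the sample
# event is inside the final field 2802350, so the capture is "80235".
RESPONSE_TIME_AS_POSTED = re.compile(r"\d(?P<response_time>[0-9]{5,5})")
# Suggested alternative: the response time is the digits after the final pipe.
RESPONSE_TIME_ANCHORED = re.compile(r"\|(?P<response_time>\d+)$")

# Pitfall 2: [^(?:/ecatalog)] is a negated *character class*: one character
# that is none of ( ? : / e c a t l o g. It does not mean "not the string
# /ecatalog". With the lazy .*? in front, the first run of such characters
# in every sample path is just the "v" of "/verify".
CUSTOM_AS_POSTED = re.compile(r".*?(?P<custom>[^(?:/ecatalog)]+)")
# Suggested alternative: match the literal segment, capture what follows it.
CUSTOM_AFTER_ECATALOG = re.compile(r"/ecatalog/(?P<custom>.+)")


def capture(pattern, text, group):
    """Return the named group of the first match, or None if nothing matches."""
    m = pattern.search(text)
    return m.group(group) if m else None
```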


500 Internal Server Error

Running latest 5.x on my search head and have noticed lately that more and more users are randomly getting a "500 Internal Server Error" when trying to access or edit saved searches.

What would cause this and how do I fix the issue so that users do not get the 500 error?

SEDCMD - replace a delimiter for portion of the event, but not for complete event.

I want to replace the commas within the array value. I don't want to replace all commas, but only those within the square brackets, i.e. the array member delimiter.

2014-06-05 05:03:53-07:00 retail_analytics INFO {"actionId":47533796,"clientIP":"127.0.0.1","actions":["Action1","Action2","Action3"],"user":"alia",location:"usa","pagesviews":["page1","page2"]}

What is the SED command syntax to do it?

transaction command not working?

I have a situation, scanning servicemix logs (Apache Fuse/ESB logs) wherein I have an identifier called "JOBID" ... If I do this:

sourcetype=servicemix JOBID=ABC123

I get all the events for that JOBID. If I instead do:

sourcetype=servicemix | transaction JOBID maxevents=-1 | search JOBID=ABC123

I get nothing. If I do:

sourcetype=servicemix |transaction JOBID maxevents=-1 | search ABC123

I also get nothing.

If I do:

sourcetype=servicemix JOBID=ABC123 |transaction JOBID maxevents=-1

I get the transaction.

Suggestions?

Most Secure Cipher Collection to Use with Splunk

What would be the most "secure" cipher suite to use with Splunk? By most secure I mean one that implements perfect forward secrecy (DHS or ECDHE) and a hashing algorithm that has not been cracked (SHA256+). Another consideration to keep in mind is one that works with most browsers (so compatibility would be a factor).

Splunk 6.03 ships with OpenSSL 1.01g, which comes with the following cipher suite (seems like a decent list to me):

$ openssl ciphers -v 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:
DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:
ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:
ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:
DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:
DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:
AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK' |column -t

Has anyone specified a set/collection of ciphers they allow using web.conf:

[settings]
cipherSuite = TLSv1

Advice, suggestions, context is welcomed.
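
As an added example (not from the post), the Python below reads the `openssl ciphers -v` output the question pipes through `column -t`, keeps only suites whose key exchange is ephemeral (EC)DH and whose MAC is SHA-256 or better (or AEAD), and drops RC4/DES/3DES. The sample output is constructed in the OpenSSL 1.0.x column layout rather than captured from a host; the colon-joined result is the OpenSSL cipher-string form that web.conf's cipherSuite setting takes.

```python
import re

# Constructed sample of `openssl ciphers -v` output (OpenSSL 1.0.x layout:
# name, protocol, Kx=, Au=, Enc=, Mac=). Not captured from a real host.
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256       TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)    Mac=SHA256
ECDHE-RSA-AES128-SHA        SSLv3   Kx=ECDH     Au=RSA  Enc=AES(128)    Mac=SHA1
AES128-GCM-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-RC4-SHA           SSLv3   Kx=ECDH     Au=RSA  Enc=RC4(128)    Mac=SHA1
DES-CBC3-SHA                SSLv3   Kx=RSA      Au=RSA  Enc=3DES(168)   Mac=SHA1
"""

LINE = re.compile(r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
                  r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)")

# Kx=ECDH / Kx=DH are the ephemeral exchanges; Kx=RSA (and static
# "ECDH/RSA") give no forward secrecy. AEAD suites (GCM) carry no separate MAC.
FORWARD_SECRET_KX = {"ECDH", "DH"}
ACCEPTABLE_MAC = {"SHA256", "SHA384", "AEAD"}
WEAK_ENC_PREFIXES = ("RC4", "DES", "3DES")


def parse(output):
    """Turn `openssl ciphers -v` text into one dict per suite."""
    return [m.groupdict() for m in (LINE.match(l) for l in output.splitlines()) if m]


def meets_policy(suite):
    """Forward secrecy, SHA-256 or better (or AEAD), and no RC4/DES/3DES."""
    return (suite["kx"] in FORWARD_SECRET_KX
            and suite["mac"] in ACCEPTABLE_MAC
            and not suite["enc"].startswith(WEAK_ENC_PREFIXES))


def filter_suites(output):
    """Names of the suites that pass, in the order openssl listed them."""
    return [s["name"] for s in parse(output) if meets_policy(s)]


def to_cipher_string(names):
    """Join into the colon-separated OpenSSL cipher-string form."""
    return ":".join(names)
```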

Alerts and Headlines don't work on App for Unix

Hi,

I've followed all the steps to configure the App for Unix and alerts as well. However, both alerts and Headlines are not working.

Regards, Rodrigo

scheduling best practices question

Yes, I read the http://docs.splunk.com/Documentation/Splunk/latest/Alert/Definescheduledalerts document, but I'm still somewhat confused with regard to the following:

Coordinate the alert's search schedule with the search time range. This prevents situations where event data is accidentally evaluated twice by the search (because the search time range exceeds the search schedule, resulting in overlapping event data sets), or not evaluated at all (because the search time range is shorter than the search schedule).

Schedule your alerting searches with at least 60 seconds of delay. This practice is especially important in distributed search Splunk implementations where event data might not reach the indexer precisely at the moment when it is generated. A delay ensures that you are counting all of your events, not just the ones that were quickest to get indexed.

So is this basically telling me I should not do less than 6-minute searches (allowing for a 60-second delay)? Essentially, I'd like to know if something occurred in the past 5 minutes. Would the following work?

earliest: -5m@m latest: now cron expression: /5 * * *

Creating a Splunk Alert off failed ssh pattern

Hi All...

I am trying to figure out how to generate an alert if the same IP address fails SSH authentication on multiple sources (hosts).

Example Data

Jun  5 08:26:55 clunker-aus sshd[4087]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=140.22.0.186  user=monitor
Jun  5 08:26:55 webserver-aus sshd[4089]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=140.22.0.186  user=root
Jun  5 08:26:55 server1 sshd[4090]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=140.22.0.186  user=root

How would I create an alert for a pattern matching this in, let's say, a 5-minute window against 3 or more hosts?

Thanks in advance =)
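
The detection the question asks for, written in Python rather than SPL as an added example (not from the post): parse the pam_unix failure lines, floor each timestamp into a 5-minute bucket, and report any rhost that failed against three or more distinct reporting hosts within one bucket, which is what a scheduled search with a fixed 5-minute range would compute. The fourth log line and the year 2014 are constructed (syslog timestamps carry no year).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the three lines from the question plus a fourth from an
# unrelated source address that must NOT trigger the alert.
LOGS = """\
Jun  5 08:26:55 clunker-aus sshd[4087]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=140.22.0.186  user=monitor
Jun  5 08:26:55 webserver-aus sshd[4089]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=140.22.0.186  user=root
Jun  5 08:26:55 server1 sshd[4090]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=140.22.0.186  user=root
Jun  5 08:30:01 server1 sshd[4101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.8.7  user=root
"""

# syslog header (month, day, time), the reporting host, then the pam_unix
# failure text; rhost is the source address that failed to authenticate.
FAILURE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"pam_unix\(sshd:auth\): authentication failure;.*?rhost=(?P<rhost>\S+)")


def parse_failures(text, year=2014):
    """Yield (timestamp, reporting_host, rhost) for every matching line."""
    for line in text.splitlines():
        m = FAILURE.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["host"], m["rhost"]


def offenders(text, window=timedelta(minutes=5), min_hosts=3):
    """Map rhost -> sorted distinct hosts for sources that failed against at
    least min_hosts hosts inside a single window-aligned bucket."""
    buckets = defaultdict(set)
    for ts, host, rhost in parse_failures(text):
        bucket = ts - (ts - datetime.min) % window  # floor to window boundary
        buckets[(bucket, rhost)].add(host)
    return {rhost: sorted(hosts) for (_, rhost), hosts in buckets.items()
            if len(hosts) >= min_hosts}
```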


NetApp not in Splunk Home

I am setting up a Linux server with Splunk 6.0.4. I want to install "Splunk App for NetApp Data ONTAP". I followed the instructions for downloading and installing the app. After installing from file and restarting Splunk, the app fails to appear in Splunk Home. When I tried to re-install from file I received the error: "App with this name already exists."; yet still no app is displayed in Splunk Home.

Anyone know how to fix this? Thanks.

Splunk - retrieve nth word in a string

Hi,

How can I retrieve the nth word in a string using rex or other alternatives?

For example: "ABC BBC XYZ QAS"
"POP IMP RIL WER"

I want to extract XYZ and RIL here. Please note that they will always be the 3rd word, but the number of characters before them can vary.

Streamstats and resetting a running total

I'm using streamstats to calculate the running total for a value

... | streamstats sum(amount) as cumulativeAmount

But I need to reset the running total whenever a particular event is encountered and I can't seem to figure out how.

An example of the output I'm trying to achieve:

amount=10 cumulativeAmount=10
amount=12 cumulativeAmount=22
amount=4 cumulativeAmount=26
reset cumulativeAmount=0
amount=5 cumulativeAmount=5
reset cumulativeAmount=0
amount=8 cumulativeAmount=8
amount=11 cumulativeAmount=19

I've tried this:

... | eval cumulativeAmount=case(someCriteria, 0) | streamstats sum(amount) as cumulativeAmount

But streamstats overwrites the cumulativeAmount set by the eval. I've also tried something like:

... | streamstats sum(eval(case(someCriteria1, amount, someCriteria2, latest(cumulativeAmount)*-1))) as cumulativeAmount

But Splunk complains that latest isn't a function you can use inside a case. Any other way of doing this would be fine, doesn't need to be with streamstats. Any ideas?

500 Internal Error while user sso to Splunk

Splunk UI

500 Internal Server Error

Return to Splunk home page

An error occurred while rendering the page template. See web_service.log for more details

web_service.log

2014-06-07 00:28:41,836 ERROR   [53925cb9a639d2ad0] config:81 - [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/services/search/timeparser/tz
Traceback (most recent call last):
  File "/ngs/app/splunk_user/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/lib/config.py", line 79, in getServerZoneInfo
    return times.getServerZoneinfo()
  File "/ngs/app/splunk_user/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/lib/times.py", line 158, in getServerZoneinfo
    serverStatus, serverResp = splunk.rest.simpleRequest('/search/timeparser/tz')
  File "/ngs/app/splunk_user/splunk/lib/python2.7/site-packages/splunk/rest/__init__.py", line 483, in simpleRequest
    raise splunk.AuthorizationFailed(extendedMessages=uri)
AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/services/search/timeparser/tz

2014-06-07 00:28:41,896 ERROR   [53925cb9a639d2ad0] __init__:281 - Mako failed to render: 
Traceback (most recent call last):
  File "/ngs/app/splunk_user/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/controllers/__init__.py", line 277, in render_template
    return templateInstance.render(**template_args)
  File "/ngs/app/splunk_user/splunk/lib/python2.7/site-packages/mako/template.py", line 283, in render
    return runtime._render(self, self.callable_, args, data)
  File "/ngs/app/splunk_user/splunk/lib/python2.7/site-packages/mako/runtime.py", line 575, in _render
    **_kwargs_for_callable(callable_, data))
  File "/ngs/app/splunk_user/splunk/lib/python2.7/site-packages/mako/runtime.py", line 607, in _render_context
    _exec_template(inherit, lclcontext, args=args, kwargs=kwargs)
  File "/ngs/app/splunk_user/splunk/lib/python2.7/site-packages/mako/runtime.py", line 633, in _exec_template
    callable_(context, *args, **kwargs)
  File "/ngs/app/splunk_user/splunk/share/splunk/search_mrsparkle/templates/layout/base.html", line 10, in render_body
    <%self:render/>
  File "/ngs/app/splunk_user/splunk/share/splunk/search_mrsparkle/templates/layout/base.html", line 25, in render_render
    ##
  File "/ngs/app/splunk_user/splunk/share/splunk/search_mrsparkle/templates/layout/base.html", line 67, in render_pagedoc
    % else:
  File "/ngs/app/splunk_user/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/lib/config.py", line 103, in getConfig
    args.update(_get_app_config(namespace))
  File "/ngs/app/splunk_user/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/lib/config.py", line 48, in _get_app_config
    rawConfig = splunk.bundle.getConf('app', namespace=app)
  File "/ngs/app/splunk_user/splunk/lib/python2.7/site-packages/splunk/bundle.py", line 39, in getConf
    serverResponse, serverContent = rest.simpleRequest(uri, getargs={'fillcontents':1}, sessionKey=sessionKey)
  File "/ngs/app/splunk_user/splunk/lib/python2.7/site-packages/splunk/rest/__init__.py", line 483, in simpleRequest
    raise splunk.AuthorizationFailed(extendedMessages=uri)
AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/509693468/search/properties/app?fillcontents=1

splunk and cassandra

Hi,

Can Splunk monitor Cassandra?
