Friday, August 3, 2018

No indexes are shown for Roles in GUI after upgrade to 7.1.0

### SPL-156316, SPL-145546

Replace the $SPLUNK_HOME/etc/apps/search/default/data/ui/manager/authentication_roles.xml file on the search head with a version from any Splunk Enterprise 6.6.x release. Then refresh the configuration on the search head by calling a debug refresh (http[s]://[splunkweb hostname]:[splunkweb port]/debug/refresh) from a supported web browser.

Splunk 7.1.0 and DMA acceleration backfill.

Splunk version 7.1.0 data model backfill causes heavy load on indexer peers.
SPL-155560, SPL-155219

DMA accelerates too much data when acceleration.backfill_time is unset, resulting in heavy indexer load.
acceleration.backfill_time needs to be set for every accelerated data model in datamodels.conf. Otherwise the DMA will attempt to backfill the acceleration for "all time".

# To list all apps with accelerated data models on your SH or deployment server (/etc/deployment-apps), run:
grep --include="datamodels.conf" -R /opt/splunk/etc/apps/ -e "acceleration = true" -e "acceleration = 1"

Then make your changes in /local so they are not overwritten by upgrades. Also consider lowering max_concurrent from the default of 3 if your indexers are very busy. For every stanza with acceleration = 1 (or true), create your config:

acceleration.backfill_time = -5d
acceleration.max_concurrent = 2

How many days back you choose to backfill depends on your environment's performance, but it can never be more than "acceleration.earliest_time".

# verify datamodel

On the SH, go to Settings > Data Models.
List all apps, expand each data model that is accelerated, and check its status.
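The grep above only finds stanzas that turn acceleration on; it does not tell you which of them still lack a bounded backfill window, nor whether a local override already fixes it. The script below is an added example (not Splunk's own code) that walks an apps directory, merges default/ and local/ datamodels.conf per app the way Splunk layers them (local wins per key), flags accelerated models where acceleration.backfill_time is unset or larger than acceleration.earliest_time, or where max_concurrent is still at its default, and prints the local stanza to add. The sample apps it creates in a temp directory are constructed for the demo; the relative-time parser is a simplification that understands only forms like -5d, -1mon or -30d@d, and a [default] stanza is not applied to other stanzas.

```python
"""Audit Splunk datamodels.conf for accelerated data models with an unbounded
backfill window. Added example; not Splunk code. Run it with the path to
$SPLUNK_HOME/etc/apps as the first argument, or with no argument for the demo."""
import configparser
import re
import sys
import tempfile
from pathlib import Path

TRUE_VALUES = {"1", "true", "t", "yes", "y"}
# Rough seconds per Splunk relative-time unit (mon and y are approximations).
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800,
                "mon": 2592000, "y": 31536000}
# Matches -<n><unit> with an optional snap-to suffix such as @d; "mon" must
# be tried before "m".
REL_TIME = re.compile(r"^-(\d+)(mon|s|m|h|d|w|y)(@.*)?$")


def relative_seconds(value):
    """Size of a simple relative-time window in seconds, or None if the
    modifier is not one this helper understands (e.g. '0' or absolute times)."""
    m = REL_TIME.match(value.strip())
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)] if m else None


def is_true(value):
    return str(value).strip().lower() in TRUE_VALUES


def load_layered_datamodels(app_dir):
    """Merge default/ and local/ datamodels.conf for one app; local wins per key.
    Simplification: only these two layers, no [default] stanza inheritance."""
    merged = {}
    for layer in ("default", "local"):
        path = Path(app_dir) / layer / "datamodels.conf"
        if not path.is_file():
            continue
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.optionxform = str  # keep key case such as acceleration.backfill_time
        cp.read(path)
        for stanza in cp.sections():
            merged.setdefault(stanza, {}).update(dict(cp[stanza]))
    return merged


def audit_model(keys):
    """Return a list of problems for one accelerated data model stanza."""
    problems = []
    backfill = keys.get("acceleration.backfill_time")
    earliest = keys.get("acceleration.earliest_time")
    if backfill is None:
        problems.append("backfill_time unset: backfill runs over all time")
    elif earliest is not None:
        b, e = relative_seconds(backfill), relative_seconds(earliest)
        if b is not None and e is not None and b > e:
            problems.append(f"backfill_time {backfill} exceeds earliest_time {earliest}")
    if "acceleration.max_concurrent" not in keys:
        problems.append("max_concurrent not set (default 3)")
    return problems


def audit_apps(apps_root):
    """Map (app, datamodel) -> problems for every accelerated model under apps_root."""
    results = {}
    for app_dir in sorted(Path(apps_root).iterdir()):
        if not app_dir.is_dir():
            continue
        for name, keys in load_layered_datamodels(app_dir).items():
            if is_true(keys.get("acceleration", "0")):
                results[(app_dir.name, name)] = audit_model(keys)
    return results


def render_local_stanza(name, backfill="-5d", max_concurrent=2):
    """The local/datamodels.conf stanza recommended above, ready to paste."""
    return (f"[{name}]\nacceleration.backfill_time = {backfill}\n"
            f"acceleration.max_concurrent = {max_concurrent}\n")


def build_sample_apps(root):
    """Constructed fixture: four apps covering the cases the audit reports."""
    samples = {
        "app_unbounded/default/datamodels.conf":
            "[Web]\nacceleration = true\nacceleration.earliest_time = -1mon\n",
        "app_fixed/default/datamodels.conf":
            "[Network_Traffic]\nacceleration = 1\nacceleration.earliest_time = -30d\n",
        "app_fixed/local/datamodels.conf":
            "[Network_Traffic]\nacceleration.backfill_time = -5d\nacceleration.max_concurrent = 2\n",
        "app_too_far/default/datamodels.conf":
            "[Auth]\nacceleration = true\nacceleration.earliest_time = -7d\n"
            "acceleration.backfill_time = -30d\n",
        "app_off/default/datamodels.conf": "[Unused]\nacceleration = false\n",
    }
    for rel, text in samples.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)


def run_demo():
    """Audit the constructed fixture and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_apps(tmp)
        return audit_apps(tmp)


if __name__ == "__main__":
    findings = audit_apps(sys.argv[1]) if len(sys.argv) > 1 else run_demo()
    for (app, model), problems in findings.items():
        print(f"{app}/{model}: {'; '.join(problems) or 'ok'}")
        if problems:
            print(render_local_stanza(model))
```

In the demo, app_fixed comes out clean because its local override bounds the window, app_unbounded is reported for both missing keys, and app_too_far is reported because a -30d backfill is larger than its -7d earliest_time. On a real deployment, write the printed stanzas into each app's local/datamodels.conf and rerun until nothing is reported.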


Friday, July 27, 2018

Splunk - Tips & trix

Search macro

In a query you often tend to refer to indexes like this, "index=main sourcetype=syslog", and then build that into a dashboard. When your creations grow and you need to switch to another index, that is many places where you have to edit your code.

Instead go to Settings > Advanced search > Search macro - edit/create your macro, place your index code there "index=main".

Now, in your queries, refer to this macro instead, like this:
`my_macro` sourcetype=syslog
Whenever you need to change the index or add more indexes, you only have this one place to edit: the macro.

Blue Coat Proxy SG shortcuts

Under 'Statistics - Advanced' you'll find more than you need; here is a short summary.

sysinfo & sysinfo-stat

# Sysinfo

# Core Images

# Access Logs

Check Point Cli Commands

Cli commands

Some useful CLI commands. I always forget the syntax, so it's good to have them in one place.
### Cluster XL Debug
# Expert
clish -c "show routed cluster-state detailed"

# clish
show routed cluster-state detailed

##### VPN
### VPN encryption domain overlap
vpn overlap_encdom > temp.txt

### list tunnels
vpn tu tlist -p peer_ip

##### FW
### proxy arp and active local.arp
fw ctl arp -n

### CCC (good script (dangerous))
curl_cli | zcat > /usr/bin/ccc && chmod +x /usr/bin/ccc