AGM meeting minutes
Huvudet
Tips & Trix from a CCSM who likes to combine Check Point with Splunk and Nagios/OP5.
Sunday, October 15, 2023
Friday, August 3, 2018
No indexes are shown for Roles in GUI after upgrade to 7.1.0
Known issue IDs: SPL-156316, SPL-145546
Workaround:
Replace the $SPLUNK_HOME/etc/apps/search/default/data/ui/manager/authentication_roles.xml file on the search head with the version from any Splunk Enterprise 6.6.x release (keep a copy of the 7.1.0 file first, and note that anything under default/ is overwritten by the next upgrade, so the replacement has to be redone then). Then refresh the configuration on the search head by calling a debug refresh (http[s]://[splunkweb hostname]:[splunkweb port]/debug/refresh) from a supported web browser.
Splunk 7.1.0 and DMA acceleration backfill.
Splunk version 7.1.0: data model backfill causes heavy load on indexer peers.
Known issue IDs: SPL-155560, SPL-155219
DMA accelerates too much data when acceleration.backfill_time is unset, resulting in heavy indexer load.
Workaround:
acceleration.backfill_time needs to be set for every accelerated data model stanza in datamodels.conf. Otherwise the DMA will attempt to accelerate for "all time".

# list all apps using data model acceleration on your SH or deployment server (/etc/deployment-apps); run this:
grep --include="datamodels.conf" -R /opt/splunk/etc/apps/ -e "acceleration = true" -e "acceleration = 1"

Note that these patterns only match with single spaces around the "=". If your conf files are written differently, use a regex instead, for example: grep -RiE --include="datamodels.conf" '^acceleration *= *(1|true)' /opt/splunk/etc/apps/

Then create your changes under the app's local/ directory so they are not overwritten by upgrades. Also consider lowering acceleration.max_concurrent from the default of 3 if your indexers are very busy. For every stanza with acceleration = 1 (or true), create your config in $SPLUNK_HOME/etc/apps/<app>/local/datamodels.conf:

[stanza]
acceleration.backfill_time = -5d
acceleration.max_concurrent = 2

How many days back you choose to backfill depends on your environment's performance, but it can never be more than "acceleration.earliest_time".

# verify data model
On the SH, under Settings > Data Models, list all apps, expand the data model that is accelerated and check its status.
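The audit and fix described above, as an added example in Python (it is not code from the original post or from Splunk): it walks an apps directory, merges each app's default/ and local/ datamodels.conf the way Splunk layers them, reports every accelerated data model whose effective configuration has no acceleration.backfill_time, and appends the override stanzas to local/. The app tree it runs against is constructed in a temporary directory with made-up app and data model names; Python's configparser stands in for Splunk's own conf parser, which is an assumption that holds for the plain INI syntax datamodels.conf uses.

```python
"""Audit Splunk datamodels.conf files for accelerated data models that have no
explicit acceleration.backfill_time, and write the local/ override stanzas.

Added example, not code from the original post. Assumptions: datamodels.conf is
plain INI (one stanza per data model), apps live under
<apps_root>/<app>/{default,local}/datamodels.conf, and local/ overrides default/
as Splunk's layering does. Python's configparser stands in for Splunk's own
parser here; "splunk btool datamodels list --debug" is the authoritative view.
"""
import configparser
import os
import tempfile

TRUE_VALUES = {"1", "true", "t", "yes", "y"}  # spellings Splunk accepts for booleans


def _read_conf(path):
    """Parse one datamodels.conf; a missing file is simply an empty config."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case, e.g. acceleration.backfill_time
    if os.path.exists(path):
        cp.read(path)
    return cp


def _merged_stanzas(apps_root, app):
    """Merge default/ then local/ so local settings win, like Splunk does."""
    merged = {}
    for layer in ("default", "local"):
        cp = _read_conf(os.path.join(apps_root, app, layer, "datamodels.conf"))
        for stanza in cp.sections():
            merged.setdefault(stanza, {}).update(cp[stanza])
    return merged


def effective_settings(apps_root, app, stanza):
    """Return the merged settings of one data model stanza (empty if unknown)."""
    return _merged_stanzas(apps_root, app).get(stanza, {})


def find_unbounded_accelerations(apps_root):
    """Return {(app, stanza): settings} for every accelerated data model whose
    effective config has no acceleration.backfill_time (the 7.1.0 trigger)."""
    findings = {}
    for app in sorted(os.listdir(apps_root)):
        for stanza, settings in _merged_stanzas(apps_root, app).items():
            accelerated = settings.get("acceleration", "").strip().lower() in TRUE_VALUES
            if accelerated and "acceleration.backfill_time" not in settings:
                findings[(app, stanza)] = settings
    return findings


def write_overrides(apps_root, findings, backfill_time="-5d", max_concurrent=2):
    """Append one stanza per finding to <app>/local/datamodels.conf, so an
    upgrade that replaces default/ does not undo the change."""
    written = []
    for app, stanza in sorted(findings):
        local_dir = os.path.join(apps_root, app, "local")
        os.makedirs(local_dir, exist_ok=True)
        with open(os.path.join(local_dir, "datamodels.conf"), "a") as fh:
            fh.write(f"\n[{stanza}]\n")
            fh.write(f"acceleration.backfill_time = {backfill_time}\n")
            fh.write(f"acceleration.max_concurrent = {max_concurrent}\n")
        written.append((app, stanza))
    return written


def build_sample_apps():
    """Constructed sample app tree (made-up app and model names) for a dry run."""
    root = tempfile.mkdtemp(prefix="splunk_apps_")
    samples = {
        ("app_a", "default"): "[Network_Traffic]\nacceleration = 1\nacceleration.earliest_time = -1mon\n",
        ("app_b", "default"): "[Web]\nacceleration = true\n\n[Email]\nacceleration = 0\n",
        ("app_b", "local"): "[Web]\nacceleration.backfill_time = -7d\n",  # already bounded
        ("app_c", "default"): "[Auth]\nacceleration = true\n",
    }
    for (app, layer), body in samples.items():
        os.makedirs(os.path.join(root, app, layer), exist_ok=True)
        with open(os.path.join(root, app, layer, "datamodels.conf"), "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_apps()
    found = find_unbounded_accelerations(root)
    for app, stanza in sorted(found):
        print(f"{app}: [{stanza}] is accelerated with no backfill_time")
    write_overrides(root, found)
    print("remaining:", find_unbounded_accelerations(root))  # {} after the fix
```

Against the constructed tree, only app_a/Network_Traffic and app_c/Auth are reported: app_b/Web is accelerated too, but its local/ layer already bounds the backfill, which is exactly why the check has to run on the merged configuration rather than on a grep of default/ alone. On a real search head, point apps_root at $SPLUNK_HOME/etc/apps (or the deployment-apps directory) and confirm the result with splunk btool before relying on it.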
Friday, July 27, 2018
Splunk - Tips & trix
Search macro
In a query you often tend to refer to indexes like this: "index=main sourcetype=syslog", and then you build this into a dashboard. When your creations grow and you need to change to another index, there will be many places to edit your code. Instead, go to Settings > Advanced search > Search macros, edit/create your macro, and put your index code there: "index=main".
Now, in your queries, refer to this macro instead, like this:
`my_macro` sourcetype=syslog
Whenever you need to change the index or add more indexes, the macro is the one place you have to edit.
Blue Coat Proxy SG shortcuts
Under 'Statistics - Advanced' you'll find more than you need; here is a short summary.
# sysinfo & sysinfo-stat
# Core Images
# Access Logs
Check Point CLI commands
CLI commands
Some good CLI commands that are useful; I always forget the syntax, so it's good to have them in one place.
### ClusterXL debug
# Expert
clish -c "show routed cluster-state detailed"
# clish
show routed cluster-state detailed
##### VPN
### VPN encryption domain overlap
vpn overlap_encdom > temp.txt
### list tunnels
vpn tu tlist -p peer_ip
##### FW
### proxy arp and active local.arp
fw ctl arp -n
### CCC (good script (dangerous))
curl_cli http://dannyjung.de/ccc | zcat > /usr/bin/ccc && chmod +x /usr/bin/ccc
Why dangerous: this fetches a script over plain HTTP and pipes it straight into /usr/bin on a firewall without anyone reading it. Download it to a temporary file first, inspect it, and only then copy it into place and make it executable.