Upgraded to 6.6.2 -- Why can't I unembed or edit this alert?
Hello,
Prior to version 6.6, I had a scheduled search with criteria to send emails when more than 0 events were returned. I supposed that made it an alert, but it was also embedded. We are running v6.6.2 and I cannot now edit the alert because I cannot remove the embed. I cannot disable, delete, or do anything because I cannot remove the embed. This seems to be an oversight in the v6.6 alert/report changes. I've worked with my admin to review permissions, but we can't locate the controlling permission. BTW, the admin cannot remove embedding either. Anyone run into this?
After upgrading Enterprise Security from 4.5.2 to 4.7.1, the ES Security Intelligence dashboards are not populated with data
We have upgraded Enterprise Security from 4.5.2 to 4.7.1. After the upgrade, the ES Security Intelligence dashboards are not populated with data.
How do I troubleshoot this?
Upgrade to Splunk 6.6.2 and dashboard background color changed to white
Hi to All,
I upgraded Splunk from 6.4 to 6.6.2; all dashboards are OK except for one whose background colour changed from black to white. What can I check to reset the dashboard colour to black?
Thanks,
Andrea
Splunk DB Connect -- Upgrading v3.1.0 to v3.1.1 failed
Hi, I have tried to update both directly through the web and by downloading the *.tgz file and updating through file upload.
Updating through the web gave me a 500 error, and updating through the file gave me this error:
There was an error processing the upload. In handler 'localapps': Error installing application: Failed to copy C:\Splk\var\run\splunk\bundle_tmp\400ca3da34b01e09\splunk_app_db_connect to C:\Splk\etc\apps\splunk_app_db_connect. Error occurred while renaming .tmp file to destination file error="The process cannot access the file because it is being used by another process." src="C:\Splk\var\run\splunk\bundle_tmp\400ca3da34b01e09\splunk_app_db_connect\jars\server.jar" dest="C:\Splk\etc\apps\splunk_app_db_connect\jars\server.jar"
I'm using Splunk 6.5.3, if that matters.
Splunk not starting after upgrade (6.6.1 > 7.0.0)
Hi, I just updated from 6.6.1 to the latest version (7) and now I'm stuck with Splunk not starting the web interface:
# ./splunk restart
Stopping splunkd...
Shutting down. Please wait, as this may take a few minutes.
..................................... [ OK ]
Stopping splunk helpers...
[ OK ]
Done.
Splunk> Map. Reduce. Recycle.
Checking prerequisites...
Checking http port [10.244.161.7:8000]: open
Checking mgmt port [10.244.161.7:8089]: open
Checking appserver port [127.0.0.1:8065]: open
Checking kvstore port [10.244.161.7:8191]: open
Checking configuration... Done.
Checking critical directories... Done
Checking indexes...
Validated: _audit _internal _introspection _telemetry _thefishbucket checkfwd eqalis_network_sample firewall history itau main mwg_audit os ossec perfmon snort_cardholder snort_servidores sos sos_summary_daily summary summary_forwarders summary_hosts summary_indexers summary_pools summary_sources summary_sourcetypes syslog tp_win_sec tp_win_servers windows wineventlog
Done
Bypassing local license checks since this instance is configured with a remote license master.
Checking filesystem compatibility... Done
Checking conf files for problems...
Improper stanza [dhcpd_server_dhcprelease] in /opt/splunk/etc/apps/unix/default/tags.conf, line 30
Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
Done
Checking default conf files for edits...
Validating installed files against hashes from '/opt/splunk/splunk-7.0.0-c8a78efdd40f-linux-2.6-x86_64-manifest'
All installed files intact.
Done
All preliminary checks passed.
Starting splunk server daemon (splunkd)...
Done
[ OK ]
Waiting for web server at https://10.244.161.7:8000 to be available............................................................................................................................................................................................................................................................................................................
WARNING: web interface does not seem to be available!
What can be causing it?
Splunk DB Connect: Can I run 2 versions on the same server to avoid migrating database inputs to an upgrade? (v2.3.0 and v3)
I am currently running DbConnect version 2.3.0 and I would like to upgrade to DbConnect version 3. My issue is that I have maybe 40 database inputs and various other uses of DbConnect that would make a migration difficult. What I would like to do is install both versions on the same server and slowly migrate and test one input at a time.
Is it possible to run DbConnect version 2 and version 3 on the same server?
What is the recommended version of the universal forwarder?
Hi Folks,
We have various versions of the Splunk universal forwarder (4.3.1, 5.0.1, 6.1.1) in our environment and we are planning to upgrade the old versions to the new Splunk-recommended version. Is there a recommended version of the universal forwarder for keeping the forwarder stable?
Thanks,
Sridhar
Can I stop Splunk, take a VM snapshot, upgrade Splunk, then revert to the snapshot after the upgrade?
We have 6 splunk servers
1 SH
1 enterprise security
1 license + cluster master
2 Indexers
1 deployment server
I will be stopping the Splunk services and taking a snapshot of all VMs, and then performing the upgrade. If anything goes wrong during the upgrade, I am planning to revert to the snapshots. Is this the best practice, or will reverting to a snapshot break anything?
Splunk Health Check Overview: How do you install this app?
We have upgraded Splunk. Now we want to provide a sanity check to the client. How can we install the Splunk Health Check Overview app from Splunkbase?
Upgrade of a Search Head Cluster (v6.4.2 > 7.0.0) - Can I do a rolling upgrade?
Hi at all,
I have to upgrade a Search Head Cluster from version 6.4.2 to 7.0.0 and I have a doubt:
In https://docs.splunk.com/Documentation/Splunk/7.0.0/DistSearch/UpgradeaSHC it is written:
> Starting with version 6.5, you can perform a rolling upgrade. This allows the cluster to continue operating during the upgrade. To use the rolling upgrade process, you must be upgrading from version 6.4 or later.
It's not clear to me whether I can perform a rolling upgrade from 6.4.2 to 7.0.0, or whether I must first upgrade from 6.4.2 to 6.5 (not a rolling upgrade) and only then perform the rolling upgrade to 7.0.0.
Has anyone already performed this upgrade?
Bye,
Giuseppe
Splunk App for Dropbox for Business: error message from indexer after recent Splunk upgrade
Splunk App for Dropbox has been working very well since it was installed more than a year ago.
However, recently we have been seeing the following error messages from our Splunk indexers after a recent Splunk upgrade:
"Unable to initialize modular input "dfb" defined inside the app "splunk-app-dropbox": Introspecting scheme=dfb: script running failed (exited with code 1)."
Has anyone encountered the same errors from the Dropbox App?
The Splunk support team thinks this may be due to incompatibility: that this app is no longer supported in Splunk Cloud.
Splunk upgraded to 7.0.0, message still shows new version available.
Hi,
I have upgraded my Splunk to 7.0.0 from the Linux terminal. The terminal shows the version is now 7.0.0. Web interface -> About also reflects 7.0.0, but there are still messages showing that a new version and a new maintenance version are available. Is this a bug?
What is the best approach for upgrading Splunk Enterprise?
What is the best approach for upgrading Splunk?
1 DP
1 SH
1 F
2 ID
running 6.5.1 on Linux RHEL 6
Download 6.6.3, copy it to each device and then untar, or is there an upgrade from the UI?
Do I need to worry about backing up custom stanzas?
Thanks!
Upgrade from distributed to clustered environment retaining configurations and data?
Hi,
Is there a way to upgrade a distributed environment consisting of 1 x SH, 2 x IDX and a DS to an HA clustered environment consisting of
3 x SH, 1 x Deployer, 3 x IDX and a Cluster Node (assume the cluster node is also the LM),
with the aim of keeping the data already in the distributed indexes?
Is this possible, and which steps should be carried out in what order?
Thanks.
Splunk universal forwarder upgrade from 4.3.x to 7.0
HI,
I'm looking for information about updating UFs from version 4.3.x to 7.0.
I checked the Splunk docs (Forwarder Manual), but there are no version dependency requirements for the upgrade.
So the question: is a one-step upgrade from 4.3.x to 7.0 supported (and safe)? My conjecture is yes; can someone confirm it?
Regards,
István
Upgrade of Palo Alto Networks App to 6.0.0
I'm using Splunk Enterprise 6.6.3.
I've used the Update link on the Apps dashboard of my master to perform the upgrade of Palo Alto Networks App to version 6.0.0 from 5.4.2
I've actually done this procedure a couple of times. After restarting the Splunk service, I see a banner displayed when I log in again saying: *'App "Palo Alto Networks" was installed successfully'*
However, back at the main page the Palo Alto Networks App still shows the Update button below it.
/etc/apps/SplunkforPaloAltoNetworks/Readme.md shows App Version 6.0.0 so the files are in place. But if I open the App from the dashboard and click About at the bottom it shows 5.4.2
The add-on Splunk_TA_paloalto is upgraded to 6.0.0 too.
The issue is resolved, but I had to completely remove and reinstall the app rather than upgrade it.
Splunk DB Connect: Some columns of database tables are dropped after upgrade to 3.1.1
After the upgrade from v2 to v3, data pulling by DBX is still working; however, I get a warning in splunk/var/log/splunk/splunk_app_db_connect_server.log as:
2017-11-28 15:23:43.838 -0600 [QuartzScheduler_Worker-9] WARN c.s.d.s.d.r.iterator.EventPayloadRecordIterator - input my-input contains binary columns, will be discarded. column name:GUID_STOCK,MATID,INSPID,BATCHID,DGUID_HU,QDOCID,QITMID,GUID_TO,SGUID_HU,RDOCID,RITMID
and all events are missing the fields listed in the warning.
As a matter of fact, these fields are not binary; they are just a little odd: IDs with a lot of 0 padding.
Has anyone had a similar issue? And how do I resolve it?
Thanks.
Getting SAML error after upgrade to Splunk searchhead v. 7.0.0.1 "SAML config is invalid, Reconfigure it"
We upgraded our Splunk search head from version 6.5.3 to version 7.0.0.1 and cannot get to the GUI: we get a "Page not found!" error message (URL:
https://servername/en-US/?samlstatus=Invalid%20configuration.%20'idpSsoUrl'%20is%20missing.%20Invalid%20configuration.%20'entityId'%20is%20missing.)
splunkd.log has the following errors: 0500 ERROR UserManagerPro - SAML config is invalid, Reconfigure it. and 0500 ERROR UserManagerPro - user="system" had no roles
We used SAML successfully in the previous version 6.5.3, and 'idpSsoUrl' is set up in authentication.conf as well.
I will appreciate any advice on what the next step can be.
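The error in the post says the SAML stanza Splunk actually reads lacks 'entityId' and the IdP SSO URL, while the poster sees the key in authentication.conf. A common way for both to be true is that [authentication] authSettings names one stanza and the keys live in another. The script below is an added example (not code from the post or from Splunk): a small .conf stanza reader plus a preflight check that follows authSettings to the SAML stanza and reports which of the two keys named in the page's error are missing. The spec spells the key idpSSOUrl while the error text spells it idpSsoUrl, so key comparison is case-insensitive; the sample configs are constructed, and only the two keys the page names are treated as required (Splunk also needs others, such as the IdP certificate, which this check does not cover).

```python
"""Preflight check: does [authentication] authSettings point at a SAML stanza
that carries entityId and the IdP SSO URL?  Added example; sample configs are
constructed and the required-key list is limited to what the page's error names."""
import re
import sys
from collections import OrderedDict

# Keys named in the page's error message; compared case-insensitively so that
# the spec spelling (idpSSOUrl) and the error spelling (idpSsoUrl) both match.
REQUIRED_SAML_KEYS = ("entityId", "idpSSOUrl")

STANZA_RE = re.compile(r"^\[(.*)\]\s*$")


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}.

    Handles '#' comments, blank lines, 'key = value' pairs and trailing-backslash
    line continuations.  Keys before any header go into 'default', as Splunk does.
    """
    stanzas = OrderedDict()
    current = "default"
    stanzas[current] = OrderedDict()
    pending = ""
    for raw in text.splitlines():
        line = pending + raw
        if line.endswith("\\"):          # continuation: glue onto the next line
            pending = line[:-1]
            continue
        pending = ""
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = STANZA_RE.match(stripped)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, OrderedDict())
            continue
        if "=" not in stripped:           # not a key/value line; ignore it
            continue
        key, _, value = stripped.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def check_saml(conf_text):
    """Return a list of problems; an empty list means the SAML stanza looks complete."""
    stanzas = parse_conf(conf_text)
    problems = []
    auth = stanzas.get("authentication", {})
    if auth.get("authType") != "SAML":
        problems.append("[authentication] authType is not SAML")
        return problems
    settings_name = auth.get("authSettings")
    if not settings_name:
        problems.append("[authentication] has no authSettings pointing at a SAML stanza")
        return problems
    saml = stanzas.get(settings_name)
    if saml is None:
        # The keys may exist in the file, but in a stanza Splunk never reads.
        problems.append("authSettings=%s but no [%s] stanza exists" % (settings_name, settings_name))
        return problems
    present = {k.lower(): v for k, v in saml.items()}
    for key in REQUIRED_SAML_KEYS:
        if not present.get(key.lower(), ""):
            problems.append("[%s] is missing %s" % (settings_name, key))
    return problems


# Constructed sample: authSettings and the stanza name agree.
GOOD_CONF = """\
[authentication]
authType = SAML
authSettings = saml_okta

[saml_okta]
entityId = https://splunk.example.com/saml/acs
idpSSOUrl = https://idp.example.com/sso/saml
idpCertPath = /opt/splunk/etc/auth/idpCerts/idp.pem
"""

# Constructed sample: the keys are in the file, but authSettings names a stanza
# that does not exist, which is one way "it's in authentication.conf" and
# "'idpSsoUrl' is missing" can both be true.
BROKEN_CONF = """\
[authentication]
authType = SAML
authSettings = saml

[saml_okta]
entityId = https://splunk.example.com/saml/acs
idpSSOUrl = https://idp.example.com/sso/saml
"""

if __name__ == "__main__":
    # Usage: python check_saml.py <authentication.conf or btool output file>
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BROKEN_CONF
    for problem in check_saml(text) or ["SAML config looks complete"]:
        print(problem)
```

Run it against the merged view rather than a single file, since Splunk layers system/local over app configs: save the output of `splunk btool authentication list` (without `--debug`, which prefixes every line with its source path) and pass that file in. If the check passes but the error persists, the keys Splunk wants beyond these two (for example the IdP certificate) are the next thing to compare against the 7.0 authentication.conf.spec.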
Any gotchas in upgrading minor revision of OS of existing Splunk server?
Hi all,
This coming week I am going to be upgrading a single-box system from RHEL 7.0 to the newest 7.x version. I've never actually upgraded the OS of an existing Splunk install, but with a minor revision I imagine it's pretty straightforward, right?
Shut down Splunk, upgrade, restart Splunk. Any gotchas I should be aware of? I have a test box I'll be running it on first, but I figured I'd ask.