Channel: Questions in topic: "upgrade"

Will the "Splunk App for ServiceNow" be compatible with Splunk 7?

We're planning to upgrade our environment to Splunk 7 but we have the Splunk App for ServiceNow and I noticed that even the latest release is not marked as compatible with Splunk 7. Will there be a new release of the app that will be compatible with Splunk 7? Or can anybody tell me what part of the app is not compatible? We are not using all the dashboards so maybe we will be able to upgrade to Splunk7 without impact... Thank you!

Why is the Splunk dbconnect migration script not working when upgraded to version 3.1.2?

I am getting the following error while upgrading my existing splunk db connect version 2.3.1 to 3.1.2. Any help is much appreciated.

    Traceback (most recent call last):
      File "d:\program files\splunk\etc\apps\splunk_app_db_connect\bin\app_migration.py", line 971, in
        check_inputs_conf_mi_input(service_with_ns, service)
      File "d:\program files\splunk\etc\apps\splunk_app_db_connect\bin\app_migration.py", line 603, in check_inputs_conf_mi_input
        mode = an_input['mode']
      File "d:\program files\splunk\etc\apps\splunk_app_db_connect\bin\splunk_sdk-1.5.0-py2.7.egg\splunklib\client.py", line 920, in __getitem__
      File "d:\program files\splunk\etc\apps\splunk_app_db_connect\bin\splunk_sdk-1.5.0-py2.7.egg\splunklib\client.py", line 915, in __getattr__
    AttributeError: mode

Why is the upgrade to Splunk Security Essentials 2.0 causing errors?

Recently I upgraded our search heads with Splunk Security Essentials v2.0. Now, when Splunk restarts, I see errors referencing Splunk Security Essentials. The error recommends running btool, and the results are:

    Checking: /opt/splunk/etc/apps/Splunk_Security_Essentials/default/app.conf
    Checking: /opt/splunk/etc/apps/Splunk_Security_Essentials/default/collections.conf
    Checking: /opt/splunk/etc/apps/Splunk_Security_Essentials/default/commands.conf
    Checking: /opt/splunk/etc/apps/Splunk_Security_Essentials/default/distsearch.conf
    Checking: /opt/splunk/etc/apps/Splunk_Security_Essentials/default/macros.conf
    Checking: /opt/splunk/etc/apps/Splunk_Security_Essentials/default/transforms.conf
    Checking: /opt/splunk/etc/apps/Splunk_Security_Essentials/default/ui-tour.conf
    Invalid key in stanza [contents-tour] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/ui-tour.conf, line 5: otherAuto (value: 1).
    Invalid key in stanza [contents-tour] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/ui-tour.conf, line 8: skipText (value: Skip tour).
        Did you mean 'stepClickElement'? Did you mean 'stepClickEvent'? Did you mean 'stepElement'? Did you mean 'stepPosition'? Did you mean 'stepText'?
    Invalid key in stanza [contents-tour] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/ui-tour.conf, line 17: doneText (value: Start Exploring).
    Invalid key in stanza [contents-tour] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/ui-tour.conf, line 18: doneURL (value: /app/Splunk_Security_Essentials/contents).
    Invalid key in stanza [showcase_simple_search-tour] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/ui-tour.conf, line 45: skipText (value: Skip tour).
        Did you mean 'stepClickElement'? Did you mean 'stepClickEvent'? Did you mean 'stepElement'? Did you mean 'stepPosition'? Did you mean 'stepText'?
    Invalid key in stanza [showcase_first_seen_demo-tour] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/ui-tour.conf, line 72: skipText (value: Skip tour).
        Did you mean 'stepClickElement'? Did you mean 'stepClickEvent'? Did you mean 'stepElement'? Did you mean 'stepPosition'? Did you mean 'stepText'?
    Invalid key in stanza [showcase_standard_deviation-tour] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/ui-tour.conf, line 96: skipText (value: Skip tour).
        Did you mean 'stepClickElement'? Did you mean 'stepClickEvent'? Did you mean 'stepElement'? Did you mean 'stepPosition'? Did you mean 'stepText'?

I talked to a Splunk engineer about this (I thought it was Splunk supported), and he said the following:

This message below indicates that it is malformed. Usually, this means there is some misspelling of the key or that line is deprecated

    Invalid key in stanza [contents-tour] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/ui-tour.conf,

So, if this is indeed from something within the code, and Splunk wrote the code, but Splunk does not support the app, how does it get fixed?

Upgrade Splunk Enterprise in Linux

Hi Team, I am planning to upgrade Splunk Enterprise from version 6.5.2 to 7.0.3 in Linux Redhat and currently looking on this reference: http://docs.splunk.com/Documentation/Splunk/7.1.0/installation/UpgradeonUNIX

I am using tar file. And in step 5 in the link above, it says:

    5. To upgrade and migrate, install the Splunk Enterprise package directly over your existing deployment. If you use a .tar file, expand it into the same directory with the same ownership as your existing Splunk Enterprise instance. This overwrites and replaces matching files but does not remove unique files.

    tar xzf splunk-7.x.x-.tgz -C /splunk/parent/directory

My question is what do we mean by "/splunk/parent/directory"? My current $SPLUNK_HOME is /opt/splunk. Does this mean I will just use the command below:

    tar -xzf splunk-7.0.3-fa31da744b51-Linux-x86_64.tgz -C /opt

OR this one

    tar -xzf splunk-7.0.3-fa31da744b51-Linux-x86_64.tgz -C /opt/splunk

Thanks in advance.

How to upgrade dynatrace App?

Hi All, I am looking to upgrade Splunk Core to v7.0 and we are using dynatrace App v2.2.4 and planning to upgrade it to v2.4.0. But there is no documentation on how to upgrade dynatrace App. Can someone help me with the steps of how to upgrade the Appmon/Dynatrace App? Thanks, Sree

What are the best practices of upgrading Splunk enterprise version 6.5.3 to Splunk 7.0.1?

Upgrade Splunk from version 6.5.3 to Splunk 7.0.1, please suggest best practice and issues you may have noticed while doing it.

Why is the embedded report not working after the upgrade to 7.0.3+?

Embed report was working well for a long time. (6+ months) However, after upgrading to 7.0.3, it's not working anymore. All the reports show the same error message "Report not available." and keep on refreshing. To copy new iframe contents from Splunk GUI again, it works but old ones never work. We have 30+ embed reports and have to copy one by one.

Splunk Upgrade

Hi Team, We have a Splunk distributed environment running on version 6.3.0 and we plan to upgrade to 7.0.0. Could you please help me with the best way to upgrade Splunk? Do I need to upgrade to versions one by one, i.e. 6.3.0 to 6.4.0 to 6.5.0 ....? Any document reference would be very helpful and much appreciated. All my servers are Linux based. Thank you very much in advance.

Why does Splunk keep crashing after upgrade to Splunk 7.1?

    -bash-4.1$ cat crash-2018-05-22-13:02:27.log
    (Out of file descriptors!)
    [build 2e75b3406c5b] 2018-05-22 13:02:27

This is the error that I am seeing:

    Search peer (server_name) has the following message: Bundle Replication: Problem replicating config (bundle) to search peer ' (Server IP):8089 ', HTTP response code 409 (HTTP/1.1 409 Conflict). Failed to untar the bundle="/opt/splunk/var/run/searchpeers/(server_name)-1527015758.bundle". This could be due Search Head attempting to upload the same bundle again after a timeout. Check for sendRcvTimeout message in splund.log, consider increasing it.

And this is the crash log:

    File descriptors open: (Total 175)
    Received fatal signal 6 (Aborted).
    Cause: Signal sent by PID 10152 running under UID 18002.
    Crashing thread: GenerationGrabberThread
    OS: Linux
    Arch: x86-64
    Backtrace (PIC build):
    Linux / (servernamehere) / 2.6.32-696.28.1.el6.x86_64 / #1 SMP Thu Apr 26 04:27:41 EDT 2018 / x86_64
    glibc version: 2.12
    glibc release: stable
    Last errno: 23
    Threads running: 76
    Runtime: 471.198094s
    argv: [splunkd -p 8089 start]
    Regex JIT disabled due to SELinux
    using CLOCK_MONOTONIC
    Thread: "GenerationGrabberThread", did_join=0, ready_to_run=Y, main_thread=N
    terminating...
    -bash-4.1$

Do Splunk Enterprise security upgrades result in a new AWS AMI being released?

My team is considering running Splunk Enterprise on EC2, and wants to understand the operational load we'll incur due to regular security upgrades. Rather than go through the various manual steps each upgrade recommends, we were considering taking advantage of EC2's ASG, spinning up replacement capacity using the latest Splunk AMI and spinning down old capacity once the replacements are up. For this to work, each Splunk security upgrade should result in a new Splunk AMI being published.

1. Are new AMIs being published on all Splunk security upgrades, or only on major version upgrades?
1.1 If new AMIs are being published on all Splunk security upgrades, is there any delay between the vulnerability and fix being published and the new AMI being released?
1.2 If new AMIs are not being published on all Splunk security upgrades, then what happens on a fresh install of the Splunk AMI on an EC2 instance? Do all recent security patches need to be applied manually?

My Splunk Performance is Significantly Worse in my Upgraded Version to 7.1.1

So I upgraded my Splunk version from 6.3.3 to 7.1.1, put it on a new server, split out the volumes on my server, and the performance in my new environment is significantly worse than my current production. The CPU is pegged out (100% resource consumption) and I cannot get my dashboards to load in my new environment. We are on Windows and do not have anything blocking the on-access scans, but we did not have that in place in our current production environment either, so I don't understand why the performance is so much worse in our new environment. We loaded a lot of data into our system the past few days from re-ingesting data (passed our daily limit) - not sure if that could be related. Any help or places to investigate first would be appreciated - thank you!

Steps in mind to perform license upgrade in splunk

We are currently running on a Splunk license of 30 GB. We are going to purchase an additional 30 GB of license; please suggest some steps to deliver a smooth upgrade.

Why am I getting error: msg="A script exited abnormally" input="./bin/instrumentation.py"

Hi All, Every minute I receive the error:

    msg="A script exited abnormally" input="./bin/instrumentation.py" stanza="default" status="exited with code 114"

I get this error after upgrading to Splunk 7.1.1. Thanks, M&A

Has anyone automated UF upgrade on Linux servers?

Hi All, We have nearly 500 UFs in our environment on Linux hosts. We are planning to upgrade our environment. Can someone help me if anyone has automated the process of upgrading UF on Linux hosts? Thanks, Sree

Why am I getting errors after upgrading Splunk IT Service Intelligence on my search head cluster?

I encounter a problem with ITSI each time I try to upgrade or install a new deployment:

- upgrading ITSI on version 2.6 on a search-head cluster, to 3.1
- installing a new 3.0.0 or 3.1.2 on a search-head cluster.

Each time I push the ITSI bits from the deployer and wait for the sh rolling restart. Usually when a problem occurs, the symptoms are: ITSI panels not loading, permissions issues, and nothing in my configure > services and teams even for my admin user. Looking in the logs, I see in index=_internal source=*itsi_migration.log* that one of the shpeer tried to start the install/migration but failed because of permissions of "teams" missing. I checked, there are no teams in my ITSI (in the manager or in the kvstore collection). I also see errors on some peers about sh captain not ready. Example:

    2018-06-04 15:29:22,979 INFO [itsi.migration] [itsi_migration] [run_migration] [23748] Enable UI
    Exception: Failed to import Team settings. ITSI will not work properly until the Team settings are imported. See [http://docs.splunk.com/Documentation/ITSI/3.0.1/Configure/Installationandconfigurationconsiderationsandissues#Run_script_to_set_the_default_team_to_Global this documentation page] for instructions on how to resolve this issue.
    raise Exception(error_msg)
    File "S:\splunk\etc\apps\SA-ITOA\lib\itsi\upgrade\itsi_migration.py", line 3269, in run_migration
    Traceback (most recent call last):
    2018-06-04 15:29:22,976 ERROR [itsi.migration] [itsi_migration] [run_migration] [23748] Migration failed from version:None, to version:3.1.2

Splunk Win2008R2 Upgrade 6.5 to 7.1

Hello! We installed Splunk 6.5.1 on a Windows 2008 R2 two years ago. We'd like to upgrade it to 7.1. According to the well-furnished documentation, we can upgrade without an intermediate version. However, being on a Windows 2008 R2 will be problematic as the cipher suites won't be supported (according to Splunk/7.1.2/Installation/AboutupgradingREADTHISFIRST). As far as I've understood, Splunk/7.1.2/Security/AboutTLSencryptionandciphersuites implies that I should change the files alert_actions.conf and ldap.conf as they are the only ones where Windows 2008 is quoted.

First of all, have I understood this properly? Then, I've searched for those files on our Splunk and there are a lot of them. I don't know which one (or ones) I should modify. Can you please tell me which files I should change with those SSL parameters? And finally, are there specific points I should be aware of when upgrading? Documentation seems pretty clear about that but I always prefer to hear that from experienced people.

Please forgive me for my lack of skill on this product and my not-so-fluent English. Thank you in advance for your help. Best regards, Quentin

How to upgrade an app through UI

I want to upgrade an app through deployer and apply bundle cluster. Can I update a particular app through the UI of deployer and then apply bundle cluster?

Upgrade Virtual Machines Enterprise 6.5.4 to 7.1.2

Splunk Enterprise 6.5.4, clustered environment:

- 3 Search heads
- 3 Indexers
- 1 Heavy Forwarder (with DB Connect)
- 1 License Manager (wouldn't this be the Cluster Master?)
- 1 Distribution Server

These are Virtual Machines on VMWare. I want to upgrade to 7.1.2. I have been told that the data (including indexes) is not changed for an upgrade with these versions involved. So if I snapshot the Splunk VM's can't I just restore the machines from snapshots as my backout procedure should I run into any problems? Thanks for any info anyone has on this. Thanks, Gary

When is it necessary to upgrade universal forwarders?

We are planning to upgrade our Splunk instances and we are wondering if it's necessary for the forwarders as well? If not, then when? Both are running in Splunk 7.0 and the environment is distributed, with clustered indexers.

Upgrade perpetual license to No-enforcement license

We would like to upgrade our current six-year-old perpetual license to a no-enforcement license but our support contract is long expired. Is there any way to do that without buying a support contract?