Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About Gregski11
Gregski11
Contributor
Member since:
03-04-2021
a month ago
Community Statistics
| Posts | 145 |
| Solutions | 3 |
| Karma Given | 53 |
| Karma Received | 10 |
| Member Since | 03-04-2021 |
Activity Feed
- Posted Re: Deployment Server Upgrade 9.2.1 and Server Class on Deployment Architecture. 04-05-2024 08:49 AM
- Got Karma for Re: Why does Splunk upgrade to version 9.1.0.1 end prematurely?. 01-18-2024 01:07 AM
- Posted Can't Log In To Splunk Web After Forklift Upgrade on Installation. 10-23-2023 04:03 PM
- Got Karma for Re: Search peer has the following message: Failed to make bucket = searchable. 10-20-2023 01:34 AM
- Posted Re: Why does Splunk upgrade to version 9.1.0.1 end prematurely? on Installation. 10-17-2023 07:08 AM
- Posted Re: Why does Splunk upgrade to version 9.1.0.1 ends prematurely? on Installation. 08-01-2023 06:12 PM
- Posted Re: Rollback during Installation Windows 64 bit on Splunk Dev. 08-01-2023 06:10 PM
- Posted Re: Splunk upgrade to version 9.1.0.1 ends prematurely on Installation. 08-01-2023 05:47 PM
- Posted Re: Splunk upgrade to version 9.1.0.1 ends prematurely on Installation. 07-31-2023 01:22 PM
- Karma Re: Splunk upgrade to version 9.1.0.1 ends prematurely for PickleRick. 07-31-2023 12:46 PM
- Posted Why does Splunk upgrade to version 9.1.0.1 end prematurely? on Installation. 07-31-2023 11:55 AM
- Tagged Why does Splunk upgrade to version 9.1.0.1 end prematurely? on Installation. 07-31-2023 11:55 AM
- Got Karma for Re: This dashboard version is missing. Update the dashboard version in source. 06-23-2023 08:24 PM
- Karma Re: Is it possible to have alerts and reports assigned to nobody as owner? for isoutamo. 06-23-2023 01:59 PM
- Karma Re: Is it possible to have alerts and reports assigned to nobody as owner? for richgalloway. 06-22-2023 09:00 AM
- Posted Re: Is it possible to have alerts and reports assigned to nobody as owner? on Splunk Enterprise. 06-22-2023 08:57 AM
- Karma Re: Is it possible to have alerts and reports assigned to nobody as owner? for richgalloway. 06-22-2023 08:50 AM
- Posted Re: How to delete a bucket stuck in "fixup tasks - In Progress" server side? on Deployment Architecture. 06-22-2023 08:48 AM
- Posted Re: Large amount of buckets that need to be fixed after the upgrade? on Installation. 06-22-2023 08:42 AM
- Posted Re: Search peer has the following message: Failed to make bucket = searchable on Deployment Architecture. 06-22-2023 07:55 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
04-05-2024
08:49 AM
not sure about that, but we are having major issues after the upgrade to 9.2.1 with both of our Deployment Servers (running on Windows Server 2019) one server is only supposed to show us Servers and the other is only supposed to show us our Workstations but now they are comingled on both, this poses a major problem as apps meant for servers may end up being installed on the Workstations and vice versa we opened a Technical Support case on this a week ago and will let you know how it goes, so far their work arounds are not fixing anything for us
... View more
10-23-2023
04:03 PM
so after opening a case with Splunk tech support because we were unable to upgrade in place our Windows 2019 Servers from Splunk version 9.0.0 to 9.1.1 we were instructed to backup the ETC directory than uninstall Splunk and do a new install of 9.1.1 then copy the old ETC directory back over well we did just that except we also put it on new/different hardware and now we can't log in to Splunk Web, we get the login screen it takes our credentials and then we get the three dots of death ... any help / advice is tremendously appreciated
... View more
Labels
- Labels:
-
Windows
10-17-2023
07:08 AM
1 Karma
I don't like abandoned threads, so after hours and hours with Splunk Tech Support and having opened multiple cases on this issue I have something worth sharing. You may need to do Two things to get this to work / install: First Part 1. using the command line stop Splunk from running, so run SPLUNK STOP on Windows it may look somethign like this C:\Program Files\Splunk\bin>splunk stop 2. then run the install MSI with the LAUNCHSPLUNK=0 parameter (no it does not have to be all in caps, not on Windows anyways) C:\Software\Splunk>splunk-9.1.1-64e843ea36b1-x64-release.msi launchsplunk=0 Alright, that may get it installed, but afterwards you will notice it does not want to start, but that's ok, I will show you what to do to get it to start in the follow up post.
... View more
08-01-2023
06:12 PM
looks like people were having the same problem six years ago https://community.splunk.com/t5/Building-for-the-Splunk-Platform/Rollback-during-Installation-Windows-64-bit/m-p/335020/highlight/false#M4994
... View more
08-01-2023
06:10 PM
same problem six years later attempting to upgrade from version 9.0.0 to 9.1.1 on half of our servers it upgraded fine on the other half it chokes Rollback: StopSplunkServiceDef MSI (s) (B4:98) [22:00:59:416]: Executing op: ActionStart(Name=StopSplunkServiceDef,,) Rollback: RestartSplunkService MSI (s) (B4:98) [22:00:59:416]: Executing op: ActionStart(Name=RestartSplunkService,,) MSI (s) (B4:98) [22:00:59:416]: Executing op: CustomActionRollback(Action=RestartSplunkService,ActionType=1281,Source=BinaryData,Target=StartSplunkServiceCA,CustomActionData=SystemFolder=C:\Windows\SysWOW64\;System64Folder=C:\Windows\system32\;SplunkHome=C:\Program Files\Splunk\;SplunkSvcName=Splunkd;LaunchSplunk=1;FailCA=) MSI (s) (B4:BC) [22:00:59:478]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIDCBF.tmp, Entrypoint: StartSplunkServiceCA StartSplunkService: Warning: Invalid property ignored: FailCA=. StartSplunkService: Info: Properties: splunkHome: C:\Program Files\Splunk, svcName: Splunkd, launch splunk: 1. StartSplunkService: Info: Enter. StartSplunkService: Info: service Splunkd already exists StartSplunkService: Info: Leave. StartSplunkService: Info: Enter. Args: "C:\Program Files\Splunk\bin\splunk.exe", start --answer-yes --no-prompt --accept-license --auto-ports StartSplunkService: Info: SystemPath is: C:\Windows\system32\ StartSplunkService: Info: Execute string: C:\Windows\system32\cmd.exe /c ""C:\Program Files\Splunk\bin\splunk.exe" start --answer-yes --no-prompt --accept-license --auto-ports >> "C:\Users\ADMINI~1\AppData\Local\Temp\splunk.log" 2>&1" StartSplunkService: Info: WaitForSingleObject returned : 0x0 StartSplunkService: Info: Exit code for process : 0x1 StartSplunkService: Info: Leave. StartSplunkService: Error: ExecCmd failed: 0x1. StartSplunkService: Error 0x80004005: Cannot start splunkd service. CustomAction RestartSplunkService returned actual error code 1603 but will be translated to success due to continue marking Rollback: Updating component registration
... View more
08-01-2023
05:47 PM
Rollback: StopSplunkServiceDef MSI (s) (B4:98) [22:00:59:416]: Executing op: ActionStart(Name=StopSplunkServiceDef,,) Rollback: RestartSplunkService MSI (s) (B4:98) [22:00:59:416]: Executing op: ActionStart(Name=RestartSplunkService,,) MSI (s) (B4:98) [22:00:59:416]: Executing op: CustomActionRollback(Action=RestartSplunkService,ActionType=1281,Source=BinaryData,Target=StartSplunkServiceCA,CustomActionData=SystemFolder=C:\Windows\SysWOW64\;System64Folder=C:\Windows\system32\;SplunkHome=C:\Program Files\Splunk\;SplunkSvcName=Splunkd;LaunchSplunk=1;FailCA=) MSI (s) (B4:BC) [22:00:59:478]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIDCBF.tmp, Entrypoint: StartSplunkServiceCA StartSplunkService: Warning: Invalid property ignored: FailCA=. StartSplunkService: Info: Properties: splunkHome: C:\Program Files\Splunk, svcName: Splunkd, launch splunk: 1. StartSplunkService: Info: Enter. StartSplunkService: Info: service Splunkd already exists StartSplunkService: Info: Leave. StartSplunkService: Info: Enter. Args: "C:\Program Files\Splunk\bin\splunk.exe", start --answer-yes --no-prompt --accept-license --auto-ports StartSplunkService: Info: SystemPath is: C:\Windows\system32\ StartSplunkService: Info: Execute string: C:\Windows\system32\cmd.exe /c ""C:\Program Files\Splunk\bin\splunk.exe" start --answer-yes --no-prompt --accept-license --auto-ports >> "C:\Users\ADMINI~1\AppData\Local\Temp\splunk.log" 2>&1" StartSplunkService: Info: WaitForSingleObject returned : 0x0 StartSplunkService: Info: Exit code for process : 0x1 StartSplunkService: Info: Leave. StartSplunkService: Error: ExecCmd failed: 0x1. StartSplunkService: Error 0x80004005: Cannot start splunkd service. CustomAction RestartSplunkService returned actual error code 1603 but will be translated to success due to continue marking Rollback: Updating component registration
... View more
07-31-2023
01:22 PM
ok, did just that and here is a section from the install log where things go south and setup begins rolling back MSI (s) (FC:F4) [12:47:17:625]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIF1EF.tmp, Entrypoint: StopSplunkServiceDefCA MSI (s) (FC:68) [12:47:17:625]: Generating random cookie. MSI (s) (FC:68) [12:47:17:625]: Created Custom Action Server with PID 2452 (0x994). MSI (s) (FC:70) [12:47:17:719]: Running as a service. MSI (s) (FC:70) [12:47:17:719]: Hello, I'm your 64bit Elevated Non-remapped custom action server. StopSplunkServiceDef: Warning: Invalid property ignored: FailCA=. StopSplunkServiceDef: Info: Properties: splunkHome: C:\Program Files\Splunk, svcName: Splunkd. StopSplunkServiceDef: Info: Enter. StopSplunkServiceDef: Info: service Splunkd already exists StopSplunkServiceDef: Info: Leave. MSI (s) (FC:F4) [12:47:17:734]: Executing op: ActionStart(Name=ReinstallRegmonDrv,,) Action 12:47:17: ReinstallRegmonDrv. MSI (s) (FC:F4) [12:47:17:734]: Executing op: CustomActionSchedule(Action=ReinstallRegmonDrv,ActionType=1281,Source=BinaryData,Target=InstallRegmonDrvCA,CustomActionData=SystemFolder=C:\Windows\SysWOW64\;System64Folder=C:\Windows\system32\;SplunkHome=C:\Program Files\Splunk\;FailCA=) MSI (s) (FC:F4) [12:47:17:750]: Executing op: ActionStart(Name=UninstallNetmonDrv,,) Action 12:47:17: UninstallNetmonDrv. MSI (s) (FC:F4) [12:47:17:750]: Executing op: CustomActionSchedule(Action=UninstallNetmonDrv,ActionType=3073,Source=BinaryData,Target=UninstallNetmonDrvCA,CustomActionData=SystemFolder=C:\Windows\SysWOW64\;System64Folder=C:\Windows\system32\;SplunkHome=C:\Program Files\Splunk\;FailCA=) MSI (s) (FC:14) [12:47:17:812]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIF2AB.tmp, Entrypoint: UninstallNetmonDrvCA UninstallNetmonDrv: Warning: Invalid property ignored: FailCA=. UninstallNetmonDrv: Info: Driver inf file: C:\Program Files\Splunk\bin\splknetdrv.inf. UninstallNetmonDrv: Info: Enter. UninstallNetmonDrv: Info: Service: splknetdrv, state: 1. UninstallNetmonDrv: Info: splknetdrv service does not exists. UninstallNetmonDrv: Info: Enter. Args: rundll32.exe, setupapi,InstallHinfSection DefaultUninstall 128 C:\Program Files\Splunk\bin\splknetdrv.inf UninstallNetmonDrv: Info: SystemPath is: C:\Windows\system32\ UninstallNetmonDrv: Info: Execute string: C:\Windows\system32\cmd.exe /c "C:\Windows\system32\rundll32.exe setupapi,InstallHinfSection DefaultUninstall 128 C:\Program Files\Splunk\bin\splknetdrv.inf >> "C:\Users\MUSZYN~1\AppData\Local\Temp\splunk.log" 2>&1" UninstallNetmonDrv: Info: WaitForSingleObject returned : 0x0 UninstallNetmonDrv: Info: Exit code for process : 0x0 UninstallNetmonDrv: Info: Leave. MSI (s) (FC:F4) [12:47:18:390]: Executing op: ActionStart(Name=ReinstallNohandleDrv,,) Action 12:47:18: ReinstallNohandleDrv. MSI (s) (FC:F4) [12:47:18:390]: Executing op: CustomActionSchedule(Action=ReinstallNohandleDrv,ActionType=1281,Source=BinaryData,Target=InstallNohandleDrvCA,CustomActionData=SystemFolder=C:\Windows\SysWOW64\;System64Folder=C:\Windows\system32\;SplunkHome=C:\Program Files\Splunk\;FailCA=) MSI (s) (FC:F4) [12:47:18:390]: Executing op: ActionStart(Name=UninstallRegmonDrv,,) Action 12:47:18: UninstallRegmonDrv. MSI (s) (FC:F4) [12:47:18:406]: Executing op: CustomActionSchedule(Action=UninstallRegmonDrv,ActionType=3073,Source=BinaryData,Target=UninstallRegmonDrvCA,CustomActionData=SystemFolder=C:\Windows\SysWOW64\;System64Folder=C:\Windows\system32\;SplunkHome=C:\Program Files\Splunk\;FailCA=) MSI (s) (FC:50) [12:47:18:453]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIF53D.tmp, Entrypoint: UninstallRegmonDrvCA UninstallRegmonDrv: Warning: Invalid property ignored: FailCA=. UninstallRegmonDrv: Info: Driver inf file: C:\Program Files\Splunk\bin\splunkdrv.inf. UninstallRegmonDrv: Info: Enter. UninstallRegmonDrv: Info: Service: splunkdrv, state: 1. UninstallRegmonDrv: Info: splunkdrv service does not exists. UninstallRegmonDrv: Info: Enter. Args: rundll32.exe, setupapi,InstallHinfSection DefaultUninstall 128 C:\Program Files\Splunk\bin\splunkdrv.inf UninstallRegmonDrv: Info: SystemPath is: C:\Windows\system32\ UninstallRegmonDrv: Info: Execute string: C:\Windows\system32\cmd.exe /c "C:\Windows\system32\rundll32.exe setupapi,InstallHinfSection DefaultUninstall 128 C:\Program Files\Splunk\bin\splunkdrv.inf >> "C:\Users\MUSZYN~1\AppData\Local\Temp\splunk.log" 2>&1" UninstallRegmonDrv: Info: WaitForSingleObject returned : 0x0 UninstallRegmonDrv: Info: Exit code for process : 0x0 UninstallRegmonDrv: Info: Leave. MSI (s) (FC:F4) [12:47:19:031]: Executing op: ActionStart(Name=ReinstallNetmonDrv,,) Action 12:47:19: ReinstallNetmonDrv. MSI (s) (FC:F4) [12:47:19:047]: Executing op: CustomActionSchedule(Action=ReinstallNetmonDrv,ActionType=1281,Source=BinaryData,Target=InstallNetmonDrvCA,CustomActionData=SystemFolder=C:\Windows\SysWOW64\;System64Folder=C:\Windows\system32\;SplunkHome=C:\Program Files\Splunk\;FailCA=) MSI (s) (FC:F4) [12:47:19:047]: Executing op: ActionStart(Name=UninstallNohandleDrv,,) Action 12:47:19: UninstallNohandleDrv. MSI (s) (FC:F4) [12:47:19:047]: Executing op: CustomActionSchedule(Action=UninstallNohandleDrv,ActionType=3073,Source=BinaryData,Target=UninstallNohandleDrvCA,CustomActionData=SystemFolder=C:\Windows\SysWOW64\;System64Folder=C:\Windows\system32\;SplunkHome=C:\Program Files\Splunk\;FailCA=) MSI (s) (FC:88) [12:47:19:094]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIF7BE.tmp, Entrypoint: UninstallNohandleDrvCA UninstallNohandleDrv: Warning: Invalid property ignored: FailCA=. UninstallNohandleDrv: Info: Driver inf file: C:\Program Files\Splunk\bin\SplunkMonitorNoHandleDrv.inf. UninstallNohandleDrv: Info: Enter. UninstallNohandleDrv: Info: Service: SplunkMonitorNoHandle, state: 1. UninstallNohandleDrv: Info: SplunkMonitorNoHandle service does not exists. UninstallNohandleDrv: Info: Enter. Args: rundll32.exe, setupapi,InstallHinfSection DefaultUninstall 128 C:\Program Files\Splunk\bin\SplunkMonitorNoHandleDrv.inf UninstallNohandleDrv: Info: SystemPath is: C:\Windows\system32\ UninstallNohandleDrv: Info: Execute string: C:\Windows\system32\cmd.exe /c "C:\Windows\system32\rundll32.exe setupapi,InstallHinfSection DefaultUninstall 128 C:\Program Files\Splunk\bin\SplunkMonitorNoHandleDrv.inf >> "C:\Users\MUSZYN~1\AppData\Local\Temp\splunk.log" 2>&1" UninstallNohandleDrv: Info: WaitForSingleObject returned : 0x0 UninstallNohandleDrv: Info: Exit code for process : 0x0 UninstallNohandleDrv: Info: Leave. MSI (s) (FC:F4) [12:47:19:703]: Executing op: ActionStart(Name=RemoveFiles,Description=Removing files,Template=File: [1], Directory: [9]) Action 12:47:19: RemoveFiles. Removing files MSI (s) (FC:F4) [12:47:19:703]: Executing op: ProgressTotal(Total=17609,Type=1,ByteEquivalent=175000) MSI (s) (FC:F4) [12:47:19:703]: Executing op: SetTargetFolder(Folder=C:\ProgramData\Splunk Enterprise\)
... View more
07-31-2023
11:55 AM
trying to upgrade our Windows Server 2019 based Splunk version 9.0.0 to 9.1.0.1 and it's randomly failing on 50% or half of our 12 servers in our lab the error below is from one of our non clustered Search Heads, others which are identical installed fine, we got the same error on our index Cluster Master Splunk Enterprise Setup Wizard ended prematurely Splunk Enterprise Setup Wizard ended prematurely because of an error. Your system has not been modified. To install this program at a later time, run Setup Wizard again. Click the Fiinish button to exit the Setup Wizard. Setup cannot copy the following files: Splknetdrv.sys SplunkMonitorNoHandleDrv.sys SplunkDrv.sys
... View more
Labels
- Labels:
-
Windows
06-22-2023
08:57 AM
thank you Rich for taking the time to comment, I agree with you however please check your own config as what I see is that Splunk runs it's own apps as Nobody, for example these: Splunk_Security_Essentials SplunkAppForWebAnalytics Splunk_ML_Toolkit Splunk_TA_microsoft-cloudservices Splunk_TA_microsoft-sqlserver splunk_instrumentation search splunk_monitoring_console sideview_utils simple_xml_examples splunk_archiver
... View more
06-22-2023
08:48 AM
same issue here 5 years later in 2023 on version 9.0.0 on a Windows platform, no clue what causes these random issues, we always put Splunk in maintenance mode when patching or doing any sort of maintenance, we do have an Index Cluster and it's a PIA
... View more
06-22-2023
08:42 AM
I don't understand the point of this link, it literally just takes us to the online Managing Indexers and Clusters of Indexers manual Use maintenance mode section
... View more
06-22-2023
07:55 AM
1 Karma
I realize this is an old thread but rather than starting a new one for the exact same issue I want to use this to show some history, it is 2023 now and we are on version 9.0.0 on a Windows platform and are still getting this same exact error I have opened a technical support case with Splunk and hope to provide you with updates, troubleshooting tips and hopefully a proper solution for this issue Note: in my case I found the "missing" buckets on the Index Cluster Master UI under Settings \ Index clustering \ Bucket Status \ Fix Up Tasks section
... View more
06-19-2023
10:32 AM
would there ever be a scenario where its acceptable to have enabled alerts and or reports running which are not assigned to anybody ie owner = Nobody
... View more
Labels
- Labels:
-
administration
06-16-2023
08:51 AM
For example if there are two Search Heads and I go to Settings \ Searches, reports, and alerts on Search Head 1 and I list all the Alerts am I looking at all the Alerts in our Splunk Environment or only the ones running on this Search Head I'm asking cause we have so much stuff running that no one is looking at, that I want to start Disabling some Alerts in order to increase performance I know that one Search Head belongs to my group and the other one to another group of Splunk users so I want to turn off Alerts on our Search Head only and not for everyone I hope this makes sense, thank you
... View more
- Tags:
- alerts
Labels
- Labels:
-
configuration
06-12-2023
03:15 PM
so we have a Deployment Server with an application on there that already sends the three basic Windows Event logs (Application, Security, and System) to an Index say called EventLogs. Can we in the same app have the same three logs be sent to a second Index say called EventLogs2?
I know this may sound a bit crazy but this is just for troubleshooting and will be only implemented for a couple days.
the inputs.conf stanzas look something like this:
[WinEventLog://System] index=EventLogs disabled = false
[WinEventLog://System] index=EventLogs2 disabled = false
... View more
Labels
- Labels:
-
configuration
04-05-2023
11:22 PM
you are right I am sorry, before I post the full query I just want to say that this report used to work and we made no changes to the query or to the report and just this one field out of six stopped populating
... View more
04-05-2023
01:53 PM
We have a scheduled report that used to work, and now one of the six fields does not populate in the report, ie shows no values, however when we run the search just as a regular search all fields populate including that one the field is called SystemUpTime | eval SystemUpTime=tostring(SystemUpTime,"duration") | table host, SystemUpTime ]
... View more
Labels
- Labels:
-
using Splunk Enterprise
02-17-2023
11:02 AM
Paul you my friend are a Rock Star !!! that's exactly what I needed
... View more
02-16-2023
11:00 AM
On Splunk 9.0.0 on windows on one of our dedicated Deployment servers when we go to Settings \ Forwarder Management in the Web UI we get a nice list of Clients aka systems running the Universal Forwarder so far so good
My question is how can I see what Search is generating this result ie this list of machines? unlike some of the other screens there is no magnifying glass icon to click on to invoke the search pane
... View more
Labels
- Labels:
-
other
02-08-2023
01:32 PM
1 Karma
I ranned this and found some clues | rest splunk_server=local /servicesNS/-/-/saved/searches | table title eai:acl.app eai:acl.owner search | where match(search,"computers.csv")
... View more
02-08-2023
11:46 AM
thanks Rich I ran those searches in two separate Splunk environments (the lookup is working in one but not in the other) and got this error in both: No results found. Try expanding the time range. even after expanding the time range to 30 days I get nothing, plus I don't understand what you are having me do, could you explain please
... View more
02-08-2023
10:36 AM
I inherited a Splunk environment I was informed the other day that a computers.csv lookup is not generating any results, is there a way to find out what should be populating that file which is currently empty, I did find the App which houses the lookup csv
... View more
Labels
- Labels:
-
CSV
01-13-2023
04:11 PM
alright this one really bothers me because Splunk is saying we MUST have a branded product called Symantec Endpoint Protection enabled in order to configure Enterprise Security Think about it, do you even own this product?
... View more
01-13-2023
03:48 PM
I know stop it already, I get it: so we gonna double up on these
... View more
01-13-2023
03:00 PM
ah yup Error occurred attempting to enable SA-AuditAndDataProtection: .
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
a month ago
|
Karma given to
