Under each Splunk application there is a folder named “README”, and there is something behind it. Common sense says it’s just a documentation folder, it’s not critical, and we can get rid of it. But no: Splunk uses that folder to check the input parameters for your application. If you remove that folder, none of your modular inputs will work, and Splunk does not show any error in the log. The folder contains files such as inputs.conf.spec; Splunk reads this file to know which script it should run when Splunk starts. It took me 3 days to figure this out. one of …

When we upgraded to Splunk 8.2, this module stopped working. Why? Splunk 8.2 uses Python 3 by default, and this add-on is not compatible with Python 3. How did we fix it? Logs? Surprisingly, we don’t see any error in the log. After some research we found that Splunk allows us to choose the Python version with the option python.version = python2. In our case we edit the file /opt/splunk/etc/apps/[our_emc_app_name]/default/inputs.conf as below. Restarting Splunk will fix the issue. Note: Don’t change the Python version in server.conf; if you change the version in server.conf, that version will apply to the whole system, …

When we connect to Oracle, besides the host/port and username/password, there is another important parameter: the SID or Service_name. I’m not an Oracle expert but I think SID and Service_name, sometimes we are given a name but we are not sure if it’s a SID or a service_name. This code below will use it as a SID: In the case below I believe a DSN like this was created:
dsn = cx_Oracle.makedsn(args.hostname, args.port, service_name=args.db_name)
The code below will use it as a service_name …

www-data 4650 0.0 0.1 43428 4532 ? S 04:58 0:00 /usr/sbin/postdrop -r
www-data 4855 0.0 0.1 43428 4528 ? S 05:02 0:00 /usr/sbin/postdrop -r
www-data 6940 0.0 0.1 43428 4528 ? S 05:57 0:00 /usr/sbin/postdrop -r
www-data 7251 0.0 0.1 43428 4528 ? S Nov09 0:00 /usr/sbin/postdrop -r
www-data 14872 0.0 0.1 43428 4532 ? S 08:52 0:00 /usr/sbin/postdrop -r
My challenge: I see a lot of errors in the Apache error.log:
postdrop: warning: mail_queue_enter: create file maildrop/733089.31799: Permission denied
postdrop: warning: mail_queue_enter: create file maildrop/240934.11141: Permission denied
Let’s log in as www-data:
su -s /bin/bash www-data
Run it as www-data:
/usr/sbin/postdrop
postdrop: warning: mail_queue_enter: create file …

We have some accounts such as postfix and apache. These accounts have a “nologin” shell, meaning you can’t “sudo su - apache” or “su - apache”. Sometimes we need to log in to these accounts to run some commands to check permission issues. The solution is: su -s /usr/bin/bash apache (as you can see in the command, we explicitly provide the shell instead of using the system default) …

Downsampling:
1.8: you can have multiple retention policies per database.
2.0: one bucket, one retention. You need to downsample to a different bucket.
Query:
1.8: can only use InfluxQL
2.0: can use Flux and InfluxQL
Continuous Query
Continuous queries are replaced with Tasks: you need to convert the InfluxQL in your continuous query to a Flux query and set up the task.
Convert InfluxQL to Flux query: https://docs.influxdata.com/influxdb/v2.0/upgrade/v1-to-v2/migrate-cqs/
DownSampling
data3 = from(bucket: "telegraf")
  |> range(start: v.timeRangeStart, stop: v.timeRangeStop)
  |> filter(fn: (r) => (r._measurement =~ /system.*/))
data3
  |> aggregateWindow(fn: mean, every: 1h)
  |> filter(fn: (r) => (exists r._value))
  |> to(bucket: "telegraf_30min", org: "MyHomeInflux")
Sampling is easy, don’t …