https://community.splunk.com/t5/Getting-Data-In/What-do-Splunk-Ninjas-think-are-the-top-three-daily-Splunk-tasks/m-p/241472#M46839 <P>Y'all need to put more smileys in your posts to help us old geezers know you were joking. Geez. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Plus I am cleaning up a duplicate comment and am slightly rearranging the remaining, since they were responses to one another.</P> Fri, 18 Nov 2016 14:20:15 GMT Richfez 2016-11-18T14:20:15Z https://community.splunk.com/t5/Getting-Data-In/What-do-Splunk-Ninjas-think-are-the-top-three-daily-Splunk-tasks/m-p/241464#M46831 <P>Hello all,</P> <P>I am trying to build a workflow for our new Splunk product and want to know what top three regular daily tasks you may do in Splunk Enterprise. This includes anything in regards to ES administration as well and maintenance tasks.</P> <P>If anyone has suggestions, I would certainly appreciate your feedback. This new environment has 5 indexers in a cluster, three search heads in a cluster and several heavy forwarders with a ton of data sent via forwarders. Comments anyone?</P> Thu, 17 Nov 2016 18:26:48 GMT https://community.splunk.com/t5/Getting-Data-In/What-do-Splunk-Ninjas-think-are-the-top-three-daily-Splunk-tasks/m-p/241464#M46831 brian1_tate 2016-11-17T18:26:48Z https://community.splunk.com/t5/Getting-Data-In/What-do-Splunk-Ninjas-think-are-the-top-three-daily-Splunk-tasks/m-p/241465#M46832 <P>@brian1_tate - When you say "ES" are you referring to the app "<A href="https://splunkbase.splunk.com/app/263/">Splunk Enterprise Security</A>"? Because that is usually what "ES" refers to. Please clarify, thank you!</P> Thu, 17 Nov 2016 18:46:19 GMT https://community.splunk.com/t5/Getting-Data-In/What-do-Splunk-Ninjas-think-are-the-top-three-daily-Splunk-tasks/m-p/241465#M46832 aaraneta_splunk 2016-11-17T18:46:19Z https://community.splunk.com/t5/Getting-Data-In/What-do-Splunk-Ninjas-think-are-the-top-three-daily-Splunk-tasks/m-p/241466#M46833 <P>That's correct but in general, I wanted to get people's feedback on what daily/weekly tasks they perform as I am transitioning from ArcSight to Splunk.</P> Thu, 17 Nov 2016 19:53:55 GMT https://community.splunk.com/t5/Getting-Data-In/What-do-Splunk-Ninjas-think-are-the-top-three-daily-Splunk-tasks/m-p/241466#M46833 brian1_tate 2016-11-17T19:53:55Z https://community.splunk.com/t5/Getting-Data-In/What-do-Splunk-Ninjas-think-are-the-top-three-daily-Splunk-tasks/m-p/241467#M46834 <P>Answer questions on why shouldn't we use ELK/open-source...</P> Thu, 17 Nov 2016 20:01:06 GMT https://community.splunk.com/t5/Getting-Data-In/What-do-Splunk-Ninjas-think-are-the-top-three-daily-Splunk-tasks/m-p/241467#M46834 a212830 2016-11-17T20:01:06Z https://community.splunk.com/t5/Getting-Data-In/What-do-Splunk-Ninjas-think-are-the-top-three-daily-Splunk-tasks/m-p/241468#M46835 <P>That's not relevant here. All I'm looking for is general procedural steps for those that use Splunk Enterprise with ES as a SIEM. I have those for ArcSight but after working with a larger Splunk environment, frankly the largest I have ever encountered - one would have them or develop them. So in this case, I am developing them based upon my own experiences and based upon those that others may use in day to day operations. </P> <P>If you just say, I use Splunk - best wishes in justification of your career...</P> Thu, 17 Nov 2016 22:59:13 GMT https://community.splunk.com/t5/Getting-Data-In/What-do-Splunk-Ninjas-think-are-the-top-three-daily-Splunk-tasks/m-p/241468#M46835 brian1_tate 2016-11-17T22:59:13Z https://community.splunk.com/t5/Getting-Data-In/What-do-Splunk-Ninjas-think-are-the-top-three-daily-Splunk-tasks/m-p/241469#M46836 <P>It's a joke. Lighten up Francis. </P> Fri, 18 Nov 2016 03:42:37 GMT https://community.splunk.com/t5/Getting-Data-In/What-do-Splunk-Ninjas-think-are-the-top-three-daily-Splunk-tasks/m-p/241469#M46836 a212830 2016-11-18T03:42:37Z https://community.splunk.com/t5/Getting-Data-In/What-do-Splunk-Ninjas-think-are-the-top-three-daily-Splunk-tasks/m-p/241470#M46837 <P>So, most of what I do is set up alerts to advise me about potential issues, for ES this has included:</P> <OL> <LI>Sources no longer sending data ( <CODE>| tstats max(_indextime) where ...</CODE> or similar is very useful here)</LI> <LI>Users exceeding there quota (disk quota, search quota), often this is harmless but sometimes I review the limits to see if they are appropriate.</LI> <LI>Check for badly written/long running searches via the monitoring console (this one is more a manual task for now).</LI> </OL> <P>There would be many other potential things on a daily basis, one thing I do try to do is review the error logs...</P> Fri, 18 Nov 2016 07:19:55 GMT https://community.splunk.com/t5/Getting-Data-In/What-do-Splunk-Ninjas-think-are-the-top-three-daily-Splunk-tasks/m-p/241470#M46837 gjanders 2016-11-18T07:19:55Z https://community.splunk.com/t5/Getting-Data-In/What-do-Splunk-Ninjas-think-are-the-top-three-daily-Splunk-tasks/m-p/241471#M46838 <P>Don't call me Francis . </P> <P><A href="https://www.youtube.com/watch?v=IMtvnAmfuf8">https://www.youtube.com/watch?v=IMtvnAmfuf8</A></P> Fri, 18 Nov 2016 14:13:20 GMT https://community.splunk.com/t5/Getting-Data-In/What-do-Splunk-Ninjas-think-are-the-top-three-daily-Splunk-tasks/m-p/241471#M46838 klaxdal 2016-11-18T14:13:20Z https://community.splunk.com/t5/Getting-Data-In/What-do-Splunk-Ninjas-think-are-the-top-three-daily-Splunk-tasks/m-p/241472#M46839 <P>Y'all need to put more smileys in your posts to help us old geezers know you were joking. Geez. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Plus I am cleaning up a duplicate comment and am slightly rearranging the remaining, since they were responses to one another.</P> Fri, 18 Nov 2016 14:20:15 GMT https://community.splunk.com/t5/Getting-Data-In/What-do-Splunk-Ninjas-think-are-the-top-three-daily-Splunk-tasks/m-p/241472#M46839 Richfez 2016-11-18T14:20:15Z