Sounds like you have a firewall blocking port 8089, either on the host or on your network, in front of the host. ... View more

Have you confirmed that there is no firewall in place on the Splunk host? Check which interface is listening on port 8089 (run netstat -an on the Splunk host)? Is it 0.0.0.0:8089? You can also try to telnet to port 8089 from the host that you're trying to run your Java app from, to see if you can connect that way. ... View more

Another option would be to request a developer license on the dev website: http://dev.splunk.com/ ... View more

You might want to give alwaysOpenFile = 1 a try. From the docs: http://docs.splunk.com/Documentation/Splunk/5.0.2/admin/Inputsconf alwaysOpenFile = [0|1] Opens a file to check whether it has already been indexed. Only useful for files that don't update modtime. Only needed when monitoring files on Windows, mostly for IIS logs. This flag should only be used as a last resort, as it increases load and slows down indexing. Defaults to 0. ... View more

Do you have Splunk listening on port 514? If so, the first stanza in props.conf should force the sourcetype of snort on just the snort logs from the input. ... View more

Yep, you're right. I just changed them around. ... View more

Add the following to your configuration files for pfsense: ------- transforms.conf ###### snort ###### [force_sourcetype_for_snort] DEST_KEY = MetaData:Sourcetype REGEX = \w+\s+\d+\s+\d+\:\d+\:\d+\s+[^\s]+\s+snort\[\d+\]\: FORMAT = sourcetype::snort [category_for_snort] REGEX = Classification\:\s+([^\]]+) FORMAT = category::"$1" [dest_ip_for_snort] REGEX = \-\>\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) FORMAT = dest_ip::$1 [dest_port_for_snort] REGEX = \-\>\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:(\d+) FORMAT = dest_port::$1 [pid_for_snort] REGEX = snort\[(\d+) FORMAT = pid::$1 [severity_id_for_snort] REGEX = Priority\:\s+(\d+) FORMAT = severity_id::$1 [signature_for_snort] REGEX = snort\[\d+\]\:\s+\[[^\]]+\]\s+(.*?)(\s+\[Classification|\[Priority) FORMAT = signature::"$1" [signature_id_for_snort] REGEX = snort\[\d+\]\:\s+\[([^\]]+) FORMAT = signature_id::"$1" [src_ip_for_snort] REGEX = \{\w+\}\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) FORMAT = src_ip::$1 [src_port_for_snort] REGEX = \{\w+\}\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:(\d+) FORMAT = src_port::$1 [transport_for_snort] REGEX = \{([^\}]+) FORMAT = transport::$1 ------- props.conf [source::udp:514] # --- May need to change this source, depending on how you're collecting the data TRANSFORMS-force_sourcetype_for_snort = force_sourcetype_for_snort [snort] SHOULD_LINEMERGE=false REPORT-category_for_snort = category_for_snort REPORT-dest_ip_for_snort = dest_ip_for_snort REPORT-dest_port_for_snort = dest_port_for_snort REPORT-pid_for_snort = pid_for_snort REPORT-0severity_id_for_snort = severity_id_for_snort REPORT-signature_for_snort = signature_for_snort REPORT-signature_id_for_snort = signature_id_for_snort REPORT-src_ip_for_snort = src_ip_for_snort REPORT-src_port_for_snort = src_port_for_snort REPORT-transport_for_snort = transport_for_snort ... View more

Your dashboards must exist in another app, other than search then. You can determine which app by looking at the URL when you're viewing the dashboard in question. http:// :8000/en-US/app/ / ... View more

touche. I did say ONE option though 😉 ... View more

One option is to adjust your object-level auditing in Windows to a more appropriate level, if this is too verbose. ... View more

Dashboards are stored on your Splunk search head in xml format. You can find them in $SPLUNK_HOME/etc/apps/ /local/data/ui/views Note: If you have a default install and you haven't created your own apps, it's likely that your dashboards are in the search app. ... View more

As you've discovered, inputcsv is the correct answer here. If the csv file can only be generated on your local drive, you should write a script that takes the local file and uploads it to the proper location on the Splunk server. ... View more

There is no hard limit and it will require some testing to discover the breaking point. This question, looking for the same answer, basically says the same: http://splunk-base.splunk.com/answers/57806/is-there-a-limit-on-the-number-of-files-a-forwarder-can-monitor How are the files being written now? Are they in separate directories? Is there a naming convention? ... View more

It is possible to run multiple instances of Splunk forwarders. This is particularly easy on *nix systems. With this number of files, you may want to investigate this solution. ... View more

Here is an option, that is different from what you propose but potentially less complicated. There is an app on SplunkBase, called "Splunk Real-Time Output": http://splunk-base.splunk.com/apps/48082/splunk-real-time-output The app will allow you to create a search in Splunk, against the wireless controller data, that you are already collecting, and forward it via syslog (either UDP or TCP) to another device. This will eliminate the need to utilize vbscript and I suspect, be far easier to maintain. ... View more

You may want to try rebuilding the report acceleration summaries by going to Manager > Report Acceleration Summaries, clicking the Summary ID and then rebuild. As for the "Pending" state, what version of Splunk are you using? You may be hitting this bug, which was fixed in 5.0.2: "Status of a summary is always pending unless it's building. (SPL-56451)" ... View more

Have you considered bringing this all in, as a single event and then just piping it to multikv at search time? This will utilize the header as the field name and eliminate the overhead of processing this pre-index. ... View more

The best option is to install a universal forwarder on the server, where the logs are generated. The forwarder can send the logs to the indexer (your primary Splunk server). ... View more

This seems to be an encoding mismatch. These should provide some insight: http://docs.splunk.com/Documentation/Splunk/5.0.2/data/Configurecharactersetencoding http://wiki.splunk.com/Community:WindowsCharacterEncoding ... View more

Take a look at this doc, to help better understand configuration file precedence. http://docs.splunk.com/Documentation/Splunk/5.0.2/Admin/Wheretofindtheconfigurationfiles ... View more

Here is another good example and shows how to return just the hostname or host IP to your outer search: http://splunk-base.splunk.com/answers/1212/can-a-subsearch-return-only-the-value-without-the-fieldname ... View more

Actually, you don't need to assign anything in the subsearch to a field to use it. The outer search will replace the bracketed portion with the results of the subsearch. Take a look at this for some examples: http://docs.splunk.com/Documentation/Splunk/5.0.2/Tutorial/Useasubsearch ... View more

Technically two searches, with one as a subsearch: primary search [subsearch] subsearch = host that has triggered a snort alert (the hostname is returned for use in the primary search) primary search = search for connection in the NAT table for host returned by subsearch ... View more