About malmoore

malmoore · ‎07-22-2014

Hi, Like RPM, pkgadd expects you to use it to install/update files and packages consistently. If you used pkgadd to install the product initially, you should continue to use it to install updates. To answer your question about new installation, it really depends on what you want. pkgadd allows for smoother updates as long as you have access to updated .pkg files. I personally would use a tarball because it gives me more control over the installation process. But then, I'm old school and that route is significantly less automated. 😉

malmoore · ‎06-17-2014

SA-nix is located inside the "install" directory of the Splunk App for Unix and Linux installation package ( splunk_app_for_nix\install ).

malmoore · ‎05-22-2014

Hi, What user did you initially install Splunk as? Check Event Viewer to see what errors the Splunk installer generated. Best practices require that you uninstall and install Splunk with an administrator-level account at all times. If you can give some more context as to your current situation, perhaps I can help further.

malmoore · ‎05-20-2014

This likely is a bug (MSAPP-2633) that has been fixed and will be addressed in an update soon. While I cannot give details on when a release is planned, I can advise that we are aware of it. Thank you for your patience.

malmoore · ‎05-19-2014

You still need to install the add-ons that come with the app onto your Windows servers before they can collect data and send to the app. More information here: http://docs.splunk.com/Documentation/MSApp/1.0/MSInfra/HowtodeploytheSplunkAppforWindowsInfrastructure

malmoore · ‎01-28-2014

This is actually a (minor, but tacky) bug in our installer. We shouldn't be using our docs to point people at hidden directories to do installs. We should either have the installer package available and visible in the DMG or make sure whatever we do display on the DMG links to the correct package file, wherever we decide to place it. I've filed a bug.

malmoore · ‎01-10-2014

Not if you add a 'blacklist' entry that contains the machines you don't want the app deployed on to the global stanza. Remember, filterType as whitelist means blacklisted items get excluded unconditionally.

malmoore · ‎12-04-2013

What exactly was wrong? I don't see a difference other than the stanza name.

malmoore · ‎12-04-2013

Hi, In order to get information from all of the databases, you need to install UF on all of the DAGs. The active DAG node has the databases mounted; the scripts are smart enough to determine this and will not cause issues on the passive nodes. With regards to using AD service accounts for the Exchange app, it's best to use the Local System account, because using AD service accounts is a fairly significant security risk. If you have to use an AD service account, that account must, at a minimum: Be a local administrator, and Be an Exchange administrator, and Have service rights to every Exchange mailbox. Hope this helps.

malmoore · ‎11-22-2013

We will have an official statement on this in the Splunk documentation shortly. I'll update this comment with appropriate URLs at the proper time.

malmoore · ‎10-17-2013

There is no direct upgrade path from version 4.6 of the Unix App to version 5.0. You should not attempt to install version 5.0 over 4.6. You can run both version 4.6 and 5.0 at the same time; Version 5.0 can be configured to read the data that Version 4.6 stored. How do I upgrade from a previous version?

malmoore · ‎09-18-2013

Not sure, sorry. I can't think of any way a GPO would remove users from a group without an intermediate script doing the actual group changes. We don't provide or ask you to install any scripts in these instructions. What appears to be the case here is a misstep in removing users from a group versus removing users from a GPO's security filter.

malmoore · ‎09-17-2013

Hi, Is it possible that you missed a step? This page does not say to remove Enterprise Admins or Domain Admins from any group policy object security filtering. It says to remove the Authenticated Users group to prevent the GPO from applying except for the Splunk user and Splunk computer accounts. Also, the GPO that the page asks you to build for the purposes of running Splunk as a domain user does not reduce rights, it increases them. This is another reason why we limit its application to only the Splunk user and computer accounts, and not any authenticated user. We have tested these user rights assignments with success and even run networks here with the GPO we ask customers to build. It seems as though we do not have the full story here. Can you please provide additional information about your setup?

malmoore · ‎07-22-2013

I will update the ticket I opened with your additional requests. While I can't guarantee or estimate a fix, I can say that your concerns will be noted. Thanks for your feedback. We actually have plans to include screenshots in the documentation. Responses like yours validate that need. Was there anything else you would have liked to see in the official manual?

malmoore · ‎07-22-2013

Hi, I've forwarded this report to the Windows team for triage and analysis. In the meantime, you said you were writing a user manual for AD admins to know what information the app provides. What specific things were you looking for in the official product documentation that you didn't see?

malmoore · ‎06-21-2013

Hi, There's no way to handle alert escalation out of the box. You could, however, edit the sendemail.py Python script that fires when an alert triggers to introduce/keep state and handle escalation logic. You would need to be versant in Python to do so. Cheers

malmoore · ‎06-07-2013

You can enable inputs in three ways officially: Via the CLI: http://docs.splunk.com/Documentation/UnixApp/latest/User/First-timeconfiguration With configuration files: http://docs.splunk.com/Documentation/UnixApp/latest/User/InstalltheSplunkTechnicalAddonforUnixandLinux#Enable_data_and_scripted_inputs_in_the_TA Via the setup dialog As this is the Splunk TA for Unix and Linux, there's not really much to see, as it does not have more than a configuration UI in Splunk Web. You usually use the TA to forward *nix data to another instance which runs the Splunk App for Unix and Linux.

malmoore · ‎06-06-2013

If you could tell me where you found the documentation confusing, that would be most helpful. Remember also that you need to install the Splunk TA for Windows as well as the Splunk App for Active Directory helper TAs for the version of Windows Server that the domain controllers and DNS servers in your environment run. http://docs.splunk.com/Documentation/ActiveDirectory/latest/DeployAD/Deploymentprocess#x3._Install_and_configure_universal_forwarders_on_AD_servers

malmoore · ‎06-05-2013

Hi kmsnyde, .tar.gz and .tgz are the exact same type of file. Your *nix system should have no trouble reading the file. You can install the TA using the same instructions.

malmoore · ‎05-08-2013

That is correct, %SPLUNK_HOME\etc\apps .

malmoore · ‎05-07-2013

Hi, Firstly, we noted some areas in the Splunk App for Active Directory docs which might lead to confusion and are addressing those issues. If you wouldn't mind noting any other areas you found confusing, that would be great. We really do appreciate the feedback. The upshot is, while the Splunk App for AD is a fairly complex application to install and configure, the only configuration file you need to edit in a standard Splunk App for Active Directory setup is ldap.conf, as described here. The quickest procedure for a "Nothing to Active Directory" setup would be: 1. Prepare your AD for data collection, as described here. 2. Download and place in an accessible location: full Splunk. the Windows version of the Splunk universal forwarder. the Splunk App for Active Directory. the SA-ldapsearch supporting add-on. the Splunk Technology Add-on for Windows. Sideview Utils v1.3.2 or later. 3. Install full Splunk on a server. This server becomes your central Splunk instance. 4. Configure the instance to be a receiving indexer. 5. Install the universal forwarder onto a domain controller. During the installation process, configure the forwarder to send data to the receiving indexer. 6. Unpack the Splunk App for Active Directory installation package. Within it, you'll find the Splunk App for Active Directory TAs (in Splunk_for_ActiveDirectory\appserver\addons ). 7. Move the appropriate TAs to %SPLUNK_HOME%\etc\apps on the domain controller, depending on which version of Windows it runs. You do not need to edit any configuration files. 8. Install the Splunk TA for Windows on the domain controller. 9. On the central Splunk instance, install: the Splunk App for Active Directory. the SA-ldapsearch supporting add-on. the Splunk Technology Add-on for Windows. Sideview Utils. 10. Edit ldap.conf in %SPLUNK_HOME%\etc\apps\SA-ldapsearch\local . 11. Restart all Splunk instances to ensure the changes take effect. This should give you a minimal, running Splunk App for Active Directory deployment. Specific steps are covered in detail in "How to deploy the Splunk App for Active Directory". If you have additional domain controllers in your AD environment and want data from them, repeat Steps 5, 7, and 8. Again, the Splunk App for Active Directory is a complex application to install, and requires an in-depth knowledge of both distributed Splunk and Active Directory. You might want to engage Professional Services for assistance if this procedure doesn't help. That said, we constantly review the documentation and thank you for assisting us in our efforts to improve it.

malmoore · ‎04-22-2013

Hi, After further consultation with the engineers who develop the Windows TA, I need to amend my answer to your question. I apologize in advance for the inconvenience and confusion. It turns out that you do indeed need to install the Splunk TA for Windows onto the *nix indexers in the central Splunk App for Windows instance. While the TA does not collect Windows data on *nix servers, it does perform index-time field extractions on the incoming Windows data from universal forwarders. You won't see the Windows TA in your *nix indexer's Splunk Web app list because TAs by definition have no user interface.

malmoore · ‎03-28-2013

Hi Bkcarter (and sowings): We're updating the Unix app documentation to help reduce confusion and the presumption that Unix App users will automatically know where everything goes. The next version of the Unix App docs will have extensive information on how to deploy the app in distributed environments, cross-platform compatibility, and more. This version will initially get deployment location info. While we can't possibly document every potential use case for these apps and add-ons, your feedback helps us ensure that the most relevant ones have representation.

malmoore · ‎03-26-2013

So even if I have: only one app to deliver configured my deployment clients to connect to this DS placed my app in $SPLUNK_HOME/etc/deployment-apps you're saying I still need to edit serverclass.conf to include at least the [global] stanza and [serverClass:blah:app:my-app] ? It would seem to me that, with the defaults, I should not have to make changes to serverclass.conf in this specific scenario where I have one app, all clients should get that app, and the app is on the deployment server. Appreciate the guidance on this.

malmoore · ‎03-25-2013

Hi, Let's say I have a large network of computers with universal forwarders installed on them. Let's also say that they will all run the same app on their universal forwarders. Let's additionally say I have a deployment server. Will a deployment server by default deploy any apps installed in $SPLUNK_HOME/etc/deployment-apps? For example, if I configure the universal forwarders to all point to the deployment server, and then configure and place my app into $SPLUNK_HOME/etc/deployment-apps on my deployment server, must I also edit serverclass.conf before the deployment server will begin to deploy apps to the universal forwarders?

Posts	192
Solutions	21
Karma Given	11
Karma Received	164
Member Since	‎10-06-2010

Online Status	Offline
Date Last Visited	‎09-10-2020 04:31 PM

Multiline events ingested by Splunk at different t...

I installed the Splunk Enterprise version 7.2 tria...

What software package dependencies are there for S...

Deployment server: Edit of serverclass.conf requir...

When will Splunk support Mac OS X 10.8 Mountain Li...

Does enabling Splunk Free force all incoming data ...

Re: Solaris 11 x86: upgrade Splunk Enterprise from...

Re: Where to find SA-nix

Re: splunk installation error

Re: Splunk App for Windows Infrastructure - dashbo...

Re: Splunk app for windows infrastructure not show...

Re: OSX Forwarder install documentation wrong?

Re: Per-app machineTypesFilter broken in servercla...

Re: Performance Monitoring not working on windows ...

Re: Splunk App for Exchange

Re: On RH 6 and Splunk 6 my searches are consuming...

Re: App Removal ?

Re: Splunk Docs Locked me out of my DC

Re: Splunk Docs Locked me out of my DC

Re: Splunk App for AD has wrong title for a DNS Re...

Re: Splunk App for AD has wrong title for a DNS Re...

Re: Alert Escalation?

Re: Splunk TA for *nix installation

Re: TA for Windows AD

Re: How to install Splunk TA for Unix on a Univers...

Re: From Nothing to Active Directory

Re: From Nothing to Active Directory

Re: Splunk App for Windows on *nix indexer/search ...

Re: Where to install an app?

Re: Deployment server: Edit of serverclass.conf re...

Deployment server: Edit of serverclass.conf requir...

Join the Conversation