The sourcetype below will get you the field extracts / aliases that will populate most of the dashboards (events, in-bound out-bound etc.) The dashboards that will not populate by default will be the bandwidth ones since it does not collect that data from the router source type. Let me know if you run into any issues getting the fields to properly extract / alias. ... View more

Noted, thank you for bringing that up. This is the reason why I set the default to disabled so that it would not eat up bandwidth. ... View more

Yes, you can install the Splunk Add-on for AWS on an on-prem server and have it pull the data down from AWS and then forward it to your indexers. You will only need an AWS account with programatic access along with the Access and Secret keys. ... View more

You need to add the Splunk Add-on for AWS to setup your credentials and inputs. You can either use your Access Key / Secret Key for the credentials, or you can grant your AMI access via an EC2 role. The second option is if you are running the AMI in your AWS deployment. The Add-on can be found here: https://splunkbase.splunk.com/app/1876/ ... View more

If you have the AMI in your AWS deployment, then you can attach an EC2 role to your AMI. Here are the steps to accomplish this: 1) Create the Splunk Policy using this documentation: http://docs.splunk.com/Documentation/AddOns/released/AWS/ConfigureAWSpermissions Call it "SplunkPolicy" 2) Open IAM-> Click on Roles -> click on Create Role -> (Under AWS Service) click on EC2 then click on Next:Permissions 3) Search for your SplunkPolicy that you just created and select it using the checkbox; and click "Next:Review" 4) Name the role, "SplunkEC2Role" and click Create Role 5) Under the EC2 Instances dashboard, click on the Instances link. 6) Select your instance, then click Actions -> Instance Settings -> Attach/Replace IAM role and select the EC2 policy you just created. This will allow the Add-on to auto discover the policy and you should be able to use this role to start collecting data. ... View more

Try not using the self-signed cert with Splunk and see if that fixes your SSL issue from GCP. ... View more

Splunk Cloud offers 38 concurrent searches per the documentation: https://docs.splunk.com/Documentation/SplunkCloud/7.0.0/Service/SplunkCloudservice and look under "Splunk Cloud service limits and constraints" Please note, that this is a service and the concurrent search load might change with newer versions of the Splunk Cloud service offering. ... View more

Anytime, let me know if you have any issues setting it up. ... View more

The deployment server does not fix the cert issue on the F5. One of the features of the Firehose mechanism is that it will failover the events to an S3 bucket to ensure the events will eventually make it into Splunk. ... View more

I documented a fix for that on the wiki for the Home Monitor App on Github: wiki help Let me know if that works, otherwise I'll dig around and see how I can help you out. ... View more

I'm aware of this issue and have a fix lined up for the next version of the app. The plan is to use a simple script to get the public IP and display it. I'm planning to release the next version shortly. ... View more

Yes, I have that fixed in the next release of the app. For now, it's just looking at the logs to see the highest occurrence of a public IP. In the next release it uses a simple script to determine your public IP. ... View more

Can you consider this thread answered? ... View more

No worries, I'm glad it started to work. As for the other data that is being sent, you can eventually build your own dashboards and reports. They will not interfere with the existing dashboards and reports for the app. ... View more

The data coming from the _internal index shows that the input is up. The count shows that some data is coming in, now let’s make sure it is breaking and extracting data. Run these searches: Index=homemonitor sourcetype=asus | stays count by src_ip, src_port, dest_ip, dest_port ... View more

The bandwidth script does not currently work on Windows since I could not test the script on my Windows 10 box. If you have a script that works, I would be more than happy to add it to the app so that windows users can see their bandwidth tests as well. ... View more

It looks like you have : 1) Splunk accepting data on port 514 (Splunk search to make sure it's working, index=_internal sourcetype=splunkd udpin_connections* will show you that Splunk is listening and the metrics of the data flowing in on port 514. 2) Windows firewall allowing UDP 514 into your Splunk box. 3) What does index=homemonitor | stats count by sourcetype show you? If you are seeing sourcetype=syslog in your homemonitor index, then it's a simple transforms issue we can fix. Otherwise, if you have no other syslog data coming into your Windows box, just make the default sourcetype for UDP:514 be asus . ... View more

https://github.com/amiracle/homemonitor/wiki/Windows-10-and-Splunk-Enabling-syslog-UDP-514 I tested this on a Windows 10 Pro box in my Oracle Virtual Box setup, it worked. I setup a page that walks through setting up Splunk with the firewall. Can you tell me your Windows 10 version (Pro, S, EDU etc.)? Also, can you run "netstat -an" and see if UDP 0.0.0.0:514 * shows up? ... View more

My assumption is that Windows is not listening on port 514 or 1514 since Splunk is not authorized to open the ports. I’m going to play with my windows 10 Vm and try to get it to work. ... View more

In Splunk, you should add the second account using the arn for Account B "arn:aws:iam::ACCOUNTB:user/splunkcollectinguser" . Go to your Splunk Add-on for AWS, click on Configuration then click on the IAM Role tab and click the "Add" button. Give the name to this account and paste the ARN. Now, this account will be available for you to AssumeRole and collect data from Account B. ... View more

Still working on this internally. Hope to have a response soon. ... View more

According to our docs mentioned above: Note: "The Kinesis data input only supports gzip compression or plaintext data. It cannot ingest data with other encodings, nor can it ingest data with a mix of gzip and plaintext in the same input. Create separate Kinesis inputs for gzip data and plaintext data." So it looks like we do not have a way to read encrypted Kinesis streams with the current Add-on. ... View more

To quote a fellow Splunker, “Kam I am.” ... View more