Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About mikelanghorst
mikelanghorst
Motivator
Member since:
11-03-2010
08-29-2025
Community Statistics
| Posts | 286 |
| Solutions | 20 |
| Karma Given | 360 |
| Karma Received | 229 |
| Member Since | 11-03-2010 |
Activity Feed
- Got Karma for Re: What are the ports that I need to open?. 04-16-2025 05:18 AM
- Posted Re: Splunk 9.3+ Deployment on CIS Red Hat 9 level 1 image - No GUI on Deployment Architecture. 04-02-2025 03:34 PM
- Karma Re: Splunk 9.3+ Deployment on CIS Red Hat 9 level 1 image - No GUI for jwestbank. 04-02-2025 03:33 PM
- Got Karma for Re: What are the ports that I need to open?. 01-06-2025 02:51 AM
- Posted Re: Why is Powershell input not receiving data? on Getting Data In. 05-10-2022 02:21 PM
- Posted Why is Powershell input not receiving data? on Getting Data In. 05-10-2022 09:48 AM
- Got Karma for Re: What are the ports that I need to open?. 03-17-2022 07:11 AM
- Got Karma for Re: What are the ports that I need to open?. 08-18-2021 05:28 AM
- Got Karma for Re: Why am I getting "Missing enough suitable candidates to create a replicated copy" building a multisite indexer cluster staging environment?. 07-19-2021 09:48 AM
- Got Karma for Re: What are the ports that I need to open?. 07-28-2020 03:20 AM
- Got Karma for Re: Why am I getting "Missing enough suitable candidates to create a replicated copy" building a multisite indexer cluster staging environment?. 07-13-2020 10:52 PM
- Karma Re: Lookup File Editor in Search Head Cluster - "The requested lookup file does not exist" for LukeMurphey. 06-05-2020 12:49 AM
- Karma Re: New forwarder: An Admin password is required??? for xpac. 06-05-2020 12:49 AM
- Karma Re: Where to add certificate info for port 8089? for dwaddle. 06-05-2020 12:48 AM
- Karma Re: what could be the reason for some splunk sessions observed to be in the DDMMYYYY format ( ideally it is in MMDDYYYY format)? for somesoni2. 06-05-2020 12:48 AM
- Karma Re: How to upgrade Splunk forwarders from a deployment server installed on a separate VM? for somesoni2. 06-05-2020 12:48 AM
- Karma Re: What are my options to specify the user to start splunk service as on linux for yannK. 06-05-2020 12:48 AM
- Karma Re: Community Supported apps - should they have an external repo for the community to assist in improving? for Damien_Dallimor. 06-05-2020 12:47 AM
- Karma Re: Filtering out 90% log events from indexing for dshpritz. 06-05-2020 12:47 AM
- Karma Re: Splunk installed failed to create splunk account on RHEL for grijhwani. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 2 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 2 |
01-02-2012
02:33 PM
1 Karma
The great part about using this, is that it will actually tell you the files if found under the monitor path, and the results of why it isn't indexing them if that's the case.
... View more
01-01-2012
09:34 PM
1 Karma
Talking with dwaddle in #splunk, he's suggested using LINE_BREAKER, and increasing TRUNCATE to a large number rather than BREAK_ONLY_BEFORE and MAX_EVENTS. Gonna give that a shot instead, but still wondering if/how other users are dealing with really large event sets such as this.
... View more
01-01-2012
08:58 PM
Quick check of the current offender, event count is about 30-35k lines...
What type of impact would setting MAX_EVENTS to like 40000 have on the indexers?
... View more
01-01-2012
08:43 PM
1 Karma
I've got a few log4j application logs that can get extremely long when my developers decide to dump out message payloads into the log. Similiar to a large stack trace it's a many line event, and can be several hundred lines (at least that, haven't counted exact numbers yet). I've had issues with these events being broken into multiple event when they shouldn't be. I've set BREAK_ONLY_BEFORE, and MAX_EVENTS = 3000, but I'm still seeing the events broken up.
Realistically at some point the extra data in this event is simply unnecessary, and shouldn't be even included as INFO level messages. Is there a way to simply dump the data after a certain length?
... View more
- Tags:
- line_breaker
- log4j
12-14-2011
05:15 PM
1 Karma
This looks to now be fixed with PDF Server version 1.3 that was recently updated.
... View more
11-14-2011
03:31 PM
When migrating from the older Splunk for Unix and Linux, are the searches and such compatible between them? Is there a preferred order to upgrade? Any issues when migrating to this new pair of apps instead of the single app?
... View more
11-14-2011
09:04 AM
It would be helpful to see your inputs.conf on the indexer and outputs.conf on the forwarder. You can obscure or modify any sensitive data.
What's the output of ./splunk list forward-server on the forwarder?
... View more
11-14-2011
09:00 AM
By "without luck" are you referring to your attempts to index the wtmp file data?
Splunk for Unix and Linux does have inputs and the necessary script to input this data.
http://splunk-base.splunk.com/apps/22314/splunk-for-unix-and-linux is for splunk servers and
http://splunk-base.splunk.com/apps/33800/splunk-for-unix-and-linux-technology-add-on if you prefer for your Universal Forwarders (if applicable).
... View more
10-31-2011
02:19 PM
I'd start with looking at the forwarder.pem file with vi and openssl first.
With vi, it should be readable text with "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" blocks. Next use openssl and inspect the data returned:
openssl x509 -inform PEM -in -text -noout
... View more
10-31-2011
11:21 AM
Do those indexes exist locally on the searchhead? I'm pretty sure it only looks to the locally configured indexes. You can create them even if there will be no data sent to these indexes on the search head.
... View more
10-25-2011
02:43 PM
Yea, need to remember when I post based on an app that it's not really apparrent other than by the small tag link.
... View more
10-25-2011
01:54 PM
This is in regards to the Field Extractor App, posting from the Ask Developer link on the application's page.
I'm familiar with the normal process, but was trying to accomplish the same with this app. http://splunk-base.splunk.com/apps/22291/field-extractor
... View more
10-25-2011
11:28 AM
1 Karma
I'm trying to use the Field Extractor, with scoping set to sourcetype. This being a dropdown, I can't type the sourcetype into the box. However the sourcetypes found in this drop-down list isn't complete.
Is there some setting that can be modified to allow this dropdown list to contain more entries, or can it be modified to allow me to type the sourcetype name in?
... View more
10-25-2011
10:15 AM
1 Karma
I'm in the same boat, use very little windows so far. Splunk would need to run as a Domain user, not Local System for this to work.
... View more
10-12-2011
11:36 PM
Echalex, was that setting set at the global level, or at all?
... View more
10-11-2011
08:37 AM
3 Karma
On your deployment server's serverclass.conf, do you have restartSplunkd=True? If so, is it at the global level or in the app stanza? It sounds like it's updating the app properly but not restarting splunkd.
... View more
09-29-2011
01:45 PM
1 Karma
tags.conf is read at search time, when I add tags via the config file they are available immediately.
... View more
09-27-2011
05:12 PM
1 Karma
Yep, I had used the "All-Time" when performing a |delete operation. So the data I was seeing later was there from before changing the whitelist.
... View more
09-27-2011
04:27 PM
2 Karma
I added a directory to monitor, with whitelist = log$
Later after seeing a file I didn't want to include was also being written, I modified this whitelist = startup.log. The other file that doesn't match is still being read, even with the splunkd process being restarted twice.
Here's my current monitor stanza:
[monitor:///app/actional/logs]
whitelist=startup\.log$
sourcetype=actional_startup
index=temp_syslog
disabled = 0
If I look at the TailingProcessor via the REST api, it confirms that the other files are not matching the whitelist:
/app/actional/logs/ActionalIntermediary_20110927_083150_283.log
parent /app/actional/logs
type Did not match whitelist 'startup.log$'.
However, searching:
index=temp_syslog source=/app/actional/logs/* NOT source=/app/actional/logs/startup.log does return events from this host matching that ActionalIntermediary log that the TailingProcessor says does not match.
Ideas on what could be wrong?
... View more
09-26-2011
11:41 AM
Oh, and if it helped, please mark this as answered. There should be a check mark for the answer available for the person that submitted the question.
... View more
09-26-2011
11:40 AM
dlynum - Take a look at the "Splunk for Unix and Linux" app available on SplunkBase. This would pickup the standard /var/logs and such. It also includes some scripted inputs you may find helpful. http://splunk-base.splunk.com/apps/22314/splunk-for-unix-and-linux
... View more
09-26-2011
11:23 AM
1 Karma
Do you have anything configured to monitor on the CentOS server? With a default install a Universal Forwarder only monitors the $SPLUNK_HOME/var/log/splunk directory.
On the forwarder, what does "$SPLUNK_HOME/bin/splunk list monitor" report?
... View more
09-26-2011
11:18 AM
I find the best way to diagnose file inputs is to use the REST endpoint:
https://forwarder:port/services/admin/inputstatus/TailingProcessor%3AFileStatus
It will show the files seen by the configured monitors and their current status. If the file is already read, not matching a whitelist, matching a blacklist, etc.
... View more
09-19-2011
03:08 PM
1 Karma
After creating the search, you can go to Manager -> Searches and Reports and find the report you have saved. Click on the permissions link, then uncheck the view & write then save.
... View more
