Service Now worked with Splunk to write an app and a modular input that works well. I've used it in the past: https://splunkbase.splunk.com/apps/#/search/service%20now/ ... View more

you don't even need syslog-ng if you're using Splunk, just install a heavy forwarder and listen on the relevant ports. To organize your data feeds, just use props.conf and transforms.conf to send data to the approriate indexes and sourcetypes. Here's an example from my environment, and we're retiring syslog and replacing it with Splunk. inputs.conf [udp://514] connection_host = dns index = network_syslog sourcetype = syslog_pool disabled = 0 transforms.conf [prime_index] SOURCE_KEY = MetaData:Host REGEX = (myhost05\.|myFireWall02|10.10.10.126) FORMAT = network DEST_KEY = _MetaData:Index [prime_sourcetype] SOURCE_KEY = MetaData:Host REGEX = (myhost05\.|myFireWall02|10.10.10.126) FORMAT = sourcetype::wips_events DEST_KEY = MetaData:Sourcetype props.conf [source::udp:514] TRANSFORMS-syslog_handling = prime_index,prime_sourcetype With these settings, my splunk HF is listening on UDP port 514, and any data that matches the hostname of 'myhost05, myFireWall02 and 10.10.10.126 are all being sent to the network index with the sourcetype wips_events You may need to open UDP 514 in iptables, but it looks like that might already be done. ... View more

that's a much more complicated question than you think it is. field extraction is a long process in splunk using regex, and datamodel loading requires even creation, and then tagging. the 'unknown' value is equivalent to 'null', which you may not even want to load into your data model. for instance, to generically load F5 data into the 'network' data model you'd have to create an event eventtypes.conf [f5_event] search = index=network sourcetype=f5 Then tag it with 'network'. The above example assumes A LOT of other things are in place. data models usually search for tags ... View more

if you're accessing splunk on port 8000, you are running splunkweb on port 8000. unless you deliberately turn it off in web.conf, splunkweb starts with Splunk. in order to find out for sure, you would have to run intrusion tests on splunkweb, following the criteria of your specific vulnerability. ... View more

Thank you sir! I just wanted to make sure. I though I had to generate my own, but I was hoping for something easy like this. ... View more

@rkilen, @jwiedow, is there a way to add the host name to this cert with this command? ... View more

I take it you can't use a .rpm on solaris right? ... View more

All of these settings need to be on your indexer. It will make no difference if you put them on your search head. ... View more

Unfortunately, this is not an easy question to answer, as there's not a single query that can pull everything up that's in your environment. As for integrating more things with Splunk, that is part of the administrative function of the platform, and usually requires more information. my suggestion is to read the documentation that was suggested in the answer by ChrisG. If you want a visual then set your time range for 24 hours and use these two queries: index=* sourcetype=* | stats count by sourcetype index=* sourcetype=* | stats count by source This will give you the data sets, and the sources that are in your splunk environment. You'll also quickly realize why the answer to this question is not as easy as 1 query. ... View more

yeah, I caught that. It woks fine, it's just pretty slow on my search head is all. Thanks for the help! ... View more

I tried this, and it does work. The only catch is that my search is exceptionally slow due to the |mv commands I suspect. more tinkering.... ... View more

You will likely need some training my friend. I suggest the administration course. Check here: https://www.splunk.com/view/SP-CAAAAH9?ac=News_Feb09_EDU the only folders that override /$SPLUNK_HOME/etc/apps/ are $SPLUNK_HOME/etc/system/ also, there should never be a reason to touch /etc/system/default. bad things can happen if you mess up there and there's no fall back. you changed the right one in /etc/system/local. Always make changes there. if you have conflicting configurations, it's common that there's something in /etc/system/local. folder priority is a pretty dense topic with splunk, and depends heavily on your architecture. Also... if you manipulated your forwarder manually, you may want to check others for a deploymentclient.conf file somewhere either in /etc/system/apps/ OR in /etc/system/local. If you're using a DS, there is a default configuration ANY windows forwarder will pull down as soon as it connects. ... View more

yeah, so you'll need to find the right RegEx match to filter out what you need. I use .* or .+ in my extractions, but for some reason, during pre-indexing Splunk doesn't like those big wildcards. ... View more

is it filtering out all of those events? ... View more

using a few assumptions, i'm going to guess that 10.83.180.135 is your indexer? (port 9997 is the default data port) If that's the case, there's a connectivity issue between the two machines. Try telnet tests / ssh tests and resolve as a standard connectivity issue. ... View more

Yes they can. It would be a standard [monitor:///var/log/messages] stanza. You'd have the seperate the data at the indexers using data routing / filtering techniques if you wanted standard host level /var/log/messages data on a different index. http://docs.splunk.com/Documentation/Splunk/6.6.2/Forwarding/Routeandfilterdatad ... View more

You can forward local logs to your indexer from a UF, but if you want to listen on other ports, you'll need a heavy forwarder. It's always good to have a heavy forwarder in an environment for these types of things, or any other modular data inputs that you may need to use, like AWS or something. That way, you can assure the incoming data stream is following your standardized outputs.conf for you whole environment. If you want, you can open up the UDP port on one of your indexers, or even on a search head, yes, however direct to the indexer is generally not used. If you have a cluster, then all of your data is in one spot, and it lacks any cluster mappings for it's buckets. if you added an outputs.conf to your search head, and opened the listening port there, you would be able to do it, though the resources of the box would take a slight hit for doing the extra data forwarding. ... View more

As a test, remove the ".* " and everything after it from your regexes and see if that works. ... View more

[set_null_1] REGEX=EventCode=4663.*readdata DEST_KEY=queue FORMAT=nullQueue [set_null_2] REGEX=EventCode=4663.*listdirectory DEST_KEY=queue FORMAT=nullQueue try two seperate stanza's and call them out in props. Sometimes regex is funky with the ".*" and "|" matches in preindexing. ... View more

Try this regex instead. (EventCode=4663*.readdata|EventCode=4663.*listdirectory) ... View more

anything surrourneded by $ in splunk is called a token . These are used to pass information to and from searches, so the value isn't actually there until after the search executes. You're trying to convert a value that isn't there yet in the search job, which is probably why it's failing. The only fields that will be present are the ones in the root search itself, and in the search pipeline, the tokens aren't added until after the 'location' of the data has already been populated. This goes for pretty much all tokens. ... View more