Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About southeringtonp
southeringtonp
Motivator
Member since:
04-14-2010
04-08-2024
Community Statistics
| Posts | 455 |
| Solutions | 107 |
| Karma Given | 420 |
| Karma Received | 419 |
| Member Since | 04-14-2010 |
Activity Feed
- Got Karma for Re: How to set command line parameters that splunkd passes to mongod?. 10-19-2022 11:15 AM
- Got Karma for Re: admin password on command line. 03-09-2022 01:57 AM
- Got Karma for Re: Remove edit menu from a dashboard or form. 12-13-2021 09:54 AM
- Got Karma for Re: Using a scripted input's passAuth token for CLI access from the scripted input. 11-03-2021 01:55 PM
- Got Karma for Re: How to format _time field in results email?. 10-19-2021 11:40 AM
- Got Karma for Re: admin password on command line. 08-26-2021 08:24 AM
- Got Karma for Re: User-specific browser session timeout?. 08-24-2021 12:11 AM
- Got Karma for Re: How can I find out the length of a line in a log file?. 05-18-2021 08:05 PM
- Got Karma for Re: Can I switch my install method on Linux?. 07-07-2020 08:54 AM
- Karma Re: Tuning for performance for gjanders. 06-05-2020 12:49 AM
- Karma How to get logs from Azure and O365 into Splunk? for marycordova. 06-05-2020 12:49 AM
- Karma Re: How do I change the user Splunk runs as? for joelby. 06-05-2020 12:47 AM
- Karma Re: How to determine index volume by sourcetype? for ykherianDEPRECA. 06-05-2020 12:47 AM
- Karma How to set command line parameters that splunkd passes to mongod? for kurdbahr. 06-05-2020 12:47 AM
- Karma Re: How to set command line parameters that splunkd passes to mongod? for kurdbahr. 06-05-2020 12:47 AM
- Karma Re: Reporting and Management for OSSEC: OSSEC logs are indexed and can be searched, but why are all dashboards empty? for ozirus. 06-05-2020 12:47 AM
- Karma Why does login page show "Your browser could not connect to Splunk.com..." after upgrading server to 6.2 in a closed environment with web.conf configuration? for pil321. 06-05-2020 12:47 AM
- Karma Re: Why does login page show "Your browser could not connect to Splunk.com..." after upgrading server to 6.2 in a closed environment with web.conf configuration? for Ellen. 06-05-2020 12:47 AM
- Got Karma for Re: Can someone clarify the definition of "Commercial Use" for the Reporting and Management for OSSEC app?. 06-05-2020 12:47 AM
- Got Karma for Re: Can someone clarify the definition of "Commercial Use" for the Reporting and Management for OSSEC app?. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 2 | |||
| 1 | |||
| 2 | |||
| 9 | |||
| 1 | |||
| 1 | |||
| 0 | |||
| 1 | |||
| 5 |
03-28-2011
02:08 PM
2 Karma
This question has come up a few times. The PDF server does not run on Windows.
Assuming you need to keep your current Windows-based configuration, you might consider setting up a separate search head running linux to support PDF reporting. Then, you can follow the docs here to configure PDF printing.
See also:
http://answers.splunk.com/questions/12368/pdf-report-server-on-windows-host
http://answers.splunk.com/questions/10348/is-there-any-way-to-print-reports-to-pdf-on-windows
... View more
03-28-2011
03:31 AM
4 Karma
If you haven't already found it, have you checked out the deployment server setup information in the docs?
http://www.splunk.com/base/Documentation/latest/Deploy/Planadeployment
... View more
03-28-2011
02:31 AM
You might be able to get creative with the 'map' command to generalize the second case. But in any event, it's clearly not a trivial thing to do.
... View more
03-27-2011
04:29 PM
1 Karma
The rpm and deb installers put the files in /opt/splunk. Ideally you'd move your existing installation aside, do a clean install via package, and then copy all of your local configuration (etc/system/local, etc/apps, etc/users, licenses, deployment manager files) into the new installation before starting Splunk. That way the package manager thinks it's a clean install rather than dealing with pre-existing/customized files.
... View more
03-27-2011
03:04 PM
Use coalesce:
| eval prefix=coalesce(prefix,"033")
or alternateively, edit your lookup table definition to to return a default value.
... View more
03-26-2011
01:44 AM
2 Karma
Check the files in $SPLUNK_HOME\etc\system\local on the forwarder -- the old hostname is probably still present in one of the config files. Check server.conf and inputs.conf in particular.
... View more
03-26-2011
01:35 AM
1 Karma
When it "doesn't load", what precisely happens? Does it come back immediately, or does it sit for 30-60 seconds and time out?
The most likely problem is a firewall issue, either on your virtual host or a restriction enforced by GoDaddy. You'd trypically see a delay rather than an immedaite response if that's the case.
A couple of very generic things to try:
If it's on the CentOS host, you may need to edit /etc/sysconfig/iptables and add a rule to permit access to port 8000. This link may help.
Also, try running netstat -an --tcp , and make sure that you see Splunk listening on port 8000.
... View more
03-26-2011
01:26 AM
Here's one approach.
For simplicity, this assumes that your max is calculated over the same time period as your reporting range. It pulls everything into field values rather than field names, since stats and most other transformative commands want to operate against values:
sourcetype=whatever
| rex field=_raw max_match=10 "(?<kvpair>\w+=\d+)"
| mvexpand kvpair
| rex field=kvpair "(?<key>\w+)=(?<value>\d+)"
| stats first(value) as "Latest" max(value) as "Max" avg(value) as "Average" by host,key
| sort host,key
If your intent was to have the 'Max' value for only the last 24 hours, regardless of the overall search time window, you can mask out the older values:
...
| eval todayvalue=if(now()-86400<_time, todayvalue, null)
| stats first(value) as "Latest" max(todayvalue) as "24h Max" avg(value) as "Average" by host,key
... View more
03-25-2011
01:36 PM
What does your data look like? Is the username completely missing from the third index, or just not extracted into that field?
... View more
03-25-2011
01:33 PM
1 Karma
Splunk is pretty flexible. Take a look at lookup tables and custom search commands.
Lookup tables allow you to add new fields based on existing ones. Typically you'll use a CSV file, but you can also us custom Python code. Take a look at the earlier question about Using CIDR in a lookup table for more ideas.
Custom search commands allow you to take things further, and process search results almost any way you want. Again, these would be written in Python. For more information, look here and here.
For your example case, a lookup is the way to go. If you are blacklisting individual IP addresses, create a CSV-based lookup with two fields src_ip and blacklisted , then search for, e.g., blacklisted=1 . If you want to use network ranges instead, try the subnet lookup script referenced here or use eventtypes.
... View more
03-23-2011
02:42 PM
Splunk works well under CentOS x86_64. CentOS does use older versions of some packages, particularly Python. Not generally a big deal since Splunk includes its own copy of Python, but it can be annoying at times, e.g., when testing scripts and forgetting to point to Splunk's copy.
... View more
03-21-2011
08:24 PM
2 Karma
Is Splunk smart enough to recognize that main and others are included under the primary volume even when main 's path doesn't reference the volume name?
In other words, is it necessary to re-define the values of homePath and coldPath for each index, or will it automatically freeze buckets from all indexes on the partition when the value of maxVolumeDataSizeMB is crossed?
In the example below, it seems like buckets in main should start to be frozen after the total usage crossed ~3 TB, but it isn't completely clear based on the documentation here and here.
# $SPLUNK_DB = /mnt/internal
[main]
homePath = $SPLUNK_DB/defaultdb/db
coldPath = $SPLUNK_DB/defaultdb/colddb
# Initial indexing location
[volume:primary]
path = /mnt/internal
maxVolumeDataSizeMB = 3000000
[index2]
homePath = primary:/defaultdb/db
coldPath = primary:/defaultdb/colddb
... View more
03-15-2011
09:08 PM
1 Karma
Great suggestion and proof of concept. One nitpick though - personally, I'd lean against credentials in a hidden file. Security by obscurity and all that.
... View more
02-28-2011
03:36 AM
2 Karma
The best approach is to run syslog-ng on the Splunk server and have it write events to different files based on the facility. If the facility is included in the filename or path, then Splunk can extract it into a field based on the source . Syslog-ng allows a $FACILITY variable that should give you what you need.
For more information on setting up syslog-ng with Splunk, look here.
Something along these lines should work...
In syslog-ng.conf:
destination d_split_by_host {
file("/inputs/syslog/$HOST/$FACILITY/messages"
owner("root")
group("splunk")
perm(0640)
dir_perm(0750)
create_dirs(yes)
);
}
In transforms.conf:
[source-syslog-facility]
SOURCE_KEY = source
REGEX = ^/inputs/syslog/[^/+]/([^/+])/
FORMAT = syslog_facility::$1
In props.conf:
[syslog]
REPORT-facility = source-syslog-facility
... View more
02-27-2011
10:21 PM
Just to be clear, the web service still needs a full installation of Splunk, though it would not necessarily perform any indexing. What you're looking for is a dedicated search head.
To get started, look here:
http://www.splunk.com/base/Documentation/4.1.7/Installation/CapacityplanningforalargerSplunkdeployment#Dividing_up_indexing_and_searching
In broad terms, shoot for at least one core per concurrent user, plus another one or two for scheduled search jobs. CPU and RAM will be considerably more important than disk. (Most of the disk load is on indexers, not search heads).
... View more
02-26-2011
08:59 PM
What user is SplunkWeb running as? LocalSystem? If you (temporarily) disable UAC, does it make any difference? If you run netstatn -an -p tcp, is port 8000 used for anything else?
... View more
02-17-2011
06:28 PM
Splunk will use whatever the operating system sees.
This really isn't the best place for your question -- you'll get much better information by asking it in a RedHat-specific forum, or contacting RedHat directly for support. Be sure to let them know exactly what controller card your server uses, if you have that information.
The operating system will need to recognize the RAID controller somehow, but it's possible that RHEL will include the appropriate kernel module / driver out-of-the box. It looks like it might be a rebadged LSI MegaRAID family card, in which case it would probably work without additional drivers.
... View more
02-17-2011
04:11 PM
6 Karma
Midnight is just zero hours, relative to the current day, so you can use:
earliest=-0h@d
or just:
earliest=@d
You should also have Today available as an option in the TimeRangePicker.
... View more
02-15-2011
10:01 PM
2 Karma
It's much simpler to keep all of your indexes on one volume unless you have a reason not to.
Your best bet is probably to carve off one or more volumes for the operating system, then allocate the majority of the space as single, dedicated volume to contain all of your Splunk indexes.
Splunk 4.2 may change things, but right now keeping everything together avoids a lot of tuning considerations. See the following for more information:
http://answers.splunk.com/questions/8730/how-to-manage-the-size-of-my-indexes-to-fit-in-my-volumes
You've probably already found this, but you might also want to look over the information here:
http://www.splunk.com/base/Documentation/latest/admin/HowSplunkstoresindexes
... View more
02-15-2011
02:24 PM
I can't speak for Splunk, but it seems like it would be easy to add if enough customers demand it. The best thing would be to submit an enhancement request - see http://answers.splunk.com/questions/4844/how-can-i-submit-an-enhancement-request
... View more
02-15-2011
01:46 PM
1 Karma
There's no include mechanism as such.
Place your common configuration into an app, and leaving your system-specific entries in the current location. You don't necessarily need a new app for every input - just create a common "shared-inputs" app to contain them, or even put the file in another, existing app. Putting them in search might work well if you aren't using the deployment manager.
I'd do it this way:
Same on all system: /opt/splunk/etc/apps/shared-inputs/inputs.conf
Machine-level settings: /opt/splunk/etc/system/local/inputs.conf
(Yes, I know this is still partly what you're trying to avoid, but is probably the cleanest way with current functionality)
... View more
01-21-2011
09:29 PM
1 Karma
As you've seen, it's 2.
See also:
http://answers.splunk.com/questions/5311/multi-level-nav-menu-wont-open
... View more
01-21-2011
02:25 PM
Yes.
See Enterprise vs Free License for the differences between the two types of license.
... View more
01-19-2011
10:41 PM
2 Karma
Assuming single-line events, eval can do it:
| eval line_length=len(_raw)
... View more
01-19-2011
04:05 PM
Snort is really the wrong tool for the job. Snort is an IDS; it's not a bandwidth/traffic monitor.
If you want to report and alert on numbers of intrusion detection alerts, then yes, you can do that.
If you want to report and alert on traffic utilization, then you'll need firewall logs, netflow information, or some other source that includes this type of data. Once you have the raw data, Splunk can help with the reporting.
... View more
