Hey Guys, Got another one for you: Is there anyway to adjust max authenticated session time in Splunk Web? Seems like sessions die to quickly and we are forced to re-authenticate. Just curious if there is a max session time that can be defined in web.conf for example. Let me know. Thanks. Brian ... View more

Hey guys, Just wondering if anyone knows whats the best way to keep track of your light forwarders. Reason being is that one of my light forwarders stop reporting to the deployment server for months because the service was stopped on the server side. When the service restarted, it basically was catching up on indexing and blew up my indexing volume license. I wanna see if there is a way to create an alert if a light forwarder has not reported to the deployment server in the past 24 hours. I assume you would somehow need to do a diff between whats currently checking in vs. yesterday but not sure. How do you guys do it? Whats the best way? Let me know your input. Thanks Guys. Brian ... View more

Hey guys, Got another one for ya: I need to lookup sourcetypes for the past year. I basically need to know how to run a search similar to the "Index Volume" report on the GUI. Currently, if I run the Index Volume report for the past year it will take forever and my WebGUI session will die. I want to see if there is anyway to run this query and then export it to CSV somehow. I have seen the other question posts and the index volume troubleshooting page but I'd like to tailor those queries to go back for the past year in relative time (-12m) and then export to CSV. Any help you can provide would be great. If you need any clarification on anything let me know. Thanks. Brian ... View more

Hey Guys, I am trying to understand how the props.conf and transforms.conf work when manipulating/filtering data. In a very simple way, let me explain what I need done. Problem: I have Cisco ASA Logs sent to this syslog-ng server. I would like to setup a monitor point on the folder containing the logs. However, I want to exclude the following events from getting indexed: ASA-6-302016 ASA-6-302015 ASA-7-609001 ASA-7-609002 ASA-6-302013 ASA-6-302014 ASA-6-302020 ASA-6-302021 ASA-6-305012 ASA-6-305011 Everything else other than this I would like to index to a certain specified index. Can someone tell me from start to finish how I would do this as for as specifying the monitor path to get indexed and the appropriate props.conf/transforms.conf configuration specifications that are needed. The documentation is a little tricky for me to understand so maybe an example will make me understand better. Appreciate any help you can provide. Thanks. Brian ... View more

Hi all, I noticed 2 things today: Doesn't look like my indexers are indexing any login events to the GUI. When going to $splunk_home/var/log/splunk/web-service* , I only see successful login events being logged and not failed login event. I would like to get both successful and failed login events indexed via Splunk so I can create alerts for multiple failed logins. Any help you can provide on this would be great. Thanks. Brian ... View more

Hi guys, I have been doing an audit of allowable ranges that are allowed to connect to our Splunk Web GUI on the Network Layer. However, I'm curious to see if we can lockdown the Web GUI via a config (as Splunk runs on its own Web Server) to allow only certain ranges to connect to it via TCP 8000. If there is no way to do it on the Web Application Layer then I will resort to doing it on the OS Layer via something like IPTables. Any help you can provide on this topic would be great. Thanks. Brian ... View more

Hi All, For the past few months I have been testing the DLP Feature of the Cisco Ironport to help block any sensitive data (i.e. credit card numbers) from being sent. I have been indexing these logs in Splunk and want to make an alert to send to system administrators if a server tries to send an email with a credit card number. (Obviously an alert to the sender will not work in this case as the sender is a server. ) However, there does not appear to be a log line that will indicate a DLP Policy Violation between a sender and receiver. They are separated in multiple log lines like so: 2011 Oct 28 16:13:51 ironport_server mail [info] splunk_maillogs:nopid Info: MID 6509657 quarantined to "Policy" (DLP violation) 2011 Oct 28 16:13:51 ironport_server mail [info] splunk_maillogs:nopid Info: MID 6509657 DLP violation 2011 Oct 28 16:13:38 ironport_server mail [info] splunk_maillogs:nopid Info: MID 6509657 ready 53 bytes from brian@server 2011 Oct 28 16:13:38 ironport_server mail [info] splunk_maillogs:nopid Info: MID 6509657 ICID 6237668 RID 0 To: brian@testsite I guess the only key here to bind these two types of log messages together is with the message ID. However, this would need to be a 2 part query: Find any log with a DLP Policy Violation. Find all logs pertaining to the MID value specified in the Violation Log. Any idea on how to make a 2 part query and make an alert out of it? Or is there a better way to do this? Let me know what you think. Any help is appreciated. Thanks. Brian ... View more

Hi, I would like to modify this query: index=_internal group="per_index_thruput" | eval mb=kb/1024| timechart span=1d sum(mb) by series Basically I want to include only indexes that apply to actual license volume and I would like to be able to add a field showing total volume based on the indexes that returned on the query. I know this is probably a stupid question that has been asked over and over and this use to be available in Splunk 3.x I believe. Let me know. Thanks. Brian ... View more