Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About brent_weaver
brent_weaver
Builder
Member since:
04-28-2015
02-17-2021
Community Statistics
| Posts | 336 |
| Solutions | 5 |
| Karma Given | 1 |
| Karma Received | 59 |
| Member Since | 04-28-2015 |
Activity Feed
- Got Karma for How can I add HTML to the search page?. 06-04-2024 06:17 AM
- Got Karma for Re: How to bulk delete multiple hosts from Splunk that have not phoned home within a set interval?. 02-26-2024 11:32 AM
- Got Karma for How are people managing dynamic entities in iTSI?. 10-09-2021 12:14 PM
- Got Karma for How do I secure the event collector port 8088 with an ssl certificate?. 04-19-2021 04:10 PM
- Got Karma for How to edit inputs.conf to prevent WinNetMon from using up all my license?. 03-04-2021 05:32 AM
- Posted HEC HWF behind AWS Loadbalancer. ELB or ALB? on Deployment Architecture. 12-09-2020 04:58 PM
- Posted Re: Splunk UF Docker Image root process writing splunkd's stderr.log to stdout on Deployment Architecture. 12-04-2020 03:58 AM
- Posted Splunk UF Docker Image root process writing splunkd's stderr.log to stdout on Deployment Architecture. 12-03-2020 05:27 PM
- Posted Re: Unable to rewrite host meta key at ingestion on Getting Data In. 11-29-2020 09:04 AM
- Posted Re: Unable to rewrite host meta key at ingestion on Getting Data In. 11-29-2020 08:51 AM
- Posted Unable to rewrite host meta key at ingestion on Getting Data In. 11-29-2020 05:29 AM
- Posted Re: TIME_FORMAT in props.conf seems to not be working on Getting Data In. 11-27-2020 10:24 AM
- Got Karma for Re: TIME_FORMAT in props.conf seems to not be working. 11-26-2020 12:40 PM
- Got Karma for Re: TIME_FORMAT in props.conf seems to not be working. 11-26-2020 12:39 PM
- Posted Re: TIME_FORMAT in props.conf seems to not be working on Getting Data In. 11-26-2020 12:01 PM
- Posted Re: TIME_FORMAT in props.conf seems to not be working on Getting Data In. 11-26-2020 09:12 AM
- Posted Re: TIME_FORMAT in props.conf seems to not be working on Getting Data In. 11-26-2020 09:06 AM
- Got Karma for TIME_FORMAT in props.conf seems to not be working. 11-25-2020 04:13 PM
- Posted TIME_FORMAT in props.conf seems to not be working on Getting Data In. 11-25-2020 01:16 PM
- Posted Re: Need help writing input stanza for maillog on Getting Data In. 11-15-2020 03:01 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
10-01-2015
08:24 AM
Hey there... I am wanting to remove indexes that I created for testing purposed while installing splunk. It seems like a surgical task from what I am reading. Is there no functional way to do this without compromising the system?
... View more
09-30-2015
05:29 AM
1 Karma
Hello all!
I am trying to get a central config for smtp email config that I will deploy to my search heads. I notice when I go into the UI under Server Settings -> Email settings that I can configure smtp. I notice it created a file called alert_actions.conf in etc/system/local. So I assume (like everything else in splunk) I can deploy this as part of an app that splunk will read for its email config. The problem is that when I remove this file, the email config stays intact in splunk. Is this the only place this info is stored? What am I missing?
... View more
09-25-2015
06:42 AM
We have a barracuda firewall and are trying to present Splunk SH. There is an issue in the way splunk is coded (pr so iots seems) where when using a reverse proxy paths do not exist. If I am on the inside of this firewall I have no issue with this working. Here is the error I am seeing in my browser:
Failed to load resource: the server responded with a status of 404 (Not Found)
https://portal.domain.com/splunk/en-US/i18ncatalog?autoload=1 Failed to load resource: the server responded with a status of 404 (Not Found)
accountpage.js:13 Uncaught TypeError: Cannot set property 'LOCALE' of undefinede.Router.extend.initialize @ accountpage.js:13t.Router @ accountpage.js:9n @ accountpage.js:9(anonymous function) @ accountpage.js:13l @ accountpage.js:6(anonymous function) @ accountpage.js:6
We have our web.conf configured to make splunk root /splunk instead of / .
ANY help is much appreciated.
... View more
09-22-2015
04:35 AM
Does this still apply when the issue only happen sometimes? It is the same file, it just seems that the file get fwd before it is done being written.
... View more
09-21-2015
05:19 AM
I am having an issue with a particular log file where two entries get concatenated into one entry. It is not the data because if I take take the same data and add it via file upload it is fine, meaning all lines are unique. Has anyone else had an issue like this? It seems that it is a timing problem that the host if forwarding the same time the file is being written... Is this perhaps the result of the log file not being locked when written to???
Any help is appreciated. Thanks!
... View more
09-16-2015
09:10 AM
I am looking into writing something that will check the health of my indexer and search head clusters. This will eventually be put into an enterprise monitoring tool and alerts sent out if there is an "issue". I know you can run splunk show cluster-status etc... We are running this all on Linux and I am thinking that someone may have a shell script that can be used to verify health of this environment.
Any suggestions?
... View more
09-11-2015
04:09 AM
Hello all.
I need to use the Barracuda NG Firewall app (see instructions below) and it looks like I need to set up a syslog input for this. Where do I set this up in an indexer cluster? Do I do it on all the indexer servers as they are configured to be round-robin DNS....
Steps
1. Install the Barracuda NG Firewall Splunk App on your Splunk Server. For more information, see http://docs.splunk.com/Documentation/PCI/2.1.1/Install/InstalltheAppManually
2. Send me Loghost IP Address, Loghost Port – Enter 5140 for plaintext or 5141 for SSL-encrypted connections.
The Barracuda NG Firewall app can only process syslog data that is received on port 5140 (not encrypted) or 5141 for SSL-encrypted connections.
Transmission Mode – UDP/TCP
3. The Splunk server must be configured to receive the syslog data. Verify that you have a Data input entry for TCP or UDP port 5140 or TCP port 5141 (SSL) that listens for the incoming syslog streaming connections. You must use port 5140/5141 because the Barracuda NG Firewall Splunk app can only process data received on these ports. For more information, see http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Monitornetworkports
Any help is much appreciated!
... View more
09-09-2015
06:43 AM
This data will be coming in tailing a file. But as I stated in my post I am currently uploading the file via the web interface for testing.
... View more
09-09-2015
06:15 AM
Dave -
Thank you for taking the time to ans this post. I am new to splunk and cannot figure out how to make this become a sourcetype. For testig purposes I am just taking my CEF file and uploading it through the we portal. I have a TA for imperva that does most of the job except the multi-word key value pairs.
So how do I take the article you referenced and make it a sourcetype that I can apply when reading in the file? Perhaps I am missing an app.conf file?
... View more
09-08-2015
10:44 AM
Hello all!
I am a Splunk "newb" when it comes to parsing out files for ingestion. Here is my situation. I have a CEF formatted file, which onto itself is not a problem. Splunk handles that just fine... What is a problem is at the end of lines there are key/value pairs, but the values have white spaces in it and splunk (or better yet I) cannot figure out hot to parse that out. Here is an example:
CEF|ProdManuf|ProdName|Vervion|Timestamp| key1=this is key1 key2=this is key two key3=another random length string
So my question is how to I deal with the tail end of this string to get these as full key value pairs. I would assume a regular expression that will capture the pairs.
Thanks!
... View more
09-01-2015
07:32 AM
Hey there... I have a Splunk environment with the following architecture:
1 Deployment Server
1 License Server
1 Index Cluster Master
4 Index Slaves/Cluster
3 node search head cluster
1 Search head not in the cluster
I keep getting the following message:
Unexpected duplicate app: cdop_all_indexer_base
Checking filesystem compatibility... Done
Checking conf files for problems...
Unexpected duplicate app: cdop_all_indexer_base
Unexpected duplicate app: cdop_all_indexer_base
Unexpected duplicate app: cdop_all_indexer_base
Unexpected duplicate app: cdop_all_indexer_base
Done
Unexpected duplicate app: cdop_all_indexer_base
Checking replication_port port [8091]: Unexpected duplicate app: cdop_al l_indexer_base
open
Unexpected duplicate app: cdop_all_indexer_base
All preliminary checks passed.
Starting splunk server daemon (splunkd)...
Unexpected duplicate app: cdop_all_indexer_base
Unexpected duplicate app: cdop_all_indexer_base
Unexpected duplicate app: cdop_all_indexer_base
Done
[ OK ]
It does look like these are duplicate apps:
indx2:/home/splunk $ find /opt/splunk/etc/ -name cdop_all_indexer_base
/opt/splunk/etc/slave-apps.old/cdop_all_indexer_base
/opt/splunk/etc/slave-apps/cdop_all_indexer_base
/opt/splunk/etc/apps/cdop_all_indexer_base
... View more
08-24-2015
05:24 AM
Good morning. I am wondering what filesystem and fs options people are using for spunk indexers? I am running it on CentOS and have chosen xfs for my 4TB filesystems. We expect to have a lot of indexes, so I was wondering what recommendation people may have on this. I cannot imagine that the default fs setup is the best option, but maybe.
Any feedback is much appreciated.
... View more
08-16-2015
01:52 PM
I am installing Splunk as a splunk user. I have it all down, but what directory are people installing it in? Using /opt does not seem like a good idea because you then need to make the /opt dir 775 or 777 depending on who owns /opt...
I welcome to hear where others are installing it. Thanks!
... View more
08-14-2015
07:06 AM
Fritz - Thank you for taking the time to respond. It seems that you are more affected on the forward servers?!??! I am talking about running splunk exterprise server as splunk user. Does this change your comments or advice?
... View more
08-14-2015
04:18 AM
Couple of facts:
I am installing Splunk from the source (*.tgz file).
Our Splunk account is part of AD/LDAP
A few questions:
1. If I want it to be installed in /opt , what permissions do I set on the /opt directory w/o opening it up completely or making it owned by Splunk? Is there a better place to install this?
2. Can I use a service account that is in LDAP/AD to start Splunk? Would it work with:
/opt/splunk/bin/splunk enable boot-start -user splunk
Any suggestions on this is most welcome! Thank you in advance.
... View more
08-10-2015
05:38 AM
Hey thank you for your response. I am asking bout the service account at a linux level to install splunk with. So when I install splunk on linux I am not going to use the linux root account, i want to use a splunk account that is on an ldap server. Is this possible and/or even possible?
... View more
08-07-2015
10:40 AM
We are installing Splunk on CentOS Linux in the next week or so. Our service accounts are going to be on an LDAP server. Will I be able to install and run the Splunk App for Enterprise Security with an LDAP service account?
... View more
08-07-2015
08:07 AM
Hello!
I am about to embark on an install of the Splunk App for Enterprise Security on a set of shiny new CentOS Linux servers. Here is the config:
4 Clustered Indexer Servers
2 Search Heads
1 Deployment server with License manager running on it
Some of my questions are as follows:
I have chosen to use xfs as the filesystem for indexes. I will be striping the lv across 16 LUN's, which cluster size should I use for optimal perf? Is xfs the correct fs for this in the first place? Should I break out the hot and cold areas into multiple mount points? I expext about 5k iops per sec on each disk.
Given that this env has clustered indexers, what considerations should I make?
I understand that ES relies heavily on sourcetype, what are the implications in ES if I create my own sourcetypes?
ANY advice to spare me future pain is more than welcome. Thanks!
... View more
08-03-2015
04:28 PM
1 Karma
I am using the deployment server and it has been my company's practice to put inputs.conf files in local. Is this where it belongs? It would seem that local would take precedence over default and is used to very specific site logging needs? Am I way off base here? Toto, is this Kansas 🙂
Thanks!
... View more
07-23-2015
07:37 PM
What is the optimal format our application can generate for splunk to pick it up by default? Development can make the format whatever it needs to be, what is best?
... View more
- Tags:
- formatting
- log
07-22-2015
03:56 AM
We are rebuilding our distributed search Splunk environment:
1 Deployment Server
1 Dedicated Search Head
1 License Server
4 Indexer Servers
Client Fwd servers will be running Linux or Windows
We would like to run the entire environment on Linux but am concerned that some of the console apps will not work (i.e. MSSQL apps). For example we are running it on Windows now and we tried to install the Splunk App for *nix and it would not us use it. The save button was greyed out and it told us that we need to run it on Linux. Is this in our head? Do we need to have it running on Linux to monitor linux, and the same for Windows?
Any insight is MUCH appreciated!
... View more
07-21-2015
05:18 AM
What is the bare min i need to deploy an app that logs /var/log/messages?
... View more
07-20-2015
08:21 AM
I have two platforms to monitor. I want to create one application that I can apply to all hosts that come on board. I know that Spunk will not scream anymore with 6.2.x, but are there adverse affects? Will it create errors in the Spunk log files?
... View more
07-19-2015
05:22 PM
Here is a log file from my Linux forwarder I installed:
Script started on Sun 19 Jul 2015 08:08:14 PM EDT
/root/dev/packages # ls
splunkforwarder-6.2.4-271043-linux-2.6-x86_64.rpm
/root/dev/packages # rpm -iv splunkforwarder-6.2.4-271043-linux-2.6-x86_64.rpm
warning: splunkforwarder-6.2.4-271043-linux-2.6-x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 653fb112: NOKEY
Preparing packages...
splunkforwarder-6.2.4-271043.x86_64
complete
/root/dev/packages # which splunk
/opt/splunkforwarder/bin/splunk
/root/dev/packages # splunk start --accept-license
This appears to be your first time running this version of Splunk.
Splunk> Take the sh out of IT.
Checking prerequisites...
Checking mgmt port [8089]: open
Creating: /opt/splunkforwarder/var/lib/splunk
Creating: /opt/splunkforwarder/var/run/splunk
Creating: /opt/splunkforwarder/var/run/splunk/appserver/i18n
Creating: /opt/splunkforwarder/var/run/splunk/appserver/modules/static/css
Creating: /opt/splunkforwarder/var/run/splunk/upload
Creating: /opt/splunkforwarder/var/spool/splunk
Creating: /opt/splunkforwarder/var/spool/dirmoncache
Creating: /opt/splunkforwarder/var/lib/splunk/authDb
Creating: /opt/splunkforwarder/var/lib/splunk/hashDb
New certs have been generated in '/opt/splunkforwarder/etc/auth'.
Checking conf files for problems...
Done
All preliminary checks passed.
Starting splunk server daemon (splunkd)...
Generating a 1024 bit RSA private key
...........++++++
...........++++++
writing new private key to 'privKeySecure.pem'
Signature ok
subject=/CN=devopslinux/O=SplunkUser
Getting CA Private Key
writing RSA key
Done
[ OK ]
/root/dev/packages # splunk enable boot-start
Init script installed at /etc/init.d/splunk.
Init script is configured to run at boot.
/root/dev/packages # splunk set deploy-poll 10.11.0.4:9997
Your session is invalid. Please login.
Splunk username: admin
Password:
Configuration updated.
You need to restart the Splunk Server (splunkd) for your changes to take effect.
/root/dev/packages # service splunk restart
Restarting splunk (via systemctl): [ OK ]
/root/dev/packages # exit
exit
Script done on Sun 19 Jul 2015 08:13:51 PM EDT
/root #
What am I missing? This node is not showing up as a client in forwarder management.
Thanks!
... View more
07-19-2015
01:37 PM
I changed the port and reinstalled the whole thing and this still does not work. If I started out of the box to set this up is there ONE place I can look for a full configuration of Splunk? I am more than certain it is something I am doing wrong, problem is the documentation is a rat race to find anything. So scattered. Sorry I am just frustrated.
... View more
- « Previous
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-17-2021
11:03 PM
|
