What about using something like Puppet? I imagine that should work. ... View more

Great suggestions and thank you for the response. Much appreciated. However, I was just wanting to know specifically about the current state of the tagcreate and tagdelete commands and if we have officially retired them or if we are planning to bring them back in the future sometime, similar to how we had Live Tail in 3.4.x, then when 4.0.x came out last year, that feature was "missing" until recently when 4.1.x was released, and now its back and better than ever. Make sense? ... View more

Thanks! When you say "In the past, Splunk had..." do you mean in 3.4.x version or something else? ... View more

When you first install Splunk, the default index should be the index called "main". And since it is the default, you do not have to specify it when you search across your events. Essentially, "index=main" is implied with all of your searches. ... View more

Sounds reasonable. Curious to know, though, what the ETA is for supporting LDAP failover within Splunk. ... View more

Also, see this page in the Splunk docs for more details regaring the "eval" command: http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Eval Also, see this page regarding the functions that can be used with the "eval" command: http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/CommonEvalFunctions ... View more

Agreed. showdupes filter=all|latest would be very beneficial, especially when debugging input configs. ... View more

I'm not the person that can really answer if it WOULD be separate or part of ESS Suite or not, but I imagine, technically, it could be either or both. A separate App OR just another menu item with ESS called FISMA Controls, or something like that, where you go select to go the FISMA-related dashboards and/or form searches, etc. ... View more

Yes, you can abstract the twenty hosts into a host group tag called "web_servers" or something similar. Then you could search using the host group tag instead of listing the hosts names within the search, like this: tag="web_servers" See this page on how to tag your hosts names with the same host group tag: http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Tagthehostfield Another way you could search might be to include a wildcard in the host name value itself, like this: host="Mav*" which would find hosts names Mav01, Mav02, Mav03, etc. You can also do it with ip addresses too like this: host="10.21.0.*" which would search across only the ips that start with "10.21.0" ... View more

Yes it can. See this page for detailed instruction on how to set that up. http://www.splunk.com/wiki/Apps:Configure_OPSEC_LEA_input Also, note that the solution provided via this link includes an executable that works on Linux and Solaris only. However, the open source project for the lea-loggrabber portion of it is now available here: http://code.google.com/p/splunkcheckpoint ... View more

First of all, please be aware that SANS.ORG has embraced the top 20 Critical FISMA controls put forth by NIST.... (See this page regarding that topic:) http://www.sans.org/critical-security-controls/ ...and Splunk has been certified by SANS.ORG as a vetted tool for Top 20 Critical Control #6 http://www.sans.org/critical-security-controls/user-tools.php ...and here are all of the specific 8500-53 controls regarding TTCC #6 listed (scroll down a little on this page) http://www.sans.org/critical-security-controls/control.php?id=6 Knowing this, technically, Splunk is certified for FISMA Top 20 Critical Control #6, and also provides the capability to tie in and integrate other actions into the adjacent FISMA controls (i.e. Splunk cannot synchronize your server clock, but it CAN trigger a script to sync them when it sees a time offset difference, thus providing a compensating control around clock syncing) Also, I think the current ISO Goverance section of ESS can be enhanced to include a FISMA-specific module that can help with that integration into some of the other FISMA Top 20 Critical Controls as well. (Imagine a FISMA fly-out menu with specific searches, reports, or alerts related to FISMA.) This may be something that Splunk professional services could probably scope out and add to ESS too, if that makes it easier. Additionally, we may be looking into creating a FISMA-specific module as part of the core ESS App. No ETA yet that I am aware of, but customer's are starting to drive us that way for sure. All in all, I think no one product can cover all of FISMA requirements, but Splunk has the best starting point (i.e. core Splunk + ESS App) and potential to specialize as you need, for FISMA or any other type of compliancy you are considering Splunk for. ... View more

BTW, I think the "eval" statement needs to be used in the example above. Probably should also need to perform two sub-searches in succession, one of the earliest and one for the latest time values, like this: * [search sourcetype=syslog error |eval endtimeu = _time+300 | fields + endtimeu] [search sourcetype=syslog error |eval starttimeu = _time-300 | fields + starttimeu] ... View more