Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About iunderwood
iunderwood
Path Finder
Member since:
03-23-2012
06-05-2020
Community Statistics
| Posts | 21 |
| Solutions | 2 |
| Karma Given | 17 |
| Karma Received | 9 |
| Member Since | 03-23-2012 |
Activity Feed
- Got Karma for Re: Deploying wmi.conf for windows universal forwarders with deployment-server. 12-27-2021 05:02 PM
- Karma Re: Why am I not getting the cisco:acs sourcetype after installing Add-on for Cisco ACS 5.x? for okrabbe_splunk. 06-05-2020 12:47 AM
- Karma Re: Splunk Technology Add-on (TA) for Unix and Linux for malmoore. 06-05-2020 12:46 AM
- Karma Re: Setup screen with credentials and multiple endpoints for hexx. 06-05-2020 12:46 AM
- Karma Re: How do I trigger the re-indexing of events from a locally collected Windows Event Log channel? for hexx. 06-05-2020 12:46 AM
- Karma Best practices to deploy the S.o.S app in a distributed search environment for hexx. 06-05-2020 12:46 AM
- Karma Re: Splunk Universal Forwarder with WebSphere App Server for rgantly_splunk. 06-05-2020 12:46 AM
- Karma Re: documentation for Splunk App for Server Virtualization for piebob. 06-05-2020 12:46 AM
- Karma Re: Host field getting overwritten in syslog processing for Ayn. 06-05-2020 12:46 AM
- Karma Re: Deploying wmi.conf for windows universal forwarders with deployment-server for dturner83. 06-05-2020 12:46 AM
- Karma Deploying wmi.conf for windows universal forwarders with deployment-server for dturner83. 06-05-2020 12:46 AM
- Karma Re: how can I cache the dashboard ? for Damien_Dallimor. 06-05-2020 12:46 AM
- Karma Re: Can I put splunk installation on NAS? for Damien_Dallimor. 06-05-2020 12:46 AM
- Karma Re: Cisco TCP Syslogs - Close Events Not Split for dwaddle. 06-05-2020 12:46 AM
- Karma Re: Multiple ldap sources in activedirectory.conf for ahall_splunk. 06-05-2020 12:46 AM
- Got Karma for Cisco TCP Syslogs - Close Events Not Split. 06-05-2020 12:46 AM
- Got Karma for Re: Cisco TCP Syslogs - Close Events Not Split. 06-05-2020 12:46 AM
- Got Karma for Re: Deploying wmi.conf for windows universal forwarders with deployment-server. 06-05-2020 12:46 AM
- Got Karma for Re: Deploying wmi.conf for windows universal forwarders with deployment-server. 06-05-2020 12:46 AM
- Got Karma for Re: Splunk Jokes?. 06-05-2020 12:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 |
02-21-2017
01:14 PM
I can't say that I'm familiar with how file scraping operations work in Splunk for this case.
For my current case, I made a new UDP input to take in the logs:
[udp://7227]
connection_host = dns
sourcetype = cisco:acs
no_appending_timestamp = true
(Sorry for the really late reply ... I haven't been doing much Splunking in the last year or three.)
... View more
12-28-2015
08:04 AM
1 Karma
(editing my previous response)
It looks like this is part of the web.conf in full now:
# Set to "yes" to enable IPv6 support, or "only" accept connection
# on IPv6 only
listenOnIPv6 = yes
Putting this here since this thread is the top result for the search. 😕
... View more
08-23-2015
05:39 PM
Since ACS allows you to export its logs to different ports, I would also recommend opening up an explicit input for this source type. It's operationally more efficient to do so and then there isn't the risk of something being mismatched by the transform should something else creep in that unexpectedly triggers it.
... View more
10-09-2012
08:00 AM
I have added an account limitation to a subset of Splunk users in a role with the following limitation:
sourcetype=weblogic
Searches are limited as I expect. However, the summary page lists all the source types and hosts that are available in the main index. This is not the behavior I expect.
I am using 4.3.4. Can I fix this without having to move all new data to a separate index and creating a further limitation?
... View more
08-23-2012
02:24 PM
Depending on how often the data needs to be searched, refreshed, or even churned through, this might be a better task to be handled during the Indexing period. This might be one of the few times it could be worthwhile to add additional metadata to the index instead or generating it at search time.
... View more
08-15-2012
11:03 AM
I did something very similar for my Riverbed App, by using a pair of search-time transforms. The first takes the first element of the shortname ... but I also needed something to return a full IPv4 address. It does assume that hostnames do not begin with a number:
This is in props.conf:
REPORT-rbsh_hostname = rbsh_hostname
REPORT-rbsh_hostname_ip = rbsh_hostname_ip
This is in transforms.conf:
[rbsh_hostname]
SOURCE_KEY = host
REGEX = (?=[a-zA-Z])(?P<hostname>[^ ]+?)\.
FORMAT = hostname::$1
[rbsh_hostname_ip]
SOURCE_KEY = host
REGEX = (?=\d+\.\d+\.\d+\.\d+)(?P<hostname>[^$]+)
FORMAT = hostname::$1
This should be able to point you in the right direction.
... View more
08-13-2012
06:13 PM
On a secondary note, if you've got a fair number of servers you want to deploy the TA on, consider running a deployment server as well. I found it a touch tricky to start but is worth all the trouble of figuring out.
... View more
08-13-2012
02:45 PM
Fantastic answer! Thanks!!
... View more
08-13-2012
09:03 AM
I should mention that if I set the sourcetype in the input stanza to "cisco" instead of "syslog", the overwrites don't happen.
... View more
08-13-2012
08:57 AM
Here's an odd one I just noticed. I'm taking Syslog in from a Cisco PIX and I've got the input set up as such:
[udp://5150]
connection_host = dns
sourcetype = syslog
no_priority_stripping = true
no_appending_timestamp = true
I've also got a transform which changes the source type:
[iu_cisco_pix]
REGEX = %PIX-\d-[A-Z0-9_]+:
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cisco_pix
When I do a search on the source type, I see a number of entries where the host is changed to "bytes":
<166>Aug 13 2012 11:20:54: %PIX-6-302014: Teardown TCP connection 19849033 for dmz:10.88.14.179/80 to inside:10.8.63.254/48574 duration 0:00:01 bytes 2528 TCP FINs
host=bytes sourcetype=cisco_pix source=udp:5150
Most other lines are fine:
<166>Aug 13 2012 11:54:09: %PIX-6-302013: Built outbound TCP connection 19853901 for dmz:10.88.14.179/80 (10.88.14.179/80) to inside:10.8.63.254/1183 (10.8.63.254/1183)
host=eth1.pix-01.network sourcetype=cisco_pix source=udp:5150
Why does this happen?
If I change the sourcetype to "cisco" in the input stanza, there are no problems.
... View more
08-12-2012
11:57 AM
You'll need to run a saved search as often as you want the cached result to be valid. For example, if you want a 5-minute expire on a search, you'll need to run it every five minutes.
... View more
08-10-2012
08:38 AM
This seems to affect IOS 12.2, at least on all my switching platforms. All my routers run 12.4 or higher and recover w/o incident. I now have a case open with TAC.
... View more
08-09-2012
04:45 AM
1 Karma
The LINE_BREAKER hint put me in the right direction with the first part of the question.
LINE_BREAKER = ([^\<])\<\d{1,3}\>
Essentially the selector in parenthesis is anything that's NOT a <, followed by the expression, so it won't break on the first line, but it will on subsequent ones. I have this working in my development environment and it's working well.
As far as the TCP restarting goes, I've asked that on the Cisco forum. I'll update this answer with that information depending on what I find there.
... View more
08-08-2012
05:30 PM
1 Karma
I've got a dev box that I'm running an instance of Splunk on and one of the things I am testing is the feasibility of using TCP for syslog. Numerous folks and articles suggest TCP is definitely the way to go, and for many reasons, this is a sensible choice. However, there are two items I cannot get to work as I expect which are in the way.
Close events do not split.
Here is an entry where the events are so rapid-fire that they don't split out into individual events of their own:
<188>640624: 640621: Aug 9 2012 00:12:09.428 UTC: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=2001 local=x.x.x.x remote=y.y.y.y spi=E78EE4D2 seqno=000022E9<188>640625: 640622: Aug 9 2012 00:12:14.012 UTC: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [z.z.z.z:0 -> a.a.a.a:0]
I expect this could be taken care of in props.conf with something like this:
[source::tcp:5170]
BREAK_ONLY_BEFORE = (\<\d+\>\d)+
I have also tried: \<\d{1,3}\>
I figure there needs to be something simple I am missing in my RegEx for this statement.
TCP logging sometimes stops.
Every now and then, one of my remote sites will undergo carrier maintenance and the logging will be unavailable for some time and logging doesn't ever seem to recover. In a "show log", the output looks similar to this:
Trap logging: level informational, 6360 message lines logged
Logging to 192.168.16.10 (tcp port 5140, audit disabled,
link down),
The quick way I have found to restart this is to remove and add my log host. This isn't really practical either. However, I haven't found out where to tell this to keep retrying after a certain amount of time. This isn't specifically a Splunk thing, but I'm hoping someone out there has already run across this.
Thanks in advance for the assistance!
++I;
... View more
08-01-2012
01:34 PM
Simple question ... do the IPs for the hosts' sources resolve in DNS to the reverse name you'd like to see?
... View more
07-31-2012
11:34 AM
What is preventing you from installing universal forwarders on your domain controllers and using those instead?
... View more
07-30-2012
08:22 PM
Before I even take a stab at answering the question ... what makes the data new? Is it from a new source entirely, or are there very specific events that you're looking to change the index on going forward?
... View more
07-27-2012
08:13 AM
3 Karma
I apologize for being late to the party, as it were.
Use your deployment server properly and create an app for the WMI stuff. In this case, we'll call it winsvr-localwmi. Place your wmi.conf in the default directory:
$SPLUNK_HOME/etc/apps/deployment-apps/winsvr-localwmi/default
If you don't have the input defined, you'll need an inputs.conf in the same directory:
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
Lastly, be sure your universal forwards restart after the change, or you might end up scratching your head. I made a server class for all my Windows machines. Since my Splunk installation is all RHEL, all my Windows boxes are UFs only.
I put this in my serverclass.conf:
[serverClass:Forwarder_Universal_Windows]
blacklist.0 = *
disabled = 0
filterType = blacklist
machineTypes = windows-intel,windows-x64
restartSplunkd = True
Posting this anyway because I hate finding answers more than once. 🙂
... View more
07-25-2012
08:31 AM
Spaces in the server class will also result in the same problems on non-Windows systems.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
Karma given to
