Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About kalianov
kalianov
Path Finder
Member since:
02-04-2016
06-05-2020
Community Statistics
| Posts | 30 |
| Solutions | 3 |
| Karma Given | 16 |
| Karma Received | 6 |
| Member Since | 02-04-2016 |
Activity Feed
- Karma Re: How to forward internal logs (splunkd.log) from UniversalForwarders to indexer via heavy forwarder for jtacy. 06-05-2020 12:48 AM
- Karma Re: How to configure a heavy forwarder to filter out the ending string from Windows security event logs? for javiergn. 06-05-2020 12:48 AM
- Karma How to index evtx files in Splunk? for chanduira. 06-05-2020 12:48 AM
- Karma Re: Forwarder 6.4.1 with Server 6.2.1 for gpareesi11. 06-05-2020 12:48 AM
- Karma Re: Forwarder 6.4.1 with Server 6.2.1 for nzambo_splunk. 06-05-2020 12:48 AM
- Karma Re: Why are users getting "No results found" in the email they receive from running a map search with the sendemail command? for somesoni2. 06-05-2020 12:48 AM
- Karma Re: Why are users getting "No results found" in the email they receive from running a map search with the sendemail command? for martin_mueller. 06-05-2020 12:48 AM
- Got Karma for Re: How to forward internal logs (splunkd.log) from UniversalForwarders to indexer via heavy forwarder. 06-05-2020 12:48 AM
- Got Karma for Re: Display error :Could not create search. 06-05-2020 12:48 AM
- Got Karma for Re: How does Splunk define a host?. 06-05-2020 12:48 AM
- Got Karma for Re: After configuring new servers on the universal forwarder, why are sourcetypes and hosts missing from search?. 06-05-2020 12:48 AM
- Got Karma for Re: Visualize netflow in splunk. 06-05-2020 12:48 AM
- Karma Inline Variable Definitions and Expansions With Eval for niall_munnelly. 06-05-2020 12:47 AM
- Karma Re: How to edit my universal forwarder's monitor configuration for a single log file to prevent indexing events over and over again? for lguinn2. 06-05-2020 12:47 AM
- Got Karma for Re: Why am I getting error "Gap in numbered regexes: expected attribute=whitelist.104 not found" trying to delete hosts from serverclasses using the deployment server GUI?. 06-05-2020 12:47 AM
- Karma Splunk monitor shows Missing forwarders for vdamiangf. 06-05-2020 12:46 AM
- Karma Re: When is it appropriate to set followTail to 'true'? for jrodman. 06-05-2020 12:46 AM
- Karma Re: Pros/cons of using Syslog-NG (or other syslog file receiver) vs. direct tcp/udp 514 to Splunk? for Narj. 06-05-2020 12:46 AM
- Karma Re: monitor a file using tail initially blank for the_wolverine. 06-05-2020 12:46 AM
- Karma Deployment Monitor Missing Forwarders for jdunlea_splunk. 06-05-2020 12:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
03-01-2017
11:12 PM
Thanks for your advice. This is the right solution, but the task is to do it without conversion.
... View more
03-01-2017
07:07 AM
Hi guys!
I have a free Splunk server which installed on Windows 2012 and
I want to index and analyze Security.evtx file, which I download from remote user's PC (Windows7).
I tried to add this stanzas to index.conf and reboot splunk server, but no information were indexed:
I can't use forwarder, it's a one-time need.
Var1
[WinEventLog://C:\temp\Security.evtx]
current_only = 0
disabled = 0
host = userPChostname
index = winevent_ext
sourcetype = WinEventLog:Security
start_from = oldest
Var2: If I open my "Security.evtx" file in Event Viewer, it's opened in "Saved Logs-Security" tree thats why I tried this:
[WinEventLog://Saved Logs/Security]
current_only = 0
disabled = 0
host = userPChostname
index = winevent_ext
sourcetype = WinEventLog:Security
start_from = oldest
No results.
... View more
01-11-2017
06:32 AM
Update your APP "Splunk Supporting Add-on for Active Directory"
Check your (eval fld_username=...) string without ldapfilter part
Try this:
| ldapfilter domain="default" search="(&(objectclass=user) (sAMAccountNAme=$fld_username$))"
attrs="sAMAccountNAme,telephoneNumber,displayName,title,department" | streamstats count AS N
|table N, _time, fld_username, displayName,title,department,tel,telephoneNumber
... View more
01-11-2017
04:49 AM
1 Karma
Your index "ASA" is not listed in Data Summary because you need to add it into "indexes searched by default".
That's why you have no results when you trying to search without pointing an index name.
Сheck "Indexes searched by default" in Access controls->Roles
always after you create new index.
... View more
01-10-2017
11:37 PM
base_max_searches = 100 is too much.
max_hist_searches = max_searches_per_cpu x number_of_cpus + base_max_searches
max_rt_searches = max_rt_search_multiplier x max_hist_searches
... View more
01-04-2017
05:17 AM
1 Karma
I think you need to check parameters (base_max_searches, max_searches_per_cpu, max_rt_search_multiplier) in file limits.conf in [search] section.
Caution: do not change limits.conf settings unless you know what you are doing.
http://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/Limitsconf#.5Bsearch.5D
Also read this:
http://docs.splunk.com/Documentation/Splunk/6.5.1/Report/Configurethepriorityofscheduledreports
... View more
11-30-2016
04:01 AM
Did you check "Indexes searched by default" in Access controls->Roles after you created new index?
... View more
11-30-2016
03:58 AM
1 Karma
Did you check "Indexes searched by default" in Access controls->Roles after you created new index?
... View more
11-29-2016
06:53 AM
1 Karma
Extract field with data size per session, for example "trafic_size"
Extract other fields (ip, port, e.t.c.)
Select the time period for which you want to count traffic
Calculate your traffic:
your search | stats sum (trafic_size)
OR calculate your traffic by ip:
your search | stats sum (trafic_size) by ip
... View more
10-28-2016
01:08 AM
Also you can make a fields extraction for your data, which were indexed
All Fields - >> Extract New Fields
Instructions:
http://docs.splunk.com/Splexicon:Fieldextraction
http://docs.splunk.com/Documentation/Splunk/6.5.0/Knowledge/ExtractfieldsinteractivelywithIFX
... View more
09-22-2016
02:24 AM
1 Karma
Thanks a lot. I have did the next things on my HF:
- uninstalled my app, as you said
- copy from default outputs.conf some stanzas into system/local/outputs.conf :
[tcpout]
defaultGroup = myindexer:port
maxQueueSize = auto
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_internal)
disable that lines in default outputs.conf
restart heavy Forwarder
It is works
I hope that my license will not be down.
... View more
09-21-2016
02:41 AM
Hi.
My configuration is UF->HF->INDEXER.
Aim: configure DMC to monitor all instances of my deployment including Universal Forwarders (ver 6.1.4 or 6.2.0).
Problem is that I can't get splunkd.log and other internal logs from UniversalForwarders to my indexer(ver 6.4.1).
I have deployed a small app to my Universal Forwarders with such
inputs.conf:
[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.]
index = _internal
sourcetype = splunkd
_TCP_ROUTING = *
otputs.conf
[tcpout]
forwardedindex.0.whitelist = .
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_introspection|_internal)
forwardedindex.filter.disable = false
But I still have no data on my indexer from that UF
On Universal Forwarders I have such $SPLUNK_HOME/etc/system/local/outputs.conf
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = heavyforwarder:9997
[tcpout-server://heavyforwarder:9997]
All non internal logs have indexed good, but internal logs such as splunkd.log have not indexed.
Also I have some UFs that are sending data directly to indexer and I see all internal logs from them without my app. So I can monitor them and my heavy forvarder in DMC without problem, but I need all forwarders.
Need help
... View more
06-21-2016
04:31 AM
Thanks a lot. It's working
... View more
06-21-2016
03:53 AM
Hi.
I have a monitor of "/etc/shadow" file with last password change field lastchange in days (example lastchange=16937). It's a number of days from 01/01/1970
I need to determine the date of last password change of a user.
I want to do something like: 01.01.1970+lastchange=last_password_change_date
How to do that?
... View more
05-31-2016
04:21 AM
Hi guys!
I have two questions:
1) Is it possible to use Forvarder ver 6.4.1
if my indexer and deployment servers have Splunk Entervrise ver 6.2.1
2) Which instalation of Splunk forwarder I can use for
Red Hat Enterprise Linux Server release 7.0 core 3.10.0-123.6.3.el7.x86_64
... View more
04-25-2016
06:45 AM
Your variant with SEDCMD works good
Thanks a lot!
... View more
04-25-2016
06:36 AM
1 Yes, I have restarted my HF
2 My conf files is in SPLUNk_HOME$system/local
3 My configuration is very simple
UF->HF->INDEXER
What is the difference between
[source::WinEventLog:Security]
[WinEventLog:Security]
... View more
04-25-2016
05:20 AM
Hello guys
I'm trying to drop the end of all Security events:
This event is generated when a logon session is created. It is generated on the computer that was accessed.
....
My conf files on Heavy Forwarder is:
transforms.conf
[win-event-cut-en]
DEST_KEY = _raw
REGEX = ((.*+[\v])+)(?=This event is generated when)
FORMAT = $1
props.conf
[WinEventLog:Security]
TRANSFORMS-windows_events =win-event-cut-en
However, this does not work.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
Karma given to
