Activity Feed
- Posted Re: For Splunk Enterprise, Splunk Light, and Hunk pre 6.3, default root certificates expire on July 21, 2016 - Recommendations? on Security. 06-22-2016 09:19 AM
- Posted Re: How to configure Splunk to distinguish different types of logs from syslog and save them in different indexes on a Splunk Indexer? on Getting Data In. 06-12-2016 10:58 PM
- Posted Is it possible to modify an indexed event? on Knowledge Management. 06-10-2016 12:25 AM
- Tagged Is it possible to modify an indexed event? on Knowledge Management. 06-10-2016 12:25 AM
- Posted How to configure Splunk to distinguish different types of logs from syslog and save them in different indexes on a Splunk Indexer? on Getting Data In. 06-08-2016 04:30 AM
- Tagged How to configure Splunk to distinguish different types of logs from syslog and save them in different indexes on a Splunk Indexer? on Getting Data In. 06-08-2016 04:30 AM
- Posted Re: For Splunk Enterprise, Splunk Light, and Hunk pre 6.3, default root certificates expire on July 21, 2016 - Recommendations? on Security. 06-01-2016 04:23 AM
- Posted Re: How to configure Splunk to permanently index certain data to indexA instead of the current indexB? on Getting Data In. 05-16-2016 11:31 PM
- Posted How to configure Splunk to permanently index certain data to indexA instead of the current indexB? on Getting Data In. 05-16-2016 12:33 AM
- Tagged How to configure Splunk to permanently index certain data to indexA instead of the current indexB? on Getting Data In. 05-16-2016 12:33 AM
- Posted Re: Splunk Indexer and Universal Forwarder version compatibility on Getting Data In. 03-15-2016 11:44 PM
- Posted Splunk Indexer and Universal Forwarder version compatibility on Getting Data In. 03-15-2016 07:43 PM
- Tagged Splunk Indexer and Universal Forwarder version compatibility on Getting Data In. 03-15-2016 07:43 PM
06-22-2016 09:19 AM
I forgot whether I enabled SSL on the UF installed on my Windows Servers or not. How do I verify it?
06-12-2016 10:58 PM
Does this mean re-direct the syslog from CiscoNetworkDevice to cisco_syslog while data is getting into the Splunk Indexer?
06-10-2016 12:25 AM
Is it possible to modify an indexed event? My company is using Splunk for detecting suspicious activities. One of the scenarios is to detect Failed Logons to servers. I am afraid that someone (e.g. an attacker) can modify the timestamp, username, or even delete the whole log to cover his/her tracks. Does anyone know about this?
Has any white paper or official document been released regarding the above question?
Thanks in advance!
06-08-2016 04:30 AM
I have just installed a Splunk App where the logs are from some appliances, so obviously they are sending syslog to our Splunk Indexer. However, this Splunk App is only suitable for analyzing specific logs of one of the vendor appliances (vendor-specific Splunk App). So, the problem is that I configured all my network devices (i.e. switches, routers, firewalls, etc.) to send syslog to our Splunk Indexer, where the Splunk Indexer stores these logs in the "main" index.
So, how do I tell the newly installed Splunk App to only capture the "needed" logs to perform analysis from the pool of logs in the "main" index? (The "need to analyze" logs are in the pool of logs stored in the "main" index.)
06-01-2016 04:23 AM
I have deployed lots of UFs on my servers. I am just thinking whether I should update the certificate of my Indexer first or my UF(s) first...
I am afraid that if I update the certificate on my Indexer, then all UFs (with the old and about-to-expire certificate) will disconnect from my Indexer. Thus, no log can be sent to the Indexer from the UFs until the certificate is updated on these UF(s)...!
I have more than 150 servers deployed with UF... I don't want to update the certificate 150 times... please...
Can anyone give me some suggestions? 😞
05-16-2016 11:31 PM
If I copy the data from the old index, i.e. apache, to the new index, i.e. apache_^, will this count toward the daily bandwidth usage? I tried to create a new index (apache_^) and then set its home path to the same as the old index (apache). Afterward, it consumed 200% of the licensed daily bandwidth usage AND congested the message queue.
05-16-2016 12:33 AM
Hi all!
I checked in the forum that someone has already asked a similar question.
++++++Copy from another question and answer+++++
For example, if you are trying to move the sourcetype WinEventLog:Application from the main (default) index to the os index, something like this could get you started:
```shell
splunk cmd exporttool defaultdb/db_1262807912_1262278800_6 /dev/stdout -csv sourcetype::WinEventLog:Application | splunk cmd importtool os/db_temp /dev/stdin
```
++++++++++++++++++++++++++++++++++++++++++++
However, this can only copy the data from one index to another index. If new data keeps coming in, the data will still be indexed in the old index. Basically, my situation is as follows:
I installed a Splunk App that allows Splunk users to investigate Apache web traffic. However, the Splunk App is set, by default, to process and search data in the apache_^ index. Unfortunately, my Apache web traffic data is in the "apache" index. So how can I configure Splunk to permanently index Apache web traffic data to the "apache_^" index instead of the "apache" index?
03-15-2016 11:44 PM
Thanks Acharlieh!!
03-15-2016 07:43 PM
I noticed that Splunk officially suggested that we keep the Indexer and UF on the same version (I am using 6.2.3). However, due to some issue, I need to upgrade the UF to 6.2.6 or 6.3. By doing so, will any compatibility issues be introduced?
03-05-2016 08:43 PM
Thanks Raghav! Because our company has limited resources, the search head and the indexer are installed on the same VM... (yes... a VM). The HF is then installed on another VM.
Let me ask my boss to consider the resources before installing any apps. Actually, I already feel that my Splunk is getting slow...
03-05-2016 03:32 AM
Hi all! I am Charles from Hong Kong and new to Splunk. Hello everyone!
My boss asked me to fully utilize our newly installed Splunk Indexer and Heavy Forwarder by installing as many Splunk Apps as they can take. However, the indexer has only been assigned 8 CPU cores and 500GB of storage, whereas my Splunk vendor suggested assigning 24 CPU cores to it (impossible!!). I am worried that installing too many apps on the indexer will degrade the performance of Splunk, or even crash the system.
Do any of you have experience with estimating the largest possible number of Splunk apps that can be installed, and could you share it with me please? Thanks!
P.S. Our indexer is currently receiving around 10 GB of data per day.