Activity Feed
- Karma Re: Rsyslog Log Rotation for jawahir007. 06-05-2020 12:51 AM
- Karma Search that shows scheduled time of saved searches for brdr. 06-05-2020 12:50 AM
- Karma Re: Why does metadata command returns only one sourcetype? for richgalloway. 06-05-2020 12:50 AM
- Karma What are the implications of enabling suppress_sourcename in your Windows inputs.conf ? for itrimble1. 06-05-2020 12:50 AM
- Karma Re: What is your average indexing rate from your monitoring console ? for itrimble1. 06-05-2020 12:50 AM
- Karma Re: What is your average indexing rate from your monitoring console ? for harsmarvania57. 06-05-2020 12:50 AM
- Karma What is your average indexing rate from your monitoring console ? for itrimble1. 06-05-2020 12:50 AM
- Karma Re: Extreme Latency with Windows Events on one Windows Event Collector. How do I troubleshoot? for itrimble1. 06-05-2020 12:50 AM
- Karma Re: Extreme Latency with Windows Events on one Windows Event Collector. How do I troubleshoot? for davidwaugh. 06-05-2020 12:50 AM
- Karma Re: Extreme Latency with Windows Events on one Windows Event Collector. How do I troubleshoot? for itrimble1. 06-05-2020 12:50 AM
- Karma Re: Extreme Latency with Windows Events on one Windows Event Collector. How do I troubleshoot? for itrimble1. 06-05-2020 12:50 AM
- Karma Extreme Latency with Windows Events on one Windows Event Collector. How do I troubleshoot? for davidwaugh. 06-05-2020 12:50 AM
- Karma Re: Need help with Configurations Analytics App for Splunk for configurations management. for landen99. 06-05-2020 12:50 AM
- Karma Re: Need help with Configurations Analytics App for Splunk for configurations management. for woodcock. 06-05-2020 12:50 AM
- Karma Re: Pi-hole DNS App for Splunk: Why are we getting error "no route to host" when sending logs from pi-hole to Splunk with a UF? for johnny21. 06-05-2020 12:50 AM
- Karma Re: Logs in an index getting rolled cold to frozen before size or time limits are reached for solarboyz1. 06-05-2020 12:49 AM
- Karma Is there a way to calculate bandwidth requirements for Splunk index replication in a indexer cluster? for keithyap. 06-05-2020 12:49 AM
- Karma Re: Tuning for performance for gjanders. 06-05-2020 12:49 AM
- Karma Re: Tuning for performance for masonmorales. 06-05-2020 12:49 AM
- Karma Re: how to edit the title after alert saved? for woodcock. 06-05-2020 12:49 AM
Topics I've Started
01-27-2020
03:42 PM
This works for us, but rsyslog stops processing data and has to be restarted.
01-27-2020
03:40 PM
Thanks, I did see this and have tried using logrotate. When we rotate the logs, they need to be moved to an archive folder outside of the syslog directory. When I add a command to move the files after postrotate, the files are moved successfully, but rsyslog stops working and must be restarted.
For example:

```conf
/opt/splunk/syslog/*/*
{
    daily
    missingok
    compress
    notifempty
    sharedscripts
    postrotate
        # with sharedscripts this runs once after all matched files are rotated
        mv /opt/splunk/syslog/*/*.gz /opt/splunk/archive/;
    endscript
}
```
01-26-2020
12:35 PM
@mydog8it, are you able to share your process and the script you are using? That would be helpful.
01-24-2020
08:37 AM
We need to rotate syslog files once they reach a certain size.
Our directory structure looks like the following:
/opt/splunk/syslog/datasource1
/opt/splunk/syslog/datasource2
/opt/splunk/syslog/datasource3
etc.
Once files in the source folders reach 1GB for example, we need them to be moved to /opt/splunk/old_files
Has anyone successfully set up a rotation script?
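One way to do the size-based rotation asked for above, as an added example that is not from this thread: a POSIX shell function that moves any per-datasource file over a byte threshold into an archive tree and then sends rsyslog a HUP so it reopens its output files (the usual reason rsyslog appears to stop after a rotation like the logrotate block above is that it keeps writing to the renamed inode until it is told to reopen). Assumed: the directory layout from the post, an archive directory on the same filesystem, and rsyslog's pid file at /var/run/rsyslogd.pid (RSYSLOG_PIDFILE overrides it).

```shell
#!/bin/sh
# Added example (not the poster's script): size-based rotation of per-datasource
# syslog files, e.g. /opt/splunk/syslog/datasource1/*, into an archive tree,
# followed by SIGHUP to rsyslog so it closes the moved files and reopens new ones.
# Assumption: the archive dir is on the same filesystem (mv is then a rename and
# nothing is copied) and rsyslog's pid file lives at /var/run/rsyslogd.pid.

RSYSLOG_PIDFILE=${RSYSLOG_PIDFILE:-/var/run/rsyslogd.pid}

# rotate_large_files SRC_ROOT ARCHIVE_DIR MIN_BYTES
# Moves every regular file SRC_ROOT/<datasource>/<name> of at least MIN_BYTES
# to ARCHIVE_DIR/<datasource>/<name>.<UTC timestamp>; prints how many were moved.
rotate_large_files() {
    src_root=$1 archive=$2 min_bytes=$3
    moved=0
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    for f in "$src_root"/*/*; do
        [ -f "$f" ] || continue
        size=$(( $(wc -c < "$f") ))      # wc -c is portable; $(( )) trims padding
        [ "$size" -ge "$min_bytes" ] || continue
        ds=$(basename "$(dirname "$f")")
        mkdir -p "$archive/$ds"
        mv "$f" "$archive/$ds/$(basename "$f").$stamp"
        moved=$((moved + 1))
    done
    # rsyslog still holds the old inode open after the rename; HUP makes it
    # reopen its output files under the original paths. Skipped when no pid
    # file is present, e.g. on a box where rsyslog is not running.
    if [ "$moved" -gt 0 ] && [ -r "$RSYSLOG_PIDFILE" ]; then
        kill -HUP "$(cat "$RSYSLOG_PIDFILE")" 2>/dev/null || true
    fi
    echo "$moved"
}

# Usage, with the 1GB threshold from the post:
# rotate_large_files /opt/splunk/syslog /opt/splunk/old_files 1073741824
```

Run it from cron at whatever interval matches how fast the sources grow; files below the threshold are left untouched, so it is safe to run often.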
10-09-2019
08:38 AM
Thanks @richgalloway, this did the trick!
10-08-2019
02:17 PM
We've got over 50 sourcetypes; however, when I run the command below, I only see syslog under the sourcetype column.
| metadata type=sourcetypes | sort - totalCount
Does anyone have an explanation?
10-05-2019
08:25 AM
Hi @gcusello, thanks for your response. Events stopped on 10/4 on only this DNS server. We have a second DNS server that is forwarding events just fine. It appears to be isolated to this one DNS server.
10-04-2019
09:23 AM
One of our DNS servers running a universal forwarder suddenly stopped sending Windows Event logs to our indexers.
DNS events are still being forwarded.
10-03-2019
12:57 PM
Changed use_threads to use 15 threads. (Made no difference)
Enabled: On the rest of the Windows Event Collectors
suppress_sourcename
suppress_checkpoint
suppress_keywords
suppress_type
suppress_opcode
Note: Splunk recommends not changing these settings without speaking with support first.
This is the result. While we are pleased with this after months, we will evaluate how it affects Enterprise Security.
09-11-2019
05:01 AM
Iwu, I've read the documentation, however, SA-Eventgen isn't working. Do you have a Splunk Enterprise environment configured with SA-Eventgen and SPL Examples working?
09-10-2019
02:49 PM
Hello community, I've installed SA-Eventgen and SPL Examples as directed in the following .conf talk:
https://conf.splunk.com/files/2017/recordings/creating-your-own-splunk-learning-environment.mp4
However, this doesn't work. I've taken a look at the documentation, created a folder named "local" under the SPL_Examples directory and moved the eventgen.config from the apps\spl_examples\default folder to the apps\spl_examples\local folder. I restarted Splunk and am still getting no events. What am I missing? Luke Netto's talk referenced above makes it seem so trivial.
I'm working with a brand new install of Splunk on a Windows 10 system. The only apps I've installed as of this post are SA-Eventgen and SPL Examples.
Splunk Enterprise Version: 7.3.1
SA-Eventgen Version: 6.5.1
Splunk SPL Examples Version: 1.0.0
Appreciate any help with this!
Here are some of the errors I'm seeing in the internal index:
From Splunkd.log:
09-11-2019 12:21:10.206 -0500 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\SA-Eventgen\bin\modinput_eventgen.py"" 2019-09-11 12:21:10 eventgen WARNING MainProcess {'positional_args': (0,), 'event': 'Generator Queue Full. Reput the backfill generator task later. %d backfill generators are dispatched.'}
09-09-2019
09:41 AM
Thanks for the assist, @harsmarvania57. Turned out to be a temporary issue with our Anomali feed.
09-06-2019
06:39 AM
Have you checked your buckets? If they are being frozen prematurely due to storage pressure, the data might have been deleted before retention policy expiry.
08-29-2019
02:33 PM
We got most of them working by placing each folder under /etc/apps.
Still working on Windows and SH monitoring.
08-29-2019
07:13 AM
From the Monitoring Console:
Health Check: msg="A script exited abnormally with exit status: 4"
input="./opt/splunk/etc/apps/DA-ESS-ThreatIntelligence/bin/threat_intelligence_manager.py" stanza="default"
Health Check: msg="A script exited abnormally with exit status: 1" input="./opt/splunk/etc/apps/threatstream/bin/ts_ioc_ingest.py" stanza="ts_ioc_ingest://threatstream_app"
Working on resolving this health check warning occurring on our ES instance. Has anyone experienced it before?
08-22-2019
09:51 AM
@mikaelbje
08-21-2019
02:14 PM
Hey @davidwaugh, are you running a distributed setup? If so, what does your index cluster look like?
08-21-2019
01:49 PM
1 Karma
Hi @mikaelbje, what would you recommend instead of using Windows Event Collectors? Is the alternative simply installing a universal forwarder on every endpoint?
08-13-2019
12:36 PM
Thanks for the assist!
03-27-2019
08:53 AM
@lycollicott , thanks for the post. We were having the same issue on a Server 2016 box and using LaunchSplunk=0 resolved it.