Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About EdgarAllenProse
EdgarAllenProse
Path Finder
Member since:
09-29-2016
06-16-2020
Community Statistics
| Posts | 29 |
| Solutions | 1 |
| Karma Given | 12 |
| Karma Received | 10 |
| Member Since | 09-29-2016 |
Activity Feed
- Karma Re: Why am I seeing "'SearchOperator:loadjob': Cannot find artifacts within the search time range" error in my saved search? for yannK. 06-05-2020 12:48 AM
- Karma Re: What is the difference between sma and avg? for jkat54. 06-05-2020 12:48 AM
- Karma Re: Splunk Add-on for Microsoft Windows: How to limit the amount of Perfmon events? for somesoni2. 06-05-2020 12:48 AM
- Karma Splunk App for Windows Infrastructure: Why does Failed Logons by IP Address chart never populate data? for hochit. 06-05-2020 12:48 AM
- Karma Re: How to make the deployment server manage all Universal Forwarders' server.conf account for system unique fields like "sslKeysfilePassword ” and “pass4SymmKey”? for gjanders. 06-05-2020 12:48 AM
- Karma Re: Is it possible to create a dashboard that accepts text and creates a searchable log based on the input? for sundareshr. 06-05-2020 12:48 AM
- Karma Re: Is it possible to create a dashboard that accepts text and creates a searchable log based on the input? for bshuler_splunk. 06-05-2020 12:48 AM
- Karma Re: Is there an expected release for Splunk App for Windows Infrastructure 1.4.0 that will be compatible with 6.5.0? for jwelch_splunk. 06-05-2020 12:48 AM
- Karma How to troubleshoot why an indexer in a cluster is missing from the Monitoring Console? for agehring4823. 06-05-2020 12:48 AM
- Karma Re: How to forward _internal to defaultGroup for gcusello. 06-05-2020 12:48 AM
- Got Karma for Re: Splunk App for Windows Infrastructure: Why does Failed Logons by IP Address chart never populate data?. 06-05-2020 12:48 AM
- Got Karma for Re: Splunk App for Windows Infrastructure: Why does Failed Logons by IP Address chart never populate data?. 06-05-2020 12:48 AM
- Got Karma for How to create a dashboard with text input fields that will update a lookup file?. 06-05-2020 12:48 AM
- Got Karma for Transforms not splitting sourcetypes. 06-05-2020 12:48 AM
- Got Karma for How to figure out index disk space footprint on indexers?. 06-05-2020 12:48 AM
- Got Karma for How to figure out index disk space footprint on indexers?. 06-05-2020 12:48 AM
- Got Karma for How to figure out index disk space footprint on indexers?. 06-05-2020 12:48 AM
- Got Karma for How to figure out index disk space footprint on indexers?. 06-05-2020 12:48 AM
- Got Karma for Re: How to figure out index disk space footprint on indexers?. 06-05-2020 12:48 AM
- Got Karma for Re: How to figure out index disk space footprint on indexers?. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 4 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 |
03-13-2017
08:37 AM
2 Karma
Oh! Also, make sure the search is run all time and if you are running an indexer cluster run the query on the master, otherwise run it on the indexer.
... View more
03-13-2017
08:35 AM
4 Karma
I was struggling to find short and long term estimations on how much space was taken by each index in each state, so if you are trying to make a plan or taking over an older deployment your 2 friends are dbinspect and the Monitoring Console . Seriously try to avoid internal metrics with splunkd unless you are looking at license volume.
Monitoring Console deserves a course on it's own, but using dbinspect, I was able to find - by bucket and state - volumes compressed and uncompressed, while figuring out a decent estimation of how I should configure my indexes.conf .
The search used (which desperately needs cleaning, as it has plenty of unnecessary stats tables written into it):
| dbinspect index=*
| search tsidxState="full" bucketId=*
| eval ageDays=round((endEpoch-startEpoch)/84000,10)
| stats min(startEpoch) as MinStartTime max(startEpoch) as MaxStartTime min(endEpoch) as MinEndTime max(endEpoch) as MaxEndTime max(hostCount) as MaxHosts max(sourceTypeCount) as MaxSourceTypes sum(eventCount) as TotalEvents sum(rawSize) as rawSizeBytes sum(sizeOnDiskMB) as sizeOnDiskBytes values(ageDays) as ageDays dc(bucketId) as countBuckets by index bucketId, state
| where ageDays<90 AND ageDays>0.0000000000
| eval sizeOnDiskBytes=round(sizeOnDiskBytes*pow(1024,2))
| eval dailyDisk=round(sizeOnDiskBytes/ageDays,5)
| eval dailyRaw=round(rawSizeBytes/ageDays,5)
| eval dailyEventCount=round(TotalEvents/ageDays)
| table index bucketId state dailyDisk ageDays rawSizeBytes, sizeOnDiskBytes TotalEvents PercentSizeReduction dailyRaw dailyEventCount ageDays
| stats sum(dailyDisk) as dailyBDiskBucket, values(ageDays), sum(dailyRaw) as dailyBRaw sum(dailyEventCount) as dailyEvent, avg(dailyDisk) as dailyBDiskAvg, avg(dailyRaw) as dailyBRawAvg, avg(dailyEventCount) as dailyEventAvg, dc(bucketId) as countBucket by index, state, ageDays
| eval bPerEvent=round(dailyBDiskBucket/dailyEvent)
| eval bPerEventRaw=round(dailyBRaw/dailyEvent)
| table dailyBDiskBucket index ageDays dailyEvent bPerEvent dailyBRaw bPerEventRaw state
| sort ageDays
| stats sum(dailyBDiskBucket) as Vol_totDBSize, avg(dailyBDiskBucket) as Vol_avgDailyIndexed, max(dailyBDiskBucket) as Vol_largestVolBucket, avg(dailyEvent) as avgEventsPerDay, avg(bPerEvent) as Vol_avgVolPerEvent, avg(dailyBRaw) as Vol_avgDailyRawVol, avg(bPerEventRaw) as Vol_avgVolPerRawEvent, range(ageDays) as rangeAge by index, state
| foreach Vol_* [eval <<FIELD>>=if(<<FIELD>> >= pow(1024,3), tostring(round(<<FIELD>>/pow(1024,3),3))+ " GB", if(<<FIELD>> >= pow(1024,2), tostring(round(<<FIELD>>/pow(1024,2),3))+ " MB", if(<<FIELD>> >= pow(1024,1), tostring(round(<<FIELD>>/pow(1024,2),3))+ " KB", tostring(round(<<FIELD>>)) + " bytes")))]
| rename Vol_* as *
| eval comb="Index Avg/day: " + avgDailyIndexed + "," + "Raw Avg/day: " + avgDailyRawVol + "," + "DB Size: " + totDBSize + "," + "Per Event Avg/Vol: " + avgVolPerEvent + "," + "Retention Range: " + tostring(round(rangeAge))
| eval comb = split(comb,",")
| xyseries index state comb
| table index hot warm cold
This search helped a lot in knowing where to move forward in configuration changes. Hopefully this helps you avoid the trip into wonderland. The main are you want to look is Index Avg/day that's the compressed value; what is written to disk.
... View more
03-01-2017
05:46 AM
Sorry I missed this response, I did take your steps, when initially setting up, restarting splunkd, ingesting new data and all, but still no luck. I'm kind of at a loss haha, I may at this point submit a support ticket to splunk.
... View more
02-15-2017
02:24 PM
can you give a sample log? Or fields and their values? Anonymized of course.
... View more
02-15-2017
02:20 PM
Is the file local to the splunk instance? can you show us the inputs and props conf files? Did you choose index once or continuous monitoring of the file when you were going through the add data wizard?
When you added the data into splunk if you used continuous monitoring, it will not show the data currently in the file.
To get the data, copy the files contents then remove it --> save the file --> open the file back up and paste it back in and save. The data should show up in splunk if you configured it correctly with the wizard.
If you did index once, the data should be there, however, splunk requires a timestamp but it should grab the mod time automatically. Also make sure the sourcetype is "csv" when you select it.
... View more
02-14-2017
02:47 PM
I'm setting up a universal forwarder to see if I need to do this there first.
... View more
02-14-2017
01:33 PM
I tried the responses on similar questions, but they don't seem to be working.
... View more
02-14-2017
01:31 PM
1 Karma
So I am trying to take a single monitored log, and split sourcetypes based off of the terms SCAN, RECV, SEND. I created my props and transforms first. I made sure that splunk recognized the sourcetype in props, this was successfull. I created inputs stanza for the monitored file and the only sourcetype I see is test_barracuda, which was from the props stanza, I am not getting the split transforms should be doing.
inputs.conf
[monitor://C:\\Users\\eap\\Desktop\\security\\Splunk\\DEVELOPMENT\\Test_Ingest\\test_raw_spam.txt]
disabled = false
sourcetype = test_barracuda
index = test
props.conf
[test_barracuda]
CHARSET=AUTO
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=true
category=Custom
disabled=false
pulldown_type=true
TRANSFORMS-overridest = set_sourcetype
transforms.conf
[set_sourcetype]
REGEX = \d+\s+(SEND|SCAN|RECV)\s
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::test_$1
This is an all in one test instance, so I placed these in SPLUNK_HOME/etc/apps/search/local/
Order of implementation: props.conf --> transforms.conf --> stop splunk --> clear event data from index test --> start splunk --> inputs.conf --> restart splunk.
Splunk gets the data. In the correct index, but only in sourcetype=test_barracuda.
I check to see if the regex in transforms is correct:
Query
index=test sourcetype="test_barracuda" | rex field=_raw "\d+\s+(?P<st>SEND|SCAN|RECV)\s"
Query works and I get exactly as many events in the 3 correct st fields.
So I do btools on props and transforms (note I'm not seeing any errors during /debug/refresh or splunk restart)
btools
C:\Program Files\Splunk\bin>splunk cmd btool transforms list set_sourcetype --debug
C:\Program Files\Splunk\etc\apps\search\local\transforms.conf [set_sourcetype]
C:\Program Files\Splunk\etc\system\default\transforms.conf CAN_OPTIMIZE = True
C:\Program Files\Splunk\etc\system\default\transforms.conf CLEAN_KEYS = True
C:\Program Files\Splunk\etc\system\default\transforms.conf DEFAULT_VALUE =
C:\Program Files\Splunk\etc\apps\search\local\transforms.conf DEST_KEY = MetaData:Sourcetype
C:\Program Files\Splunk\etc\apps\search\local\transforms.conf FORMAT = sourcetype::test_$1
C:\Program Files\Splunk\etc\system\default\transforms.conf KEEP_EMPTY_VALS = False
C:\Program Files\Splunk\etc\system\default\transforms.conf LOOKAHEAD = 4096
C:\Program Files\Splunk\etc\system\default\transforms.conf MV_ADD = False
C:\Program Files\Splunk\etc\apps\search\local\transforms.conf REGEX = \d+\s+(SEND|SCAN|RECV)\s
C:\Program Files\Splunk\etc\system\default\transforms.conf SOURCE_KEY = _raw
C:\Program Files\Splunk\etc\system\default\transforms.conf WRITE_META = False
C:\Program Files\Splunk\etc\system\default\transforms.conf [set_sourcetype_to_stash]
C:\Program Files\Splunk\etc\system\default\transforms.conf CAN_OPTIMIZE = True
C:\Program Files\Splunk\etc\system\default\transforms.conf CLEAN_KEYS = True
C:\Program Files\Splunk\etc\system\default\transforms.conf DEFAULT_VALUE =
C:\Program Files\Splunk\etc\system\default\transforms.conf DEST_KEY = MetaData:Sourcetype
C:\Program Files\Splunk\etc\system\default\transforms.conf FORMAT = sourcetype::stash
C:\Program Files\Splunk\etc\system\default\transforms.conf KEEP_EMPTY_VALS = False
C:\Program Files\Splunk\etc\system\default\transforms.conf LOOKAHEAD = 4096
C:\Program Files\Splunk\etc\system\default\transforms.conf MV_ADD = False
C:\Program Files\Splunk\etc\system\default\transforms.conf REGEX = .
C:\Program Files\Splunk\etc\system\default\transforms.conf SOURCE_KEY = _raw
C:\Program Files\Splunk\etc\system\default\transforms.conf WRITE_META = False
C:\Program Files\Splunk\bin>splunk cmd btool props list test_barracuda --debug
C:\Program Files\Splunk\etc\apps\search\local\props.conf [test_barracuda]
C:\Program Files\Splunk\etc\system\default\props.conf ANNOTATE_PUNCT = True
C:\Program Files\Splunk\etc\system\default\props.conf AUTO_KV_JSON = true
C:\Program Files\Splunk\etc\system\default\props.conf BREAK_ONLY_BEFORE =
C:\Program Files\Splunk\etc\system\default\props.conf BREAK_ONLY_BEFORE_DATE = True
C:\Program Files\Splunk\etc\apps\search\local\props.conf CHARSET = AUTO
C:\Program Files\Splunk\etc\system\default\props.conf DATETIME_CONFIG = \etc\datetime.xml
C:\Program Files\Splunk\etc\system\default\props.conf HEADER_MODE =
C:\Program Files\Splunk\etc\system\default\props.conf LEARN_MODEL = true
C:\Program Files\Splunk\etc\system\default\props.conf LEARN_SOURCETYPE = true
C:\Program Files\Splunk\etc\system\default\props.conf LINE_BREAKER_LOOKBEHIND = 100
C:\Program Files\Splunk\etc\system\default\props.conf MAX_DAYS_AGO = 2000
C:\Program Files\Splunk\etc\system\default\props.conf MAX_DAYS_HENCE = 2
C:\Program Files\Splunk\etc\system\default\props.conf MAX_DIFF_SECS_AGO = 3600
C:\Program Files\Splunk\etc\system\default\props.conf MAX_DIFF_SECS_HENCE = 604800
C:\Program Files\Splunk\etc\system\default\props.conf MAX_EVENTS = 256
C:\Program Files\Splunk\etc\system\default\props.conf MAX_TIMESTAMP_LOOKAHEAD = 128
C:\Program Files\Splunk\etc\system\default\props.conf MUST_BREAK_AFTER =
C:\Program Files\Splunk\etc\system\default\props.conf MUST_NOT_BREAK_AFTER =
C:\Program Files\Splunk\etc\system\default\props.conf MUST_NOT_BREAK_BEFORE =
C:\Program Files\Splunk\etc\apps\search\local\props.conf NO_BINARY_CHECK = true
C:\Program Files\Splunk\etc\system\default\props.conf SEGMENTATION = indexing
C:\Program Files\Splunk\etc\system\default\props.conf SEGMENTATION-all = full
C:\Program Files\Splunk\etc\system\default\props.conf SEGMENTATION-inner = inner
C:\Program Files\Splunk\etc\system\default\props.conf SEGMENTATION-outer = outer
C:\Program Files\Splunk\etc\system\default\props.conf SEGMENTATION-raw = none
C:\Program Files\Splunk\etc\system\default\props.conf SEGMENTATION-standard = standard
C:\Program Files\Splunk\etc\apps\search\local\props.conf SHOULD_LINEMERGE = true
C:\Program Files\Splunk\etc\system\default\props.conf TRANSFORMS =
C:\Program Files\Splunk\etc\apps\search\local\props.conf TRANSFORMS-overridest = set_sourcetype
C:\Program Files\Splunk\etc\system\default\props.conf TRUNCATE = 10000
C:\Program Files\Splunk\etc\apps\search\local\props.conf category = Custom
C:\Program Files\Splunk\etc\system\default\props.conf detect_trailing_nulls = auto
C:\Program Files\Splunk\etc\apps\search\local\props.conf disabled = false
C:\Program Files\Splunk\etc\system\default\props.conf maxDist = 100
C:\Program Files\Splunk\etc\system\default\props.conf priority =
C:\Program Files\Splunk\etc\apps\search\local\props.conf pulldown_type = true
C:\Program Files\Splunk\etc\system\default\props.conf sourcetype =
No conflicts, but I'm not seeing anything for the expected sourcetypes test_SEND, test_RECV, or test_SCAN
Any idea where I messed up?
events for testing
In case you want to test, here are 3 events that match the criteria for each expected sourcetype
Feb 13 12:14:57 192.168.x.x outbound/smtp: 127.0.0.1 1487013294-09b08c0e0d22d7b0001-vy5CMk 0 0 SEND - 1 0112918C8063 250 2.6.0 <2050829162.21743.1487013293752.JavaMail@dc1prjasszap434.whc> [InternalId=91736206477550, Hostname=host.prod.outlook.com] 11518 bytes in 0.192, 58.365 KB/sec Queued mail for delivery #to#name-com.mail.protection.outlook.com[8.8.8.8]:25
Feb 13 12:14:56 192.168.x.x scan: mail2-3.place.com[8.8.8.8] 1487013294-09b08c0e0d22d7b0001-vy5CMk 1487013294 1487013296 SCAN - prvs=7217d0fa1f=services_noreply@place.com name@otherplace.com - 7 88 corporate SZ:3263 SUBJ:Message: Attempt to retrieve your User ID
Feb 13 12:14:15 192.168.x.x inbound/pass1: name.place1.com[8.8.8.8] 1487013254-09b08c0e0e22d7a0001-VY5SBA 1487013254 1487013255 RECV information=place2.com@thing.com name@thingy1.com 2 3 blacklist.org[8.8.8.8]
... View more
02-13-2017
02:44 PM
It did not update in the settings
... View more
02-13-2017
02:31 PM
Is it okay that I did these in splunk_home/etc/app/search/local/?
... View more
02-13-2017
02:15 PM
I plugged those in and cleaned the fishbucket, then restarted still didn't work.
query
index=* NOT (sourcetype=Win* OR sourcetype=Perf*) | stats count by sourcetype
results in
sourcetype count
Test 3825
shiftlog 42
test_barracuda 22950
... View more
02-13-2017
01:58 PM
Here is a sample containing each type of event: anonymized, but not in a way that would conflict with regex or the confs.
Feb 13 12:14:57 192.168.x.x outbound/smtp: 127.0.0.1 1487013294-09b08c0e0d22d7b0001-vy5CMk 0 0 SEND - 1 0112918C8063 250 2.6.0 <2050829162.21743.1487013293752.JavaMail@dc1prjasszap434.whc> [InternalId=91736206477550, Hostname=host.prod.outlook.com] 11518 bytes in 0.192, 58.365 KB/sec Queued mail for delivery #to#name-com.mail.protection.outlook.com[8.8.8.8]:25
Feb 13 12:14:56 192.168.x.x scan: mail2-3.place.com[8.8.8.8] 1487013294-09b08c0e0d22d7b0001-vy5CMk 1487013294 1487013296 SCAN - prvs=7217d0fa1f=services_noreply@place.com name@otherplace.com - 7 88 corporate SZ:3263 SUBJ:Message: Attempt to retrieve your User ID
Feb 13 12:14:15 192.168.x.x inbound/pass1: name.place1.com[8.8.8.8] 1487013254-09b08c0e0e22d7a0001-VY5SBA 1487013254 1487013255 RECV information=place2.com@thing.com name@thingy1.com 2 3 blacklist.org[8.8.8.8]
... View more
02-13-2017
12:58 PM
I am testing splitting sourcetypes for a one time indexed file on my test box. All time formats are parsed correctly when the log ingests. The file splits just fine into exactly as many events as expected.
But there are 3 sourcetypes I need to split it into: Send, receive and scan as the message section of the logs vary heavily. The regex has been tested and works fine. No errors from btool.
inputs.conf
[monitor://C:\\Users\\<user>\\Desktop\\security\\Splunk\\DEVELOPMENT\\Test_Ingest\\test_raw_spam.txt]
disabled = false
sourcetype = test_barracuda
index = test
props.conf - to note, I tried the TRANSFORMS- line in the test_barracuda stanza, but still no results.
[test_barracuda]
CHARSET=AUTO
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=true
category=Custom
disabled=false
pulldown_type=true
[source:\\C:\\Users\\<user>\\Desktop\\security\\Splunk\\DEVELOPMENT\\Test_Ingest\\test_raw_spam.txt]
TRANSFORMS-changesourcetype = send_set_sourcetype, recv_set_sourcetype, scan_set_sourcetype
Transfoms.conf
[send_set_sourcetype]
DEST_KEY = MetaData:Sourcetype
REGEX = (\sSEND\s)
FORMAT = sourcetype::test_send
[recv_set_sourcetype]
DEST_KEY = MetaData:Sourcetype
REGEX = (\sRECV\s)
FORMAT = sourcetype::test_recv
[scan_set_sourcetype]
DEST_KEY = MetaData:Sourcetype
REGEX = (\sSCAN\s)
FORMAT = sourcetype::test_send
When I do a search after resetting, I am not seeing any results in the new sourcetypes, only in test_barricuda. Any thoughts?
I forced re-indexing of all file monitors because of the fact that this was a one time monitor, still no results in new sourcetypes.
command used:
splunk clean eventdata _thefishbucket
... View more
02-09-2017
11:44 PM
Can you define what you are trying to do a touch more clearly? Do you not want them doing index=* Or sourcetype=*, or are you trying to not allow wild cards at all? As far as I know you can't restrict wildcard usage by role, but you can restrict search terms by role in user access control, so when a user does wildcard a field their search is limited to what you you say they can be looking for.
... View more
02-09-2017
03:27 PM
2 Karma
It might be a failure on the macro. I just realized I have this issue, so we'll troubleshoot together!
TL;DR, fields are wrong, and lookup mentioned in macro ip-to-host does not exist, update macro for fix-localhost , fix the query (shown below), and remove |ip-to-host from query. That should fix it. Oh and don't forget to change the panels query as well after testing.
Failed Logons Over Time query=
eventtype=msad-failed-user-logons (host="*")
|fields _time,signature,src_ip,src_host,src_nt_host,src_nt_domain,user,Logon_Type
|timechart count by signature
Failed Logons by IP query =
eventtype=msad-failed-user-logons (host="*")
|fields _time,signature,src_ip,src_host,src_nt_host,src_nt_domain,user,Logon_Type
|`ip-to-host`
|`fix-localhost`
|stats count by src_nt_host,src_ip
|sort -count
|rename src_nt_host as "Workstation",src_ip as "IP Address"
Note the two macros in your failed logon by IP query:
ip-to-host
fix-localhost
Now the searches for each macro:
ip-to-host = join src_ip [|inputlookup tHostInfo | table src_ip,src_host,src_nt_domain]
fix-localhost = 'eval src_host=if(src_ip=="127.0.0.1" OR src_ip=="-",upper(host),src_host)|eval src_host=src_nt_domain."\".src_host '
Now I'm going to say, I see a problem here: index=wineventlog does not have src_ip field; eventtype=msad* uses index=wineventlog .
BUT! There is a field IpAddress that contains IP addresses, and host that contains hostnames where the field src_host does not exist.
So lets tweak these macros:
ip-to-host = join src [|inputlookup tHostInfo | table src,Caller_Domain]
fix-localhost = eval host=if(IpAddress=="127.0.0.1" OR IpAddress=="-",upper(host),host)|eval host= Caller_Domain."\\".host
Still not getting anything, so I search
|eventtype=msad-failed-user-logons (host="*")
|fields _time,signature,src,host,Caller_Domain,user,Logon_Type
|`ip-to-host`
|`fix-localhost`
|stats count by host,src
|sort -count
|rename src_nt_host as "Workstation",src as "IP Address"
Note, I've changed the query to represent fields that exist in index=wineventlog .
Still not getting anything! But wait, a lookup is mentioned in the macro ip-to-host , lets see how that is configured!
There is no lookup tHostInfo , so lets remove ip-to-host from the query.
|eventtype=msad-failed-user-logons (host="*")
|fields _time,signature,src,host,Caller_Domain,user,Logon_Type
|`fix-localhost`
|stats count by host,src
|sort -count
|rename src_nt_host as "Workstation",src as "IP Address"
YES!!!!!! IT WORKS!
Results:
Workstation IP Address count
DOMAIN<Hostname> 127.0.0.1 2
DOMAIN<Hostname> 10.###.##.### 1
DOMAIN<hostname> 127.0.0.1 1
So change the fields in the macro fix-localhost, as noted in "lets tweak these macros" then remove ip-to-host from the query, while updating the query the panel uses to search.
... View more
01-18-2017
08:00 AM
The goal is to have the deployment server manage server.conf on all Universal Forwarders, like it does with inputs/outputs.conf. Automation is preferred as there are over 300 Windows systems.
E.g. When we make certificate updates, change the sslVersions, and/or the allowed cipherSuite, we want the deployment server to handle it all.
This is an issue as the server.conf includes four fields that appear to be unique to each system, and based on our understanding the deployment server updates the whole file, not per stanza:
sslKeysfilePassword
sslPassword
pass4SymmKey
serverName
How do deployment servers handle system unique fields so the deployment server doesn’t just overwrite them and cause configuration issues? Any tips for what direction I need to look in? I would appreciate any help as manually updating all universal forwarders would be insanely time consuming.
Here is a scrubbed version of the relevant fields for our deployment server's ~/default/server.conf:
[sslConfig]
enableSplunkdSSL = true
useClientSSLCompression = true
useSplunkdClientSSLCompression = true
# enableSplunkSearchSSL has been moved to web.conf/[settings]/enableSplunkWebSSL
#Allow only sslv3 and above connections to the HTTP server
sslVersions = *,-ssl2
sslVersionsForClient = *,-ssl2
sendStrictTransportSecurityHeader = false
allowSslCompression = true
allowSslRenegotiation = true
# For the HTTP server, Diable ciphers lower than 128-bit and disallow ciphers that
# don't provide authentication and/or encryption.
# Use 'openssl ciphers -v' to generate a list of supported ciphers
# Allow only TLSv1 cipher with 'high' encryption suits, i.e. whose key lengths are
# larger than or equal to 128 bits
cipherSuite = TLSv#+HIGH:TLSv#.2+HIGH:@STRENGTH
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = ######
caCertFile = $SPLUNK_HOME/etc/auth/cacert.pem
certCreateScript = $SPLUNK_HOME/bin/splunk, createssl, server-cert
# DEPRECATED
caPath = $SPLUNK_HOME/etc/auth
[applicationsManagement]
updateTimeout = #h
sslVersions = tls#.#
caCertFile = $SPLUNK_HOME/etc/auth/#####.pem
sslVerifyServerCert = true
sslCommonNameToCheck = apps.splunk.com, cdn.apps.splunk.com
sslAltNameToCheck = splunkbase.splunk.com, apps.splunk.com, cdn.apps.splunk.com
cipherSuite = TLSv#+HIGH:@STRENGTH
[clustering]
mode = disabled
pass4SymmKey =
register_replication_address =
register_forwarder_address =
register_search_address =
executor_workers = 10
manual_detention = false
encrypt_fields = "server: :sslKeysfilePassword", "server: :sslPassword", "server: :pass4SymmKey", "server: :password", "outputs:tcpout:sslPassword", "outputs:indexer_discovery:pass4SymmKey", "inputs:SSL:password$
Here is a scrubbed version belonging to one of the windows systems:
[general]
serverName = <Server Name>
pass4SymmKey = $1$###############
[sslConfig]
sslKeysfilePassword = $###############
... View more
01-12-2017
02:29 PM
Thanks for the explanation, changing interval worked. I also realized I was seeing so many logs because of the excessive amount of counters.
So changing
interval=30 (~90 logs every 30 seconds)
to
interval=300 (~90 logs every 300 seconds)
The counters creating so many separate logs made me think setting the interval to 30 was making no difference in log count. But changing it to the way you advised gives me a lot less over time. Thanks!
... View more
01-12-2017
12:35 PM
I have several machines being monitored with perfmon, and I am struggling to figure out how to limit the amount of logs coming in.
Here is the perfmon section of inputs.conf in Splunk Add-on for Microsoft Windows:
###### Splunk 5.0+ Performance Counters ######
## CPU
[perfmon://CPU]
counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transiti$
disabled = 0
instances = *
interval = 30
object = Processor
useEnglishOnly=true
index = perfmon
## Logical Disk
[perfmon://LogicalDisk]
counters = % Free Space; Free Megabytes; Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk $
disabled = 0
instances = *
interval = 30
object = LogicalDisk
useEnglishOnly=true
index = perfmon
## Physical Disk
[perfmon://PhysicalDisk]
counters = Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Re$
disabled = 1
instances = *
interval = 10
object = PhysicalDisk
useEnglishOnly=true
index = perfmon
## Memory
[perfmon://Memory]
counters = Page Faults/sec; Available Bytes; Committed Bytes; Commit Limit; Write Copies/sec; Transition Faults/sec; Cache Faults/sec; Demand Zero Faults/sec; Pages/sec; Pages Input/sec; Page Reads/sec; Pages Ou$
disabled = 0
interval = 30
object = Memory
useEnglishOnly=true
index = perfmon
So in an attempt to ease back on the amount of logs, all that seems to be getting accomplished is limiting the frequency at which I receive them.
Instead of getting 5 logs every second, I am getting ~9000 logs every 30 minutes.
Instead of having Splunk poll the data every 30 minutes, is there a way to have it only grab the current state logs? I don't need every single perfmon log every single second, if I can have splunk check every 5 minutes and just grab the most recent log per host per sourcetype (specific to the perfmon), that would be extremely helpful.
I'm aware of the interval being at 30 minutes, I was tweaking it trying to see if I could limit ingestion.
Instead of getting 5 logs per second for each host, I want to get 5 logs per 5 minutes for each host.
Thanks for your time and any help/advice is greatly appreciated.
... View more
12-05-2016
12:38 PM
1 Karma
Is there a way to create a dashboard with text input fields that does not do any searching, but rather pushes user input into a new row within a created input file?
Basically what I am trying to accomplish is this:
Lookup File: userLoggedInfo.csv
Dashboard: User Log
Dashboard looks like this:
Event: | Text Box |
Time of Event: | Text Box |
IP in event: | Text Box |
Analysis Notes: | Text Box |
When a user plugs in information I want to add what the user wrote to the lookupfile in a new row.
So before user inputs information, the file would look like this:
|Event|Time of Event|IP in Event|Analysis notes|
After the user hits the submit button in the dashboard, it should update like so and any future submission would be added to the next empty row:
|Event |Time of Event |IP in Event |Analysis notes |
|HD Error | Dec 21 | 192.168.16.1 | HardDrive failed because a rock was thrown at it. Verified|
So what would be a good starting point in learning to make textboxes output non-queried text into a lookup (for later querying) in a submittable form based dashboard?
... View more
11-28-2016
09:39 AM
Sorry for the late response! So this seems close to what I am trying to do, however, does this work to create a dashboard within splunk that creates logs based off of input in the dashboard? It seems like this is more geared to creating logs from external apps.
... View more
11-28-2016
09:37 AM
This was helpful for understanding token usage, but What I am trying to do is create a specific log within splunk. So the input fields aren't used to perform a search, but rather create a combined log that is ultimately queryable. Thank you for a good doc to through in my bookmarks though!
Do you know any other resources more specific to creating logs within splunk?
... View more
11-23-2016
12:14 PM
I am trying to figure out how to create a dashboard that essentially creates a log that is searchable based on the input.
example:
There are 4 Input boxes and a submit button.
1st text Box:
Date: | User inputs a date |
2nd Text box:
Source IP: | user inputs source IP they are looking at |
3rd Text box
Port: | user inputs a port number |
4th Text box
Notes | a box where user can type in generic notes |
so after those are filled out and the user hits submit, a log is generated that might look like this when queried:
LOG:
date: 11/23/2016 13:09, Source IP: 192.168.1.1, Port: 443, Notes: "I looked at a thing today, and this is some data I collected. It probably means nothing, but here it is."
Are there any docs, references, or answers that might point me in the right direction?
... View more
10-28-2016
02:39 PM
Oh, gotcha, I'm not sure that will work based off of the way splunk references .conf, but if it is possible this doc may be of assistance:
http://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/AboutConfigurationFiles
... View more
10-28-2016
01:46 PM
I remember reading about how making changes like that in savedsearches.conf is discouraged, however when I accidentally use a naming convention that doesn't match the rest of my saved searches my work around is to clone the saved search giving it the name you want and deleted the old saved search.
... View more
10-27-2016
09:48 AM
That was a bit strange I never got the update either. Either way, thank you.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-16-2020
12:40 PM
|
Karma from
