Here is the search string I used to test. Please note that field=orig_field will need to be adjusted to whatever the field name in question is; it can even be _raw.
| makeresults | eval orig_field="error occurred from the server ABCXYZ12345ABCXYZ under lenderprice hop"
| rex mode=sed field=orig_field "s/(?i)server\s+(\S+)\s+under/XZXYYZZ/g"
What UF version is this?
Recently, Splunk switched over to making the UFs register as splunk. That way the systemd name is the same between a Splunk "full" install and a UF.
Try this command to see what it is registered as:
systemctl -l | grep -i splunk
This is a good question!
I've got some ideas but need to build a test case for this.
I'm thinking that if I make the GUID and "serverName" on each UF the exact same, it MAY de-duplicate the data because from the indexer(s) perspective, it is coming from the same place (but of course this is just a theory at the moment)
You've verified that you are pushing to the nominated/dynamic "captain"?
#Linux
$SPLUNK_HOME/bin/splunk show shcluster-status
#Windows
%SPLUNK_HOME%\bin\splunk show shcluster-status
The nominated "captain" will be at the top.
lguinn,
This makes sense, but I find it interesting that making a TCP input through the Splunk Web GUI led me to believe you could put multiple hosts within the monitor line.
Adam
Here is a system-built input example; yours is no different than mine:
[tcp://test1.foobar.net,tada.foo.net:9000]
connection_host = dns
sourcetype = cisco_syslog
[tcp://172.16.100.99,172.16.200.25,172.16.230.*:9001]
connection_host = ip
sourcetype = cisco_syslog
You're restarting Splunk after making changes, correct?
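As an added example (not code from the post above or from Splunk), here is a small Python checker that parses the [tcp://host,host:port] stanza headers shown above and reports whether a given remote host or IP would be accepted on a port. Shell-style globbing is used to approximate Splunk's wildcard handling, which is an assumption, and the sample inputs.conf text is constructed from the post.

```python
import fnmatch
import re
from typing import List, Tuple

# Constructed sample built from the two stanzas in the post (not a real inputs.conf).
SAMPLE_INPUTS_CONF = """
[tcp://test1.foobar.net,tada.foo.net:9000]
connection_host = dns
sourcetype = cisco_syslog
[tcp://172.16.100.99,172.16.200.25,172.16.230.*:9001]
connection_host = ip
sourcetype = cisco_syslog
"""

# Header is either [tcp://<port>] (any remote host) or [tcp://<host>,<host>,...:<port>].
# IPv6 literals in the host list are not handled here.
STANZA_RE = re.compile(r"^\[tcp://(?:(?P<hosts>[^\]]+?):)?(?P<port>\d+)\]$")


def parse_tcp_stanzas(text: str) -> List[Tuple[int, List[str]]]:
    """Return (port, [allowed host patterns]) for each [tcp://...] stanza header.
    An empty pattern list means the stanza accepts connections from any remote host."""
    stanzas = []
    for line in text.splitlines():
        m = STANZA_RE.match(line.strip())
        if not m:
            continue
        hosts = m.group("hosts")
        patterns = [h.strip() for h in hosts.split(",")] if hosts else []
        stanzas.append((int(m.group("port")), patterns))
    return stanzas


def is_allowed(remote: str, port: int, stanzas: List[Tuple[int, List[str]]]) -> bool:
    """True if a client named or addressed `remote` may send to `port`.
    Wildcards such as 172.16.230.* are matched with case-sensitive shell globbing
    (an assumption about Splunk's semantics, not a statement of them)."""
    for stanza_port, patterns in stanzas:
        if stanza_port != port:
            continue
        if not patterns:
            return True  # unrestricted listener on this port
        if any(fnmatch.fnmatchcase(remote, p) for p in patterns):
            return True
    return False
```

A listener with no host list is the case to look for when reviewing an inputs.conf, since it accepts data from anywhere that can reach the port.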
kennybirdwell,
Your first stanza is the correct format, that is exactly how you do multiple hosts.
I would check to be sure (if you are using DNS names as inputs) that they can be resolved by Splunk.
If they are statically IP'd machines and you don't want to rely on DNS being available, you could use (although frowned upon), UNIX: /etc/hosts OR WINDOWS: C:\Windows\System32\Drivers\etc\hosts
Adam
allen_edmonson,
Have you taken a look at "Settings" then the "Monitoring Console"? Enabling Forwarder Monitor will allow you to build these reports pretty quickly.
Splunk Docs :: Set up Forwarder Monitoring
Adam
ddrillic,
The use of regular expressions within a blacklist is allowed.
The use of regular expressions within [monitor://....] is not allowed.
The default appears to be 7 Days of acceleration for Firewall Logs, Endpoint Logs, and Wildfire Malware Reports.
I'd run the search below to determine the usage per day against your Palo Alto Indexes and Summary indexes to be able to project an average monthly usage by Palo Alto. The search will return a day by day basis of usage per Index.
index=_internal source="*license_usage.log*" type=Usage | eval yearmonthday=strftime(_time, "%Y%m%d") | eval yearmonth=strftime(_time, "%Y%m") | stats sum(eval(b/1024/1024/1024)) AS volume_b by idx yearmonthday yearmonth | chart sum(volume_b) over yearmonth by idx
tragiccode,
I do not know of a way to do what your example is asking but you can quickly help the user understand which index they come from by how you present the results.
Example, appending a table command to the end of your existing search:
index="log4net" OR index="wineventlog" AND wineventlog:Type="Error" OR log4net:level="Error" earliest=-1h latest=now | table host source sourcetype index _raw
MonkeyK,
ddrillic brings up a good point: what level of data acceleration is your PA App set to? Limiting the amount of historical data to accelerate will significantly reduce the summary index consumption.
coolarnie,
The author of the app has a GitHub page, but unfortunately that shows the latest commit as May 2015. The app should install on 6.5 just fine, but it is not currently supported, so your mileage may vary on capabilities.
MonkeyK,
When you say "...approach the size of the total indexed data", what do you mean? Total indexed data over the last two months or today?
Summary indexes are great for large time window searches such as annual reporting, so they will be a subset of your overall indexed data.
Morning tragiccode,
The default fields for each event that are returned in a search are as follows:
host, index, linecount, punct, source, sourcetype, splunk_server, timestamp
and the default selected fields are:
host, source, sourcetype
index is included as a default but not selected.
Therefore, do you have a specific output you were looking for?
bshuler,
According to the details for the App, it is on the "Future Roadmap", snippet from details below:
URL => Splunk DUO App Details
....
Future roadmap:
-Add CIM compatibility.
-pre-built reports.
....
You are correct, direct CPU utilization is related to what you said:
CPU utilization = %user + %nice + %system
My answer above was simply to elaborate on what you had stated in your question as the description for %IOWAIT.
They should be mapped automatically because the built-in searches are looking for a specific set of sourcetypes.
You are using the Windows TA to pull the DNS server logs into Splunk, correct?
How do you view the current DNS logs, via search or the Windows Infrastructure App?