About danielbb

danielbb

I'm under the impression that HEC ingestion directly to the indexers is supported natively on cloud. I wonder whether the HEC ingestion on-prem to the indexers is supported in the same way?

danielbb

We have a case in which each email message is stored on the file system as a distinct file. Is there a way to ingest each file as a distinct Splunk event? I assume that UF is the right way but I might be wrong.

danielbb

Thank you all, since I have already the HEC cluster and it is with HFs, wouldn't it be better to have UFs since my understanding is that data flows quicker through UFs? and we don't process the data at all at this HEC cluster level.

danielbb

I see - $ ps -ef | grep splunk splunk 2802446 2802413 0 Dec08 ? 00:00:08 [splunkd pid=2802413] splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd [process-runner] Meaning, the user splunk runs on the host and when I sudo to be the splunk user, I don't have access the these logs files, even though they are being ingested.

danielbb

I love of the idea of the - HEC inputs directly on indexers (and have an LB in front of them) !

danielbb

We fail again and again these days when we have major spikes in ingestion, primarily with HEC. What would be a good and efficient way to detect major up/down spikes in data ingestion.

danielbb

On Splunk cloud, we can receive HEC ingestion directly to the cloud whereas on-prem we install distinct subclusters for HEC and struggle to scale them up with multiple down-times cases. I wonder whether it's possible for an on-prem installation to send HEC data directly to the indexers.

danielbb

We have a case where the data resides under /usr/feith/log/*.log and the Splunk process can read these files however, when I log in to the unix server I cannot navigate into this directory as the Splunk user. What's going on? bash-4.4$ whoami splunk bash-4.4$ pwd /usr/feith bash-4.4$ \ls -tlr total 388 ... drwxr-xr-x. 2 feith feith 4096 Dec 12 12:17 lib drwx------. 19 feith feith 4096 Dec 13 01:00 log bash-4.4$ cd log/ bash: cd: log/: Permission denied

danielbb

We are building a small Splunk installation in Azure and I'm not sure what the architecture should look like. The client came up with the idea based on the following link - Deploying Splunk on Microsoft Azure. They created an indexer, a search head, and a license server/cluster master. We do need to ingest syslog data from Meraki devices, so I wonder whether we need a heavy forwarder. Any thoughts?

danielbb

I want to use HTML on multiple panels in order to create a custom layout of my Splunk Dashboard. I want to use this layout where each rectangle is a panel - Please advise. Is this possible to implement in a Splunk Dashboard?

danielbb · ‎07-30-2024

When ingesting Microsoft Azure data, we see different time formats for different Azure categories, and I wonder how to parse it correctly? Both timezones seem to be UTC. Is the proper approach to set TZ=UTC and specify in datetime.xml the two formats? { category: NonInteractiveUserSignInLogs time: 2024-07-30T18:02:42.0324621Z . . . } { category: RiskyUsers time: 7/30/2024 1:48:56 PM . . . }

danielbb · ‎06-05-2024

We see cases where warm buckets are not being moved to cold storage for six weeks, and we wonder how to set it up correctly so they move within two or three weeks.

danielbb · ‎05-22-2024

We apparently have the StreamWeaver integration in place, but we are not sure how it was implemented as the folks who did it are no longer around. How is it done usually? Is it a REST API integration? as I see at Connect: Splunk Enterprise

danielbb · ‎05-19-2024

Thank you so much, one of our stanzas looks like the following - [script://./bin/ulimit.sh] interval = 27 5 * * * source = scripted_input sourcetype = virtualization:sanity:ulimit index = os disabled = false Based on the link you provided, a reload should be fine. How would we run a "reload"? inputs.conf http reload inputs.conf script reload inputs.conf monitor reload inputs.conf <modular_input> reload inputs.conf batch reload

danielbb · ‎05-17-2024

We want to add a TA (app) to our indexers at the path /opt/splunk/etc/master-apps by running the command /opt/splunk/bin/splunk apply cluster-bundle My question is if we can deploy an indexer app without a restart of the indexer? The TA we want to deploy is an extension to the nix TA, and all it does is run some simple bash scripted inputs.

danielbb · ‎04-29-2024

We are in the midst of a migration from physical servers to virtual servers, and we wonder if stopping Splunk is mandatory in order to perform the Cold Data migration or if there’s a workaround to this and this can be safely done without stopping Splunk.

danielbb · ‎04-07-2024

Since we are in early stages of using Splunk cloud, we don't define props.conf as part of the onboarding process, and we introduce props for a certain sourcetype only when parsing goes off. So for a certain sourcetype, line-breaking is off, and when looking for the sourcetype on the indexers (via support) and on the on-prem HF where the data is ingested and I cannot find the props for this sourcetype. So I wonder is it possible to have no sourcetype anywhere for a particular source?

danielbb · ‎03-04-2024

It comes down to whether Kafka can transport UDP and TCP reliably from all the devices to the various Splunk clusters.

danielbb · ‎03-03-2024

With syslog-ng we hit all kinds of limitations from the inability to support TCP, to the inability to write fast enough to disk, and therefore losing vast amounts of UDP data, struggling to have the various F5 LBs to distribute the data evenly to the syslog servers behind the F5s... and all of this led to Kafka as a potential solution. Does anybody use Kafka effectively instead of syslog-ng? By the way, we did look at Splunk Connect for Syslog (SC4S) without much luck.

danielbb · ‎02-21-2024

Thank you @richgalloway you are helpful as always

danielbb · ‎02-21-2024

I just realized that the NIX TA is being deployed to our forwarders via the deployment apps, to the indexers via the master apps and to the SHs via the SH apps. It was a surprise for me to realize that the TA is not being deployed to the deployment and deployer servers, the license master and the cluster master. And therefore, how can the TA be deployed to all Splunk servers?

danielbb · ‎01-29-2024

Sorry for not being clear. The process of building these VMs is ongoing, and during this process we would like to be absolutely sure that these VMs are ready to host all the Splunk components. For example. our SE suggested to check the following - THP turned off. All internal logs are being forwarded to indexer tier. MC set-up Splunk running as correct user Splunk restart enabled So I wonder what would be the best way to ensure that these VMs are built correctly? I’m thinking about scripted input, and a dedicated dashboard to monitor and verify all the settings. Do you have any other suggestions, by any chance?

danielbb · ‎01-26-2024

We are in the midst of a virtualization project, and we are looking for a way to sanity check all the different components. I know that the MC does some of it, but I’m not sure if it covers all aspects. I’m thinking about scripted input, and a dedicated dashboard to monitor and verify all the settings. Do you have any other suggestions, by any chance?

danielbb · ‎12-18-2023

We use the free version of syslog-ng, and recently we had a requirement to have TLS on top of TCP, and we don't have the knowledge to implement it. Therefore we wonder whether anybody has migrated from syslog-ng to SC4S to assist with more advanced requirements such as TCP/TLS? https://splunkbase.splunk.com/app/4740 If so, what lessons learned and motivations to do that?

danielbb · ‎12-12-2023

Thank you all, so, we have the concept of regions, and our Splunk architecture revolves around it. So, let’s say the European one - it has the all the Splunk data of Europe in the European indexer cluster and because of that I asked the question, whether each region should have its own cluster master or they can share. If they share, how can I figure out how many buckets the cluster handles? So, we won’t reach the one million ..

Posts	547
Solutions	3
Karma Given	306
Karma Received	30
Member Since	‎07-24-2019

Online Status	Online
Date Last Visited	yesterday

Is there a difference between HEC ingestion on-pre...

Is there a way to ingest an entire file as an even...

How do we detect fluctuations in data ingestion?

How can we avoid the scaling issues with on-prem H...

How do I fix this weird permission case?

How can I set up a couple of VMs on Azure?

How do I use HTML on multiple panels?

How do I deal with inconsistent time formats from ...

What are the criteria for a warm bucket to be move...

How does the integration with StreamWeaver work?

Is there a difference between HEC ingestion on-pre...

Is there a way to ingest an entire file as an even...

Re: How can we avoid the scaling issues with on-pr...

Re: How do I fix this weird permission case?

Re: How can we avoid the scaling issues with on-pr...

How do we detect fluctuations in data ingestion?

How can we avoid the scaling issues with on-prem H...

How do I fix this weird permission case?

How can I set up a couple of VMs on Azure?

How do I use HTML on multiple panels?

How do I deal with inconsistent time formats from ...

What are the criteria for a warm bucket to be move...

How does the integration with StreamWeaver work?

Re: Deploying a simple TA to indexers - rolling re...

Deploying a simple TA to indexers - rolling restar...

Do we need to shut down Splunk in order to migrate...

Where is my props for a certain sourcetype?

Re: Is Kafka a good substitute for syslog-ng?

Is Kafka a good substitute for syslog-ng?

Re: How do I deploy the Splunk Add-on for Unix and...

How do I deploy the Splunk Add-on for Unix and Lin...

Re: Transitioning to virtualized servers and valid...

Transitioning to virtualized servers and validatio...

Migrating from syslog-ng to Splunk Connect for Sys...

Re: Cluster Master scalability