cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
esix_splunk
Splunk Employee
Member since: ‎10-04-2013
‎03-25-2021
Community Statistics
Posts 1026
Solutions 194
Karma Given 105
Karma Received 522
Member Since ‎10-04-2013
Activity Feed
View All

Re: Not all indexers are indexing with the similar...

by Splunk Employee in Deployment Architecture
‎03-24-2021 11:19 PM
‎03-24-2021 11:19 PM
There's a few things that could be occurring here, so bare with me.   1) Are all the indexers same spec? RAM, CPU, and most importantly IO.. ( nvme / ssd / sas ) 2) Are the search workloads pinning on any of these indexers? Is data balanced on across the indexers? 3) How many intermediates are you funneling the traffic through? 4) What's your autolb setting for the intermediates? 5) How many pipelines do you have on your intermediates?   Going through the above and thinking about Splunk specific configs (assuming equal hardware and sufficient resources..) you may have some bottlenecks with your intermediate tier funneling traffic. Default autolb frequency is 30 seconds, have you adjusted this? Lowering this to 10s or 5s in large volume environments will help spread data more evenly across the indexing fleet.  Additionally, how are the pipelines in your intermediate tier? Rule of thumb is you need 2 X # of indexing pipelines. So in your case, you should have at least 60 pipelines in your intermediates to get the best event spread across your fleet.  Another point to check is if the internal logs are showing any timeouts, or connection refused, to these indexers in questions..    There are a few starting points.. Let us know how it goes. ... View more

Re: Decode Logs coming from Syslog (SSL)

by Splunk Employee in Getting Data In
‎02-15-2021 09:31 PM
1 Karma
‎02-15-2021 09:31 PM
1 Karma
Same still holds true, you cannot send SSL traffic to a Splunk-SSLTCP input and hope Splunk can decrypt it. Splunk TCP/SSL is for Splunk2Splunk(S2S) over SSL.     ... View more

Re: Azure Design Question

by Splunk Employee in Deployment Architecture
‎01-29-2021 12:31 AM
‎01-29-2021 12:31 AM
This is really a great question, with many facets to contemplate!   First I'll say, that preference is to go with AWS or GCP and use Smartstore based architectures until we release blob-storage compatible object storage compatibility.   With that being said, attached storage isn't cheap in Azure/AWS/GCP etc. So as you build out your indexing fleet typically we want to consider this.. So hot/warm, cold, retention period, replication factor and search factor. These all will play a part in that architecture decision. From the technical point of view, 8 vcores is well be low our recommended spec for a deployment at your size. And I would most definitely not deploy that ( 8physical/16vcores yes no problem..) If you follow our Azure Best Practices, we do recommend Standard_DS15_v2 instances for larger deployments. ( The small instances we do recommend the lower 8 core boxes.. again do avoid at your scale!) If the cost wasn't an issue, I would look at deploying fewer larger boxes and storage. Depending on search and indexing requirements, you might be able to get from 20 smaller boxes down to 8 to 10 beefier ones.  And assuming even data distribution and performance disks, search and indexing shouldn't be a concern. * If you're on AWS, you can go smartstore and I3en instances that have a larger compute footprint and not be too concerned about storage as we offload to s3. Any additional compute or cache storage can be added horizontally at the indexing tier. This is a great conversation that your account team should be able to faciliate with one of the platform architects at Splunk. You should definitely engage to go through this and come up with a best solution as what you may have now has a lot of questions..     * Not knowing indexing or search workloads, the above is just purely a high level design conversation.    ... View more

Re: Can I configure apps to only use specific inde...

by Splunk Employee in Deployment Architecture
‎12-22-2020 01:33 AM
‎12-22-2020 01:33 AM
While there is no feature to really easily do this, you can use search groups and macros to do this... These do require use training and understanding when the craft their searches..   Above being said, in large scale deployment planning there are some points you can take into account for..  Standardized index naming conventions across deployments. ( Think of.. security_linux ops_linux security_windows ops_windows) Search groups defined as per cluster ( https://docs.splunk.com/Documentation/Splunk/8.1.1/DistSearch/Distributedsearchgroups) Do note that in the latest versions of Splunk, we don't distribute searches to clusters where the index names dont exist (the cm will report this back in SH.) So searching index=security* would be similar to searching index=security* splunk_server_group=securitycluster.     ... View more

Re: Index Cluster configuration suggestions

by Splunk Employee in Deployment Architecture
‎12-22-2020 01:20 AM
2 Karma
‎12-22-2020 01:20 AM
2 Karma
Most of these are from the Splunk Cloud configurations and those that we've seen to provide best performance. These are also configurations that we've seen to be the best for our customers that are scaling 20tb+ a day and well beyond.   They can definitely help with rolling restarts in large environments. If you're unsure on whether to apply these or not, you can open support ticket and ask them to validate the configuration changes. (Assuming they're not the ones who gave you the configs..) ... View more

Re: If I have multiple Cisco devices sending syslo...

by Splunk Employee in Getting Data In
‎09-28-2020 02:08 PM
‎09-28-2020 02:08 PM
You'd be better to start a new thread and ask the community for help in that manner.   Also, look at the Cisco IOS and ASA TA's that have all the extractions in place. You most likely can find the solution there. ... View more

Re: Moving Cluster to new subnet

by Splunk Employee in Deployment Architecture
‎08-25-2020 12:54 AM
1 Karma
‎08-25-2020 12:54 AM
1 Karma
There's a few what ifs here.. Are you moving peers one/two at a time or lift and shift everything at once.   The lift and shift is the easiest in regards to moving subnets. Gracefully shutdown all your Splunk instances, move them to the new network, configure the OS, reconfigure Splunk via config files (USE DNS THIS TIME), test connectivity, bring everything back up... Shouldn't be any issue.   If you have to move servers one/two at a time, then it can be a bit more difficult as you need to validate IP and port connectivity across you network (never assume its going to work :>).  Before moving anything, I would go through your Splunk config files and find all references to IP and change them to fqdn's. Then make sure you have DNS correct, and if you can't update DNS, configure your /etc/hosts file to be a substitute for these hosts until you can. From there, you can move your hosts incrementally.    Otherwise your process is accurate and will work.  ... View more

Re: How do variations in cpu core speeds of the in...

by Splunk Employee in Deployment Architecture
‎08-25-2020 12:47 AM
1 Karma
‎08-25-2020 12:47 AM
1 Karma
Currently the indexer tier has no understanding of what compute (clock speed or core counts) are available among other peers in a cluster. This is why the current recommendation is for the indexers to match in clock, core, memory, and disk storage. With that, the CM is only aware of the peers and their bucket primacy. Search jobs are distributed and managed by the scheduler for this, and again nothing is shared among peers for this... yet.   There really isnt much tuning that can be recommended without understanding the existing workloads and platform metrics. You might consider reaching out to Splunk Support and see if there is anything they can recommend based on configs that you can provide in a ticket.  ... View more

Re: AWS Smartstore Architecture - i3

by Splunk Employee in Deployment Architecture
‎08-04-2020 06:37 PM
1 Karma
‎08-04-2020 06:37 PM
1 Karma
I'd recommend going with the i3en instances actually. Splunk Cloud is in the process of moving to these, as compute and storage is a bit denser. Regarding if you want to use raid on these or not, this is pretty much up to you and depends on the instance types you use. If you use a i3 4x vs 8x your getting 2 vs 4 1.9tb disks. If you drop those in RAID, you loose space.  If you go raid, which we do in Splunk Cloud, you need to size your cache appropriately. Which usually means adding more indexers. That being said, if you have autoscaling or automation setup properly, your indexers could loose an instance and rebuild with someone minimal impact to the cluster. Since all data, aside from hot, is in S3, adding new indexers and rebalancing is pretty minimal system impact..   I'd go larger instances here..       ... View more

Re: Splunk Failover Capabilities - DNS

by Splunk Employee in Deployment Architecture
‎07-13-2020 07:01 PM
1 Karma
‎07-13-2020 07:01 PM
1 Karma
On the Splunk side, you just need to configure everything with your DNS names, and use name resolution. For the DNS side, you can update your CNAMES in DR. CNAMEs just point to A records. This is very common. E.g., Primary Hosts- DNS A Record : splunk-cm-live  10.1.1.1            with CNAME splunk-cm DNS A Record : splunk-sh-live 10.1.1.2.              with CNAME splunk-sh   For the DR Sites DNS A Record : splunk-cm-dr 10.2.1.1 DNS A Record : splunk-sh-dr  10.2.1.2      Once a failover occurs, you update the CNAMEs to reflect the DR A records. This can be automated, and usually is. SSL Certs would be sticky point here, if they are host name based. Splunk config files point to the cnames.     ... View more

Re: Splunk Training PPT

by Splunk Employee in Splunk Search
‎07-13-2020 06:48 PM
1 Karma
‎07-13-2020 06:48 PM
1 Karma
I'd recommend going through conf.splunk.com and using some of the presentations from there as source material... That'll be the easiest. And of course, google is your friend. And docs.splunk.com has plenty of material for architecture. ... View more

Re: Would Splunk ES be able to run on machines wit...

by Splunk Employee in Installation
‎07-09-2020 10:02 PM
‎07-09-2020 10:02 PM
Im going to be a bad guy here and state something that's obvious. If you are trying to run this in production with 4cpu, this is not supported and Splunk will not support this.  With ES, you're using a Premium App from Splunk and if you're planning to use it as intended, you need to have the resources available for DMA etc.    Otherwise, why did you choose to go with ES?  More so, Splunk is not supported on a 4cpu system anyways.  In a lab or dev, sure. But again if this is in production, you're going to have problems with scalability and usability which will make the users think that Splunk is a poor solution that they've paid a premium for. Stick to the minimum hardware spec as documented, at the minimum.     ... View more

Re: Sending MacOS logs to Splunk without involving...

by Splunk Employee in Getting Data In
‎07-08-2020 06:21 AM
1 Karma
‎07-08-2020 06:21 AM
1 Karma
Ill second that statement. JAMF seems to be the most common, and easiest way to manage a fleet of Max OS based laptops. I've yet to see other notable (read that as useful) endpoint management for Macs, but I digress. JAMF can be pulled into Splunk. These are pushed out of JAMF in xml format and easy to deal with on the Splunk side. Check out Splunkbase for existing TA's that can help pull this from the JAMF APIs.       ... View more

Re: I have a Splunk Enterprise Search Head in a Pr...

by Splunk Employee in Deployment Architecture
‎07-02-2020 08:20 PM
1 Karma
‎07-02-2020 08:20 PM
1 Karma
Rsync will work fine for this. Be cautious around the GUIDs of the SH, if you bring production back up while the DR is running you can have some potential issues. You could change this easily enough and not sync this config file. If you're syncing KOs, why no use GIT or similar repo control. This is what most companies are doing now these days. It's a lot easier for granular control of what you replicate across, not to mention the benefits of version control/tracking.  ... View more

Re: Architecting for Splunk Total Beginner

by Splunk Employee in Deployment Architecture
‎06-23-2020 11:35 PM
1 Karma
‎06-23-2020 11:35 PM
1 Karma
Regarding serverless "push" to Splunk, as opposed to Splunk polling. This is the future of real time analytics, and polling will eventually die.  With that, Splunk has support for HTTP Event Collection (HEC), which is a standard logging library in Java and most major languages now. This allows logging to send, via a key, to a remote https location its logs in a structured format.  There's quite a bit of information on this here : https://dev.splunk.com/enterprise/docs/dataapps/httpeventcollector/. Splunk Architecture courses will touch on this a bit, HEC is typically enabled on the indexer(s), and in larger environments a load balancer is put in front of this for clients to send to and distribute events evenly. See more here : https://docs.splunk.com/Documentation/Splunk/8.0.4/Data/UsetheHTTPEventCollector As for adding REST endpoints, this is always a good idea to enable other apps access to your systems, as RESTful connectivity is pretty much standard for webapps now. And with this, as long as you have a REST logging endpoint, Splunk can poll this. This circles back around to having a requirement for a Agent that does polling, and the lack of data during the polling intervals...       ... View more

Re: Splunk Commands Hanging

by Splunk Employee in Monitoring Splunk
‎06-22-2020 10:02 PM
‎06-22-2020 10:02 PM
Ok, so first lets get some terminology updated here to align with the industrial standard. There is no SF. There is a Splunk Universal Forwarder (UF) and a Splunk Heavy Forwarder (HF). The difference here is that a UF is a minimal agent without a GUI, and a HF is a full instance of Splunk that can act as a forwarder, or it can act as any role in the Splunk environment { Search Head (SH), Deployer, Deployment Server (DS), Indexer (IDX), Monitoring Console (MC), License Master (LM) etc.} Circling back. Can you confirm there are not multiple versions of the UF or HF installed? The behavior you're describing seems very similar to what happens when you have multiple instances installed and in the executable environment path. Please confirm that this is not the case, a simple 'which splunk' may show the executables outside of the current folder you're executing from. To cleanly check this, you can do a 'sudo killall splunkd && sudo killall mongod'. This will hard kill all Splunk processes on the system. And we can start this from scratch. You Splunk UF should be installed in /opt/splunkforwarder, or if you installed a HF it will be in /opt/splunk. If you installed this as systemd, you need to restart the process with a 'systemctl start Splunkd.service`. If you are running ./splunk start as a user, there are issues around this. So please confirm this. Also, please read through our docs on systemd. There are some nuances to how systemd works vs initd. See docs here : https://docs.splunk.com/Documentation/Splunk/8.0.4/Admin/RunSplunkassystemdservice#What_is_systemd.3F             ... View more

Re: Universal Forwarder audit logs not going to Sp...

by Splunk Employee in Monitoring Splunk
‎06-21-2020 06:54 PM
‎06-21-2020 06:54 PM
You do need to update that to  "_audit" in your first tier of whitelists..     ... View more

Re: Splunk Commands Hanging

by Splunk Employee in Monitoring Splunk
‎06-21-2020 06:52 PM
‎06-21-2020 06:52 PM
So do you have both the universal forwarder and a Heaver Forwarder/Full Install on the same machine? ... View more

Re: SHC New Member reverts to down after restart

by Splunk Employee in Deployment Architecture
‎06-21-2020 06:35 PM
‎06-21-2020 06:35 PM
Is the deployer online and available to these nodes? There does need to be connectivity for the initial join..   Regarding re-adding these, you'll probably want to to do a splunk resync shcluster-replicated-config to force the members to reach out to the captain and replicate configurations. If those members have been out of the cluster for quite some time, more then 24h, you probably should do a full clean on them. See the documentation here on this : https://docs.splunk.com/Documentation/Splunk/8.0.4/DistSearch/Addaclustermember#Add_a_member_that_left_the_cluster_without_being_removed_from_it ... View more

Re: Splunk Stream

by Splunk Employee in Getting Data In
‎06-21-2020 06:26 PM
‎06-21-2020 06:26 PM
Have you gone through the Splunk Stream Supported protocols? https://docs.splunk.com/Documentation/StreamApp/7.2.0/DeployStreamApp/ProtocolDetection You'll notice, that IPFIX is not listed here. Now that being said, you can use Netflow to aggregate IPFIX flows into stream. This is documented here : https://docs.splunk.com/Documentation/StreamApp/7.2.0/DeployStreamApp/UseStreamtoingestNetflowandIPFIXdata.  Another option is that you can also ingest pcap files that have IPFIX in them also : https://docs.splunk.com/Documentation/StreamApp/7.2.0/DeployStreamApp/UseStreamtoparsePCAPfiles Most of your stream questions regarding configuration, deployment, and protocol support can be found here : https://docs.splunk.com/Documentation/StreamApp/7.2.0/DeployStreamApp/AboutSplunkAppforStream   ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎03-25-2021 02:40 AM