About bdf0506

bdf0506 · ‎10-22-2018

I just moved my Splunk indexer from one server to another. A few bumps in the road, but everything seems to be working now, except for that fact that two hosts will not resolve in DNS, so Splunk is indexing them as IP addresses instead. They are located on a different network than the Splunk indexer, but they still resolve in DNS. Old server was running CentOS, new server is running Ubuntu 18.04. All other hosts that I index run Splunk universal forwarder, and when those logs make it to my indexer, they are already coming in with hostnames and not IPs. The traffic is coming on typical udp/514, one from a cisco ASA, the other from a Cisco Switch. Prior to moving the Splunk instance, hostnames resolved fine. The DNS server is the same as it was before. They resolve fine with nslookup: [root@splunk ~]$ nslookup 192.168.50.2 2.50.168.192.in-addr.arpa name = Switch. Authoritative answers can be found from: [root@splunk ~]$ nslookup 192.168.10.50 50.10.168.192.in-addr.arpa name = CiscoASA. Authoritative answers can be found from: Any idea why these wouldn't resolve with Splunk indexer?

bdf0506 · ‎08-27-2018

I got to the bottom of this. My original post was actually correct, but I had it in the wrong place, as I was erroneously placing this in $SPLUNK_HOME/etc/apps/SplunkUniversalForwarder/local/inputs.conf when it needed to be in $SPLUNK_HOME/etc/apps/search/inputs.conf. You don't need a props.conf defined on either the Windows host or the main Indexer for this to work. [monitor://C:\BlueIris\log\] disabled = false sourcetype = blueiris

bdf0506 · ‎08-26-2018

No change. I first removed this from props.conf on the INDEXER: [blueiris] sourcetype = blueiris Then, I changed the inputs.conf on the Windows Unviersal Forwarder to this: [monitor://C:\BlueIris\log] disabled = false And then I added a props.conf file on Windows that shows this: [source:://C:\BlueIris\log*] sourcetype = blueiris But after doing all that, it still is being tagged with the incorrect sourcetype.

bdf0506 · ‎08-26-2018

I have the universal forwarder installed on a Windows 2012 server. I am trying to monitor a log directory for a custom application. The application creates a new log file for each month, so I have many text files in the folder that look like 201808.txt, 201807.txt, 201806.txt, etc. When I monitor the directory, instead of hardcoding the sourcetype that I am telling splunk to do, it is instead setting the sourcetype to the filename. How can I fix this? On the Windows Server, inputs.conf: [monitor://C:\BlueIris\log] disabled = false sourcetype = blueiris On the indexer, props.conf: [blueiris] sourcetype = blueiris

bdf0506 · ‎05-12-2018

I was able to get a quick win here by modifying the udp/514 settings. It was set to "generic_single_line", and setting it to "syslog" appears to have corrected this. Thanks @xpac.

bdf0506 · ‎05-11-2018

In doing so, i suppose I would need to change the sourcetypes of these so that I can do that. I've never done much with that, but suppose I could. "generic_single_line" likely shouldnt really be used to begin with and I likely should put these in correct sourcetypes.

bdf0506 · ‎05-11-2018

I have logs from two Unifi switches. One parses the date just fine, the other gets the year messed up, but parses the rest correctly. How come this is happening? On the one that works fine, shows the correct date of 05/11/18: But this one does not, notice the year is incorrect. This one shows a date of 05/11/15 instead of 05/11/18 like it should: Since they both use the same source/sourcetype, and other hosts share this same source/sourcetype with various other date formats, I really don't want to hardcode anything unless I can also hardcode a reference to the host ip address. Any ideas why the parsing isn't working correctly? I find it odd that it parses 192.168.10.10 correctly but then thinks 192.168.10.15 is a reference to a year.

bdf0506 · ‎04-30-2018

Not really a question, but wanted to pass this along, as this appears to be the only forum around for this app. Be on the lookout when you have bandwidth monitor enabled. I forgot that I had enabled it, and when I looked at my bandwidth over the past few months, noticed a huge tick in my average bandwidth usage. In my case, I noticed Bandwidth monitor using about 20Gb of data a day. If you look at inputs.conf, I believe it is disabled by default. In my case, I enabled it months ago and forgot about it. I just disabled it - since i don't use this function in homemonitor - and just like that, my bandwidth usage dropped by an avg of 20gb daily. Alternatively, you can change the default interval from "1800" to something much higher. I'm assuming 1800 is in seconds, so default is every 30 minutes. Each test must process about 400Mb (though was not able to determine exact amount of usage per test), 48 times a day, which gives you close to 20Gb of bandwidth just for speedtests. Over the course of a month, that's close to 600Gb of usage. Definitely problematic if your ISP has a bandwidth cap.

bdf0506 · ‎01-09-2017

OKay, still struggling with this then. I realized then all of my udp/514 was getting tagged as tomato traffic, which definitely isn't what I wanted...I just want traffic from 192.168.40.1 to be tagged as tomato I tried this in homemonitor/local/transforms.conf but this still didn't work. [tomato] Make sure that this matches the hostname of your router, tomato is just an example. REGEX = ^host::192.168.40.1$ SOURCE_KEY = MetaData:Host FORMAT = sourcetype::tomato DEST_KEY = MetaData:Sourcetype Ultimately, I just need a way to get it to pick this up based on the IP instead of a regex string. I'm probably missing something basic. I also tried REGEX = ^192\.168\.40\.1$ and that wouldnt work correctly either.

bdf0506 · ‎01-09-2017

That works much better. Very clean to use as well, thanks.

bdf0506 · ‎01-09-2017

Oh boy, that seems super complicated. I think the lesser of two evils would be to customize the field extraction on the new data, as well as somehow modifying the existing data, if possible...

bdf0506 · ‎01-08-2017

So I'm trying to get a search to pick events that have happened so far this month. Problem is, that I have to calculate the previous day's activity in the following day. So on Jan 2, I am calculating Jan 1st bandwidth usage. Then if I want to grab just January's events, then technically I need to grab events from Jan 2 to Feb 1, instead of Jan 1 to Jan 31. Events look like this: Dec 31 03:15:04 bandwidth_stats Date=2016-12-30, Download=37680.19, Upload=909.42, Total=38589.61 Jan 01 03:15:03 bandwidth_stats Date=2016-12-31, Download=9175.72, Upload=774.79, Total=9950.51 Jan 02 03:15:04 bandwidth_stats Date=2017-01-01, Download=6682.41, Upload=674.98, Total=7357.39 Jan 03 03:15:05 bandwidth_stats Date=2017-01-02, Download=8770.47, Upload=709.43, Total=9479.90 So let's assume that today in Jan 3rd, around noon. I want to pull just the events that are Month to date, so in reality that's only event 3 and 4. But it's also pulling event 2 that I don't want it to. Time picker is set to Month to date. Search query looks like this: bandwidth_stats | eval _time=strptime(Date,"%Y-%m-%d") What else can I do to make it pull just this month's events, based on the Date field in the events?

bdf0506 · ‎01-08-2017

Thanks for the reply! I'm using splunk on Linux. I can see how syslog-ng would make things cleaner, but for now that's not something I was planning on exploring. I think I got this working. The data was being set to the indexer of homemonitor, but the sourcetype was set to generic_single_line instead of tomato like I needed it to. I think that the default inputs.conf also wasn't being read properly. In default/inputs.conf, it shows a line that is sourcetype=syslog , notice that there is no space before and after the equal (not sure if that actually matters). I created local/inputs.conf, set sourcetype = tomato , and that seemed to do the trick. That transformed the data the correct way, and now it's being tagged correctly for homemonitor to see the data! Next step is to get the bandwidth monitor part of this working, but i'll tackle that at a later date. Thanks for the pointers.

bdf0506 · ‎01-07-2017

Hello all. I'm trying to get this to work with tomato, and I'm having no luck. I'm following the instructions that are on the wiki but still nothing. My setup may be a little different than the instructions, so possibly i'm missing something basic. My logs that are coming over syslog come in as: host=192.168.40.1 source=udp:514 sourcetype=generic_single_line In lots of the documentation it says to specify the hostname of the router, but given that it is coming in as an IP and not a hostname, I don't think that would work. I've followed https://github.com/amiracle/homemonitor/wiki/Issues-with-Setup-Page-%28404-Error%29-Fix---work-around to get the main setup working. So my files look like this: app.conf [install] is_configured = 1 props.conf [host::192.168.40.1] TRANSFORMS-homemonitor = index_redirect_to_homemonitor transforms.conf `[index_redirect_to_homemonitor] REGEX = . DEST_KEY = _MetaData:Index FORMAT = homemonitor [tomato] Make sure that this matches the hostname of your router, tomato is just an example. REGEX = 192.168.40.1 SOURCE_KEY = MetaData:Host FORMAT = sourcetype::tomato DEST_KEY = MetaData:Sourcetype` What else am I missing to make this work properly to read the tomato log files?

Posts	14
Solutions	2
Karma Given	0
Karma Received	1
Member Since	‎01-07-2017

Online Status	Offline
Date Last Visited	‎06-05-2020 02:04 AM

Why is DNS lookup failing during indexing for 2 ho...

Why am I having sourcetype override problems when ...

Date parsing incorrect

High Bandwidth usage from speedtest addin

Time picker to pick month to date events with modi...

Unable to get working with Tomato