Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About gurinderbhatti
gurinderbhatti
Path Finder
Member since:
10-22-2013
06-05-2020
Community Statistics
| Posts | 34 |
| Solutions | 1 |
| Karma Given | 2 |
| Karma Received | 13 |
| Member Since | 10-22-2013 |
Activity Feed
- Got Karma for Why am I getting "ERROR: The http port [8000] is already bound." trying to start Splunk after installation on Linux?. 06-05-2020 12:47 AM
- Got Karma for Why am I getting "ERROR: The http port [8000] is already bound." trying to start Splunk after installation on Linux?. 06-05-2020 12:47 AM
- Got Karma for Re: Why am I getting "ERROR: The http port [8000] is already bound." trying to start Splunk after installation on Linux?. 06-05-2020 12:47 AM
- Got Karma for Re: Why am I getting "ERROR: The http port [8000] is already bound." trying to start Splunk after installation on Linux?. 06-05-2020 12:47 AM
- Got Karma for Re: Why am I getting "ERROR: The http port [8000] is already bound." trying to start Splunk after installation on Linux?. 06-05-2020 12:47 AM
- Got Karma for How to restrict user access to a new index?. 06-05-2020 12:47 AM
- Got Karma for How to restrict user access to a new index?. 06-05-2020 12:47 AM
- Got Karma for how much data does a particular sourcetype ingest daily. 06-05-2020 12:47 AM
- Karma Re: data not showing up in indexer for Ayn. 06-05-2020 12:46 AM
- Got Karma for Re: Daily index volume by sourcetype. 06-05-2020 12:46 AM
- Got Karma for limit user access to dashboard only. 06-05-2020 12:46 AM
- Got Karma for limit user access to dashboard only. 06-05-2020 12:46 AM
- Got Karma for limit user access to dashboard only. 06-05-2020 12:46 AM
- Got Karma for events per minute. 06-05-2020 12:46 AM
- Posted Re: Moving ldap users to local on Security. 10-22-2014 10:48 AM
- Posted Re: How to restrict user access to a new index? on Security. 09-26-2014 07:03 AM
- Posted Re: How to restrict user access to a new index? on Security. 09-24-2014 01:49 PM
- Posted How to restrict user access to a new index? on Security. 09-24-2014 01:08 PM
- Tagged How to restrict user access to a new index? on Security. 09-24-2014 01:08 PM
- Tagged How to restrict user access to a new index? on Security. 09-24-2014 01:08 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 2 | |||
| 2 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 3 | |||
| 0 | |||
| 0 |
10-22-2014
10:48 AM
how do i achieve the reverse? i have a local account running jobs. i created an AD account with the same name; can i move the local account to AD? (since they have the same name, it should make things more seamless)
my concern is the jobs the local account is running may fail. please advise.
... View more
09-26-2014
07:03 AM
i can do it, its just the convention we are, we'd like to stay with it. but if its a last resort, i might have to. I just thought i read something about being able to blacklist indexes so that a role cannot have access to it. was wondering if someone could give me a clear example of how to implement something like that. thx
... View more
09-24-2014
01:49 PM
thanks rob. We did it this way for scalability reasons, we actually have alot more than 10 indexes and everytime we add an index, we dont want to have to update the authorize.conf file to added it to the srchIndexesAllowed = path. since our naming convention of 'index_?' wont change, its better for us to leave it as a wildcard of index_*.
i was thinking along the lines of possibly putting in a blacklist for index_x, so that all indexes are searchable except those belonging to a blacklist....any thoughts?
... View more
09-24-2014
01:08 PM
2 Karma
i have a user access dilemma:
i have 10 indexes. index=index_a, index_b,index_c,index_d,index_e,index_f,index_g,index_h,index_i,index_k,index_l,index_m.
my normal userbase i gave them access via "srchIndexesAllowed = index_*"
now i created a new index, index= index_x, how do i make sure only admin or certain roles have access to it, because the index_* covers everything, and would cover this new index too, which i dont want.
Appreciate the answers in advance.
... View more
09-16-2014
10:57 PM
i am in a similar situation. i have a heavy forward on which i've installed db connect app. however, i do not want to parse any events on this forwarder; instead i want to forward them to my indexers. do i need to simply push a forwarders conf file or outputs conf file to the heavy forward along with any inputs.conf or other necessary files?
or do i need to explicity turn off local indexing somewhere?
... View more
09-16-2014
09:29 PM
3 Karma
there was a python process which was tied to this somehow, killed that process and was able to start the splunk daemon.
... View more
09-16-2014
09:09 PM
2 Karma
I am installing the splunk package and after untaring the pkg on a linux box i am trying to start splunk (tried both as root and as a splunk user) and getting the below error:
Checking prerequisites... Checking http port [8000]: already bound ERROR: The http port [8000] is already bound. Splunk needs to use this port. Would you like to change ports? [y/n]: n Exiting....
checking output of netstat reveals the following:
[root@hostA ~]# netstat -na | grep 8000 tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN
Any ideas how i can get splunk to start running?
... View more
Labels
- Labels:
-
Linux
09-10-2014
02:23 PM
Ironically, this post relates to my question. I have a intermediate server with a heavy forwarder installed. I am using db connect app on the intermediate server to get mssql db logs. I want to forward them to an indexer. What path in the inputs.conf file should i monitor on the heavy forwarder? "/var/splunkhot/splunk/var/lib/splunk"?
... View more
07-14-2014
02:09 PM
i was told not to use the metrics.log because it is not accurate and truncates data after top 20 hosts.i think adding the limit function should resolve that.
using license_usage gives 2 colums for each WinEventLog type(diff vals) y?.Also how do i tell it what indexes to query? seems like it takes all the indexes into account.
thanks in advance....
index=_internal source=*license_usage.log type=usage st="WinEventLog:Security"OR st="WinEventLog:Application"OR st="WinEventLog:System" |eval GB = b/1024/1024/1024| rename st AS sourcetype |timechart span=1d sum(GB) AS "Total GB used" by sourcetype
... View more
07-14-2014
07:26 AM
Hi Martin, thank you very much. im almost there!
so the series=A/B/C query works. Only issue is we have over 20+ windows indexes and they all collect data for these specific sourcetypes series=WinEventLog:System/Security/Application
However, i only want this data from index=1, index=2, index=4
index=_internal source="*metrics.log" index=1 group=per_sourcetype_thruput series=WinEventLog:System OR series=WinEventLog:Security OR series=WinEventLog:Application| timechart limit=0 minspan=1h per_hour(kb) by series
doesnt seem to work
... View more
07-13-2014
01:25 PM
Hi Martin, i do have access to _internal.
thanks but that only gives me top 10 sourcetypes, what if i want sourcetype A and B and C, which exist in lets say 3 different indexes X, Y , Z.
bascially i want to get the size of the windows security/system/event logs on a daily basis. These are all being captured as different sourcetypes from a few different indexes.
... View more
07-12-2014
10:04 PM
well the sourcetype syslog doesnt show up for hostC , and it should not, it only and correctly shows up for hostA and hostB.
But why does sourcetype /webapp.log show up for hostC. its not configured anywhere in serverclass yet it shows up for my lnx_appservers index as well as another index lnx_splunk (for system releated events i.e. iostat, vmstats,ps,etc)
any ideas?
... View more
07-12-2014
08:32 PM
thx Martin,
there are no transforms.conf for this source and index.
this hostC is showing up in another index (lnx_splunk)
the conf file monitors multiple statistical parameters
[monitor:///root/.bash_history]
index=lnx_splunk
[monitor:///home/.../.bash_history]
index=lnx_splunk
[script://./bin/openPortsEnhanced.sh]
index=lnx_splunk
[script://./bin/service.sh]
index=lnx_splunk
[script://./bin/sshdChecker.sh]
but my question remains, this hos is never mentioned in serverclass.conf, so what config is getting pushed to it and why is it associating with the lnx_appservers index
... View more
07-11-2014
01:16 PM
Thanks Martin, below is my inputs.conf file:
System logs
[monitor:///var/adm]
index=lnx_appservers
whitelist=(.log|log$|messages)
disabled = 0
Application Logs
[monitor:///x/y/z/WebApp/WebApp.log]
index = lnx_appservers
sourcetype = app_webapp
disabled = false
ignoreOlderThan = 7d
my serverclass looks like this:
[serverClass:lnx_webapp]
whitelist.0 = hostA*
whitelist.1 = hostB*
restartSplunkd = true
[serverClass:lnx_webapp:app:deploymentclient]
[serverClass:lnx_webapp:app:lnx_webapp_inputs]
[serverClass:lnx_webapp:app:lnx_webapp_props]
[serverClass:lnx_webapp:app:forwarder_outputs]
... View more
07-11-2014
11:11 AM
thanks Martin,
im trying to find where to exactly get this info. seems to me the charts are broken on my sos app.
anyway i can integrate that logic into the search above?
... View more
07-11-2014
08:48 AM
1 Karma
i am trying to modify the below search
index=internal metrics kb series!=* "group=per_host_thruput" daysago=5 | eval indexed_mb = kb / 1024 | timechart fixedrange=t span=1d sum(indexed_mb) by series | rename sum(indexed_mb) as totalmb
this gives me top sourcetypes and how much data they consume daily.
but what if i have a particular indexes (index=gold and index=silver) and a particular sourcetype or sourcetypes (security, windows,etc)
how do i figure out how much data these particular sourcetypes from both these indexes are ingesting daily? and if i wanted these numbers over 7 days but also wanted the mix/max/avg as well. can someone write up a quick query? thanks in advance
... View more
07-11-2014
08:37 AM
when searching for a specific index and sourcetype, the results come from a host that is not configured anywhere in serverclass.conf
i configured an inputs.conf file which monitors "/var/syslog" and "/x/y/z/WebApp/WebApp.log"
this config was pushed out to 2 hosts hostA and hostB
when i do the below search
index=lnx_appservers source="/x/y/z/WebApp/WebApp.log"
the results show up as coming from hostC (not configured anywhere on my deployment server)
but if i do search for index=lnx_appservers host=hostA OR host=hostB
the source in the results is /var/syslog
So bascially , where am i getting hostC from? why does /var/syslog show up but not the webapp.log when i search for hostA or hostB in that index?
... View more
07-10-2014
01:56 PM
1 Karma
What if i want to know for a specific sourcetype in a specific index?
We have over 50+ indexes but for a couple of indexes, lets say index=a, index=b, index=c, i want to know how much data on a daily basis, my windows system/security/events logs are generating (min,max,avg) for a 30 day range.
Can someone write up a quick search for this? Much appreciated.
... View more
07-03-2014
09:29 AM
i am trying to install the checkpoint opsec lea for splunk (linux)
i've installed the tgz package (its showing up in my apps pulldown)
i've configured a lea connection on the checkpoing mgmt station
when i try to go to the checkpoint lea app on the search head, i get the following 404
404 Not Found
Return to Splunk home page
Splunk cannot find the "connections" view.
This page was linked to from mylocalsite:8000/en-US/app/launcher/home.
Any suggestions?
... View more
- Tags:
- checkpoint
- lea
- opsec
03-13-2014
06:49 AM
Thanks Ayn, you guys were right, it was an oversight on my part. My indexes.conf file was missing this particular index. I added it , now my indexer has the index definition and can catalogue the bit9 log data.
thanks again for everyone's input.
... View more
03-12-2014
04:12 PM
interesting tidbit....we have multiple syslog forwarders but only 1 that i am forwarding these logs to.
yet , when i do search : index=_internal /var/syslog/bit9/*.log
i get messages "Adding watch on path: /var/syslog/bit9/bit9.log." from all the other fowarders except the one that has these logs.But i know that it does take my inputs.conf because i tested commenting it out and pushed it out, and the inputs file on my forwader was commented out. when i uncomment and push it, it becomes uncommented.all i get from this one is Parsing configuration stanza:monitor:///var/syslog/bit9/bit9.log
... View more
03-12-2014
09:11 AM
i checked on my indexer /var/splunkhot/splunk/etc/apps/infosec_syslog_props
and my props.conf is in there
[bit9_eventlog]
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 16
TIME_FORMAT = %b %d %H:%M:%S
TRANSFORMS-host = infosec_syslog_host
... View more
03-12-2014
08:50 AM
Ayn
i have the index created in my inputs.conf file on my deployment server anspd i push this out to the indexers via a serverclass file.
how do i verify what indexes exist on my indexer?
... View more
03-12-2014
08:26 AM
update:i am getting the following warning/error message on my search head: Search peer ptc-lpsplapp701 has the following message: received event for unconfigured/disabled/deleted index='sep_bit9' with source='source::/var/syslog/bit9/bit9.log' host='host::ptc-wgbit9ps701' sourcetype='sourcetype::bit9_eventlog' (1 missing total)
most answers reference maybe a typo in the inputs file but my inputs file seems fine to me:
[monitor:///var/syslog/bit9/bit9.log]
sourcetype = bit9_eventlog
index = sep_bit9
disabled = false
ignoreOlderThan = 1d
... View more
03-10-2014
10:59 AM
1- yes that index was created (in the syslog inputs file)
2- i think so, that search yields the following:
03-10-2014 14:22:51.122 +0000 INFO WatchedFile - Will begin reading at offset=55741583 for file='/var/syslog/bit9/bit9.log'.
3- not sure how to do this?
i think the timestamping should be ok, its a basic %b %d %Y %I:%M:%S timestamp format, so my props is simple as well.
i restarted the agent on the forwarder again and i can see watchedfile path entry on my search. yet still no real data even tho the bit9.log file is constantly being written to.
... View more
