Activity Feed
- Karma Re: Replaceing NULL string for null() for javiergn. 06-05-2020 12:48 AM
- Got Karma for Using Splunk for Snort, how do I get Snort Alert Fast logs into the Splunk App for Enterprise Security?. 06-05-2020 12:47 AM
- Got Karma for Re: How to analyze packet logs generated by Snort ?. 06-05-2020 12:47 AM
- Got Karma for Re: How to analyze packet logs generated by Snort ?. 06-05-2020 12:47 AM
- Got Karma for Re: How to configure different sourcetypes for udp port 514 ?. 06-05-2020 12:47 AM
- Karma Re: Checkpoint OPSEC LEA client script for Jason. 06-05-2020 12:46 AM
- Karma Re: Regex's and Windows paths in inputs.conf and props.conf for Lowell. 06-05-2020 12:45 AM
- Posted How to get every configuration detail in the local directory of an app via rest command? on Splunk Search. 02-03-2020 09:25 AM
- Tagged How to get every configuration detail in the local directory of an app via rest command? on Splunk Search. 02-03-2020 09:25 AM
- Tagged How to get every configuration detail in the local directory of an app via rest command? on Splunk Search. 02-03-2020 09:25 AM
- Tagged How to get every configuration detail in the local directory of an app via rest command? on Splunk Search. 02-03-2020 09:25 AM
- Posted Re: Full queues and low IOWait???! on Monitoring Splunk. 12-07-2017 01:30 AM
- Posted Re: Full queues and low IOWait???! on Monitoring Splunk. 12-06-2017 12:32 AM
- Posted Re: Full queues and low IOWait???! on Monitoring Splunk. 12-06-2017 12:32 AM
- Posted Re: Full queues and low IOWait???! on Monitoring Splunk. 12-05-2017 02:17 AM
- Posted Re: Full queues and low IOWait???! on Monitoring Splunk. 12-05-2017 01:09 AM
- Posted Full queues and low IOWait???! on Monitoring Splunk. 12-04-2017 10:09 PM
- Tagged Full queues and low IOWait???! on Monitoring Splunk. 12-04-2017 10:09 PM
- Tagged Full queues and low IOWait???! on Monitoring Splunk. 12-04-2017 10:09 PM
- Tagged Full queues and low IOWait???! on Monitoring Splunk. 12-04-2017 10:09 PM
02-03-2020
09:25 AM
Because of reasons, I need to find a way to find every customized config parameter of an app placed in the local dir. I get some info using the rest command, but not exactly that, and I'm not sure if it's possible.
If this is not possible, getting all the config for each object in an app could work too.
It should be something like the list generated under "all configurations", but I need the details of each object, the same as is shown when clicking on one of those objects in the "all configurations" menu.
Any clue?
Thanks!
12-07-2017
01:30 AM
Yes, iowait has never reached 1 process waiting for IO, there is plenty of free RAM, and CPU is usually under 85%... I haven't checked nmon. I'll give it a try!
12-06-2017
12:32 AM
I have enabled 2 pipelines, so 8 procs per instance. If so, where do all the other procs come from? ps aux | grep -i splunk | wc -l gives me something over 800...
And yes, we are using ext4.
My question is simpler than this... How can I be sure I'm having low disk performance if I have no iowait?
12-05-2017
02:17 AM
It seems we are going through the very same issue and conclusions. Our nproc limit was increased in the indexing layer and we didn't get a huge performance improvement... almost none. Have you tried using strace to check out syscall statistics? It could be really helpful. As I said, 93% of our CPU time in an indexer was wasted waiting... and still there were resources to be used.
strace -y -tt -T -f -c -p [splunkd_parent_pid]
I used pstree -p to figure out splunkd parent pid...
Hope it helps!
12-05-2017
01:09 AM
Red Hat and THP are already disabled... How did you get that conclusion? Maybe it helps...
12-04-2017
10:09 PM
For some time now I've been getting very low performance in my infra and I'm looking for a way to confirm that the disks are what is lacking in performance. In any other system, keeping iowait monitored and under control would be enough, but I don't think this is true for Splunk. Not always, at least. In my case, global CPU use is under 80%, there is enough free RAM and indexer iowait is always under 1; that's why I cannot understand why some queues are full even when there are more resources to be used.
But what came up to me is that IOWait under 1 is way too low compared to other params, and something different from what I expected was happening. So I straced the Splunk process and all its children for a while, and what I got was that they are waiting (futex and epoll_wait) for something to happen up to 93% of the total run time!! I think it's waiting for an IO operation chance but, and this is important, this chance is being controlled by Splunk and not by the kernel (Splunk is not trying to open a file until some condition is met), and that's why IO is very low even when performance and other resource usage are low too.
My questions here are:
1. Is this statement true? If so, when will a Splunk indexer OS show high IOWait, under any circumstances?
2. Do full queues always imply low disk performance?
3. Is there any configuration tweak I can do?
4. Which params should I monitor in a Splunk system in terms of IO performance? In these terms, is queue fill-up percentage something like iowait?
Thanks!!!
09-23-2016
01:21 AM
Yes, I've tried that, but it generates a performance problem. Each single event has up to 50 fields and any of them can (or cannot) be NULL, and this index has 50.000.000 events, so it's a problem evaluating each field of each event when making a search.
I think I could rephrase the question like this:
Is it possible to modify _raw before extracting fields at search time??
09-22-2016
06:51 AM
But this is at index time... I need at search time and not in the query.
09-22-2016
06:35 AM
Thanks woodcook!! But, is this SPL? I cannot modify my queries. I need to do it with some config, if it even exists.
09-22-2016
04:22 AM
Hello,
I've got some events like this, extracting fields using kv_mode=auto:
key1="value1", key2="value2", null1="NULL", key3="value3", null2="NULL", key4="value4"
This config generates these fields:
1. key1="value1"
2. key2="value2"
3. null1="NULL"
4. key3="value3"
5. null2="NULL"
6. key4="value4"
At search time, and without modifying my SPL queries (so I guess it should be done with some config in props.conf and transforms.conf), I need to rewrite null fields (null1 and null2 in the example) to contain the value "" (empty string), a null value (null(), which I think is the same for Splunk), or even remove these kv-null-pairs. I have done this before, but at index time, using a sedcmd; it's not so clear to me how to get this working at search time, which is what I need.
Ideally, fields should look like this:
1. key1="value1"
2. key2="value2"
3. null1=""
4. key3="value3"
5. null2=""
6. key4="value4"
or
1. key1="value1"
2. key2="value2"
3. key3="value3"
4. key4="value4"
Thanks for your help!
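One way to get the second layout above (the kv-null-pairs simply dropped) without touching any SPL, as an added example that is not part of the original thread: replace the automatic KV extraction with a search-time REPORT transform whose regex refuses a value that is exactly NULL. The sourcetype name my_kv_sourcetype and the transform name kv_skip_null are assumptions, and so is that every pair looks like key="value" as in the event above.

```ini
# props.conf  (added example; my_kv_sourcetype is a hypothetical sourcetype name)
[my_kv_sourcetype]
# Turn off automatic key="value" extraction, otherwise null1="NULL" is still created.
KV_MODE = none
# Hand field extraction to the transform below; REPORT-* runs at search time only.
REPORT-kv_skip_null = kv_skip_null

# transforms.conf  (added example)
[kv_skip_null]
# Group 1 is the key, group 2 the value. The negative lookahead (?!NULL") makes the
# match fail when the quoted value is exactly NULL, so that pair yields no field.
REGEX = (\w+)="(?!NULL")([^"]*)"
# $1::$2 names the field after group 1 and sets it to group 2, repeated for every
# key="value" pair in the event.
FORMAT = $1::$2
```

Because null1 and null2 are never extracted, isnull(null1) is true in searches without an eval per field, which is what "removing these kv-null-pairs" amounts to.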
08-09-2016
05:43 AM
yes, this is working!!
But I'm in doubt... what's the difference between ... | where field1 = null() and ... | where isnull(field1) ??
08-09-2016
02:49 AM
Yes, that was my first option, but I get no results when I look for those fields like this:
... | where nullfield=null()
That makes me think that empty-string is not the same as null()...
08-08-2016
11:47 PM
Hi,
I'm trying to reuse an old app for a new environment and, of course, data and fields are similar but different, so adapting this part is where the big effort goes. It's 90% done already; however, I'm stuck at this point. I've got semicolon-separated data, which makes it really simple to parse. The problem is that fields with no data contain the string "NULL". This doesn't fit my needs at all. What I need is to convert these NULL strings into null-valued fields, just the same as if I do:
...| eval myNullField = null()
I know that I cannot use null() in a SEDCMD, but just to explain this better, this would be perfect:
SEDCMD-NullStringtoNull = s/NULL/null()/g
I don't know if null() returns a hex code that means null for Splunk... Using that code in a SEDCMD could do the trick.
Of course, an easy option could be rewriting those fields with SPL, but that implies modifying each query, and that is my very last option.
Thanks a lot!!
10-19-2015
04:05 PM
1 Karma
According to the config spec, you cannot define more than one input for the same port:
[udp://<remote server>:<port>]
* Similar to TCP, except that it listens on a UDP port.
* Only one stanza per port number is currently supported.
However, did it work for any of you??
07-27-2015
11:14 PM
2 Karma
Hi billcyz,
there should be 2 possibilities here, but I think nowadays neither Splunk nor any app can support either of them.
Decryption. It's not easy to do this; as far as I know, only some HTTPS proxies (Squid: http://wiki.squid-cache.org/Features/SslBump) can do something like a MITM, decrypt data, generate a self-signed certificate and use some mimic technique to be like the original one. But, even with that possibility, I don't know any procedure to take the data out of Squid and analyze the raw data.
Drawing a packet in a human readable way, like Wireshark, for example. It's only possible with raw traffic, not SSL. And, anyway, I don't know how Splunk can do this. I don't know any app or method.
However, in this case you're trying to decipher SecureShell (ssh) traffic. I guess it's not going to be possible. But, regarding Snort, the most straightforward way to get Snort data into Splunk is using Splunk for Snort (https://splunkbase.splunk.com/app/340/). It's CIM compliant and it will be possible to integrate that info with Splunk App for Enterprise Security.
07-16-2015
01:07 AM
1 Karma
I'm a bit stuck with this. This is my situation:
I've installed Snort between the LAN and its GW and all traffic has to go through Snort. This is working perfectly.
Snort has 2 outputs enabled: 1) unified2, used to feed data into Snorby, and 2) alert_fast to a file. This file is being read by a Splunk UF and sent to the indexer.
I've installed Splunk for Snort on the indexer receiving Snort alert fast data; it's CIM compliant and should fit into an Enterprise Security environment. I think so, at least. As the doc says, this data is being sourcetyped as snort_alert_fast. This app will process it and change the sourcetype to snort once CIM fields have been created. This is working too; I've double-checked it in the search panel.
Now, this is my problem. I can't find any kind of data regarding this in the Enterprise security APP.
In which panel is it supposed to be showing statistics and data from Snort? I guess in any part of the threat menu, but every counter or graph is empty.
How can I check if Snort data is being processed by the Splunk App for Enterprise Security?
Taking advantage of this question, Splunk for ES is not generating any Notable events... I have no clue about this.
11-20-2014
02:04 AM
Hi splunkers,
Last week I installed Splunk and Splunk App for VMware. Everything looks to work fine except for two details which are driving me mad.
I installed Splunk 6.2 and Splunk App for VMware 3.1.2. Indexer and DSC in the same machine, DCN in another machine using the ova provided in the App package. I have not installed any forwarder in the only vCenter that is monitored. Now my question: does anybody know why the gauges/clocks graphs in the dashboard are always showing 0%? And, I don't know if it's related or not, but I think so: there's no entity info such as CPU or memory assigned to a VM or a Host. Where is this information gathered?
Thanks!
PS: Isn't there a bugtracker or so for Splunk and apps??!!