When my company first purchased Splunk 4.x fschange was not deprecated and was one of the reasons that we have Splunk. I know it’s been since 5.x that it has been labeled as deprecated and is still in the latest 6.x release. We find it very useful and meets our basic requirement for change tracking. It is very easy and provides that one place to manage our change tracking needs. With the latest changes to PCI compliance one would think having this remain in core Splunk would be a great selling point for Splunk as it is a strong security tool why take away capability??? Splunk is recommending using the OS native tools to do this. This is not nearly as streamlined as using fschange and adds more work to implement on an enterprise basis (more complex and fragmented across multiple process owners ie: Windows Admins, UNIX Admins, Security and so on.. I have asked my Splunk Sales support team to submit an enhancement request to keep fschange supported and remove it from being deprecated. I think from what I have seen looking thru all of the interest in fschange on “Answers” if everyone that has used it or has a need would also submit an official enhancement request so we can keep fschange supported. Supported being the key word as with any compliance type tool most companies require it to be supported to use it. Please submit your enhancement requests to help save fschange. If we all do this it would be hard for Splunk to look the other way. I for one would hate to see it go away. What say you? ... View more

I have loaded the DB2 driver 10.5 db2jcc4.jar to /opt/splunk/mnt/etc/apps/dbx/bin/lib but I get the following error when connecting to DB2 that is running on an I5 AS400 system. Anyone know how to get this fixed? Seems I need to install "db2jcc_license_cisuz.jar" but don't know where to get it or how to install? Encountered the following error while trying to save: In handler 'databases': Error connecting to database: com.ibm.db2.jcc.am.SqlSyntaxErrorException: [jcc][t4][10509][13454][4.16.53] Connection to the data server failed. The IBM Data Server for JDBC and SQLJ license was invalid or was not activated for the DB2 for z/OS subsystem. If you are connecting directly to the data server and using DB2 Connect Unlimited Edition for System z, perform the activation step by running the activation program in the license activation kit. If you are using any other edition of DB2 Connect, obtain the license file, db2jcc_license_cisuz.jar, from the license activation kit, and follow the installation directions to include the license file in the class path. ERRORCODE=-4230, SQLSTATE=42968 ... View more

I am trying to bring in MS lync conversations into Splunk. We can get To: and From: data but the conversation data is encoded. I tried using the CHARSET = utf-8 in the props.conf but that doesn't work. Any thoughts? Is this possible? Using a powershell script we can get the following: Date: Tue, 16 Jul 2013 15:01:02 GMT MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="MIME_Boundary" From: user1@thisplace.com To: user2@thisplace.com Session-Id: 253f92dae4f9460bb66fb37a7cec8c13;9ca2fa0cac;3c2d56428e Subject: Conversation between mcross@llbean.com and jandrews@llbean.com --MIME_Boundary Content-Transfer-Encoding: base64 Content-Type: application/msword; charset="utf-8" e1xydGYxXGZiaWRpc1xhbnNpXGFuc2ljcGcxMjUyXGRlZmYwXGRlZmxhbmcxMDMzXGRlZnRhYjM2 MHtcZm9udHRibHtcZjBcZm5pbFxmY2hhcnNldDAgTWljcm9zb2Z0IFNhbnMgU2VyaWY7fXtcZjFc ZnN3aXNzXGZjaGFyc2V0MCBTZWdvZSBVSTt9e1xmMlxmc3dpc3MgQXJpYWw7fX0NCntcY29sb3J0 YmwgO1xyZWQwXGdyZWVuMFxibHVlMDt9DQpcdmlld2tpbmQ0XHVjMVxwYXJkXGx0cnBhclxmMFxm czE3IFxiIFRyYW5zY3JpcHQgZm9yIGluc3RhbnQgbWVzc2FnaW5nIChJTSkgc2Vzc2lvbjogXGIw XGIgQ29udmVyc2F0aW9uIGJldHdlZW4gbWNyb3NzQGxsYmVhbi5jb20gYW5kIGphbmRyZXdzQGxs YmVhbi5jb21cYjBccGFyDQpccGFyDQpcYiBtY3Jvc3NAbGxiZWFuLmNvbSBbMjAxMy0wNy0xNiAx NTowMTowMlpdOlxiMFxwYXINCiAgXGNmMVxmMVxmczIwIEhpIEpvc2ggYW5kIHdlbGNvbWUgYmFj ayAtXH5wbGVhc2UgYXR0ZW5kIG10ZyBpbiBQaW5lY29uZSBhdCAxMWFtIC0gVk13YXJlIEhBIC0g cGxlYXNlIGJyaW5nIExldmkgd2l0aCB5b3UgLSB5b3UgYm90aCBnb3QgaW52aXRlIGJ1dCBkaWQg bm90IHJlc3BvbmRcY2YwXGYyXGZzMjRccGFyDQpcZjBcZnMxNyBcYiBqYW5kcmV3c0BsbGJlYW4u Y29tIFsyMDEzLTA3LTE2IDE1OjAxOjEyWl06XGIwXHBhcg0KICBcY2YxXGYxXGZzMjAgSSB3aWxs IGJlIGxhdGVcY2YwXGYyXGZzMjRccGFyDQpcZjBcZnMxNyBcYiBtY3Jvc3NAbGxiZWFuLmNvbSBb MjAxMy0wNy0xNiAxNTowMToyNVpdOlxiMFxwYXINCiAgXGNmMVxmMVxmczIwIGhvdyBsYXRlIC0g SSB3aWxsIGxldCBEaWNrIGtub3dcY2YwXGYyXGZzMjRccGFyDQpcZjBcZnMxNyBcYiBqYW5kcmV3 c0BsbGJlYW4uY29tIFsyMDEzLTA3LTE2IDE1OjAxOjM2Wl06XGIwXHBhcg0KICBcY2YxXGYxXGZz MjAgNS0xMCBtaW5cY2YwXGYyXGZzMjRccGFyDQpcZjBcZnMxNyBcYiBqYW5kcmV3c0BsbGJlYW4u Y29tIFsyMDEzLTA3LTE2IDE1OjAxOjQwWl06XGIwXHBhcg0KICBcY2YxXGYxXGZzMjAgd29ya2lu ZyBvbiBhbiBpc3N1ZVxjZjBcZjJcZnMyNFxwYXINClxmMFxmczE3IFxiIG1jcm9zc0BsbGJlYW4u Y29tIFsyMDEzLTA3LTE2IDE1OjAxOjQyWl06XGIwXHBhcg0KICBcY2YxXGYxXGZzMjAgb2sgLSB0 aGFua3NcY2YwXGYyXGZzMjRccGFyDQp9DQo= --MIME_Boundary-- This is what’s in the Encoded text. I was able to view using MS Mord: Transcript for instant messaging (IM) session: Conversation between user1@thisplace.com and user2@thisplace.com user1@thisplace.com [2013-07-16 15:03:21Z]: hi - moved to Snapdragon user2@thisplace.com [2013-07-16 15:03:32Z]: ok i will be there in a minute ... View more

Just a question for anyone that may know the answer… Does Splunk have a listing of what is considered to be a standard index name and sourcetypes? I would think Splunk must maintain a list of Index names that get matched up with Splunk supported Apps. So for example something like this: Index_Name What data is expected Splunk Supported App os unix syslog UNIX vmware esx, vmware Vmware etc…… I keep finding out the hard way that naming the Index right the first time saves a lot of time instead of trying to reconfigure App’s after the fact to point at the right index. Just didn’t want to reinvent the wheel if this data if available. ... View more

For my windows servers I have set them up to send via syslog to Loglogic and also send to the Splunk indexer. Currently I am sending the Security, System and Application logs to both Loglogic and Splunk using a heavyforwarder. The issue is in some cases I would like to only send the application and system logs to Splunk but have all 3 logs continue to Loglogic. Anyway to disable some logs from going to the indexers but keep all 3 logs going via syslog? Here is my inputs.conf: [WinEventLog:Application] disabled = 0 start_from = oldest current_only = 0 checkpointInterval = 5 index = win _SYSLOG_ROUTING = log_logic [WinEventLog:Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 index = win _SYSLOG_ROUTING = log_logic [WinEventLog:System] disabled = 0 start_from = oldest current_only = 0 checkpointInterval = 5 index = win _SYSLOG_ROUTING = log_logic ... View more

While using a good regex to grab everything after the ip addess and before the time stamps of the following Netdisco log file I could not get my Splunk 4.3.3 search heads to match. I also for a test turned on the web interface on my indexers and found the same problem. Both are running 4.3.3 build 128297. Here is a sample of the log: 1c:6f:65:0c:e1:61 172.1.0.1 FastEthernet4/13 1332864535 1342584229 70:f3:95:12:af:09 172.1.0.1 FastEthernet5/24 1332864535 1342584229 70:f3:95:12:cc:19 172.1.0.1 FastEthernet3/12 1332864535 1342584229 f0:de:f1:3e:00:c8 172.1.0.1 FastEthernet4/16 1332864535 1342562547 00:1e:37:2f:c5:90 172.1.0.1 4.18 1332770653 1342584117 00:50:56:96:16:7c 172.1.0.1 GigabitEthernet2/0/10 1336706871 1342584112 00:50:56:bd:00:35 172.1.0.1 GigabitEthernet1/0/9 1336706871 1342584112 In my props.conf I have this line “That doesn’t work in Splunk (the field switch_port never shows) “but does work using web based regex testing sites like "rubular and regexr” EXTRACT-switch_port = (?i)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s(?<switch_port>[\w\/.:]+) I took this a few steps further by trying a simple rex command in the web interface on both the search heads and the indexers as follows: index=network sourcetype=mac_data | rex "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s(?<switch_ports2>[\w\/.:]+)" That still had no matches. I had my Sales Engineer take the sample log entry from above and was able to make this work fine in Splunk 4.3.1 build 119532. Is this a bug with 4.3.3? Or is something else on my end causing this issue? I did open a Splunk ticket on this but wanted to get some feedback from others. Also will post any findings here. Splunk ticket is "CASE [90835] : Rex and Props.conf extraction not working" All the other extractions are working fine for this sourcetype. Here is the full props on this sourcetype: [mac_data] EXTRACT-mac = (?i)(?<mac>[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}) EXTRACT-switch_ip = (?i)(?<switch_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) EXTRACT-switch_port = (?i)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s(?<switch_port>[\w\/.:]+) ... View more

I have setup my main syslog server to forward syslog via TCP port 514 to a test Splunk system running 4.2 that was upgraded from 4.1.7. The syslog data arrives fine and I can see it. The problem is that no DNS resoltion is happening. Here is an example of a log seen in splunk: <4>Nov 22 10:28:00 10.10.10.100 kernel: The 10.10.10.100 is a known host in DNS and does not resolve in Splunk. If I do a nslookup from the command prompt of the server running splunk it does resolve. My input.conf is setup right as follows: [tcp://514] connection_host = dns index = main sourcetype = syslog Doing a "tcpdump port 53" during a restart of Splunk I see that it never tried to resolve this ip address in the log "10.10.10.100". The address I do see Splunk resolving is the IP address of the syslog server sending the tcp syslog message. It was my understanding that Splunk should resolve IP's captured when doing tcp syslog forwarding not just the single IP of the forwarding syslog server. Any help here? ... View more

I want to install Splunk to run under Redhat Linux 5 running on an IFL processor under z/VM on an IBM z9. I see this same question has been asked for SUSE and s390. I'm asking it again for Redhat support on s390. My sales team (today) has opened a feature request for support on s390. ... View more