Activity Feed
- Posted Re: CIDR search against multivalue fields on Splunk Search. 01-25-2012 12:00 PM
- Posted Re: CIDR search against multivalue fields on Splunk Search. 01-06-2012 09:11 PM
- Posted CIDR search against multivalue fields on Splunk Search. 01-06-2012 08:20 AM
- Tagged CIDR search against multivalue fields on Splunk Search. 01-06-2012 08:20 AM
- Posted Re: Good unix way check if splunkd and splunkweb are running on Splunk Search. 12-21-2011 03:07 PM
- Posted Re: Good unix way check if splunkd and splunkweb are running on Splunk Search. 12-16-2011 12:48 PM
Re: CIDR search against multivalue fields (Splunk Search), 01-25-2012 12:00 PM
The problem was the target, target_port, and target_locality fields hadn't actually been set as MV fields by default. So by adding the following, it now works properly:
props.conf:
```ini
[cisco_ips_syslog]
REPORT-target = target,target_port,target_locality
```
transforms.conf:
```ini
[target]
REGEX = target=\"(.+?)\"
FORMAT = target::$1
MV_ADD = True
[target_port]
REGEX = target_port=\"(.+?)\"
FORMAT = target_port::$1
MV_ADD = True
[target_locality]
REGEX = target_locality=\"(.+?)\"
FORMAT = target_locality::$1
MV_ADD = True
```
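Why MV_ADD fixes the search, shown as an added example that is not part of the original thread or of the Splunk for Cisco IPS app: the script below models, in Python, the behaviour the poster describes (without a multivalue extraction only the first target value is searchable, with it every value is) and applies a cidrmatch() equivalent to each value. The events are constructed (RFC 5737 documentation addresses stand in for a.a.a.a, b.b.b.b and so on, quoted as in the transform's REGEX), and extract_single() is an assumed model of the pre-fix behaviour, not Splunk's actual extraction code.

```python
import ipaddress
import re

# Constructed sample events modelled on the Cisco IPS output quoted in the
# question; values are quoted because the [target] transform extracts target="...".
EVENTS = [
    'target="192.0.2.10" target="198.51.100.20" target="203.0.113.30"',
    'target="192.0.2.11"',
    'target="203.0.113.31" target="203.0.113.32"',
]

TARGET_RE = re.compile(r'target="(.+?)"')   # same REGEX as the [target] transform


def extract_single(event):
    """Assumed model of the behaviour described in the question: without
    MV_ADD only the first target value ends up searchable."""
    m = TARGET_RE.search(event)
    return [m.group(1)] if m else []


def extract_mv(event):
    """Model of REPORT-target with MV_ADD = true: every target value is kept
    as one value of a multivalue field."""
    return TARGET_RE.findall(event)


def cidrmatch(cidr, value):
    """Python equivalent of Splunk's cidrmatch(cidr, value); values that are
    not IP addresses never match instead of raising."""
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False


def mv_cidrmatch(cidr, values):
    """target=<CIDR> against a multivalue field hits if ANY value is in the block."""
    return any(cidrmatch(cidr, v) for v in values)


def search(events, cidr, extractor):
    """Return the events whose extracted target field matches cidr."""
    return [e for e in events if mv_cidrmatch(cidr, extractor(e))]


if __name__ == "__main__":
    for cidr in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"):
        print(cidr,
              "single-value hits:", len(search(EVENTS, cidr, extract_single)),
              "multivalue hits:", len(search(EVENTS, cidr, extract_mv)))
```

Searching 198.51.100.0/24 finds nothing under the single-value extraction even though the first event carries a 198.51.100.20 target, while the multivalue extraction finds it; that is exactly the "only the first block matches" symptom from the question.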
Re: CIDR search against multivalue fields (Splunk Search), 01-06-2012 09:11 PM
Unfortunately that yields the same result: it matches with cidrmatch(target,"a.a.a.0/24") but nothing else.
CIDR search against multivalue fields (Splunk Search), 01-06-2012 08:20 AM
I'm using the Splunk for Cisco IPS app which outputs some events with multiple targets with IP addresses:
target=a.a.a.a target=b.b.b.b target=c.c.c.c ... target=n.n.n.n
If I search with target=a.a.a.0/24, then I get a match, but searching for target=b.b.b.0/24 or any of the later values does not match. Is there a way to properly CIDR search through all the values of a multivalue field?
Re: Good unix way check if splunkd and splunkweb are running (Splunk Search), 12-21-2011 03:07 PM
They all run with different mgmt ports, so you use the port they run on to differentiate. For example, here are two instances on the same host; one uses 8089 and the other 8092 for the management port:
```
$ ps x | grep -i splunkd
1630 ? Sl 69477:29 splunkd -p 8092 start
1631 ? Ss 10:42 splunkd -p 8092 start
7146 ? Sl 7200:38 splunkd -p 8089 restart
7147 ? Ss 13:03 splunkd -p 8089 restart
```
So with check_procs you use -a '-p 8089' for one and -a '-p 8092' for the other. Similarly, check_listen_tcp_udp.sh can be used to make sure splunkd is listening on the proper port.
Re: Good unix way check if splunkd and splunkweb are running (Splunk Search), 12-16-2011 12:48 PM
I'm using Nagios with the stock check_procs nagios plugin along with check_listen_tcp_udp. You can use NRPE to check from a Nagios server to any systems with Splunk instances. So in nrpe.cfg I have:
```
command[check_splunk_indexer_proc]=/apps/tools/nagios/libexec/check_procs -c 1:1 -C splunkd -u {USER} -s Ss -a '-p {MGMTPORT}'
command[check_splunk_indexer_mgmtport]=/apps/tools/nagios/libexec/custom/check_listen_tcp_udp.sh -p {MGMTPORT} -P tcp
command[check_splunk_indexer_webport]=/apps/tools/nagios/libexec/custom/check_listen_tcp_udp.sh -p {WEBPORT} -P tcp
```
Just replace {USER} with the user you run Splunk as and fill in your {MGMTPORT} and {WEBPORT}.
You could take it a step further and use an event handler with a simple script to automatically restart Splunk if it is found to not be running.
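What the two check_procs / check_listen_tcp_udp replies above amount to, as an added example that is not part of the original thread and not the Nagios plugins' own code: a Python model of `check_procs -c 1:1 -C splunkd -s Ss -a '-p PORT'` run over a constructed `ps x` listing shaped like the one in the earlier reply, plus a TCP connect test standing in for `check_listen_tcp_udp.sh -p PORT -P tcp`, combined into one per-instance check that returns Nagios exit codes. The `ps` sample is constructed, the `-s` handling is simplified to an exact STAT match (real check_procs matches more loosely), and the function names are this example's own.

```python
import socket

OK, WARNING, CRITICAL = 0, 1, 2   # Nagios plugin exit codes

# Constructed `ps x` output modelled on the two-instance host in the reply above,
# with one unrelated daemon added so the filters have something to exclude.
SAMPLE_PS = """\
 1630 ?   Sl   69477:29 splunkd -p 8092 start
 1631 ?   Ss      10:42 splunkd -p 8092 start
 7146 ?   Sl    7200:38 splunkd -p 8089 restart
 7147 ?   Ss      13:03 splunkd -p 8089 restart
 9001 ?   Ss       0:01 /usr/sbin/sshd -D
"""


def parse_ps(text):
    """Turn `ps x` lines (PID TTY STAT TIME COMMAND...) into dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5 or not parts[0].isdigit():
            continue                                  # header or blank line
        pid, _tty, stat, _time, cmd = parts
        rows.append({"pid": int(pid), "stat": stat, "cmd": cmd})
    return rows


def check_procs(rows, command, args, stat=None, min_count=1, max_count=1):
    """Model of: check_procs -c MIN:MAX -C command [-s STAT] -a 'args'.
    -C compares the command's basename, -a is a substring test on the
    argument string, -s is simplified here to an exact STAT match."""
    def matches(row):
        argv = row["cmd"].split()
        return (argv[0].rsplit("/", 1)[-1] == command
                and args in " ".join(argv[1:])
                and (stat is None or row["stat"] == stat))
    found = sum(1 for r in rows if matches(r))
    state = OK if min_count <= found <= max_count else CRITICAL
    return state, found


def port_is_listening(port, host="127.0.0.1", timeout=1.0):
    """Model of check_listen_tcp_udp.sh -p PORT -P tcp: can we connect?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def listening_socket(host="127.0.0.1"):
    """Open a listener on an ephemeral port so the port check can be exercised
    on a box without Splunk (example helper, not a Nagios plugin)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv


def check_splunk_instance(rows, mgmt_port, stat="Ss"):
    """Combine both checks the way the nrpe.cfg entries do: exactly one
    splunkd for this management port, and something listening on it."""
    state, found = check_procs(rows, "splunkd", "-p %d" % mgmt_port, stat=stat)
    if state != OK:
        return state, "CRITICAL: %d splunkd -p %d processes in state %s (want 1)" % (
            found, mgmt_port, stat)
    if not port_is_listening(mgmt_port):
        return CRITICAL, "CRITICAL: splunkd -p %d found but tcp/%d is not listening" % (
            mgmt_port, mgmt_port)
    return OK, "OK: splunkd -p %d running and listening" % mgmt_port


if __name__ == "__main__":
    rows = parse_ps(SAMPLE_PS)
    for port in (8089, 8092, 8090):
        print(port, check_splunk_instance(rows, port))
    srv = listening_socket()
    print("ephemeral port listening:", port_is_listening(srv.getsockname()[1]))
    srv.close()
```

Two caveats the model makes visible: without the `-s Ss` filter both the `Sl` worker and the `Ss` parent match, so `-c 1:1` goes CRITICAL on a perfectly healthy instance; and because `-a` is a substring test, `-p 8089` would also match a hypothetical `-p 80890`, so keep the argument as specific as the real command lines allow.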