cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
sylvainlectra
Explorer
Member since: ‎04-07-2017
‎06-05-2020
Community Statistics
Posts 8
Solutions 0
Karma Given 3
Karma Received 0
Member Since ‎04-07-2017
Activity Feed
View All

Re: Kubernetes/Docker json logs

by in All Apps and Add-ons
‎11-20-2017 08:33 AM
‎11-20-2017 08:33 AM
Well, why do yourself something someone has already done. It's seems to be everything that I wanted. Thanks. ... View more

Kubernetes/Docker json logs

by in All Apps and Add-ons
‎11-20-2017 03:52 AM
‎11-20-2017 03:52 AM
I'm currently trying to setup the streaming of the kubernetes / docker logs into Splunk. As you might now docker stores his container logs into files with a json syntax : {log: "this is one log line", stream: "stdout", time: "2017-10-30T21:30:19.379796735Z"} {log: "this is another log line", stream: "stdout", time: "2017-10-30T21:30:19.45Z"} I have setup the Universal Splunk Forwarder to ingest those log files and send them to the indexers but the feedback I have used from the developers is that this is completely unreadable and I tend to agree with them ... I've tried everything in the Search requests to be able to remodel the event object and discard everything but the log field of the docker json without success. Another problem I have is that mixed sources (from different software) are written in those logs so different format can end up in the log field: raw text, json (escaped by docker) ... etc. The first thing I'd like to do is to extract the log field of the docker json and send only that to splunk. Then I'd like that to apply the correct source type to the log data, i.e. : json, access combined or anything else. Regards. ... View more

Re: What is the correct way to edit conf files and...

by in Splunk Search
‎07-07-2017 07:09 AM
‎07-07-2017 07:09 AM
So, in a few words, if I do something in Splunk Web but Splunk Web does not allow me to edit what I've done I'm doomed forever ? ... View more

Re: What is the correct way to edit conf files and...

by in Splunk Search
‎07-07-2017 06:58 AM
‎07-07-2017 06:58 AM
Not really, I'm not going to ask Splunk users to come to me each time they want to create something on the search heads. ... View more

What is the correct way to edit conf files and pro...

by in Splunk Search
‎07-07-2017 02:55 AM
‎07-07-2017 02:55 AM
Let's say I've made an action that triggers configuration replication across the SH Cluster (e.g: created a field extractions through Splunk Web). Now let's say Splunk Web does not allow me to edit what I've done (e.g. change the owner of the field extraction) and thus oblige me to edit the configuration files manually. After editing the files on one SH Cluster member (must I do it only on the Captain ?), what should I do to propagate the manual changes across the cluster ? ... View more

Re: Do splunk indexers check SSL certificate expir...

by in Security
‎06-29-2017 07:06 AM
‎06-29-2017 07:06 AM
I'm asking the opposite, What are the checks done by the indexers on the certificates presented by the forwarders ... View more

Do splunk indexers check SSL certificate expiratio...

by in Security
‎06-29-2017 04:28 AM
‎06-29-2017 04:28 AM
I've configured forwarders to use SSL certificates that are checked against the rootCA defined on the indexers. I am wondering if the indexers will reject the certificates once we are past the expiration date of the forwarders certificates. I am asking because those certificates are going to be setup on machines that are at our customers and, most likely, they won't be renewed afterwards. So I need to know if Splunk indexers only checks that the certificates have been signed by the rootCA or if it also does complementary checks like the validity of the certificates. ... View more

Re: Can I use indexer discovery to forward search ...

by in Deployment Architecture
‎04-07-2017 08:15 AM
‎04-07-2017 08:15 AM
Hi, I've copied my outputs.conf from my other forwarders on my search head in /opt/splunk/etc/system/local/outputs.conf : [indexer_discovery:master1] pass4SymmKey = ************ master_uri = https://*********:8089 [tcpout:group1] autoLBFrequency = 30 forceTimebasedAutoLB = true indexerDiscovery = master1 useACK = true [tcpout] defaultGroup = group1 After a restart I'm able to add monitors to the indexes present on the peers which seems to mean that discovery occured but I see no data from the heads when I do a search and "list forward-server" on the search heads returns nothing root@********-spk-search1:/opt/splunk/etc# /opt/splunk/bin/splunk list forward-server Active forwards: None Configured but inactive forwards: None Did I miss something ? Also how do I disable local indexing on the search heads ? Regards. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM
Karma given to