Activity Feed
- Karma Re: Microsoft Azure App for Splunk for VatsalJagani. 03-25-2022 06:20 AM
- Posted Re: Microsoft Azure App for Splunk on All Apps and Add-ons. 03-23-2022 09:48 PM
- Karma Re: Splunk Add-On for Microsoft Cloud Services for richgalloway. 03-21-2022 03:20 PM
- Posted Splunk Enterprise Security Cloud Security feature on Splunk Dev. 03-21-2022 03:14 PM
- Posted Why is Microsoft Azure App for Splunk not showing any data? on All Apps and Add-ons. 03-21-2022 03:10 PM
- Posted Re: Splunk Add-On for Microsoft Cloud Services on All Apps and Add-ons. 03-21-2022 02:57 PM
- Posted Splunk Add-On for Microsoft Cloud Services on All Apps and Add-ons. 03-21-2022 11:44 AM
- Karma Re: Identifying Windows hosts for yongly. 06-05-2020 12:46 AM
- Got Karma for Re: Forwarding Mainframe logs to Splunk. 06-05-2020 12:46 AM
- Got Karma for Convert Splunk default time to human readable format. 06-05-2020 12:46 AM
- Got Karma for Convert Splunk default time to human readable format. 06-05-2020 12:46 AM
- Got Karma for Convert Splunk default time to human readable format. 06-05-2020 12:46 AM
- Got Karma for Convert Splunk default time to human readable format. 06-05-2020 12:46 AM
- Got Karma for Re: Convert Splunk default time to human readable format. 06-05-2020 12:46 AM
- Got Karma for Re: Format of configuration files. 06-05-2020 12:46 AM
- Got Karma for Bug in Export Raw events. 06-05-2020 12:46 AM
- Got Karma for Bug in Export Raw events. 06-05-2020 12:46 AM
- Got Karma for Bug in Export Raw events. 06-05-2020 12:46 AM
- Got Karma for Report on Splunk Forwarders. 06-05-2020 12:46 AM
- Got Karma for Temporarily stop indexing. 06-05-2020 12:45 AM
03-23-2022 09:48 PM
Hello Vatsal, Thanks for the response. I don't see any errors in the Splunkd log. I will reach out to Splunk support for assistance. Best regards.
03-21-2022 03:14 PM
We are running the latest update for Splunk Enterprise Security, which includes the new "Cloud Security" option. In Cloud Security, I can see some data when using the "Microsoft 365 Security Option". However, no data is shown for the following options:
- Security Groups
- IAM Activity
- Network ACLs
- Access Analyzer
Is there some configuration that I have missed? Thanks. Steve Rogers
Labels: app
03-21-2022 03:10 PM
We are running in Splunk Cloud and have configured the "Splunk Add-On for Microsoft Cloud Services" based on the provided configuration documentation.
I am trying to use the Microsoft Azure App for Splunk to view Azure data (which I presumed would be pulled in by the "Splunk Add-On for Microsoft Cloud Services"), but the Microsoft Azure App for Splunk shows no data at all.
I have verified the Add-on configuration, but I am still not seeing any data. Does anyone have this app working and displaying results?
Best regards, Steve Rogers
Labels: configuration
03-21-2022 02:57 PM
Thanks for the response, Rich. I had seen that, but was wondering if there was anything more specific regarding Splunk Enterprise Security. However, I will dig into this further and see what else I can find.
03-21-2022 11:44 AM
Hello, We are configuring the Splunk add-on for Microsoft Cloud Services. Is there a corresponding Splunk app for visualization of the data that is ingested by this add-on? Steve Rogers
Labels: configuration
03-14-2017 05:01 PM
Sorry about that. I thought everyone could see the code posted by Dan.
03-14-2017 05:00 PM
Working solution:
in props.conf:
```ini
[LEEF_csv]
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
disabled = false
pulldown_type = true
REPORT-leef = LEEF_KVP
```
in transforms.conf:
```ini
[LEEF_KVP]
REGEX = (\w+)=([^=]+)(?:\s+|$)
FORMAT = $1::$2
MV_ADD = true
```
03-14-2017 09:18 AM
I used the solution provided by Dan [Splunk]. Thanks again for your assistance.
03-13-2017 09:25 PM
Thanks Dan. Problem solved. Woodcock, thank you also for taking the time to respond.
Best regards,
Steve Rogers
03-06-2017 08:35 PM
Thanks very much for your prompt response. I will try adding those configurations.
03-06-2017 12:13 PM
I am trying to import "LEEF" formatted data (from an IBM mainframe) into Splunk, but none of the name / value pairs are recognized. There is a question in the Splunk community from 2011 regarding this same issue which was not answered. Should I just use the manual field extraction for this type of data or is this a known log format which Splunk can handle?
See sample log event below:
```
"LEEF:1.0|IBM|RACF|2.2.1|80 27.0|devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSZ devTime=2017-02-27T14:01:47.630-0500 usrName=U020005 name=LISA DODARO usrPriv= usrGroups= ICTXname= ICTXreg= job=JB0 27 Feb 2017 14:01:46.26 U0200051 intent= allow= class=MXADMIN prof= res= vol= dsn= sens= own= box= terminal= poe= logstr=CSQH RESLEVEL CHECK PERFORMED AGAINST PROFILE(MQGP.RESLEVEL), CLASS(MXADMIN), ACCESS EQUATES TO (NONE) auth= desc=Success reason= appl= sum=RACF GENERAL success for U020005: logstr=CSQH RESLEVEL CHECK PERFORMED AGAINST PROFILE(MQGP.RESLEVEL), CLASS(MXADMIN), ACCESS EQUATES TO (NONE) cmd="
```
Tags: splunk-enterprise
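The following is an added Python example, not code from this thread or from Splunk. It takes the sample RACF event from the question above, splits the pipe-delimited LEEF header from the attribute section, and applies the REGEX from the "Working solution" post (with the same multivalue behaviour that MV_ADD = true gives) so you can see exactly which fields that transform yields. Beside it is a second parser that also keeps attributes whose value is empty (usrPriv=, usrGroups=, ...), which the regex's `[^=]+` necessarily skips. The SAMPLE_EVENT string is the question's event with whitespace standing in for the LEEF tab delimiter; the function names are mine.

```python
import re

# Sample event copied from the question above. On the page the LEEF 1.0 tab
# delimiters between attributes appear as spaces, so any run of whitespace is
# treated as the attribute separator here.
SAMPLE_EVENT = (
    "LEEF:1.0|IBM|RACF|2.2.1|80 27.0|"
    "devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSZ devTime=2017-02-27T14:01:47.630-0500 "
    "usrName=U020005 name=LISA DODARO usrPriv= usrGroups= ICTXname= ICTXreg= "
    "job=JB0 27 Feb 2017 14:01:46.26 U0200051 intent= allow= class=MXADMIN "
    "prof= res= vol= dsn= sens= own= box= terminal= poe= "
    "logstr=CSQH RESLEVEL CHECK PERFORMED AGAINST PROFILE(MQGP.RESLEVEL), "
    "CLASS(MXADMIN), ACCESS EQUATES TO (NONE) auth= desc=Success reason= appl= "
    "sum=RACF GENERAL success for U020005: logstr=CSQH RESLEVEL CHECK PERFORMED "
    "AGAINST PROFILE(MQGP.RESLEVEL), CLASS(MXADMIN), ACCESS EQUATES TO (NONE) cmd="
)

# The REGEX from the transforms.conf stanza in the working solution.
SPLUNK_REGEX = re.compile(r"(\w+)=([^=]+)(?:\s+|$)")

# Splits the attribute section at whitespace that is immediately followed by
# another "key=" token, so values containing spaces stay intact and attributes
# with an empty value are kept (assumed delimiter model, mine not Splunk's).
ATTR_SPLIT = re.compile(r"\s+(?=\w+=)")


def split_leef(event):
    """Separate the pipe-delimited LEEF header from the attribute section."""
    if not event.startswith("LEEF:"):
        raise ValueError("not a LEEF event")
    parts = event.split("|", 5)  # header has five fields; attributes may contain '|'
    if len(parts) != 6:
        raise ValueError("LEEF header must have five pipe-delimited fields")
    header = {
        "version": parts[0].split(":", 1)[1],
        "vendor": parts[1],
        "product": parts[2],
        "product_version": parts[3],
        "event_id": parts[4],
    }
    return header, parts[5]


def extract_with_splunk_regex(attrs):
    """Apply the REPORT regex the way Splunk does with MV_ADD = true:
    every match becomes a value and repeated keys become multivalue fields."""
    fields = {}
    for key, value in SPLUNK_REGEX.findall(attrs):
        fields.setdefault(key, []).append(value)
    return fields


def parse_leef_attrs(attrs):
    """Parser that also preserves attributes with an empty value."""
    fields = {}
    for token in ATTR_SPLIT.split(attrs):
        key, sep, value = token.partition("=")
        if not sep:
            continue  # stray text without a key: skip rather than guess
        fields.setdefault(key, []).append(value)
    return fields


def parse_leef(event):
    """Full parse: header dict plus attribute dict (lists, for multivalue)."""
    header, attrs = split_leef(event)
    return header, parse_leef_attrs(attrs)


if __name__ == "__main__":
    header, attrs = split_leef(SAMPLE_EVENT)
    print("header:", header)
    regex_fields = extract_with_splunk_regex(attrs)
    full_fields = parse_leef_attrs(attrs)
    print("fields found by the Splunk regex:", sorted(regex_fields))
    print("empty-valued fields it skips:",
          sorted(k for k, v in full_fields.items() if v == [""]))
    print("logstr is multivalue:", regex_fields["logstr"])
```

Two things worth noticing on this event: the `sum=` value itself contains a second `logstr=`, so both extractors report `logstr` twice, which is why the solution needs MV_ADD = true rather than a last-value-wins extraction; and the regex silently drops the nineteen empty attributes, so a search like `usrPriv=""` will never match events extracted that way. If you need to alert on empty authorization fields, keep the fuller parser's semantics.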
11-03-2014 12:58 PM
Hello Kristian,
Thanks for the response. In digging into this further, it appears the bulk of the log entries from the indexer are coming from "/opt/splunk/var/log/splunk/metrics.log". I will check into this further.
11-03-2014 10:32 AM
My environment generates on average about 12GB of logs daily (out of a license for 20GB). The Splunk indexer is generating on average about 1.5GB to 1.8GB daily log volume? This seems excessive / high? How could I determine what is causing the indexer to generate this high volume of logs? Or is this "normal"?
Thanks.
10-15-2014 07:28 AM
Thanks to everyone who contributed answers. After using the "list monitor" command, it showed that the files in question were being monitored. The problem was in the search. The files were going to a specific index which was not included by default in the "user" role. I added that index as a default to the "user role" and the logs are now showing.
Thanks again to everyone who contributed answers.
10-15-2014 07:26 AM
Thanks very much Jeremiahc4. The "list monitor" command showed me what I was looking for.
10-15-2014 07:12 AM
Is there an option / utility in Splunk which shows which files / directories are being monitored?
I looked at the "S.o.S." app, but could not see what I am looking for there either.
Thanks.
10-15-2014 06:52 AM
Chanfoli - this did not work. Files are still not being picked up. Thanks.
10-15-2014 06:49 AM
Must be because of the brackets. I have the value of "SOURCE" on the crcSalt parameter.
Thanks.
10-15-2014 06:49 AM
Jeremiah - yes. I have crcSalt =
I am not sure why it dropped on the initial post.
10-14-2014 02:50 PM
I have a directory with a list of files as follows:
```
/var/log/xxxxx/job01_SubsLoadAdHocBC01.log
/var/log/xxxxx/job01_SubsLoadDataChangeBC01.log
/var/log/xxxxx/job01_SubsLoadDistributionChangeBC01.log
/var/log/xxxxx/job01_SubsLoadMarketBC01.log
/var/log/xxxxx/job01_SubsPrepareBC01.log
/var/log/xxxxx/job01_SubsQuickJobsBC01.log
/var/log/xxxxx/ScheduleSplit.log
/var/log/xxxxx/job02_SubsLoadAdHocBC02.log
/var/log/xxxxx/job02_SubsLoadDataChangeBC02.log
/var/log/xxxxx/job02_SubsLoadDistributionChangeBC02.log
/var/log/xxxxx/job02_SubsLoadMarketBC02.log
/var/log/xxxxx/job02_SubsPrepareBC02.log
/var/log/xxxxx/job02_SubsQuickJobsBC02.log
```
My inputs.conf file:
```ini
[monitor:///var/log/xxxxx]
index = test
crcSalt =
sourcetype = test
disabled = false
blacklist = (/nodeagent|/dmgr|/ffdc)
whitelist = (ScheduleSplit\.log$|job*\.log$)
```
However, none of the files are being indexed. There are events in those files for today.
I added the "crcSalt = " parameter, but that did not help.
The only relevant messages I see in the splunkd.log are as follows:
```
0-14-2014 15:41:56.843 -0400 WARN ulimit - Core file generation disabled
```
I am not sure what that means.
Any help would be appreciated. Is this a problem with the "whitelist" statement?
Steve Rogers
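Added Python example, not from the thread: it runs the whitelist and blacklist regexes from the inputs.conf above against the thirteen paths from the question, modelling the way Splunk applies them (each regex is searched anywhere in the full path, a whitelist must match when present, and a blacklist match wins when both match). In a regex, `job*` means "jo" followed by zero or more "b", not "job followed by anything", so `job*\.log$` only matches names such as `jo.log` or `jobbb.log` and every `job01_...` file is silently excluded from monitoring, a gap that shows up as "missing logs" rather than as an error. WHITELIST_FIXED is my assumed replacement pattern, not a fix posted in the thread; the function names are mine.

```python
import re

# File list from the question above; "xxxxx" is the poster's own redaction.
PATHS = [
    "/var/log/xxxxx/job01_SubsLoadAdHocBC01.log",
    "/var/log/xxxxx/job01_SubsLoadDataChangeBC01.log",
    "/var/log/xxxxx/job01_SubsLoadDistributionChangeBC01.log",
    "/var/log/xxxxx/job01_SubsLoadMarketBC01.log",
    "/var/log/xxxxx/job01_SubsPrepareBC01.log",
    "/var/log/xxxxx/job01_SubsQuickJobsBC01.log",
    "/var/log/xxxxx/ScheduleSplit.log",
    "/var/log/xxxxx/job02_SubsLoadAdHocBC02.log",
    "/var/log/xxxxx/job02_SubsLoadDataChangeBC02.log",
    "/var/log/xxxxx/job02_SubsLoadDistributionChangeBC02.log",
    "/var/log/xxxxx/job02_SubsLoadMarketBC02.log",
    "/var/log/xxxxx/job02_SubsPrepareBC02.log",
    "/var/log/xxxxx/job02_SubsQuickJobsBC02.log",
]

# Regexes exactly as written in the inputs.conf stanza in the question.
BLACKLIST = r"(/nodeagent|/dmgr|/ffdc)"
WHITELIST_FROM_POST = r"(ScheduleSplit\.log$|job*\.log$)"

# Assumed replacement (my suggestion, not from the thread): "job", one or more
# digits, an underscore, anything, then ".log" at the end of the path.
WHITELIST_FIXED = r"(ScheduleSplit\.log$|job\d+_.*\.log$)"


def would_monitor(path, whitelist=None, blacklist=None):
    """Model Splunk's monitor-input filtering: both regexes are searched
    (unanchored) against the full path, a whitelist must match when set,
    and a blacklist match excludes the file even if the whitelist matches."""
    if blacklist and re.search(blacklist, path):
        return False
    if whitelist and not re.search(whitelist, path):
        return False
    return True


def monitored_paths(paths, whitelist=None, blacklist=None):
    """Paths the stanza would pick up."""
    return [p for p in paths if would_monitor(p, whitelist, blacklist)]


def skipped_paths(paths, whitelist=None, blacklist=None):
    """Paths the stanza would silently ignore: the visibility gap to check."""
    return [p for p in paths if not would_monitor(p, whitelist, blacklist)]


if __name__ == "__main__":
    for label, wl in (("whitelist from the post", WHITELIST_FROM_POST),
                      ("corrected whitelist", WHITELIST_FIXED)):
        kept = monitored_paths(PATHS, wl, BLACKLIST)
        print(f"{label}: {len(kept)} of {len(PATHS)} files would be monitored")
        for p in skipped_paths(PATHS, wl, BLACKLIST):
            print("  silently skipped:", p)
```

Running it shows the post's whitelist keeping only ScheduleSplit.log and the corrected one keeping all thirteen files. The same check is worth repeating whenever a monitor stanza is edited, because a whitelist that is too narrow produces no warning in splunkd.log, only absent events.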
03-12-2014 12:22 PM
I am running Splunk v 6.0.1 build 189883. The Deployment Monitor App is at version 5.0.2. However, when I launch the Deployment Monitor App I get the following message: "This app is not compatible with your version of Splunk. To use this App, please upgrade to Splunk 5.0 or newer"
03-12-2014 10:32 AM
Is there a version of this app that is compatible with Splunk version 6?
01-13-2014 08:15 PM
I tried the first search solution but it gave me 147 results. However, in the Deployment Monitor it shows 377 forwarders (which I think is correct). The other searches return zero results.
I probably did not explain clearly - I am using the Deployment Monitor and it shows the result I am interested in under "All Forwarders" but with a maximum of 50 per page. I am trying to get a report or search that shows all the Forwarders in a single page or allows me to export the entire list. Thanks.
01-13-2014 04:15 PM
lguinn, thanks for your prompt response. I will experiment with the various options and post my results. Thanks very much.
01-13-2014 03:00 PM
1 Karma
Is there a way to get a report of "All Forwarders" in Splunk. I am trying to get this information in a format that I can export to a spreadsheet (needed to verify that all our inventoried hosts are reporting to Splunk). I am using the Deployment App, but the best I can do is only see 50 entries per page and there is no "export" function. I tried some searches based on research of the doc and answers on the forum but to no avail. Any help would be appreciated.
How can I find what search the Deployment Monitor is using for this "All Forwarders" dashboard?
Tags: forwarders