Activity Feed
- Karma Re: NetApp Data ONTAP: App is indexing events, but no information is appearing in dashboards. for jcoates_splunk. 06-05-2020 12:47 AM
- Got Karma for Re: License Pool daily volume allocation not working running Splunk 6.0.4 on Linux Redhat. 06-05-2020 12:47 AM
- Got Karma for Re: License Pool daily volume allocation not working running Splunk 6.0.4 on Linux Redhat. 06-05-2020 12:47 AM
- Got Karma for What files contain the configs for Splunk web to do http or https?. 06-05-2020 12:47 AM
- Got Karma for Re: What files contain the configs for Splunk web to do http or https?. 06-05-2020 12:47 AM
- Got Karma for Re: What files contain the configs for Splunk web to do http or https?. 06-05-2020 12:47 AM
- Got Karma for Does NetApp ONTAP 2.0.1 need intermediate forwarders?. 06-05-2020 12:47 AM
- Got Karma for How does a customer set up Support Portal account?. 06-05-2020 12:47 AM
- Got Karma for NetApp Data ONTAP: App is indexing events, but no information is appearing in dashboards.. 06-05-2020 12:47 AM
- Got Karma for Splunk TA for Unix/Linux: Where can I find download for version 5.0.2 ?. 06-05-2020 12:47 AM
- Karma Re: How to get Windows domain log in data for ChrisG. 06-05-2020 12:46 AM
- Karma Re: Universal Forwarder Error during install for linu1988. 06-05-2020 12:46 AM
- Got Karma for Re: Universal Forwarder install- can't browse log file location. 06-05-2020 12:46 AM
- Got Karma for Re: Override Sourcetype. 06-05-2020 12:46 AM
- Posted Re: Windows events: Why no data in the "Message" field? on Getting Data In. 03-10-2015 10:25 AM
- Posted Re: How do I change the user Splunk runs as? on Security. 02-02-2015 01:39 PM
- Posted Re: How do I change the user Splunk runs as? on Security. 02-02-2015 10:46 AM
- Posted How do I change the user Splunk runs as? on Security. 01-30-2015 04:37 PM
- Tagged How do I change the user Splunk runs as? on Security. 01-30-2015 04:37 PM
- Posted Re: If I disable an index, will events for that index stop being counted against the license? on Installation. 10-30-2014 12:52 PM
03-10-2015
10:25 AM
I talked to support and apparently when reading windows events from a file, the message data is not collected. I did not find a fix for this, but you may also want to consult support.
02-02-2015
10:46 AM
Yes. Documentation says, "before you start Splunk Enterprise for the first time, change the ownership of the $SPLUNK_HOME directory to the desired user."
But Splunk was started as root-user and has been running as root-user. So will the "chown" command work after Splunk was started and running as root-user?
01-30-2015
04:37 PM
I have installed Splunk 6.0.4 as a root user on Linux 64bit RH 6.4. However, now I would like to change the user Splunk runs as to a non-root user. Is this possible and how would it be done?
-Thanks!
10-30-2014
12:52 PM
Thanks aholzer. That's exactly how I thought it would work, but wanted confirmation.
10-30-2014
11:19 AM
Also, any suggestions on what events to discard from NetApp: ONTAP data would be appreciated.
10-30-2014
11:15 AM
This seems like a silly question, but I just want confirmation. I have a huge amount of events coming in for "ontap" index and it is causing license warnings. I would like to halt the indexing of these events until I can properly restrict the amount of events I am receiving. Will disabling the "ontap" index stop these events from being counted against the license?
Thanks.
Labels: license
10-30-2014
09:53 AM
Thanks. I will try re-installing.
09-30-2014
03:53 PM
1 Karma
I have a customer that has an enterprise license and support contract. How do they go about setting up their support portal account?
09-30-2014
09:49 AM
Thanks mcronkrite. I'll install the TA_Windows and see if it makes a difference.
09-29-2014
10:34 AM
I have the Splunk App for Windows Infrastructure installed on the Indexer/Search Head and on the Heavy Forwarder. Do I also need Splunk Add-on for Microsoft Windows installed on the Indexer/Search Head?
Thanks.
09-23-2014
01:20 PM
I can confirm that there is no blacklisting. I think it may have to do with the REGEX for reporting the message, but I have no REGEX knowledge/experience.
I'm seeing this in SPLUNK_HOME/etc/system/default/props.conf:
```ini
[source::WinEventLog...]
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD=30
LINE_BREAKER = ([\r\n](?=\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2} [aApPmM]{2}))
REPORT-MESSAGE = wel-message, wel-eq-kv, wel-col-kv
KV_MODE=none
TRANSFORMS-FIELDS = strip-winevt-linebreaker
```
and in transforms.conf:
```ini
[wel-message]
# named capture group restored: the extractor had stripped "<Message>" as if it were an HTML tag
REGEX = (?sm)^(?<_pre_msg>.+)\nMessage=(?<Message>.+)$
CLEAN_KEYS = false
[wel-eq-kv]
SOURCE_KEY = _pre_msg
DELIMS = "\n","="
MV_ADD = true
[wel-col-kv]
SOURCE_KEY = Message
REGEX = \n([^:\n\r]+):[ \t]++([^\n]*)
FORMAT = $1::$2
MV_ADD = true
```
09-23-2014
11:41 AM
No blacklisting was done manually. Could it have been blacklisted automatically by an app or config? I'm checking out the inputs/outputs/transforms files on the hvy forwarder now. Any suggestions on what I should be looking for? Thanks Jeff.
09-23-2014
11:26 AM
I have a heavy forwarder on a win2008R2 server. Windows security logs are being written to a file on that forwarder and then forwarded to the Splunk Enterprise instance. The problem I am having is that there is no information or data appearing in the "Message=" part of the event. Can anyone tell me why I am not getting this data and how I can fix it?
I have looked at the Windows logs on the forwarder and the "Message" information is there, but not showing in Splunk searches. Here is a sample of a Windows event as it shows in a Splunk search:
```
09/23/2014 10:32:21 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4740
EventType=0
Type=Information
ComputerName=xxx.xxx.xxx
TaskCategory=User Account Management
OpCode=Info
RecordNumber=348148916
Keywords=Audit Success
Message=
```
Thank you for your help.
09-22-2014
04:25 PM
Can you tell me why I am getting no information in the "Message" part of the event? The actual Windows log has message information including account name, but that info is not being displayed in the Splunk event.
Example of my Splunk event:
```
09/22/2014 03:31:01 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4740
EventType=0
Type=Information
ComputerName= XXX.xxxxx.XXX
TaskCategory=User Account Management
OpCode=Info
RecordNumber=346165397
Keywords=Audit Success
Message=
```
09-16-2014
10:36 AM
Thanks. I'll check the spaces.
I have 2 indexers and several heavy forwarders. This particular config is on the main indexer which also serves as the search head.
Thanks for the help!
09-15-2014
03:13 PM
I am working on what should be a very easy filter, but cannot get it to work. I want to filter out events with sourcetype="WinEventLog:ForwardedEvents". This is my props and transforms in $SPLUNK_HOME/etc/system/local.
props.conf:
```ini
[WinEventLog:ForwardedEvents]
TRANSFORMS-wmi=wminull
```
transforms.conf:
```ini
[wminull]
REGEX= .
DEST_KEY=queue
FORMAT=nullQueue
```
Any help you can give me is very appreciated.
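Added example (not from the thread or from Splunk): a small Python model of the two configurations quoted in the posts above, the `[wminull]` nullQueue filter on `WinEventLog:ForwardedEvents` and the default `wel-message` / `wel-eq-kv` / `wel-col-kv` extraction chain for Windows events. The Splunk regexes are translated to Python syntax (`(?<name>)` becomes `(?P<name>)`, the possessive `[ \t]++` becomes `[ \t]+`), the queue names and the `route`/`extract` functions are this example's own, and the two events are constructed in the layout shown earlier, one with the empty `Message=` the poster saw and one with a message body. Running it shows why the default regex is not the cause of the empty field: `wel-message` requires at least one character after `Message=`, so when the forwarder never collects the message text nothing downstream can extract it.

```python
import re

# Splunk regexes quoted in the posts above, translated to Python syntax:
# Splunk's (?<name>...) becomes (?P<name>...), and the possessive [ \t]++ in
# wel-col-kv becomes [ \t]+ (backtracking cannot change the result here).
WEL_MESSAGE = re.compile(r"(?sm)^(?P<_pre_msg>.+)\nMessage=(?P<Message>.+)$")
WEL_COL_KV = re.compile(r"\n([^:\n\r]+):[ \t]+([^\n]*)")
WMINULL = re.compile(r".")  # REGEX= . from the [wminull] stanza


def route(sourcetype: str, raw: str) -> str:
    """Mimic TRANSFORMS-wmi=wminull on [WinEventLog:ForwardedEvents]: an event
    of that sourcetype whose _raw matches '.' goes to nullQueue, i.e. it is
    dropped before indexing and so is not counted against the license.
    (Queue names are this example's own labels.)"""
    if sourcetype == "WinEventLog:ForwardedEvents" and WMINULL.search(raw):
        return "nullQueue"
    return "indexQueue"


def _add(fields: dict, key: str, value: str) -> None:
    # MV_ADD = true: a repeated key becomes a multivalue field, not an overwrite
    fields.setdefault(key.strip(), []).append(value)


def extract(raw: str) -> dict:
    """Apply REPORT-MESSAGE = wel-message, wel-eq-kv, wel-col-kv to one event."""
    m = WEL_MESSAGE.search(raw)
    if not m:
        # "Message=" followed by nothing: (?P<Message>.+) needs at least one
        # character, so wel-message fails, _pre_msg is never set, and wel-eq-kv
        # (SOURCE_KEY = _pre_msg) has nothing to work on either.
        return {}
    fields: dict = {}
    pre_msg, message = m.group("_pre_msg"), m.group("Message")
    # wel-eq-kv: DELIMS = "\n","="  -> one key=value pair per header line
    for line in pre_msg.split("\n"):
        if "=" in line:
            key, value = line.split("=", 1)
            _add(fields, key, value)
    _add(fields, "Message", message)
    # wel-col-kv: "Key:<spaces>value" lines inside the Message body
    for key, value in WEL_COL_KV.findall(message):
        _add(fields, key, value)
    return fields


# Constructed sample events in the layout shown in the posts above. The first
# has the empty "Message=" the poster saw; the second carries a message body.
EMPTY_MESSAGE_EVENT = "\n".join([
    "09/23/2014 10:32:21 AM",
    "LogName=Security",
    "SourceName=Microsoft Windows security auditing.",
    "EventCode=4740",
    "EventType=0",
    "Type=Information",
    "ComputerName=xxx.xxx.xxx",
    "TaskCategory=User Account Management",
    "OpCode=Info",
    "RecordNumber=348148916",
    "Keywords=Audit Success",
    "Message=",
])

FULL_EVENT = EMPTY_MESSAGE_EVENT + "\n".join([
    "A user account was locked out.",
    "",
    "Subject:",
    "    Security ID:  S-1-5-18",
    "    Account Name:  DC01$",
    "",
    "Account That Was Locked Out:",
    "    Account Name:  jdoe",
    "Additional Information:",
    "    Caller Computer Name:  WS042",
])

if __name__ == "__main__":
    for sourcetype in ("WinEventLog:ForwardedEvents", "WinEventLog:Security"):
        print(sourcetype, "->", route(sourcetype, FULL_EVENT))
    print("empty Message:", extract(EMPTY_MESSAGE_EVENT))
    for key, values in extract(FULL_EVENT).items():
        print(f"{key} = {values}")
```

Keys are only whitespace-stripped here; real Splunk would additionally apply CLEAN_KEYS to the `wel-col-kv` output, turning `Account Name` into `Account_Name`. Note that a header line such as `Subject:` with nothing after the colon is deliberately skipped by the `[ \t]+` requirement, which is why only the indented `Key:  value` lines become fields.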
08-12-2014
06:20 PM
That explains it. Thanks.
08-12-2014
03:57 PM
1 Karma
Documentation for Splunk TA for Unix says, "The latest version of the Splunk App and Splunk Supporting Add-on for Unix and Linux is 5.0.1. You can use that version of the app and supporting add-on with version 5.0.2 of the Splunk Add-on for Unix and Linux."
I cannot find a download for version 5.0.2. All links lead to version 5.0.3.
Where can I get version 5.0.2 of the Splunk Add-On for Unix???
Thanks.
08-08-2014
04:40 PM
I have installed the Splunk app for NetApp:ONTAP and I'm having a problem with some of my dashboards. More specifically, it seems I am missing the sourcetype "ontap:perf". I am also missing several sources such as AggrPerfHandler, VolumePerfHandler, LunPerfHandler and DiskPerfHandler.
Can anyone tell me how to get the "ontap:perf" sourcetype into Splunk or any ideas why I am missing it?
Thanks.
07-30-2014
04:21 PM
Except for the dashboards that need the "ontap:perf" sourcetype.
07-30-2014
04:18 PM
Sorry, my mistake. I still don't see a sourcetype of ontap:perf, but the dashboards all seem to function.
07-30-2014
04:13 PM
Did you add the index "ontap" to the list of indexes searched by default?
I had no sourcetype of "ontap:perf" until I added that index.
07-29-2014
05:23 PM
Thanks! That worked like a charm.
Above answer fixed the problem.
07-29-2014
04:49 PM
I don't know. Is there a file I can check to find that info?