Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About splunktrainingu
splunktrainingu
Communicator
Member since:
04-23-2020
07-31-2025
Community Statistics
| Posts | 66 |
| Solutions | 4 |
| Karma Given | 10 |
| Karma Received | 3 |
| Member Since | 04-23-2020 |
Activity Feed
- Karma Re: Search for client disconnects from Indexer? for richgalloway. 07-08-2024 12:40 PM
- Posted Re: Search for client disconnects from Indexer? on Getting Data In. 07-08-2024 11:24 AM
- Posted Re: Search for client disconnects from Indexer? on Getting Data In. 07-08-2024 10:17 AM
- Posted Search for client disconnects from Indexer? on Getting Data In. 07-08-2024 09:38 AM
- Posted Re: Counting how many days users logged into the server for the last 12 months on Splunk Search. 02-14-2024 07:07 AM
- Posted Re: Counting how many days users logged into the server for the last 12 months on Splunk Search. 02-14-2024 07:06 AM
- Karma Re: Counting how many days users logged into the server for the last 12 months for yuanliu. 02-14-2024 07:06 AM
- Posted Re: Counting how many days users logged into the server for the last 12 months on Splunk Search. 02-13-2024 09:34 AM
- Posted Counting how many days users logged into the server for the last 12 months on Splunk Search. 02-09-2024 02:12 PM
- Posted Re: Splunk file and directory monitoring on Getting Data In. 11-23-2022 12:30 PM
- Posted Re: Splunk file and directory monitoring on Getting Data In. 11-23-2022 08:09 AM
- Posted Splunk file and directory monitoring- Am I configuring correctly? on Getting Data In. 11-22-2022 05:13 PM
- Tagged Splunk file and directory monitoring- Am I configuring correctly? on Getting Data In. 11-22-2022 05:13 PM
- Tagged Splunk file and directory monitoring- Am I configuring correctly? on Getting Data In. 11-22-2022 05:13 PM
- Got Karma for Hot buckets fix?. 03-22-2021 08:39 AM
- Posted Re: Permissions for apps and .conf files on Deployment Architecture. 01-07-2021 09:46 AM
- Posted Permissions for apps and .conf files on Deployment Architecture. 01-06-2021 06:10 PM
- Posted Re: Why do I need to unbind the mgmt port in order to restart splunk? on Deployment Architecture. 01-04-2021 12:38 PM
- Posted Re: Why do I need to unbind the mgmt port in order to restart splunk? on Deployment Architecture. 12-29-2020 03:54 PM
- Posted Why do I need to unbind the mgmt port in order to restart splunk? on Deployment Architecture. 12-28-2020 04:43 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 |
07-08-2024
11:24 AM
So there is no way to monitor the splunkd.log on the UF from the Splunk Indexer?
... View more
07-08-2024
10:17 AM
Would this be logged into the metrics log on the UF? I could monitor for no logs, I have done that in the past.
... View more
07-08-2024
09:38 AM
Is there a way to monitor disconnects on a host (with a deployed universal forwarder) that cannot reach the Indexer? We have an on prem solution. Simply trying to use this host to monitor if network A can reach network B because the host is in Network A and the index is in network B.
... View more
Labels
- Labels:
-
host
-
indexer
-
Linux
-
universal forwarder
02-14-2024
07:07 AM
I am sorry this didn't work for me and I tried to get it to work. But I already have a solution.
... View more
02-14-2024
07:06 AM
Thank you for explaining this. I didn't know about this syntax.
... View more
02-13-2024
09:34 AM
What does the "1d@d" for span mean?
... View more
02-09-2024
02:12 PM
Hello,
I am trying to count how many days out of the last 12 months our users logged into two of our servers. And in the end I want it to display the days out of the 12 months the users logged in. SO if a user logged in 4 time in one day it should count it as 1 day.
I have tried the "timechart span=1d count by Account_Name" this looked promising but timechart groups Account_names in OTHER field that is misleading because there are other accounts in that field.
index=windows source="WinEventLog:Security" EventCode=4624 host IN (Server1, Server2) Logon_Type IN (10, 7)
| eval Account_Name = mvindex(Account_Name,1)
| timechart span=1d count by Account_Name
| untable _time Account_Name count
... View more
11-23-2022
08:09 AM
Thank you I checked the splunkd.log and found out it doesn't have permissions but I already knew that. I am just trying to understand why? This doesn't make sense. Splunk user is part of ADM group, ADM group is applied to the file while can't splunk user read the file. What am I missing here? Insufficient permissions to read file='/var/log/test-combo.log' (hint: Permission denied , UID: 1001, GID: 1001).
... View more
11-22-2022
05:13 PM
Hello having some confusing problems with Splunk permissions that I am trying to understand. Little background we upgrade our index/deployment server from Debian to ubuntu.
here is the problem I am seeing after this upgrade.
I was monitoring a file in var/log/test-combo.log and everything worked before hand on debian 11. Now I am not getting any of the data from this file ingested into my index but I can see fresh logs.
The file is owned by syslog and the group is adm.
My splunk user: uid=1001(splunk) gid=1001(splunk) groups=1001(splunk),4(adm)
I wanted to do a test and I went under Data Inputs > Files & Directories > New Local File & Directory > Browse > Var > Log the strange thing was that I can see half of the logs and half of the directories under there. All the directories and files that I can root:root and had other: r-- set permissions the file in question (test-combo.log) didn't have other:r-- permissions set.
So why is splunk able to see files with these permissions
# file: vpn.log # owner: root # group: root user::rw- group::rw- other::r--
and not able to see files with this permission
# file: test-combo.log # owner: syslog # group: adm user::rw- group::r-- other::---
is it because other is not set to read perms? What would be the significance of setting other to read?
... View more
Labels
- Labels:
-
data
01-07-2021
09:46 AM
I did leave splunk to manage the operative side. But there was an app pushed form my server to another client that had 700. I am asking what the permissions need to be exactly.
... View more
01-06-2021
06:10 PM
Hello I created an app, and now I am trying to figure out the permissions it needs because it is getting deployed on my client server with permissions drwx------ What is the recommended settings on the directory and the .conf files being deployed?
... View more
Labels
01-04-2021
12:38 PM
Splunkd.pid did not exist in the directory /opt/splunkforwarder/var/run/splunk/ I got this when I ran the command ps -eaf |grep splunkd
splunk 18031 17753 0 12:29 pts/4 00:00:00 grep splunkd
... View more
12-29-2020
03:54 PM
That is not the case, I tried with my username and then I tried with the owner username.
... View more
12-28-2020
04:43 PM
I was under the impression that port 8089 is used to manage the apps on your endpoints using the Settings > Forwarder Management. This is what happens when I tried to restart splunk forwarder ./splunk restart
Pid file "/opt/splunkforwarder/var/run/splunk/splunkd.pid" unreadable.: Permission denied
Cannot initialize: /opt/splunkforwarder/etc/apps/learned/metadata/local.meta: Permission denied
Cannot initialize: /opt/splunkforwarder/etc/apps/learned/metadata/local.meta: Permission denied
Cannot initialize: /opt/splunkforwarder/etc/apps/learned/metadata/local.meta: Permission denied
Pid file "/opt/splunkforwarder/var/run/splunk/splunkd.pid" unreadable.: Permission denied
splunkd.pid file is unreadable.
Pid file "/opt/splunkforwarder/var/run/splunk/splunkd.pid" unreadable.: Permission denied
Splunk> Like an F-18, bro.
Checking prerequisites...
Cannot initialize: /opt/splunkforwarder/etc/apps/learned/metadata/local.meta: Permission denied
Checking mgmt port [8089]: Cannot initialize: /opt/splunkforwarder/etc/apps/learned/metadata/local.meta: Permission denied
not available
ERROR: mgmt port [8089] - port is already bound. Splunk needs to use this port.
Would you like to change ports? [y/n]: n
Exiting.... I am currently testing with a one of the Linux servers, I have my "deploymentclient.conf" file in splunkforwarder/etc/system/local/ and it is set to port 8089. My main server is a single deployment on prem. I am not sure what I am doing wrong? I tried to mimic the set up of my windows servers because they have a "deploymentclient.conf" file in their splunkforwarder/etc/system/local directory.
... View more
12-21-2020
05:00 PM
Hello the issue I am having is with the following command: ./splunk restart When I try to restart I get the following message: As Su user:
Failed to run splunk as SPLUNK_OS_USER. This command can only be run by bootstart user.
without su user:
please run 'splunk ftr' as boot-start user I am not understanding what it is asking me to do... I want to mention that puppet is the tool we use to deploy the UF to our linux servers. I am trying to restart the UF because I want to see if the linux server will use the splunk server as a deploymentserver by adding a deploymentclient.conf file to SplunkUniversalForwarder/etc/system/local.
... View more
Labels
12-02-2020
01:40 PM
Hello, I am working with a Linux system and a universal forwarder. Operating System: Debian GNU/Linux 10 (buster)
Kernel: Linux 4.19.0-12-amd64
Architecture: x86-64 when I checked opt/splunkforwarder/etc/system/local and ran ls -l I noticed that root root had permission in there as well as splunk splunk. Should splunk splunk own everything in the universal forwarder directory? -rw-r--r-- 1 root root 283 Apr 30 2020 inputs.conf
-rw------- 1 root root 45 Apr 21 2020 migration.conf
-rw-r--r-- 1 root root 222 Apr 23 2020 outputs.conf
-r--r--r-- 1 splunk splunk 265 Mar 30 2020 README
-rw------- 1 splunk splunk 431 Sep 23 2019 server.conf
-rw-r--r-- 1 splunk splunk 65 Jun 3 13:38 user-seed.conf
-rw-r--r-- 1 root root 40 Sep 23 2019 web.conf
... View more
Labels
- Labels:
-
Linux
-
universal forwarder
10-02-2020
04:44 PM
Thank you! from now on I am going to use this! It was so easy to see for some reason there was a inputs.conf in SplunkUniversalforwarder/etc/app/splunkuniversalforwarder/local/inputs.conf I used the command splunk btool inputs list --debug
... View more
10-01-2020
04:00 PM
1 Karma
Hello, I been trying to figure this out for the past 2 days now and I cannot seem to find which config file is making my host send logs to index=main. I have 4 other machines in forward management that have the same application sending logs to the correct index except for this system. It seems to send Application logs to index=main but all other security logs go to index=windows. I double checked the apps folder on that machine and compared it with a machine that is not sending to index main and also did the same in the etc/system/local. This is a single deployment we have a single search head and single indexer.
... View more
Labels
- Labels:
-
forwarder
-
monitoring console
09-23-2020
05:49 PM
Thank you for this. I was able to do this on the Universal forwarder though. If I drop it on the UF does it dropt hem to null queue as well?
... View more
09-21-2020
02:01 PM
I am currently trying to filter EventCode 4703. I wanted to do this via blacklist but not fully block the EventCode but simply do like a regex to filter on Account Names ending in $ and drop those logs from sending to splunk. Also I am trying to filter 4688 and 4689. I was following this, https://gist.github.com/automine/a3915d5238e2967c8d44b0ebcfb66147 , guide but it doesn't seem to work for me.
... View more
Labels
- Labels:
-
blacklist
-
inputs.conf
-
universal forwarder
09-14-2020
10:15 AM
Yeah I was confusing powershell logging with cmd. They are both turned on through the GPO but it seems like I need to go into inputs.conf for powershell logging and make a stanza.
... View more
09-11-2020
12:23 PM
I was following this guide on adding command line logging to my GPO. I verified that the current GPO has these settings. You must enable the Audit Process Creation audit policy so that 4688 events are generated. You can enable this audit policy from the following Group Policy Object (GPO) container: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Detailed Tracking. You must enable the Include command line in process creation events GPO setting. You can find this setting in the following GPO container: Computer Configuration\Administrative Templates\System\Audit Process Creation. Alternatively, you can enable this setting in the local system registry by setting the HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ ProcessCreationIncludeCmdLine_Enabled registry key value to 1. Here is what I did to test, I simply created a directory, deleted it, also ran ipconfig, net share and was unable to find those commands expect for ipconfig in the logs. Is there anything else I need to do maybe in the input.conf file? EDIT: Seems like mkdir and rmdir do not show up in the logs but all others do. Does anyone know why?
... View more
Labels
- Labels:
-
inputs.conf
-
universal forwarder
-
Windows
08-12-2020
02:44 PM
@to4kawa Do I need to make a a stanza for each field I am extracting?
... View more
08-12-2020
10:39 AM
@gcusello 1. yes, the log comes in json format. 2. I do not know what you mean by network input. This is what I have done Data Input > Files and Directory > /var/log/vpn.log > continuous monitoring. This means I can search the data in my index. 3. When I went to search the data there was no extraction done on the data so I couldn't search those fields. Only fields I can search are the host, source, index, and sourcetype which are added by splunk I would assume. So I pretty much I have a raw json log with no extractions. 4. Delimiters does NOT work because it extracts the field like this into my "interesting fields" when using a comma session.saml.last.attr.friendlyName.eduPersonAffiliation":"| student | member | staff | employee | alum |" This is not helpful at all because it is putting the field name and the data together as a field extracted . If I decided to change the delimiter to the colon it will then put the assigned data of the previous field name with an upcoming field name together. If I use quotation marks as the delimiter it creates 53 fields some of which are not needed because it creates a colon as a field and I cannot remove them. 5. All of the fields are always populate the problem that I am experiencing is when I use the regex method which I thought would be better because I can choose what fields to extract. If I want to extract the field name "session.user.ipgeolocation.continent":"NA" and rename it to "continent" well it only works on two of the logs even though it exists in all of the logs. I want all of my fields extracted to work on all of the logs not just the two logs.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
07-31-2025
03:07 PM
|
Karma given to
