×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
eallanjr
Explorer
Member since: ‎01-11-2012
‎06-05-2020
Community Statistics
Posts 8
Solutions 1
Karma Given 1
Karma Received 4
Member Since ‎01-11-2012
Activity Feed
View All

Re: Why is a monitored file behaving like a batch ...

by in Getting Data In
‎10-20-2015 12:05 PM
‎10-20-2015 12:05 PM
Any file which is greater than 25 MB in size while processing in the Universal Forwarder will be automatically assigned to BatchReader. This is answered below already https://answers.splunk.com/answers/109779/when-is-the-batchreader-used-and-when-is-the-tailingprocessor-used.html ... View more

Re: How to prevent search head from searching peer...

by in Deployment Architecture
‎08-18-2014 01:11 PM
‎08-18-2014 01:11 PM
Setting it in the default stanza should enforce that restriction for all users. That might be something you can look into. ... View more

Re: cisco asa firewall logs

by in Getting Data In
‎06-21-2012 08:22 AM
‎06-21-2012 08:22 AM
Agreed - we also send to a centralized syslog server running a heavy forwarder. This allows us to do per-event filtering, since our network admins want to keep way more firewall logs than we actually wanted to index in Splunk (or have the licensing for!) ... View more

Re: tiered deployment server says deployment apps ...

by in Deployment Architecture
‎03-26-2013 03:52 PM
1 Karma
‎03-26-2013 03:52 PM
1 Karma
I'd like to see this "bug" fixed. Its annoying that you need to put it in etc/apps dir and not somewhere else as dictated by the targetrepositorylocation option. It's makes the tiered deployment servers "messy" as to what is a local app and what is deployed elsewhere. For all intents targetrepositorylocation is broken. What we've actually done is to make a deployment "bundle" dir inside the app itself that we then refer to as the repository location. ie. ~/etc/apps/deployment-apps/some_other_app_to_deploy and have "stateOnClient = disabled". ... View more

Re: searching for linux audit events?

by in Splunk Search
‎10-27-2016 06:55 PM
‎10-27-2016 06:55 PM
I took a look at the Splunk_TA_nix 5.1.2 script rlog.sh and made a change to it: I got rid of the grep -v part so the line that reads: awk -v START=$SEEK -v OUTPUT=$SEEK_FILE 'NR>START { print } END { print NR > OUTPUT }' $AUDIT_FILE | tee $TEE_DEST | /sbin/ausearch -i 2>/dev/null | grep -v "^----" no reads awk -v START=$SEEK -v OUTPUT=$SEEK_FILE 'NR>START { print } END { print NR > OUTPUT }' $AUDIT_FILE | tee $TEE_DEST | /sbin/ausearch -i 2>/dev/null This will give you a delimiter for the events which is the "----" Then I made my own sourcetype for this: [linux:audit] BREAK_ONLY_BEFORE = ---- DATETIME_CONFIG = MAX_TIMESTAMP_LOOKAHEAD = 23 NO_BINARY_CHECK = true TIME_FORMAT = %m/%d/%Y %T.%3 TIME_PREFIX = msg=audit\( category = Operating System description = Auditd Events disabled = false pulldown_type = true Seems to be working in my lab for now. Thanks @foxyfred for the idea. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM
Karma from
View All
Karma given to
View All