About jterry

jterry · ‎10-11-2016

are there any ERROR's in splunkd.log?

jterry · ‎10-11-2016

could you please clarify "nothing happens" ? could this be a firewall issue? If this is nix, you could perhaps verify that data reaching the UDP port w/tcpdump. Have you checked splunkd.log for errors/warnings?

jterry · ‎10-11-2016

can you please add some specifics w/regards to where splunk is running and where the data that you're trying to index is?

jterry · ‎10-11-2016

you could also use a scripted input that just "grep"s the stuff you want indexed.

jterry · ‎10-11-2016

i'm guessing that splunk can't parse the PFsense timestamp. You may need to update/modify the sourcetype def.

jterry · ‎10-11-2016

sounds strange. for starters, can you check splunkd.log for errors and/or warnings?

jterry · ‎10-11-2016

i'm not familiar w/PFsense & the log format it emits but it sounds like the fields are not being recognize/parsed correctly by Splunk. In the absence of a TA that might supply the needed sourcetype definition, you may have to define one.

jterry · ‎10-11-2016

typically, in a case like this, i try to run the script by hand w/the effective UID of the same user that owns the splunkd process. If the script(s) are having problems running as non-root (or otherwise), there should be some indication in STDOUT, if not, then splunkd.log should contain some info.

jterry · ‎10-11-2016

what does your search look like? Are you specifying the wineventlog index? (index=wineventlog *)

jterry · ‎06-02-2016

hm, ok. can you post the results of the search ("index=_internal ERROR") & we'll go from there.

jterry · ‎06-02-2016

version upgrade, though license upgrade is always an option. If you're not using the latest version then i recommend upgrading the version. i sympathize w/you but i assure you it does work "out of the gate".

jterry · ‎06-02-2016

really only looking for "ERROR" log entries, not "INFO". Also note that the search: "index=_internal ERROR" is a directive to show all "ERROR" events from the _internal index. What about that upgrade option?

jterry · ‎06-02-2016

splunkd.log would be the likely place imo. You could also try this search: "index=_internal ERROR"

jterry · ‎06-02-2016

ugh, well there's no "grep" in windows but i'm pretty sure $SPLUNK_HOME/var/log/splunk is still there. i'm not much of a windows user but i think the explorer has some "find in file" functionality. Also, if you're not running the latest version of SL then i'd recommend upgrading.

jterry · ‎06-02-2016

Assuming your cron scripts/actions can get the files off the hosting system & on to a system that splunk has access to, you could configure a local dir input on the splunk server (or forwarder, etc) & associate the desired metadata to any data that's indexed from that source. The cron actions could then just put the data there.

jterry · ‎06-01-2016

Not sure about being able to deploy a script via REST to a cloud instance but the webhook alert action might work for you: http://docs.splunk.com/Documentation/Splunk/latest/Alert/Webhooks

jterry · ‎06-01-2016

any chance of this being a time-zone issue? Perhaps check to see whether the splunk account profile you're using has a different timezone setting than the firewall system.

jterry · ‎06-01-2016

not currently but probably/maybe someday soon.

jterry · ‎05-31-2016

also, could you check for ERROR's in the logs?... cd $SPLUNK_HOME/var/log/splunk ; grep ERROR *

jterry · ‎05-12-2016

Splunk Light is probably the way to go. refer to the docs on scripted inputs

Posts	63
Solutions	3
Karma Given	2
Karma Received	5
Member Since	‎05-19-2011

Online Status	Offline
Date Last Visited	‎06-05-2020 02:02 AM

Re: Error when uploading data "Upload failed with ...

Re: Use UDP to index rest api logs

Re: Why am I not seeing Application and Service lo...

Re: Pulling specific security logs to save memory ...

Re: Why is the timing off between the actual log's...

Re: Splunk stops displaying logs while still recei...

Re: How to troubleshoot why my PFsense logs are no...

Re: Is it possible to use the Splunk Add-on for Un...

Re: How to troubleshoot why a Windows universal fo...

Re: License Expired

Re: License Expired

Re: License Expired

Re: License Expired

Re: License Expired

Re: How can I pull logs from a shared hosting acco...

Re: Can custom alert scripts be added to Splunk Li...

Re: Why is Splunk assigning the wrong date for my ...

Re: Can the Splunk Light Cloud service be upgraded...

Re: License Expired

Re: How to monitor jobs from MySQL table using Spl...