cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
knewter
Engager
Member since: ‎05-10-2013
‎06-05-2020
Community Statistics
Posts 15
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎05-10-2013
Activity Feed
View All

Re: Splunk app forActive Direcoty - All data are g...

by in All Apps and Add-ons
‎07-18-2013 08:51 AM
‎07-18-2013 08:51 AM
From what I've seen the best way to install the AD app is to leave everything default. Also, this blog post is very helpful. http://blogs.splunk.com/2012/10/21/splunk-app-for-active-directory-and-the-top-10-issues/ ... View more

Re: Splunk app forActive Direcoty - All data are g...

by in All Apps and Add-ons
‎07-18-2013 08:41 AM
‎07-18-2013 08:41 AM
Have you tried using btool to see if there is another inputs.conf taking precedence? What results do you get when you rund the following command: ./splunk cmd btool inputs list --debug ... View more

Re: DB Connect Tail Command not updating

by in Splunk Search
‎06-22-2013 07:37 AM
‎06-22-2013 07:37 AM
I ran the btool command earlier and it shows the output.format in there. /opt/splunk/etc/apps/dbx/local/inputs.conf output.format = kv /opt/splunk/etc/apps/dbx/local/inputs.conf output.timestamp = 1 /opt/splunk/etc/apps/dbx/local/inputs.conf output.timestamp.column = created_on /opt/splunk/etc/apps/dbx/local/inputs.conf output.timestamp.format = MM/dd/yyyy HH:mm:ss.SSS It's like Splunk doesn't see those lines. The strange thing is it was working a few days ago. ... View more

Re: DB Connect Tail Command not updating

by in Splunk Search
‎06-21-2013 03:27 PM
‎06-21-2013 03:27 PM
I've restarted splunk but I'm still receiving the errors. ... View more

Re: DB Connect Tail Command not updating

by in Splunk Search
‎06-21-2013 10:32 AM
‎06-21-2013 10:32 AM
Strange when I look at the inputs.conf file it's there. Should I just re-save the config file ? ... View more

DB Connect Tail Command not updating

by in Splunk Search
‎06-21-2013 09:37 AM
‎06-21-2013 09:37 AM
I am using a tail db command to pull events from a Oracle database every hour. I was able to pull in all of the data the first time it ran but I haven't received any new events. When I looked at the log file I'm receiving the following error message: 2013-06-21 10:48:53.060 dbx5648:INFO:DatabaseInfoCommand - Fetching tables for database=DB_Audit 2013-06-21 10:49:31.963 dbx9326:INFO:DatabaseInfoCommand - Fetching schemas for database=DB_Audit 2013-06-21 10:49:33.123 dbx4360:INFO:DatabaseInfoCommand - Fetching tables for database=DB_Audit 2013-06-21 11:21:22.312 monsch1:ERROR:Scheduler - Error while reading stanza=[dbmon-tail://DB_Audit/DB_Audit_Tail]: com.splunk.config.SplunkConfigurationException: No output.format defined for stanza dbmon-tail://DB_Audit/DB_Audit_Tail 2013-06-21 11:23:16.671 dbx7573:INFO:DatabaseInfoCommand - Fetching schemas for database=DB_Audit 2013-06-21 11:23:18.714 dbx179:INFO:DatabaseInfoCommand - Fetching tables for database=DB_Audit 2013-06-21 11:30:16.066 dbx5726:INFO:DatabaseInfoCommand - Fetching schemas for database=DB_Audit 2013-06-21 11:30:17.237 dbx373:INFO:DatabaseInfoCommand - Fetching tables for database=DB_Audit Any idea what this error is? Thanks, ... View more

Re: Splunk for Active Directory

by in All Apps and Add-ons
‎06-18-2013 09:07 AM
‎06-18-2013 09:07 AM
I believe so. It's just taking forever to pull in the WinEventLog:Security logs. It's taken over a day to get the prior days events. I was trying to figure out the settings to send only new data but I haven't got that worked out yet. Everything else seems to be coming in fine. ... View more

Re: Universal Forwarder Installation

by in All Apps and Add-ons
‎06-16-2013 03:53 PM
‎06-16-2013 03:53 PM
Thanks for your quick response. I've updated my original question with a sample of my inputs.conf from btool. In looking at several of the stanza's the sourcetype doesn't appear to be set. Is that normal? I also looked at my Splunk Deployment app and it does see the forwarder and it says that it's active so it must be communicating something. I'm wondering if there is an error in the sourcetype? ... View more

Universal Forwarder Installation

by in All Apps and Add-ons
‎06-16-2013 02:11 PM
‎06-16-2013 02:11 PM
Quick question, I'm still getting my feet wet with Splunk but I was wondering how long does it typically take to receive data after installing a universal forwarder? Does it depend on the how much or type of data? I'm trying to setup a test environment for testing the Splunk for AD app. I have a Win 2008 R2 Box setup as a domain controller forwarding to a Splunk 5.0 instance on linux. I'm testing what happens when I modify the inputs.conf file. From what I'm seeing after I modify the inputs.conf file and restart the service it can take hours before any data is received. Is that normal? I've tried adjusting the input.conf files so I only get the new data but nothing seems to happen. I have done a default install of the Splunk for AD app in my Windows system. Installed the universal forwarder without selecting any inputs. After it was installed I stopped the service and copied the Windows, DNS and Domain Controller TA to the apps folder. Below is a sample output from the btool of some of the inputs that were enabled. The documentation stated if you didn't need to update the indexes then the default would work. That's what should be displayed below. Sample inputs.conf: C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DomainController-NT6\default\inputs.conf [WinEventLog:Key Management Service] C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DNSServer-NT6\default\inputs.conf counters = * C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DomainController-NT6\default\inputs.conf disabled = 0 C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf evt_dc_name = C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf evt_dns_name = C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf host = ******** C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DomainController-NT6\default\inputs.conf index = winevents C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DNSServer-NT6\default\inputs.conf instances = * C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DNSServer-NT6\default\inputs.conf interval = 10 C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DNSServer-NT6\default\inputs.conf object = Processor C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DomainController-NT6\default\inputs.conf queue = parsingQueue C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DomainController-NT6\default\inputs.conf sourcetype = "WinEventLog:Key Management Service" C:\Program Files\SplunkUniversalForwarder\etc\apps\MSICreated\local\inputs.conf [WinEventLog:Security] C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf checkpointInterval = 5 C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DNSServer-NT6\default\inputs.conf counters = * C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf current_only = 0 C:\Program Files\SplunkUniversalForwarder\etc\apps\MSICreated\local\inputs.conf disabled = 0 C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf evt_dc_name = C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf evt_dns_name = C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf evt_resolve_ad_obj = 1 C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf host = ******** C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DNSServer-NT6\default\inputs.conf index = perfmon C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DNSServer-NT6\default\inputs.conf instances = * C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DNSServer-NT6\default\inputs.conf interval = 10 C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DNSServer-NT6\default\inputs.conf object = Processor C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf start_from = oldest C:\Program Files\SplunkUniversalForwarder\etc\apps\MSICreated\local\inputs.conf [WinEventLog:Setup] C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf checkpointInterval = 5 C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DNSServer-NT6\default\inputs.conf counters = * C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf current_only = 0 C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf disabled = 1 C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf evt_dc_name = C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf evt_dns_name = C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf host = ******** C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DNSServer-NT6\default\inputs.conf index = perfmon C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DNSServer-NT6\default\inputs.conf instances = * C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DNSServer-NT6\default\inputs.conf interval = 10 C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DNSServer-NT6\default\inputs.conf object = Processor C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf start_from = oldest C:\Program Files\SplunkUniversalForwarder\etc\apps\MSICreated\local\inputs.conf [WinEventLog:System] C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf checkpointInterval = 5 C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DNSServer-NT6\default\inputs.conf counters = * C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf current_only = 0 C:\Program Files\SplunkUniversalForwarder\etc\apps\MSICreated\local\inputs.conf disabled = 0 C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf evt_dc_name = C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf evt_dns_name = C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf host = ******** C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DNSServer-NT6\default\inputs.conf index = perfmon C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DNSServer-NT6\default\inputs.conf instances = * C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DNSServer-NT6\default\inputs.conf interval = 10 C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DNSServer-NT6\default\inputs.conf object = Processor C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf start_from = oldest ... View more

Re: Splunk for Active Directory

by in All Apps and Add-ons
‎06-13-2013 02:40 PM
‎06-13-2013 02:40 PM
Hmm, maybe it's the user I'm using then. I was just installing it with the Administrator account. ... View more

Re: Splunk for Active Directory

by in All Apps and Add-ons
‎06-13-2013 12:37 PM
‎06-13-2013 12:37 PM
I'm running it as local user at this point. I can get the AD data when I add the TA for domain controllers but I can't seem to get the WinEventLogs when I modify the the Windows_TA. Is there an order of precedence issue here between the inputs.conf files? ... View more

Splunk for Active Directory

by in All Apps and Add-ons
‎06-13-2013 08:20 AM
‎06-13-2013 08:20 AM
I'm having a good time trying to configure Splunk for Active Directory on a universal forwarder using the remote data collection option. What groups does the user need to be added to in order to get this option to work? I have tried adding them to everything and I keep getting an error. Is it possible to use the the local option? I'm also having trouble enabling the WinEventLogs using the Windows TA inputs.conf file. They appear to be enabled but I'm not receiving any events. Where is the correct place to enable those events? I have a Splunk indexer running on a Linux and one Domain Controller. Thanks ... View more

Re: TA for Windows AD

by in All Apps and Add-ons
‎06-06-2013 08:28 AM
‎06-06-2013 08:28 AM
Thanks for your quick response I was a little confused by the documentation. Basically I would copy over the correct TAs to the \SplunkUniversalForwarder\etc\apps folder and If I'm happy with the defaults then I'm done. ... View more

Re: TA for Windows AD

by in All Apps and Add-ons
‎06-06-2013 08:28 AM
‎06-06-2013 08:28 AM
Thanks for your quick response I was a little confused by the documentation. Basically I would copy over the correct TAs to the \SplunkUniversalForwarder\etc\apps folder and If I'm happy with the defaults then I'm done. ... View more

TA for Windows AD

by in All Apps and Add-ons
‎06-06-2013 07:59 AM
‎06-06-2013 07:59 AM
Hi everyone, Splunk newbie here. I'm currently trying to install the Splunk App for Active Directory version 1.2 and I wanted to make sure I understood the steps for configuring the Universal forwarder. Do I need to install the Splunk App for AD on the universal forwarder or just the Technology Add On that came with the app? Do I need to do any additional configuration at that point? Thanks ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM
Karma given to
View All