cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
wcolgate_splunk
Splunk Employee
Member since: ‎06-01-2011
‎04-04-2023
Community Statistics
Posts 57
Solutions 8
Karma Given 13
Karma Received 23
Member Since ‎06-01-2011
Activity Feed
View All

Re: What is Splunk-MonitorNoHandle.exe?

by Splunk Employee in Getting Data In
‎04-04-2023 08:39 AM
‎04-04-2023 08:39 AM
Splunk-MonotorNoHandle.exe is a modular input. It is designed to monitor live IO writes to files without opening a Windows File Handle.  It can be configured by adding a stanza to etc\local\inputs.conf. If it has not been configured, it will by default, start-up and run it's introspection every 60 seconds. It can be disabled complete (i.e. never run) by setting its default stanza with the following keys: run_introspection = false disabled = true ... View more

Re: WinEventLog - Appliction and Services Logs

by Splunk Employee in Splunk Search
‎05-26-2022 01:35 PM
‎05-26-2022 01:35 PM
The syntax for Windows event log stanza is: [WinEventLog://<channel-name>] ... View more

Re: AD Monitor (admon) input not working with erro...

by Splunk Employee in All Apps and Add-ons
‎06-03-2021 10:45 AM
‎06-03-2021 10:45 AM
Also the error 0x20 can be decoded here:  https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ldap/return-values   It means "no such object"  ... View more

Re: AD Monitor (admon) input not working with erro...

by Splunk Employee in All Apps and Add-ons
‎06-03-2021 10:23 AM
‎06-03-2021 10:23 AM
The docs say "fully qualified" A fully qualified Lightweight Directory Access Protocol (LDAP) name (for example: "LDAP://OU=Computers,DC=ad,DC=splunk,DC=com") that specifies where in the AD tree that Splunk Enterprise begins its indexing. The software starts there and enumerates down to sub-containers, depending on the configuration of the monitorSubtree setting. The value of startingNode must be within the scope of the DC you are targeting for Splunk Enterprise to get AD data.     ... View more

Re: RegMon Error

by Splunk Employee in Getting Data In
‎01-08-2019 10:01 AM
1 Karma
‎01-08-2019 10:01 AM
1 Karma
There is something in your inputs.conf file that is a bad regex. Can you post your inputs.conf? ... View more

Re: Splunk registry monitor (splunk-regmon) genera...

by Splunk Employee in Splunk Dev
‎04-17-2018 09:48 AM
‎04-17-2018 09:48 AM
In the cases of most modular inputs, interval is not what you think it is. Interval is how often to restart the mod input if it exits, either on purpose or on error/crash. For the registry monitor -- it runs continuously. There is a driver component and a usermode component. The driver monitors the registry for the key(s)/subkeys requested in the stanza (and by operation). The usermode component pulls that information from the driver. If you are getting too much data, maybe you are requesting too broad a collection to monitor. The registry is heavily used by everything in a windows OS. ... View more

Re: Having trouble getting started with the Java A...

by Splunk Employee in All Apps and Add-ons
‎12-13-2017 08:44 AM
‎12-13-2017 08:44 AM
So I can drop the JMX polling app (the mod input) once I can get the agent working? Sounds good. The java agent, with the byte code injection/tracing is where I want to end up. ... View more

Re: Having trouble getting started with the Java A...

by Splunk Employee in All Apps and Add-ons
‎12-12-2017 03:58 PM
‎12-12-2017 03:58 PM
I did not alter the jmx.xml file. Nothing in the instructions indicated I should mess with it for an out-of-the-box installation. I think that problem #1 is what is holding things back -- because even if #2 were true (i.e. not hitting any of the classes/methods) , my app would be generating output, but does not. The symptom looks like my app doesn't even run at all and hangs. When using just the monitor the JVM app (https://splunkbase.splunk.com/app/668/), my application runs and generates data, and the monitoring app does poll data from the JVM. Can your two apps be running at the same time? (i.e. the agent & the JMX monitoring?) ... View more

Re: Having trouble getting started with the Java A...

by Splunk Employee in All Apps and Add-ons
‎12-12-2017 12:24 PM
‎12-12-2017 12:24 PM
log file: ((changed the extension to satisfy the upload constraints)) link text properties file: ((changed the extension to satisfy the upload constraints)) link text CLI: java.exe -Dcom.sun.management.jmxremote.port=9999 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -javaagent:splunkagent.jar=splunkagent.properties -jar C:\wrk\git\simdata\build\libs\simdata-1.0-alpha.jar --scene C:\wrk\git\simdata\demo\src\main\resources\app-management-simple.json --simulation C:\wrk\git\simdata\demo\src\main\resources\app-management-simple.simulation ... View more

Having trouble getting started with the Java Agent

by Splunk Employee in All Apps and Add-ons
‎12-12-2017 10:06 AM
‎12-12-2017 10:06 AM
I would like to instrument my Java application. While I was successful with the monitoring the JVM application (https://splunkbase.splunk.com/app/668/), I'm having a difficult time getting the Java Agent app working. My environment is Windows 10 Pro, JDK and JRE 1.8. My java app generates data over HEC to splunk. And I want to splunk my splunk app. I've followed the instructions in the readme (I removed out the .properties file from the .jar and edited it locally). But running the app with the java agent produces no output, neither by my app, nor by the java agent. Without the java agent, my app generates data as expected. I've enabled DEBUG in the agent, and it does read the properties and spits out some data to the log file at what looks like a polling interval; but other than that, nothing else is going on. BTW, the agent is supposed to be target HEC for data, not TCP. Did any one else have any issues right out of the box? Anything the community learned that might help me debug my situation? ... View more

Re: Running Universal Forwarder with non-administr...

by Splunk Employee in Getting Data In
‎10-25-2017 08:26 AM
‎10-25-2017 08:26 AM
Anand: Would you like to follow up on your issue directly? ... View more

Re: Home Monitor: Has anyone tried to add support ...

by Splunk Employee in All Apps and Add-ons
‎02-15-2017 03:58 PM
‎02-15-2017 03:58 PM
There are definitely some tweaks that will be necessary. I ran through some of the overview dashboards, with the following results: Bandwidth overview: all 3 panels show "no results found" Home network overview: my public IP: 0.0.0.0, Total Events and inbound events show data, as does devices on the network (5) .. but that seems wrong. I got many many devices on the network :-). All other panels say "no results found". Check for intrusions: none (that might be right ;-)). Blocked traffic: Only the top ports request panel shows data, all other panels say, "no results found" network event overview: shows a graph of my two subnets, all other panels say, "no results found" Network inbound: has all panels reporting data! Network outbound: all panels say, "no results found". I didn't try the device specific/experimental/etc... ... View more

Home Monitor: Has anyone tried to add support for ...

by Splunk Employee in All Apps and Add-ons
‎01-19-2017 10:11 AM
1 Karma
‎01-19-2017 10:11 AM
1 Karma
Has anyone tried to add support for Ubiquiti routers? Before I trudge through the syslog output that I've already captured and try to figure out the right props and transforms, I thought I'd ask to see if someone has already done so. ... View more

Re: How to add _meta Tags to modular inputs, i.e. ...

by Splunk Employee in Getting Data In
‎09-07-2016 08:28 AM
‎09-07-2016 08:28 AM
Here is a sample using the windows specific modular input splunk-winevtlog.exe's .conf file: [default] host = Win2k8sup04 [WinEventLog] _meta= global::fromUF-master [WinEventLog://System] disabled = 0 _meta= test::SystemUF [WinEventLog://Security] disabled = 0 [WinEventLog://Application] disabled = 0 _meta= test::ApplicationUF global::fromUF The behavior in this example is: The System stanza gets only one field test (it overrides the default). The Security stanza gets only one field global (as set by default) The application stanza gets both fields test and global (it overrides the default). ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎04-04-2023 11:59 AM
Karma from