Assuming you have installed Splunk Enterprise in the default location ("C:\Program Files\Splunk"), which is also known as $SPLUNK_HOME path: Open Command Prompt Navigate to $SPLUNK_HOME\bin folder Issue the command splunk start and wait for the application to start. Normally, Splunk Enterprise setup would create a service (should be listed in Services.msc console) and set it to start Automatically at OS boot. Another 'legacy' service would be in 'Manual' mode and is not necessary to be started for Splunk to run properly. This service status can be safely ignored. Look forward to your comments/feedback/vote. Rgds, Mitesh. ... View more

The new version of Kaspersky Security Center 10.3.x can send the fresh (as well as historical data available in backend DB) to Splunk in CEF format. Just provide the IP address and port number of Splunk Indexer. Run the Console. Expand the node Reports and notifications → Events. Select Properties in the context menu. On the Exporting events tab, select the check box Automatically export events to SIEM system database. Select Splunk from the drop-down list and specify the address of your SIEM server. Click OK. Hope this helps. Regards, Mitesh. ... View more

The documentation of the App states : BEFORE YOU START USING THE APPLICATION, PLEASE CONTACT KASPERSKY LAB TO GET KASPERSKY THREAT FEED SERVICE AND ACCESS TO KASPERSKY THREAT INTELLIGENCE DATA FEEDS. Kindly reach out to anyone in Kaspersky Lab team in your region for obtaining trial access to the feed service. Kaspersky Threat Feed App for Splunk and Feed Service have the following system requirements. Supported operating systems: Linux x64 Software requirements: Splunk 6.2+ & Python 2.6, 2.7 Source URL: https://help.kaspersky.com/KFS/1.0/en-EN/98426.htm Make sure your system meets the stated requirements. Please share your experience. Mitesh. ... View more

In case, you do not find anything relevant to the context of the topic, feel free to use the Visio/OmniGraffle stencils to create your own diagrams. Contact me offline and I will be happy to help you as well. ... View more

Apart from the list of the questions, there are some more that would be useful for a Splunk Solution Architect: Is this a stand-alone Splunk instance or a distributed deployment. How are the Indexers placed (close of Application Servers or away in another DataCenter) By default, FWDR are configured for consuming 256kbps of bandwidth. Is this sufficient or can the customer/business unit allocate more? Do you need the logs in offline/archive format for Compliance/Regulatory reasons? If so, provision archival/backup storage accordingly. Are there any key terms within Application logs that should/can be discarded or route+filter special event logs to special index? Is there a plan to migrate the Application to a different platform (OS, language or on-premise-to-cloud, etc)? If so, get it documented right now. Suggest that OS and Network logs be collected/captured for better troubleshooting Application-related errors, latency problems, challenges/concerns in future. ... View more

In case, you are using the Common Information Model, then you can start your search as tag=Authentication . This will invoke the data from across all "relevant" indexes and will be much faster in returning results. ... View more

Here is the link: http://docs.splunk.com/Documentation/Splunk/6.3.2/Viz/DashboardPDFs#Limitations_to_PDF_generation And this is the direct text for quick view: Limitations to PDF generation Integrated PDF generation functionality has a few limitations: PDFs for dashboards with multiple panels in a row might generate with only a single panel per row. You cannot generate PDFs of dashboards that are built using advanced XML or HTML. Splunk only supports PDF generation from dashboards built with simple XML. You cannot generate PDFs for forms. PDF generation ignores charting customizations that are not supported by the JSChart charting library. The finished PDF displays the panels as rendered in JSChart with the unsupported customizations removed. Hope this helps. Mitesh. ... View more

Have a look at the Fire Brigade App. You might find a lot of useful panels which can be re-used to fit your purpose. It comes with a TA to gather info from across other Splunk instances too. ... View more

If your download trial is over 60-day period, you cannot extend the trial duration by simply copying the license from another download trial or overwriting the existing Splunk instance with a fresh download copy. (this is most likely your case since you mentioned 'splunk.license' file name, commercial/paid enterprise license files are named differently.) Also a download trial only allows 3 warnings before it locks down your search (except searching _internal index). A reset license only allows to reset the count of the warnings but will not extend your trial license for another 60-day window. ... View more

I have updated the answer with path to the directory where the jar file needs to be copied. Hope this helps. Mitesh. ... View more

Couple of things: 1. Grab MS SQL Server JDBC Driver 4.0 from here. Extract and drop the sqljdbc4.jar file to $SPLUNK_HOME/etc/apps/splunk_app_db_connect/bin/lib directory. 2. Restart Splunk. 3. Download the DB Connect App 2.0.4. 4. Configure MS SQL Server to use Mixed Authentication (try it before-hand via Management Console or CLI, your choice). More Troubleshooting steps can be referred here. If this answer has helped you, please vote and mark this as accepted answer. Thanks, Mitesh. ... View more

Check if this one works for you: ... | fieldformat time_field = strftime(time_field, "%H:%M:%S %d/%b/%Y") ... View more

+1 to what @Esix said. Additionally, there are times when firewalls and auth/transparent proxies play evil and restrict the connection. ... View more

There are handful number of apps which can help you with field extractions. Have a look at this list and pick what meets your requirement or is the closest. Mitesh. ... View more

One of the line in the message log reads "Connection refused.". Check: 1. MSSQL is set to use SQL Authentication. 2. JAVA_HOME is auto-detected by the app while setting it up after installation. 3. If using DBX 1.1.7, use jre7u or jre8u45 for DBX 2.0.x Pls share what OS/SQLver/JREv are you have in your setup. Mitesh. ... View more

@kobayashikenji I am bit curious to know about the purpose of force-stopping Splunk. 🙂 ... View more

AFAIK, cron does not go down to sub-minute resolutions/granularity. ... View more

Splunk Docs link for "Naming conventions for apps and add-ons on Splunkbase" : http://docs.splunk.com/Documentation/Splunkbase/latest/Splunkbase/Namingguidelines Mitesh. ... View more

You can kill all processes on 'splunkd' with kill `ps -ef | grep splunkd | egrep -v grep | awk '{print $2}'` But, just like @esix_splunk mentioned, make sure you restart Splunk with the correct user and that, using Splunk's native commands to Start/Stop/Restart the service is much cleaner. Mitesh. ... View more

Here is the doc link that explains how Splunk handles log file rotation. On the other hand, you can also add ignoreOlderThan = stanza in inputs.conf file, with value mentioned as {number}{unit} (without brackets). For example, "7d" indicates one week. Valid units are "d" (days), "h" (hours), "m" (minutes), and "s" (seconds). Let us know what worked for you so others visiting this post can learn/re-use. Regards, Mitesh. ... View more

You can use Whitelist stanza in your inputs.conf. You can add the keywords/event-codes that are part of the events you wish to capture. Here is the doc link for detailed explanation. Mitesh. ... View more

Or you can consider looking for details like 'passwords captured in plain text and stored in logs', SSN or Credit Card Numbers in your logs. ... View more