Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Support for DSEE

tophdog
New Member
‎07-16-2010 08:54 PM

Hiya,

I work on a very large, maybe the largest unclassified DSEE implementation in existence. I'm starting to look at Splunk for managing all the log data for this implementation.

Question 1: What work already exists for Sun DSEE 6.x?

Thanx,

Chris

Tags (1)
0 Karma
Reply

tophdog
New Member
‎07-22-2010 03:39 AM

Heya Bill, thanks for that info!

I'm guessing now that the key I was missing there exactly was the transaction. I'm trying it now. Unfortunately, it seems to really slow down the searches. I'm waiting now for a search to come back (after configuring the transactiontypes.conf). The "scanned events" is increasing much slower with this transaction as part of the search. Without understanding much of the underlying database structure or how a search operates on a mechanical level with regards to I/O ops, etc, I can sense that this would be more expensive to do this collation.

I'd restart the search with a narrower time window except I seem to be in some kind of license Apollo13 right now. This search is running but I can't start a new one due to license violation... I need to re-up my trial I guess or go FREE maybe. In any case, I'll check up with in the morning and let you know how it goes.

I guess my next puzzle to try to solve once I get this rig working is how to distribute this kind of work.

CP

0 Karma
Reply

wdhathaway
Explorer
‎07-19-2010 01:15 AM

Something that has been helpful to me when dealing with DS logs in Splunk is defining transactions so I can search on something like a search filter, error code, or etime and then get all the operation + result pairings that match grouped together, or get all the transactions for that connection.

$ cat /Users/wdh/splunk/etc/system/local/transactiontypes.conf

[connection] 
fields = conn

[operation]
fields = conn,op

eof

Searches would look something like:

sourcetype="dsee_access" earliest=-15m | transaction name=operation | search uid=user.101

to see all op/result lines that contained that uid somewhere

or

sourcetype="dsee_access" earliest=-15m | transaction name=operation | search errno=123

to see everything that happened during any connection that had errno 123 occur

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...