Take a look at the URL Toolbox or the URL Parser in Splunkbase
URL Parser
https://splunkbase.splunk.com/app/3396/
URL Toolbox
https://splunkbase.splunk.com/app/2734/
I believe this could be because the TCP port you are using is 8000, which is the web interface. Try 8088. It also looks like you need to be using HTTPS, not HTTP.
https://docs.docker.com/engine/admin/logging/splunk/#splunk-options
Docs Here.
http://docs.splunk.com/Documentation/Splunk/6.3.0/Data/SyslogTCP
Splunk Add-on for Cisco IOS based devices:
https://splunkbase.splunk.com/app/1467/#/documentation
Considerations:
1. It is best practice to send syslog to a centralized syslog server. Install a universal forwarder on the syslog server and tail the syslog log files.
2. Create an index to store the data and set access control / retention.
3. Are there any TAs or Splunk Apps you can use? Search https://splunkbase.com for cisco.
Hope this helps.
Not sure how that would work. A single line for x number of message types won't work as a visualization. You could do a stacked column chart view instead of a line chart. The above should produce multiple lines, each a different color, with one line for each message type over time.
This can be caused by network connectivity issues or by an indexing tier that cannot keep up.
Take a look at your TCPIn and Indexing Queues on the Indexer.
https://wiki.splunk.com/Community:HowIndexingWorks
Have you seen the KV Store in Splunk? For a 3GB file you may benefit from leveraging the Splunk KV Store. http://dev.splunk.com/view/SP-CAAAEY7
I would leverage Splunk Stream to capture the DNS Traffic: https://splunkbase.splunk.com/app/1809/
Can be installed on a Network Tap or on the 2012 DNS Server directly with the UF.
Otherwise, you can use the built-in analytic logging for DNS and have the UF tail the file.
If I am reading this correctly, you made the changes, tried to reindex data you had indexed previously (historical), and these files did not index. Likely the fishbucket thinks the files have been indexed before. See this post in Answers:
https://answers.splunk.com/answers/72562/how-to-reindex-data-from-a-forwarder.html
Look at this link:
http://docs.splunk.com/Documentation/Splunk/6.2.0/Forwarding/Routeandfilterdatad#Forward_data_for_a_single_index_only
outputs.conf: in $splunkhome$/etc/system/local/outputs.conf
Something like what is below:
[tcpout]
defaultGroup = local
indexAndForward = true
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = alerts
[tcpout:whatever]
Whatever it is set to now should work if it is already forwarding everything.
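An added example, not code from the answer above or from Splunk: a small Python checker that reads the forwardedindex rules out of a tcpout stanza and reports which indexes would actually be forwarded, so the stanza can be verified before it is deployed. It encodes three assumptions about outputs.conf semantics that the reader should confirm against the spec for their version: rules are evaluated in numeric order with the highest-numbered matching rule winning, each regex must match the whole index name, and an index matched by no rule is not forwarded. The stanza text and index names are constructed for the example. Alongside the stanza from the answer it also evaluates the blacklist-everything-then-whitelist-one variant that the linked "single index only" doc section describes.

```python
import re

# Constructed sample: the tcpout stanza from the answer above, as text.
STANZA_TEXT = """[tcpout]
defaultGroup = local
indexAndForward = true
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = alerts
"""

# Same rules as (n, kind, regex) tuples, sorted by rule number.
RULES_FROM_ANSWER = [
    (0, "whitelist", r".*"),
    (1, "blacklist", r"_.*"),
    (2, "whitelist", r"alerts"),
]

# Constructed variant for the "forward a single index only" case:
# blacklist everything, then whitelist just the one index.
RULES_SINGLE_INDEX = [
    (0, "blacklist", r".*"),
    (1, "whitelist", r"alerts"),
]

# Constructed index names, including two internal (underscore) indexes.
SAMPLE_INDEXES = ["main", "alerts", "_internal", "_audit", "firewall"]

_RULE_LINE = re.compile(
    r"^\s*forwardedindex\.(\d+)\.(whitelist|blacklist)\s*=\s*(.+?)\s*$"
)


def parse_forwardedindex(stanza_text):
    """Extract forwardedindex.<n>.whitelist/blacklist lines from stanza text.

    Other keys (defaultGroup, indexAndForward, ...) are ignored. Returns
    (n, kind, regex) tuples sorted by rule number.
    """
    rules = []
    for line in stanza_text.splitlines():
        m = _RULE_LINE.match(line)
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3)))
    return sorted(rules)


def is_forwarded(index_name, rules):
    """Decide whether one index is forwarded under the given rules.

    Assumptions (verify against outputs.conf.spec): rules apply in numeric
    order and the highest-numbered matching rule wins; regexes match the
    whole index name; an index no rule matches is not forwarded.
    """
    decision = False
    for _, kind, regex in sorted(rules):
        if re.fullmatch(regex, index_name):
            decision = (kind == "whitelist")
    return decision


def forwarded_indexes(index_names, rules):
    """Return the subset of index_names that the rules would forward."""
    return [name for name in index_names if is_forwarded(name, rules)]


if __name__ == "__main__":
    parsed = parse_forwardedindex(STANZA_TEXT)
    print("rules parsed from stanza:", parsed)
    print("forwarded (answer's stanza):", forwarded_indexes(SAMPLE_INDEXES, parsed))
    print("forwarded (single index):  ", forwarded_indexes(SAMPLE_INDEXES, RULES_SINGLE_INDEX))
```

Run against the constructed names, the answer's stanza forwards main, alerts and firewall and drops the underscore indexes, while the single-index variant forwards only alerts; the difference is the whole point of checking rule order before touching a production forwarder.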
You should just need the timechart command.
See Below:
index=baz host=server1 message="Bar*" | timechart count(message) by message usenull=f useother=f
The default retention is 90 days for Splunk Cloud. Additional storage units can be purchased, but you will have to get with a Splunk Sales team member for those details.
Take a look at the Splunk App for CEF:
https://splunkbase.splunk.com/app/1847/#/overview
http://docs.splunk.com/Documentation/CEFapp/1.0.0/DeployCEFapp/UsetheSplunkAppforCEF
From the documentation, you can do the CEF mappings and then define the output to send to your ArcSight instance.