Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About eckdale
eckdale
Path Finder
Member since:
04-20-2011
10-17-2022
Community Statistics
| Posts | 19 |
| Solutions | 1 |
| Karma Given | 11 |
| Karma Received | 4 |
| Member Since | 04-20-2011 |
Activity Feed
- Karma What is the recommended Stripe size for Splunk when cutting your RAID settings? for danny12345. 01-14-2021 11:53 AM
- Karma Re: Health warning - The percentage of small of buckets created (40) over the last hour is very high ... for louismai. 06-05-2020 12:50 AM
- Karma Re: After Updating the Add-on for Windows receive error "Could not load lookup=LOOKUP-app4_for_windows_security" for napomokoetle. 06-05-2020 12:50 AM
- Karma Compatibility with RSA Authentication Manager 8.3 for hmallett. 06-05-2020 12:49 AM
- Karma Re: Postfix Logs for Drainy. 06-05-2020 12:46 AM
- Karma Re: Deprecated machineTypes -v- machineTypesFilter for jbsplunk. 06-05-2020 12:46 AM
- Karma Re: SA-ldapsearch - NameError: name 'JAVA_HOME' is not defined for krugger. 06-05-2020 12:46 AM
- Karma Re: Syslog Server to Splunk showing incorrect host - During Splunk test before implementation for Ayn. 06-05-2020 12:46 AM
- Karma App for Windows Infrastructure 1.0.1 for rmsit. 06-05-2020 12:46 AM
- Karma Splunk App for Windows Infrastructure - LDAPSearch performance for dstaulcu. 06-05-2020 12:46 AM
- Got Karma for Deprecated machineTypes -v- machineTypesFilter. 06-05-2020 12:46 AM
- Got Karma for Deprecated machineTypes -v- machineTypesFilter. 06-05-2020 12:46 AM
- Got Karma for Deprecated machineTypes -v- machineTypesFilter. 06-05-2020 12:46 AM
- Got Karma for Re: Deprecated machineTypes -v- machineTypesFilter. 06-05-2020 12:46 AM
- Karma Re: How to monitor root owned logs while running Splunk as a non-root user for rvany. 06-05-2020 12:45 AM
- Posted Re: Compatibility with RSA Authentication Manager 8.3 on All Apps and Add-ons. 04-10-2020 10:14 AM
- Posted Re: Why am I getting different results for the same search on Splunk Search. 07-15-2019 01:33 PM
- Posted Re: Why am I getting different results for the same search on Splunk Search. 07-15-2019 01:27 PM
- Posted Why am I getting different results for the same search on Splunk Search. 07-15-2019 12:32 PM
- Tagged Why am I getting different results for the same search on Splunk Search. 07-15-2019 12:32 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 3 |
04-10-2020
10:14 AM
Or v8.4 for that matter
... View more
07-15-2019
01:33 PM
Per your instruction I took a look at Inspector (should have done this originally) and it does indicate: "Some transactions have been discarded. To include them, add keepevicted=true.
Adding that to the query does in fact resolve the issue.
... View more
07-15-2019
01:27 PM
So that's good to know. I'll inspect the job and look into search.log for more details.
Two questions then:
If I can't use transaction to group multiple events then what do I use?
My single-instance Splunk Enterprise server has 256GB of memory and appears to use very little of that memory. Am I really exhausting resources?
... View more
07-15-2019
12:32 PM
If I run the same search using two different time windows I consistently get different results.
I'm looking to count the number of email messages sent. The search query is simple:
index="linux" sourcetype="syslog" | transaction queue_id
When i search for a time range of 19:00:00 to 19:30:00 I get the following results (note from 19:21 on there are zero results):
If I then search for 19:21:00 to 19:22:00 I get the following results (note: now where are 245 events):
... View more
10-06-2017
08:28 AM
I understand that approach but do each of those apps E.G. DS-all_department-Input-windows_security contain the entire folder and file structure of the Splunk_TA_windows app. I.E. Are you copying Splunk_TA_windows, renaming the directory to DS-all_department-Input-windows_security and then dropping a custom local/inputs.conf ?
Or does the app DS-all_department-Input-windows_security just contain the custom local/inputs.conf?
... View more
09-11-2015
07:39 AM
Installed the update and the lookups are building as I type this. Thanks so much for the continued effort.
... View more
08-24-2015
10:04 AM
BTW: Just wanted to say thanks for the time you've dedicated to this.
... View more
08-24-2015
09:53 AM
Unfortunately both lookups are failing. In the context of the app i searched for:
tag=web
which returned several million matched events.
To be clear, I have configured 175 unique sites in the WA_settings.csv file (all IIS) but there are hosts with sourcetype=iis data that I have intentionally not included. Is that a problem? I.E. If I have two hosts, one test and one production, forwarding sourcetype=iis data and only include one of them (production) in the WA_settings.csv file, will the lookups fail?
... View more
08-24-2015
09:14 AM
The double-backslashes, or escaped backslashes, in the manual search are there because Splunk seems to require them when searching for a string that uses backslashes (I assume this is part of Splunk's Linux heritage). The lack of escaped backslashes in the WA_settings.csv file is a direct result of how the app builds the file itself when using the Setup > Websites form.
I assumed the app handled the use of backslashes in some manner however I too had noticed this early on in my troubleshooting and manually modified the WA_settings.csv file to include the escaped backslashes with no success.
I've upgraded the app to v1.4 and now see green check marks under the 'Configured' heading on the Setup > Websites form however building lookups still fails with no results.
... View more
08-17-2015
10:16 AM
Having a bit of an issue getting the Splunk App for Web Analytics setup completed. Here's some details:
Installed Splunk App for Web Analytics v1.31 on Search Head (v6.2)
The 'Available host and source combinations' panel appears to be working properly. I.E. I see the host(s) and sources I care about listed.
The 'Setup new website' panel appears to be working properly. I.E. After adding a site it is listed in the 'Configured websites' panel and is added to the WA_settings.csv file. Here's an example of the wildcards I'm using:
key,value,source,host
site,"mysite.mydomain.com","H:\inetpub\logs\LogFiles\my-site\W3SVC**","mynode-01"
I have verified the Role being used to set up the app (Admin) has the proper index listed for both 'indexes searched by default' and 'indexes'. In fact I've simply added 'All non-internal indexes' to both.
The following manual searches all return results:
tag="web"
sourcetype="iis"
source="H:\inetpub\logs\LogFiles\my-site\W3SVC*\"
| tstats prestats=t count where index= by host,source | stats count AS events by host, source | search host=""* OR source=""*
It seems like everything is in place, but when I go to build the lookups nothing is returned. Any help to narrow down my configuration oversight would be much appreciated.
... View more
02-09-2015
02:37 PM
Looks like the problem was caused by another application being deployed that took precedence. I'd be willing to bet this is t-shooting inputs 101 kind of stuff.
... View more
02-09-2015
02:32 PM
As it turns out I enabled monitoring of IIS logs about 10 minutes ago on a test server, using the ellipsis, which was based on reading the following Splunk documentation: Specify input paths with wildcards.
The path to my IIS logs is very similar:
H:/inetpub/logs/Logfiles/%sitename%/W3SVC%ID%/
So the stanza in my inputs.conf looks like:
# IIS Monitoring --------------------------------------------------------------
[monitor://H:\inetpub\logs\LogFiles\...\*.log]
disabled = false
sourcetype = iis
index = iis-logs
While this works I guess it doesn't directly answer you question so maybe not so helpful?
... View more
01-26-2015
12:55 PM
I am attempting to enable several Windows perfmon inputs with mixed success. Inputs such as CPU, LogicalDisk, Memory, etc. all work as expected. However inputs such as .NET CLR Exceptions, .NET CLR Memory, ASP.NET, ASP.NET Applications, and Web Services don't seem to work at all.
A few more details:
Splunk v6.2
Remote system OS: Windows Server 2012 R2
Remote system has SplunkUniversalForwarder installed (v.6.2.1)
inputs.conf is being pushed by Splunk Deployment server.
Inputs.conf:
# Performance Monitoring ------------------------------------------------------
[perfmon://CPU]
disabled = false
counters = % Processor Time; % User Time;
instances = *
interval = 10
object = Processor
useEnglishOnly = true
index = perfmon-ent-wsl
[perfmon://LogicalDisk]
disabled = false
counters = % Free Space; Free Megabytes; % Disk Time; Avg. Disk sec/Read; Avg. Disk sec/Write; Avg. Disk sec/Transfer; Disk Reads/sec; Disk Writes/sec;
instances = *
interval = 10
object = LogicalDisk
useEnglishOnly = true
index = perfmon-ent-wsl
[perfmon://Memory]
disabled = false
counters = % Committed Bytes In Use; Committed Bytes; Available MBytes; Page Reads/sec, Page Writes/sec;
interval = 10
object = Memory
useEnglishOnly = true
index = perfmon-ent-wsl
[perfmon://Network]
disabled = false
counters = Bytes Received/sec; Bytes Sent/sec; Bytes Total/sec;
instances = *
interval = 10
object = Network Interface
useEnglishOnly = true
index = perfmon-ent-wsl
[perfmon://System]
disabled = false
counters = System Up Time; Processor Queue Length;
instances = *
interval = 60
object = System
useEnglishOnly = true
index = perfmon-ent-wsl
[perfmon://.NET CLR Exceptions]
disabled = false
counters = # of Exceps Thrown / sec;
instances = _Global_
interval = 10
object = .NET CLR Exceptions
useEnglishOnly = true
index = perfmon-ent-wsl
[perfmon://.NET CLR Memory]
disabled = false
counters = # Total committed Bytes;
instances = _Global_
interval = 10
object = .NET CLR Memory
useEnglishOnly = true
index = perfmon-ent-wsl
[perfmon://ASP.NET]
disabled = false
counters = Application Restarts; Request Wait Time; Requests Queued;
instances = *
interval = 10
object = ASP.NET
useEnglishOnly = true
index = perfmon-ent-wsl
[perfmon://ASP.NET Applications]
disabled = false
counters = Requests/Sec;
instances = __Total__
interval = 10
object = ASP.NET Applications
useEnglishOnly = true
index = perfmon-ent-wsl
[perfmon://Web Service]
disabled = false
counters = Get Requests/sec; Post Requests/sec; Current Connections;
instances = _Total
interval = 10
object = Web Service
useEnglishOnly = true
index = perfmon-ent-wsl
... View more
05-29-2014
03:29 PM
I found that by simply editing the 'indexes searched by default' of the applicable user role to include the indexes I cared about resolved the issue.
... View more
05-29-2014
01:23 PM
I think you've found the issue. If I search "index=winevents" I see the 4 unique sources that I thought were missing. If I search "source="WinEventLog:Application" I see the index=main. As a Splunk newbie I find the concept of Search & Report not actually searching all of the indexes strange... or maybe it would be more accurate to say that I find it strange that they Splunk App for Windows Infrastructure is placing Windows Event log data into more than one index.
... View more
05-29-2014
01:02 PM
I understand that the TA-DNSServer-NT6 app has specific inputs enabled what I don't understand is why I don't see the 'WinEventLog:DNS Server' as an indexed source unless I explicitly search for it.
... View more
05-29-2014
12:45 PM
Splunk newbie here.
I've installed the Splunk App for Windows Infrastructure to my central instance (indexer + search head) and deployed the following application to my 2008 R2 AD DCs: Splunk_TA_windows, TA-DNSServer-NT6, and TA-DomainController-NT6.
Everything appears to be in order but I am not seeing some expected sources in the index. Specifically if I go to Splunk Search and Reporting > Data Summary, I see:
WinEventLog:Application
WinEventLog:Security
WinEventLog:System
Perfmon:Memory
Perfmon:LocalNetwork
Perfmon:FreeDiskSpace
Perfmon:CPUTime
some more sources...
However if I enter the following search:
index=winevents source="WinEventLog:DNS Server"
Results are returned which confuses me because WinEventLog:DNS Server isn't listed as an indexed source.
... View more
02-24-2012
07:32 AM
1 Karma
Yes. sorry I should have noted that.
... View more
02-23-2012
08:45 AM
3 Karma
The Splunk v4.3 spec for serverClass.conf indicates that attribute 'machineTypes' has been deprecated and the preferred attribute is 'machineTypesFilter'. However it seems that with my configuration the deprecated attribute works and the new attribute does not. I.E. Deployment app gets deployed when using the deprecated attribute versus preferred attribute.
It should be noted that I am a Splunk novice. Here is a copy of my test serverClass.conf:
# -----------------------------------------------------------------------------
# File name: serverclass.conf
# Author: Slunk newbie
# Date: 02/22/2012 16:21:55
# Keywords: configuration
# Comments:
# $SPLUNK_HOME/etc/system/local/serverclass.conf
# -----------------------------------------------------------------------------
[global]
repositoryLocation = $SPLUNK_HOME/etc/deployment-apps
targetRepositoryLocation = $SPLUNK_HOME/etc/apps
# Server classes --------------------------------------------------------------
[serverClass:all-searchheads]
whitelist.0 = myhost.skunkworks.root.local
[serverClass:all-indexers]
whitelist.0 = myhost.skunkworks.root.local
[serverClass:all-forwarders]
blacklist.0 = vlab-mgmt-02.skunkworks.root.local
whitelist.0 = *
[serverClass:all-machinetypes]
whitelist.0 = *
[serverClass:all-adds]
whitelist.0 = addc-01.root.local
whitelist.1 = addc-03.skunkworks.root.local
# Applications ----------------------------------------------------------------
[serverClass:all-forwarders:app:universalfwd]
stateOnClient = enabled
restartSplunkd = true
[serverClass:all-forwarders:app:std-winevt-logs]
stateOnClient = enabled
restartSplunkd = true
machineTypesFilter = windows-x64, windows-x86, windows-intel
[serverClass:all-adds:app:ad-monitor]
stateOnClient = enabled
restartSplunkd = true
machineTypesFilter = windows-x64, windows-x86, windows-intel
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
10-17-2022
07:05 PM
|
