Technical Support Downloads
These downloads are not tested or warrantied. They are offered on an as-is basis to help you use Splunk. See the full legal disclaimer below.
Splunk Version 3.x
3.3 RPM Spec files
32 bit RPM spec file
64 bit RPM spec file
Copies of our 3.3 RPM spec files to facilitate creation of custom RPM packages built from the tar installs.
3.2 Light weight forwarder config
manage_config.py.gz
In version 3.2 the command ./splunk set server-type forwarder results in an error. The replacement manage_config.py below addresses that error.
INSTALLATION
- Right click on the manage_config.py.gz link, select "Save Target As" and save the file to your local system
- Copy the new manage_config.py.gz to your Splunk instance's $SPLUNK_HOME/lib/python2.5/site-packages/splunk/clilib/ directory
- Uncompress the file (gzip -d manage_config.py.gz)
3.1.4 updated sendemail.py
sendemail.py
Version 3.1.4 shipped a copy of $SPLUNK_HOME/etc/searchscripts/sendemail.py that prevented email attachments from containing the entire result set that is seen when the saved search is run via the UI.
INSTALLATION
- Right click on the sendemail.py link, select "Save Target As" and save the file to your local system
- Copy the new sendemail.py to your Splunk instance's $SPLUNK_HOME/etc/searchscripts/ directory
3.1.4 Dashboard does not render graph
odysseus.js.gz
Version 3.1.4 introduced a bug where certain reports will not render the proper chart or will not load at all. To resolve this issue, update the following JavaScript file:
INSTALLATION
- Right click on the odysseus.js.gz link, select "Save Target As" and save the file to your local system
- Copy the file to your Splunk instance's $SPLUNK_HOME/share/splunk/search_oxiclean/static/js/ directory
- Stop Splunk
- Navigate to $SPLUNK_HOME/share/splunk/search_oxiclean/static/js/
- Move odysseus.js to odysseus.js.bak
- Uncompress odysseus.js.gz
- Verify that the new odysseus.js has the same ownership and permissions as the .bak file (it must stay readable by the user Splunk runs as)
- Start Splunk
- Clear the browser cache on all systems that have accessed the dashboard
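The sendemail.py and odysseus.js steps above are the same operation: drop a vendor-supplied file over an installed one, keep the original for rollback, and make sure the replacement ends up with the original's owner, group and mode. The script below is an added example, not Splunk's own code and not part of these downloads; it assumes Linux with GNU coreutils (stat -c, sha256sum) and gzip, and it prints the old and new SHA-256 so the change can be recorded.

```shell
#!/bin/sh
# Added example, not Splunk's own code: install a vendor-supplied replacement
# file (plain or gzip-compressed) the way the 3.1.4 sendemail.py and
# odysseus.js steps describe: keep a .bak copy, give the new file the owner,
# group and mode of the file it replaces, and print both checksums for the
# change record. Assumes Linux/GNU coreutils (stat -c, sha256sum) and gzip;
# run it with Splunk stopped, as the user that owns $SPLUNK_HOME.

# Print "uid gid octal-mode" for a file (GNU stat first, BSD stat as fallback).
file_meta() {
    stat -c '%u %g %a' "$1" 2>/dev/null || stat -f '%u %g %OLp' "$1"
}

# replace_with_backup TARGET NEWFILE
#   TARGET  installed file to replace, e.g. $SPLUNK_HOME/etc/searchscripts/sendemail.py
#   NEWFILE downloaded replacement, either plain or ending in .gz
replace_with_backup() {
    target=$1; newfile=$2
    [ -f "$target" ]  || { echo "no such target: $target" >&2; return 1; }
    [ -f "$newfile" ] || { echo "no such replacement: $newfile" >&2; return 1; }
    meta=$(file_meta "$target") || return 1
    uid=${meta%% *}; rest=${meta#* }; gid=${rest%% *}; mode=${rest#* }

    cp -p "$target" "$target.bak" || return 1          # rollback copy, metadata preserved
    case "$newfile" in
        *.gz) gzip -dc "$newfile" > "$target.new" || return 1 ;;
        *)    cp "$newfile" "$target.new"          || return 1 ;;
    esac
    chmod "$mode" "$target.new" || return 1
    # chown only succeeds as root (or when the uid already matches); the verify
    # step below catches the case where it silently did nothing.
    chown "$uid:$gid" "$target.new" 2>/dev/null || true
    mv "$target.new" "$target" || return 1
    echo "old sha256: $(sha256sum "$target.bak" | cut -d' ' -f1)"
    echo "new sha256: $(sha256sum "$target"     | cut -d' ' -f1)"
}

# verify_same_meta TARGET: true only if TARGET and TARGET.bak agree on owner, group and mode.
verify_same_meta() {
    [ "$(file_meta "$1")" = "$(file_meta "$1.bak")" ]
}

# rollback TARGET: put the .bak copy back (content and metadata).
rollback() {
    [ -f "$1.bak" ] || { echo "no backup for $1" >&2; return 1; }
    cp -p "$1.bak" "$1"
}

# Usage for the dashboard fix, after stopping Splunk:
#   js=$SPLUNK_HOME/share/splunk/search_oxiclean/static/js/odysseus.js
#   replace_with_backup "$js" ./odysseus.js.gz && verify_same_meta "$js" || rollback "$js"
```

Because the page publishes no checksums for these downloads, the script cannot verify the replacement against a known-good value; recording the hashes it prints is the next best thing, and verify_same_meta failing is the signal that the script was run as the wrong user.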
Splunk2Nagios Integration
splunk2nagios
This package contains the files needed to add Splunk to your already running Nagios instance. Download the package, run the makefile, and customize it for your environment.
OPSEC LEA Integration
FW1-loggrabber
This package contains all the necessary files to create an OPSEC LEA bundle to drop into Splunk 3.0 or later. It builds on Linux and on Solaris with gmake and gcc installed.
INSTALLATION
In the working directory of the uncompressed archive, execute
make -f Makefile.linux install
or
make -f Makefile.solaris install
depending on your platform. This will compile and link the necessary objects and create a Splunk bundle in the "lea-bundle" directory. If there are compilation errors, please contact Splunk support.
Once the make command has been successfully executed, copy the lea-bundle directory to your $SPLUNK_HOME/etc/bundles directory. The directory $SPLUNK_HOME/etc/bundles/lea-bundle should exist when this is done.
CONFIGURATION
There are three relevant configuration files in the lea-bundle directory.
inputs.conf is a Splunk configuration file. See the Splunk documentation for information on how to modify this configuration. The default configuration will place any information from your Checkpoint target in the main index with sourcetype "opsec".
lea.conf is the file containing connection information between the loggrabber agent and the Checkpoint target. The default configuration contains values for unauthenticated, clear-text sessions between the loggrabber agent and the Checkpoint target: anyone on the network path can read the firewall log stream and neither side authenticates the other, so treat the default as suitable for a lab only. Documentation for configuring an authenticated, encrypted channel on the loggrabber agent's side is available in the doc directory. Substantial configuration is required on the Checkpoint side as well. Consult your Checkpoint documentation for that information.
fw1-loggrabber.conf is the file containing information on how the actual log extraction should behave. Sensible defaults are selected. Do not change the LOGGING_CONFIGURATION value from "screen" unless you make matching changes to inputs.conf, which is written to consume that output mode. It is recommended to set SHOW_FIELDNAMES to "yes"; this lets Splunk extract fields from the data more easily.
To communicate with more than one Checkpoint target, create multiple instances of the bundle in $SPLUNK_HOME/etc/bundles.
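The two settings that matter most in the paragraphs above are easy to get wrong silently: a lea.conf left at its unauthenticated clear-text default, and a fw1-loggrabber.conf with SHOW_FIELDNAMES off or LOGGING_CONFIGURATION moved away from "screen". The audit script below is an added example, not part of the FW1-loggrabber package or of Splunk; it assumes lea.conf uses the fw1-loggrabber settings "lea_server auth_type sslca", "opsec_sslca_file", "opsec_sic_name" and "lea_server opsec_entity_sic_name" as described in the package's doc directory, and that fw1-loggrabber.conf uses KEY="value" lines. Check both assumptions against the bundled documentation before relying on it.

```shell
#!/bin/sh
# Added example, not part of the FW1-loggrabber package: audit a lea-bundle
# before starting it, so an unauthenticated clear-text LEA session or a
# disabled SHOW_FIELDNAMES is caught on the indexer rather than in production.
# Assumptions (check against the doc directory): lea.conf uses
# "lea_server auth_type sslca", "opsec_sslca_file", "opsec_sic_name" and
# "lea_server opsec_entity_sic_name"; fw1-loggrabber.conf uses KEY="value" lines.

# conf_value FILE KEY: value of a KEY="value" (or KEY=value) line; last one wins.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# lea_setting FILE WORD1 [WORD2]: value token of a "WORD1 WORD2 value" or
# "WORD1 value" line in lea.conf, with # comments stripped first.
lea_setting() {
    sed -e 's/#.*//' "$1" | awk -v a="$2" -v b="${3:-}" '
        b != "" && $1 == a && $2 == b { v = $3 }
        b == "" && $1 == a            { v = $2 }
        END { print v }'
}

# audit_lea_conf FILE: succeed only if the session is authenticated (sslca) and
# the certificate file plus both SIC names are configured. Prints every finding.
audit_lea_conf() {
    f=$1; bad=0
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    case "$(lea_setting "$f" lea_server auth_type)" in
        sslca) ;;
        "")    echo "FAIL: no 'lea_server auth_type'; the default is an unauthenticated clear session"; bad=1 ;;
        *)     echo "FAIL: auth_type is not sslca"; bad=1 ;;
    esac
    [ -n "$(lea_setting "$f" opsec_sslca_file)" ] || { echo "FAIL: opsec_sslca_file not set"; bad=1; }
    [ -n "$(lea_setting "$f" opsec_sic_name)" ]   || { echo "FAIL: opsec_sic_name not set"; bad=1; }
    [ -n "$(lea_setting "$f" lea_server opsec_entity_sic_name)" ] \
        || { echo "FAIL: lea_server opsec_entity_sic_name not set"; bad=1; }
    [ -z "$(lea_setting "$f" lea_server port)" ] \
        || echo "WARN: clear-text 'lea_server port' still present; use auth_port only"
    return $bad
}

# audit_loggrabber_conf FILE: SHOW_FIELDNAMES must be yes and LOGGING_CONFIGURATION
# must stay screen, which is the output mode the bundled inputs.conf expects.
audit_loggrabber_conf() {
    f=$1; bad=0
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    [ "$(conf_value "$f" SHOW_FIELDNAMES | tr 'A-Z' 'a-z')" = "yes" ] \
        || { echo "FAIL: SHOW_FIELDNAMES must be \"yes\""; bad=1; }
    [ "$(conf_value "$f" LOGGING_CONFIGURATION | tr 'A-Z' 'a-z')" = "screen" ] \
        || { echo "FAIL: LOGGING_CONFIGURATION must stay \"screen\" unless inputs.conf is changed to match"; bad=1; }
    return $bad
}

# Usage, once the bundle is in place:
#   b=$SPLUNK_HOME/etc/bundles/lea-bundle
#   audit_lea_conf "$b/lea.conf" && audit_loggrabber_conf "$b/fw1-loggrabber.conf"
```

Run it against every copy of the bundle if you created several for multiple Checkpoint targets; the default lea.conf that ships with the bundle is exactly the case audit_lea_conf is meant to reject.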
Splunk Version 2.x
Determine Daily Usage
Splunk Usage Script
This script will determine the approximate daily usage of your Splunk index.
- Download the file to your $SPLUNK_HOME/var/log/splunk directory and uncompress it.
- Change the permissions of the file splunkUsage so that it can be executed (chmod +x splunkUsage)
- Run the script (./splunkUsage)
The script will read your splunkd.log, calculate the daily usage, and output the results to stdout. You can redirect the output to a flat file if you want to keep a permanent record.
Since this works by reading your splunkd.log, running ./splunk clean all on the instance will reset splunkd.log and the previous counts will be lost.
LDAP Timeout
LDAP Timeout fix for FreeBSD:
LDAP Timeout fix for Linux:
LDAP Timeout fix for Mac Intel:
LDAP Timeout fix for Mac PowerPC:
LDAP Timeout fix for Solaris x86:
LDAP Timeout fix for Solaris SPARC:
Splunk Server 2.2 has a problem with its LDAP connection management such that authentication stops working if the LDAP server times out the connection. This hotfix contains a solution for that problem.
- Obtain the archive appropriate for your platform. Place it in your $SPLUNK_HOME directory. (Default: /opt/splunk)
- If rollback capability is desired, copy the file $SPLUNK_HOME/lib/libframework.so.0.0.0 someplace safe.
- Stop Splunk. (Default: /opt/splunk/bin/splunk stop)
- Expand the archive. (tar xvf $HOTFIX_FILE.tar) Listing it first (tar tvf $HOTFIX_FILE.tar) shows exactly what will be overwritten under $SPLUNK_HOME. You should see the file $SPLUNK_HOME/lib/libframework.so.0.0.0 be replaced.
- Start Splunk. The product should behave as before, and LDAP authentication should keep working beyond the timeout configured on your LDAP server.
If for any reason rollback is desired, stop Splunk and replace $SPLUNK_HOME/lib/libframework.so.0.0.0 with the copy saved in step 2. Restart Splunk and the original functionality will be restored.
Disable the use of SQLlite in your index
Splunk Server 2.2 uses SQLite in the indexing of your data. Using SQLite adds overhead to the processing of your data which can adversely impact the performance of your Splunk install. These instructions move your index away from SQLite in favor of a flat file format.
- Stop your Splunk instance
- Save migration.tar.gz to your $SPLUNK_HOME/var/lib directory
- Navigate to your $SPLUNK_HOME/var/lib directory
- Source $SPLUNK_HOME/bin/setSplunkEnv
- Expand the archive. (tar -xzf migration.tar.gz)
- Run the command python sqlmigrate.py
- Verify that the newly created files are owned by the same user that owns all of the other Splunk files
- Edit $SPLUNK_HOME/etc/myinstall/pluginConfs/multiIndexer.xml by adding <useSqlLite>false</useSqlLite> immediately after the opening <config> tag
- Navigate to your $SPLUNK_HOME/bin/ directory
- Open the file splunk and comment out the following lines (shown here as they should look afterwards):
#for i in `find $DB_DIR | grep WordData`; do
# $SPLUNK_HOME/bin/sqlite3 $i "reindex keyvaluepairs_t"
#done
- Start Splunk and make sure everything looks ok
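The XML edit and the commented-out reindex loop above are hand edits to files that a later upgrade or a second operator may touch again. The script below is an added example, not Splunk's own code and not part of migration.tar.gz; it applies both edits idempotently with a backup, so running it twice cannot insert the element twice or double-comment the loop. It assumes multiIndexer.xml has a single opening <config ...> tag on its own line and that the splunk launcher script contains the three-line for/sqlite3/done loop quoted on this page.

```shell
#!/bin/sh
# Added example, not Splunk's own code: apply the two manual edits from the
# SQLite migration steps in an idempotent, backed-up way. Assumptions:
# multiIndexer.xml has one opening <config ...> tag on its own line, and the
# splunk launcher script contains the for/sqlite3/done loop quoted on the page.

# set_use_sqlite_false XMLFILE: insert <useSqlLite>false</useSqlLite> right after
# the opening <config> tag unless a <useSqlLite> element already exists.
set_use_sqlite_false() {
    f=$1
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    if grep -q '<useSqlLite>' "$f"; then
        grep -q '<useSqlLite>false</useSqlLite>' "$f"   # present: ok only if it says false
        return
    fi
    grep -q '<config[ >]' "$f" || { echo "no <config> element in $f" >&2; return 1; }
    [ -e "$f.bak" ] || cp -p "$f" "$f.bak" || return 1  # keep the first backup
    cp -p "$f" "$f.tmp" || return 1
    awk '!seen && /<config[ >]/ { print; print "<useSqlLite>false</useSqlLite>"; seen = 1; next }
         { print }' "$f.tmp" > "$f" && rm -f "$f.tmp"
}

# comment_out_reindex SCRIPT: comment out the "for i in `find $DB_DIR | grep WordData`"
# ... "done" loop in $SPLUNK_HOME/bin/splunk. Lines already starting with # are left alone,
# so a second run (or a script that was already edited by hand) is a no-op.
comment_out_reindex() {
    f=$1
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    [ -e "$f.bak" ] || cp -p "$f" "$f.bak" || return 1
    cp -p "$f" "$f.tmp" || return 1
    awk '
        !inblk && /grep WordData/ && !/^#/ { inblk = 1 }
        inblk {
            line = $0
            if (line !~ /^#/) line = "#" line
            print line
            if ($0 ~ /^#?[[:space:]]*done[[:space:]]*$/) inblk = 0
            next
        }
        { print }' "$f.tmp" > "$f" && rm -f "$f.tmp"
}

# Usage (Splunk stopped, run as the Splunk user):
#   set_use_sqlite_false "$SPLUNK_HOME/etc/myinstall/pluginConfs/multiIndexer.xml"
#   comment_out_reindex  "$SPLUNK_HOME/bin/splunk"
```

The .bak files it leaves behind are the rollback path if Splunk does not start cleanly afterwards.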
Splunk Chroot Package
The chroot is a separate download from the Splunk server. It will likely change infrequently, and you do not need to update the chroot every time you update Splunk. Install the chroot environment by untarring splunkchroot wherever you have room (the package is approximately 280M).
- Download the Splunk tar installer for your operating system from here
- Move the newly downloaded installer to the chrooted path
- Install the Splunk Server. It is easiest to use the tar version of Splunk server: download the splunk.tar distribution and unpack it in /opt. It is easiest if you install Splunk at /opt/splunk, but that is not necessary.
- Adding Data Inputs. Once Splunk is installed you are good to go. The trick is how to access data from within the chroot. If you want to tail files you will need to hardlink them into the chroot. For example, if you want to index /var/log from within the chroot you would need to hardlink the files into the chroot.
NOTE: You cannot hardlink a directory, and hard links only work within a single filesystem.
- Starting Splunk. There are two ways to manage Splunk. At the top level of the chroot are two scripts: splunk and dojail.sh. The splunk script proxies all calls through the chroot: ./splunk start will start Splunk in the chroot, and the same goes for all the CLI calls. If you do not want to proxy through the top-level script, or otherwise want to test or fix things in the chroot, enter the chroot with ./dojail bash. At that point you are inside the chroot and can do as you wish. It is best to set up and test from within the chroot.
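The "hardlink the files into the chroot" step above has two edges a practitioner hits quickly: directories cannot be hard-linked, so the tree has to be recreated with mkdir and only the files linked, and log rotation that renames and recreates a file leaves the link in the chroot attached to the old inode. The script below is an added example, not part of the Splunk chroot package; it assumes the chroot mirrors host paths (CHROOT/var/log for /var/log), that the chroot sits on the same filesystem as the logs (hard links cannot cross filesystems), and that log paths contain no spaces.

```shell
#!/bin/sh
# Added example, not part of the Splunk chroot package: mirror a host log
# directory into the chroot with hard links so Splunk can tail it from inside
# the jail. Directories cannot be hard-linked, so the tree is recreated with
# mkdir and only regular files are linked; a link attempt across filesystems
# fails and is reported, because hard links cannot cross filesystem boundaries.
# Assumed layout: CHROOT/var/log mirrors /var/log (paths without spaces).

# mirror_logs_into_chroot SRC_DIR CHROOT: link every regular file under SRC_DIR to
# CHROOT/SRC_DIR, replacing any mirror entry that no longer points at the same inode.
mirror_logs_into_chroot() {
    src=$1; jail=$2; failed=0
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    list=$(mktemp) || return 1
    find "$src" -type f > "$list"
    while IFS= read -r f; do
        mkdir -p "$jail$(dirname "$f")" || { failed=$((failed + 1)); continue; }
        if [ -e "$jail$f" ]; then
            [ "$jail$f" -ef "$f" ] && continue   # already the same inode: nothing to do
            rm -f "$jail$f"                      # stale copy (e.g. after log rotation)
        fi
        ln "$f" "$jail$f" 2>/dev/null \
            || { echo "cannot hard-link $f into $jail (different filesystem?)" >&2; failed=$((failed + 1)); }
    done < "$list"
    rm -f "$list"
    [ "$failed" -eq 0 ]
}

# stale_links SRC_DIR CHROOT: list source files whose mirror is missing or points at
# a different inode. Log rotation that renames and recreates a file leaves the chroot
# link on the old inode, so run this (by hand or from cron) before re-mirroring.
stale_links() {
    src=$1; jail=$2; stale=0
    list=$(mktemp) || return 1
    find "$src" -type f > "$list"
    while IFS= read -r f; do
        if [ ! -e "$jail$f" ] || ! [ "$jail$f" -ef "$f" ]; then
            echo "stale: $f"; stale=$((stale + 1))
        fi
    done < "$list"
    rm -f "$list"
    [ "$stale" -eq 0 ]
}

# Usage with the chroot unpacked at /opt/splunkchroot:
#   mirror_logs_into_chroot /var/log /opt/splunkchroot
#   stale_links /var/log /opt/splunkchroot || mirror_logs_into_chroot /var/log /opt/splunkchroot
```

Because a hard link is the same inode, the chroot sees exactly the bytes the host writes, and there is no copy to fall behind; the price is that every rotation needs the re-mirror step, which is why stale_links is separate from the mirroring itself.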
XFS for Linux
XFS support for Linux: If you run 2.1.x or 2.2 on XFS filesystems, Splunk is unable to optimize its indexes, which results in extreme slowness. A replacement library is available for download which remedies this issue.
NOTE: This library is only for Linux distros
- Install the new library for XFS (with Splunk stopped):
cd $SPLUNK_HOME
tar xvf st-5.0.7-xfs.tar
- Verify that it was properly installed with ls -l lib/libsearchthing*. You should see (among other lines): lib/libsearchthing.so -> libsearchthing.so.5.0.7
- If you have been running a previous version of Splunk and have lots of data indexed, you will notice many mergizzle processes running alongside Splunk for a period of time. Performance may be impacted while mergizzle is running, but overall search performance should greatly improve once mergizzle finishes.
ZFS and VXFS for Solaris SPARC
ZFS and VXFS support for Solaris SPARC: If you run 2.1.x on ZFS or VXFS filesystems, Splunk is unable to optimize its indexes, which results in extreme slowness. A replacement library is available for download which remedies this issue.
NOTE: This library is only for Solaris SPARC. Solaris x86 is not supported by this download.
- Install the new library for ZFS and VXFS (with Splunk stopped):
cd $SPLUNK_HOME
tar xvf st-5.0.6.tar
- Verify that it was properly installed with ls -l lib/libsearchthing*. You should see (among other lines): lib/libsearchthing.so -> libsearchthing.so.5.0.6
- Run bin/splunk clean all -f to wipe the bad databases, then restart Splunk. Note that clean all removes all indexed data, so anything you need to keep must be re-indexed afterwards.
2.1.x to 2.2 User Migration
If you configured multiple users in your 2.1.x Splunk install, those users will not be shown after upgrading to 2.2. The users are still stored in the authentication database. This script allows your 2.2 install to read the users in.
- Uncompress the migrate_users.py script to the Splunk 2.2 machine's $SPLUNK_HOME directory.
- Source $SPLUNK_HOME/bin/setSplunkEnv into your shell's environment.
- Execute "python migrate_users.py $SPLUNK_HOME".
Terms and conditions for tools and sample programs
DISCLAIMER OF WARRANTIES
Permission is granted to copy this Tools or Sample code for internal use only, provided that this permission notice and warranty disclaimer appears in all copies.
THIS TOOLS OR SAMPLE CODE IS LICENSED TO YOU AS-IS. SPLUNK, INC. AND ITS SUPPLIERS AND LICENSORS DISCLAIM ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, IN SUCH SAMPLE CODE, INCLUDING THE WARRANTY OF NON-INFRINGEMENT AND THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT WILL SPLUNK, INC. OR ITS LICENSORS OR SUPPLIERS BE LIABLE FOR ANY DAMAGES ARISING OUT OF THE USE OF OR INABILITY TO USE THE TOOLS OR SAMPLE CODE, DISTRIBUTION OF THE TOOLS OR SAMPLE CODE, OR COMBINATION OF THE TOOLS OR SAMPLE CODE WITH ANY OTHER CODE. IN NO EVENT SHALL SPLUNK, INC. OR ITS LICENSORS AND SUPPLIERS BE LIABLE FOR ANY LOST REVENUE, LOST PROFITS OR DATA, OR FOR DIRECT, INDIRECT, SPECIAL, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY, EVEN IF SPLUNK, INC. OR ITS LICENSORS OR SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.