The venerable old-skool Splunk forums are now closed. Feel free to search for old content here, but new posts are no longer supported.

Instead, please visit the thriving community at answers.splunk.com to ask and answer questions about your Splunk deployment and how to get the most out of it.

Forums: SplunkAdministration

Topics 1–20 of 1256

Topic Author Replies Latest Post
More comprehensive Credit Card masking
(Not tagged)
I've seen more than one question about how to mask credit card numbers at index time. Most of the answers seem to be pegged to specific patterns found in specific logs that folks have. Not trusting developers to log things according to spec, I wanted to have a more comprehensive solution in hand ...
pde23
Posts
5
10 months ago...
Recovering from catastrophic crash
(Not tagged)
So we had a catastrophic crash on our Splunk server and had to restore from back up, but after the restore the Splunkd daemon kept crashing. If we do a new install it works fine, but then we can't access our 23gig of DB's with very important data. Is there a way to import our old DB's so that the data ...
svisionguy
Posts
11 months ago...
Splunk With Cisco ACS
(Not tagged)
Hi, I need to integrate Splunk with Cisco ACS for user authentication. I was not able to find a specific topic for this integration. Could anyone help with this? Thanks in advance.....
anataraj
Posts
1
11 months ago...
error when triggering script by a saved search
(Not tagged)
Hi, anybody seen this error message before? I get this error in the splunkd.log every time the saved search tries to run the perl script. ERROR script - External search command 'runshellscript' returned error code 1. Script output = "Traceback (most recent call last): File "/opt/splunk/bin/runScript.py", ...
ccan
Posts
1
11 months ago...
Default password fails
(Not tagged)
I have installed splunk on about 10 Linux boxes in the past week. 2 have been 64bit kernels. The second 64bit one installs and appears to start normally. But the default user:pass refuse to work? Anybody have any idea what might be going on? [Revised on Fri, 25 Feb 2011 17:59:43 -0800] I can set up ...
mntbighker
Posts
3
11 months ago...
Intermediate Forwarder Cooked Event Data Filter
(Not tagged)
Hi, We have a 4.1.6 light forwarder sending to a 4.1.7 intermediate forwarder to a 4.1.7 indexer in default cooked format. Try as I might the below filter will not work on the intermediate forwarder. The default SOURCE_KEY = _raw concerns me. Will the filter be matched on cooked event data? Thanks. props.conf [source::WinEventLog:Security] TRANSFORMS-null ...
ephemeric
Posts
1
11 months ago...
Active Directory Authentication
(Not tagged)
Version of Splunk splunk-4.0.2-64889 O/S CentOS release 5.3 (Final) I can get Splunk to list the AD users under Manager - Users, but even logged in as the failsafe uid (which has admin rights), it says I don't have permission to alter any attributes. However, a few issues arise. 1. the failsafe ...
ftang
Posts
4
11 months ago...
Remove host data
(Not tagged)
Thanks in advance for any help... new Splunker here. In the Search | Summary view | Hosts, I have hosts for which I no longer need to retain logs. Is there a clean way to remove all log data for a particular host? Thanks, Brian
brianbolt
Posts
1
11 months ago...
Windows 2008 Event Descriptions not displayed
(Not tagged)
Somehow I can't see the event descriptions on Splunk from Windows 2008 servers: {{ 10/14/09 03:56:06 PM LogName=Security SourceName=Microsoft-Windows-Security-Auditing EventCode=5156 EventType=0 ComputerName=NT150.my.domain TaskCategory=None OpCode=None RecordNumber=6989 Keywords=None Message=The ...
CerielTjuh
Posts
11
11 months ago...
Migrating to different Environment.
(Not tagged)
Hi, I have Splunk in one environment (network) with forwarders and have configured a lot of searches, alerts and System Configurations (in Splunk -> Manager). Now I want another very similar setup on another network. Is it possible to export the configurations of the existing Environment ...
karthikkumar
Posts
1
11 months ago...
splunk error
(Not tagged)
I have got next message "received event for unconfigured/disabled index='_audit' with source='source::audittrail' host='host::ieprodweb01' sourcetype='sourcetype::audittrail'.(I got that message on Forwarder server and Receiver server) I think I have got that message when I have configured Light ...
bwenge
Posts
1
11 months ago...
Unable to add Data Inputs due to error
(Not tagged)
I am currently in the process of testing out the latest release of Splunk and this is also my first time using the software. I am testing it in an environment with two virtual servers running XP Pro. Currently one has the Splunk service installed on it and the other has just the OS and other stuff. ...
kgilkes
Posts
14
11 months ago...
How can I read a MySQL table as a Splunk input?
(Not tagged)
I have a MySQL table which acts as a log of certain application events, complete with a datetime field for event timestamp. Is it possible to configure Splunk to effectively tail this table and interpret rows as loggable events?
araitz
Posts
3
12 months ago...
Splunk - Cannot Update Permissions - Error
(Not tagged)
Hi, If this has been asked & answered on the forum I apologize... Fresh install of Splunk 4.1.5 (85165) on Windows Server 2K8 R2 - Also tried on a win 7 32 bit workstation with same result. When attempting to change permissions (or where the object should appear) under - Splunk > Manager » ...
scongdon
Posts
3
12 months ago...
monitor apache access log on my linux splunk server
(Not tagged)
I have a Linux server with Apache installed. I would like to monitor its access logs on my Splunk server running on Linux. How do I do it?
bwenge
Posts
1
12 months ago...
Audit index has ldap user info. I would like to see ldap Full Name field
(Not tagged)
I am searching through the _audit index and I am seeing a lot of nice stuff. The problem I am having is it uses the user id for the audit information. That is fine but I would like to be able to see the Full Name from ldap as well. Is there a way to pull that information from ldap within my query...
brantramey
Posts
1
12 months ago...
How do I convert the Enterprise licence to free
(Not tagged)
Hi, my manager>>licence page shows Product: Enterprise Days remaining: expired License level: 500 MB Peak usage: 38.008 MB version:splunk-4.0.5-69401 I would like to convert this to the free one. How do I do that? Thanks
abey
Posts
2
12 months ago...
Can't download apps within Splunk
(Not tagged)
Hi, Just installed Splunk on Ubuntu Server, 64 bit. Everything looks good but I can't download the apps (http://xxx.xxx.xxx.xxx:8000/en-GB/app/launcher/home). I get "Invalid username or password" error when I enter my www.splunk.com credentials. I've logged out and back in to the Splunk website to ...
dcaldwell
Posts
12 months ago...
Reading Exchange log files only 15 days or newer?
(Not tagged)
With limited resources but many Exchange servers, I wish to only index the last 15 days of message tracking logs and new logs as they come in for a few days. However, these live log directories contain 90 days of logs and the splunk server and license cannot handle this amount of input. What is the ...
panderson
Posts
12 months ago...
F5 LTM
(Not tagged)
How are people getting their log information to splunk?
Adalan
Posts
3
12 months ago...