The venerable old-skool Splunk forums are now closed. Feel free to search for old content here, but new posts are no longer supported.
Instead, please visit the thriving community at answers.splunk.com to ask and answer questions about your Splunk deployment and how to get the most out of it.
Forums: Posted by Burana400
| Topic | Forum | Tags | Author | Replies | Latest Post | Excerpt(s) |
|---|---|---|---|---|---|---|
| fschange whitelist | SplunkAdministration | (Not tagged) | Burana400 | 6 | 41 months ago | Change filter=etc to filters=etc but it still doesn't work: `[fschange:/etc] hashMaxSize=512000 fullEvent=true index=main pollPeriod=60 recurse=false filters=etc [filter:whitelist:etc] regex1=.*passwd regex2=.*pam\.conf` Tried ...<br>Hi, I'm trying to use fschange monitor with whitelisting. Input.conf: `[fschange:/etc] hashMaxSize=512000 fullEvent=true index=main pollPeriod=60 recurse=false filter=etc [filter:whitelist:etc] regex1=.*passwd regex2=.*pam\.conf` I've ... |
| Strange Events | SplunkAdministration | (Not tagged) | Burana400 | 3 | 43 months ago | Nope... this is on a Unix box and I checked that there is no `\x0` character in the file.... |
| REPEAT_MATCH does not repeat | SplunkAdministration | (Not tagged) | Burana400 | 3 | 43 months ago | I have something like this in my logs: `bw_relayhost_abc.ch@test.ch=adjsfsdfsf bw_relayhost_cde.ch@test2.ch=adjsfsdfsfbw_relayhost_abc.ch@test.ch=adjsfsdfsf` My ... |
| Help with transaction | SplunkAdministration | (Not tagged) | Burana400 | 1 | 43 months ago | I want to search for the following transaction: Logfile1: `20081104 23:55:17 6E/28-07006-952A0194 ECINFO` ... |
| Fields with data and spaces | SplunkReporting | (Not tagged) | Burana400 | 15 | 43 months ago | I have the same problem. The interactive field extraction proposes I should use something like: `[smtp_subject] REGEX` ... |
| Multi-Value fields | SplunkAdministration | (Not tagged) | Burana400 | 1 | 44 months ago | I tried to index some multi-value fields. transforms.conf: `[mgr-subject] REGEX = Subject:\s(.*) FORMAT` ... |
| Preprocessing a log file | SplunkAdministration | (Not tagged) | Burana400 | 5 | 44 months ago | From props.conf: `invalid_cause = <string>` * Can only be set for a `[<sourcetype>]` stanza. ... I have tried the unarchive_cmd command and it does absolutely nothing. How can I debug what the problem ... |
| Multiline match | SplunkAdministration | (Not tagged) | Burana400 | 3 | 44 months ago | Hmm, but I was not looking for a multi-valued field; instead I was looking for fields in multiline events. It ...<br>Yeah, but this was a question about multiline match :-) I'm trying to index mail headers like this: `Received: from host.domain.com (111.11.1.111 by host2.domain.com` ... |
| Repeating Entries | SplunkGeneral | (Not tagged) | Burana400 | 1 | 49 months ago | Hi. Syslog and ipfilter are aggregating repeating entries, like "Last message was repeated x times" ... |
| Search modifiers | SplunkPreview | (Not tagged) | Burana400 | 1 | 53 months ago | Stranger than fiction... I tried a simple `[tail:///var/adm/messages]` in a separate bundle. The ...<br>On Preview 3 Solaris/SPARC it seems like the search modifiers maxresults and readlimit do not work. Without ... |
| Suggestion: Audit for Windows Registry | SplunkPreview | (Not tagged) | Burana400 | 1 | 53 months ago | Auditing the Windows registry would be a neat function. I'm thinking about a feature similar to ... |
| WinEventLog | SplunkPreview | (Not tagged) | Burana400 | 9 | 54 months ago | Hi Ledio, I'm running WinSplunk on WinXP just to get a feeling. About additional fields to be extracted, ...<br>How does the WinEventLog processor work? I guess some fields are extracted automatically (event metadata ... |
| multikv.conf example | SplunkPreview | (Not tagged) | Burana400 | 2 | 54 months ago | Still no multikv.conf.example in Preview 3 :-(<br>Anyone? Can anybody give me a multikv.conf example? I guess this can be used for "iostat"-like output? Would ... |
| File System Monitor | SplunkPreview | (Not tagged) | Burana400 | 9 | 54 months ago | I've installed Preview 3. Thanks for fixing the bugs so far... Unfortunately, I've found a new one: On ...<br>Thanks Rob. White/blacklisting seems to work now. I have a new problem with the following stanza: `[fschange:/etc] pollPeriod=60 fullEvent=true recurse=false signedaudit=false followLinks=false` The ...<br>More to come... :-)<br>Shouldn't it be possible to also set host and sourcetype in the fschange ...<br>I have another problem: `Sun Dec 16 19:19:49 2007 action=update, path="/home/myhome/mdf.zip", isdir=0,` ...<br>Never mind, just found the deletion event...<br>BTW: I've just deleted a monitored file. Shouldn't it create some kind of event for this? Or is this ...<br>First, kudos to you! It's really great having access to preview functions... I've got a problem with ... |
| Fixed fields extraction | SplunkAdministration | (Not tagged) | Burana400 | 15 | 56 months ago | Is there another update regarding this bug? It should be possible to index fields containing spaces....<br>Just wanted to ask if you found out if this is a bug or not... Cheers, Burana<br>Do you have an update on this issue? Thanks!<br>Thanks Alex for your efforts. I was able with some effort to write a single effort. I'm still convinced, ...<br>Hi Alex, the sample I've sent you had 4 spaces, yes, but the problem is not solved... but I'm getting ...<br>New case opened: CASE [10275]<br>I have opened a case (no answer yet). I've played around a little bit with the regex and the logfile. If ...<br>I'm having trouble with extracting a log file with fixed fields... The log file has the following format ... |
| Reporting zero events | SplunkReporting | (Not tagged) | Burana400 | 2 | 56 months ago | I just found out that I have to add "where count < 1" to my query. The problem seems to be that a ...<br>I'm trying to report based on missing events. My report currently looks like this: `sourcetype::nb enddaysago::1` ... |
| Multiline syslog event | SplunkGeneral | (Not tagged) | Burana400 | – | 57 months ago | Is there a way to tell Splunk to read ahead? In syslog I often see multiline events like this: `Oct` ... |
| Sucking config files in | SplunkGeneral | (Not tagged) | Burana400 | 12 | 59 months ago | I just found the error. The parameter `CHECK_METHOD = entireMD5` should read `CHECK_METHOD = entire_MD5`. Thanks ...<br>The entireMD5 sounds logical, but it doesn't work. I added a hash to the end of the file => an event ...<br>The settings under the config bundle already contain the CHECK_METHOD and DATETIME_CONFIG settings. ...<br>Now that I've played a little bit with this feature I found two little glitches... I tailed /etc/hosts ...<br>Thanks for your answer. It seems that in 3.0 there are a lot of new properties available... There ...<br>I'm trying to suck configuration files into Splunk. I want to do this with the batchloader. The batchloader ... |
| Authorization | SplunkRequest | (Not tagged) | Burana400 | 1 | 59 months ago | Are there any plans to implement authorization into Splunk? (=> e.g. who is allowed to see which logfiles). I ... |
| Splunk-2-Splunk over TLS/SSL | SplunkRequest | (Not tagged) | Burana400 | 3 | 65 months ago | Any update on this topic? Is TLS/SSL coming in 3.0 or 3.1?<br>While SSH tunneling is nice, it is still an additional thing to administrate. I guess it would not be ... |