The venerable old-skool Splunk forums are now closed. Feel free to search for old content here, but new posts are no longer supported.
Instead, please visit the thriving community at answers.splunk.com to ask and answer questions about your Splunk deployment and how to get the most out of it.
Forums: Posted by araitz
| Topic | Author | Replies | Latest Post |
|---|---|---|---|
|
Unable to add Data Inputs due to error
In: SplunkAdministration
(Not tagged)
Yes, there is no magic way to get logs off of Linux machines without installing a forwarder on them. ...
|
14
|
23 months ago... | |
|
How to view from other machines?
In: SplunkAdministration
(Not tagged)
http://www.splunk.com/base/Documentation/4.0.9/Admin/WhatsSplunkWeb
|
2
|
23 months ago... | |
|
props vs CSV file
In: SplunkAdministration
(Not tagged)
TIME_PREFIX=\d+\.\d+\.\d+\.\d+\,
TIME_FORMAT=%d/%m/%Y,%T
|
3
|
23 months ago... | |
|
LDAP Authentication: Trusted Domain User
In: SplunkAdministration
(Not tagged)
I do not think it is on the roadmap - we use OpenLDAP for authentication rather than any AD-specific ...
Splunk does not support domain trust relationships or multiple domain forests. |
3
|
23 months ago... | |
|
fail to set up MySQLdb
In: SplunkGeneral
(Not tagged)
Per the answers post, did you unset the required env variables? It does not look like you did based ...
According to the Splunk Answers thread above, it is not supported to install 3rd-party Python modules ... |
7
|
23 months ago... | |
|
Error configuring imap app
In: SplunkApplications
(Not tagged)
Not enough information - you might try posting the version of Splunk, the imap.conf, etc.
|
4
|
23 months ago... | |
|
Really Basic Syslog Facilities Question
In: SplunkGeneral
(Not tagged)
I think you mean priority rather than facility. Yes, in most cases, local7 (aka debug) will encapsulate ...
|
2
|
23 months ago... | |
|
Trying to accomplish a couple of things but failing in all..
In: SplunkAdministration
(Not tagged)
I'll be frank - I've never used the sourcetype learning rules. I would instead recommend using props ...
Why are you using MORE_THAN? You can just set sourcetype=access_common or whatever you want. You ... |
7
|
23 months ago... | |
|
how to raise the auto-finalized's time limit
In: SplunkAdministration
(Not tagged)
I think you are using Splunk 4.1 beta. This will happen when you click on a source/sourcetype/host ...
|
1
|
23 months ago... | |
|
Timezone Weirdness
In: SplunkAdministration
(Not tagged)
Actually, I think there is a bug with setting TZ on IIS logs, I have a few customers who can't get it ...
You cannot use "sourcetype=" in props.conf - this will be ignored by Splunk, and if this is at the top ... |
8
|
24 months ago... | |
|
Juniper Netscreen TCP Syslog messages not breaking properly
In: SplunkAdministration
(Not tagged)
Looks like support sorted you out - for the record, the solution was:
[netscreen_syslog]
LINE_BREAKER=(\\x00)<\d+> ...
Why is your LINE_BREAKER a binary null? This would seem to be the most obvious issue. Try: [netscreen_syslog] MAX_TIMESTAMP_LOOKAHEAD ... Can you post your inputs.conf and props.conf? |
3
|
24 months ago... | |
|
Email report only if there are results
In: SplunkSearchAndAlert
(Not tagged)
Searches (with the exception of subsearches) are rendered left to right.
In your search, you are ...
This is a very very inefficient search, as you are passing ALL access-log events from the past day to ... What is the first part of the search? |
6
|
24 months ago... | |
|
Domain Service Account Permissions/Rights
In: SplunkAdministration
(Not tagged)
Yeah, agree with G, don't muck with all that. As with almost any application that needs to do anything ...
1) Splunk will need read access to any flat files (e.g. windowsupdate.log) that you wish for it to monitor 2) ... |
6
|
24 months ago... | |
|
Limitation in character length in a search?
In: SplunkSearchAndAlert
(Not tagged)
Need more information - what does this session id look like? How are you searching for it?
|
1
|
24 months ago... | |
|
Error: Unable to find pipeline with name udp..
In: SplunkGeneral
(Not tagged)
What OS? What port? What user is Splunk running as? Have you enabled lightweight forwarder mode?
|
4
|
24 months ago... | |
|
Find list of what logs are going into splunk per server
In: SplunkAdministration
(Not tagged)
Splunk does not keep three-dimensional metadata, so this is going to take a while and be very expensive ...
|
1
|
24 months ago... | |
|
Combine conditions in props.conf?
In: SplunkAdministration
(Not tagged)
Nope, there is not. Can you describe the reason you would like to do this?
|
1
|
24 months ago... | |
|
Error while loading shared libraries libpcre.so.0
In: SplunkAdministration
(Not tagged)
Can you verify that you didn't accidentally upgrade 64-bit with 32-bit?
|
5
|
24 months ago... | |
|
can I skip header lines for an input file
In: SplunkAdministration
(Not tagged)
On the inputs side, you will need to add crcSalt=<SOURCE> to force Splunk to use the file name to disambiguate ...
|
1
|
24 months ago... | |
|
Dynamic Meta Data Assignment
In: SplunkAdministration
(Not tagged)
(?m)^((.*)|(.*[\r\n].*))[\r\n]key1=.*$
Can you post your props.conf and a full sample event too? |
9
|
24 months ago... |