The venerable old-skool Splunk forums are now closed. Feel free to search for old content here, but new posts are no longer supported.
Instead, please visit the thriving community at answers.splunk.com to ask and answer questions about your Splunk deployment and how to get the most out of it.
Forums: Posted by lalleman
| Topic | Author | Replies | Latest Post |
|---|---|---|---|
|
Collect syslog from non-plunk AIX machine to AIX splunk machine.
In: SplunkAdministration
(Not tagged)
Here are some links I suggest.
High-level overview: http://www.splunk.com/base/Documentation/4.0.10/Admin/Aboutforwardingandreceiving
Here ...
Splunk gives you a bunch of options, here are a couple of approaches: 1.) You can use syslogd or ... |
3
|
23 months ago... | |
|
Splunk on cloned virtual machines
In: SplunkAdministration
(Not tagged)
That's a great question. I know I'll be running into that in the not too distant future.
This may ...
|
3
|
23 months ago... | |
|
indexing question
In: SplunkAdministration
(Not tagged)
The easiest way is to put {{index=firewall}} in your inputs.conf file for whichever input is getting ...
|
2
|
23 months ago... | |
|
Help with Sourcetype Config
In: SplunkAdministration
(Not tagged)
I think your regex is fine, and your transformation stanza looks correct too. I'm just thinking that ...
Can you post the relevant entry in inputs.conf? |
6
|
23 months ago... | |
|
Enable File System Change Monitor During Install
In: SplunkAdministration
(Not tagged)
We went with the approach of creating our own custom forwarding app, which generally works rather well. ...
|
2
|
23 months ago... | |
|
Warm to Cold based on time
In: SplunkAdministration
(Not tagged)
Keep in mind that you can manually move buckets between warm and cold if you really need to, so if you ...
|
4
|
23 months ago... | |
|
re-labeling host information
In: SplunkAdministration
(Not tagged)
If this data is limited to a specific bucket, you can use exporttool (use the "-csv" option) and importtool ...
|
3
|
23 months ago... | |
|
deployment server changes
In: SplunkRequest
(Not tagged)
Hmm.. I didn' start using the deployment feature until 4.0, and I'm still thinking this would be a ...
|
7
|
23 months ago... | |
|
Management Port 8089
In: SplunkAdministration
(Not tagged)
Hmm. Looks like the "splunk set splunkd-port" command actually updates the {{system/local/web.conf}} ...
Hmm. Looks like the "splunk set splunkd-port" command actually updates the {{system/local/web.conf}} ... Should be able to do that with a command like so: {{splunk set splunkd-port 12345}} Run this on ... |
5
|
23 months ago... | |
|
deleting events
In: SplunkAdministration
(Not tagged)
The {{delete}} operator does **not** reclaim disk space. See http://www.splunk.com/base/Documentation/latest/SearchReference/Delete
Any ...
|
3
|
23 months ago... | |
|
lower(fieldname) at time of extraction?
In: SplunkAdministration
(Not tagged)
Hmmm. Yeah, there are a handful of different approaches for this kind of thing, but nothing is completely ...
|
1
|
23 months ago... | |
|
Problem running fill_summary_index
In: SplunkAdministration
(Not tagged)
Best of luck.
If you are still running into trouble with this, I'd ask a more generic form of your ...
I'm trying to wrap my head around what your trying to get out of your data. Is this right: You are ... Here are a couple of thoughts... 1.) Make sure that your base search is working properly before ... Are you trying to save fields from your transaction, or the actual (_raw) event itself? Last I heard, ... Are you trying to save fields from your transaction, or the actual (_raw) event itself? Last I heard, ... I've run into this message before. I think it was simply due to a misconfiguration in my savedsearches.conf ... |
10
|
23 months ago... | |
|
Best practice for pre-filtering a bunch of msgs?
In: SplunkAdministration
(Not tagged)
I have a similar issue. I found that using syslog-ng to filter out messages is quite effective for ...
|
2
|
23 months ago... | |
|
duplicate events
In: SplunkAdministration
(Not tagged)
That seems weird. In my experience, splunk is really good with tailing log files and not duplicating ...
|
1
|
23 months ago... | |
|
Filter log content before forwarding
In: SplunkAdministration
(Not tagged)
Just a quick recommendation on your regex. You might want to introduce a space between the end of your ...
|
5
|
23 months ago... | |
|
Best way stop "sample_app" logs events from being forwarded to the primary indexer
In: SplunkAdministration
(Not tagged)
Good point about the {{local/app.conf}} file not being overwritten on upgrade. I hadn't thought of ...
I recently upgraded several forwarders to Splunk 4.0.10 and found that in doing so new events were sent ... |
2
|
23 months ago... | |
|
Number formatting
In: SplunkReporting
(Not tagged)
That worked like a charm. Thanks! (Thanks for the link sophy, I had actually printed a copy of that ...
That worked like a charm. Thanks! (Thanks for the link sophy, I had actually printed a copy of that ... Two questions, both relating to number formatting. I'm looking for some search command (or preferably ... |
3
|
24 months ago... | |
|
Reducing volume of Metrics events from forwarders
In: SplunkAdministration
(Not tagged)
If you haven't done so already. Upgrade to Splunk 4.0.10. The summary index no longer counts towards ...
Thanks for the info araitz. I wasn't sure if _internal counted towards the license or not. It's good ... Anyone know of a good way to cut back on the amount of Metrics data generated on a forwarding splunk ... |
6
|
24 months ago... | |
|
API reference docs?
In: SplunkDev
(Not tagged)
Does anyone know where the REST API docs are?
I have a printed (pdf) copy of the "Splunk Developers ...
|
8
|
24 months ago... | |
|
Transactions and Summary Indexing
In: SplunkReporting
(Not tagged)
Quick follow up for anyone following along with this thread....
I found that using a macro works ...
Found a solution. If anyone know of one that isn't quite as ugly, I'd appreciate knowing about it. Starting ... (For anyone following along. Please note that in the example where given by gkanapathy, "time" should ... Any ideas on what the best way is to do summary indexing on transactions that could last longer than ... |
7
|
25 months ago... |