Splunk Base : SplunkGeneral

Masking credit card numbers

cjs226 — Fri, 08 Apr 2011 13:02:49 PDT

While I'm able to mask 16 digit numbers I would like a more sophisticated approach as there are some numbers in that range that are not credit card numbers that I don't want to mask, such as error codes. Is anyone utilizing the Luhn Algorithm (http://rosettacode.org/wiki/Luhn_test_of_credit_card_numbers) or something better than my current approach?

Live tail

jmarcus — Wed, 06 Apr 2011 20:48:14 PDT

Feeling like this is a really silly question, but I just installed 4.2 and bought a 500MB license. I was running 3.x and using Live Tail all the time.

I can't find live tail in 4.2 can someone point me to the URL path?

Thanks,
James

splunk2nagios when Splunk and Nagios not on the same machine

pchang — Thu, 31 Mar 2011 00:47:13 PDT

bump.

were you able to get this working?

Splunk deployment services

dbutch1976 — Wed, 30 Mar 2011 11:40:16 PDT

Hello,

I understand that the splunk forwarder requires several local permissions on a Windows machine:

Permission to log on as a service
permission to log on as a batch job
replace a process-level token
permission to act as an operating system
permission to bypass traverse checking

How can these permissions can be granted across an entire domain? A GPO is suggested as an answer however this is not feasible since a GPO will overwrite any existing local permissions on a local machine as described here:

http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/1da524c5-6680-4c0a-8411-e8f243f41ea1

How have other large enterprises addressed this problem?

Splunk deployment services

dbutch1976 — Tue, 22 Mar 2011 07:23:50 PDT

Lol, sorry, didn't realize it was a complete doc. Thanks.

Splunk deployment services

rachel — Mon, 21 Mar 2011 13:18:01 PDT

i'm a little confused--did you not read the rest of the topics in that chapter?

when you load that topic, look to the left. there is a Table of Contents which shows you where you are in the manual. the topic you linked is the introduction to an entire chapter about the deployment server and how to use it.

Splunk deployment services

dbutch1976 — Mon, 21 Mar 2011 10:41:47 PDT

Hello,

I'm looking for some in depth information about Splunk Depoyment services. So far I've only been able to find the following:

http://www.splunk.com/base/Documentation/4.2/Deploy/Aboutdeploymentserver

I'd like to get into the specifics of how I should plan to roll Splunk out, and how to perform a deployment but the link seems pretty basic. Is there another source for more in depth info?

Thanks.

Convert from Trail to Free License

mntbighker — Tue, 15 Mar 2011 15:25:30 PDT

The instructions for switching to the free license don't work if you can't get into the web interface. Like when the default password fails to work on a fresh installation. Everything else works but I can't see the web interface (just the login screen) and I can't convert the client to LightForwarder.

change back to default value after refresh

TescoDotcom — Thu, 03 Mar 2011 02:31:30 PST

Was there a resolution on this to disable custom viewstates per user?

I'm having problems where I would like to update the global viewstates via admin however this only applies changes to that individual users rather than into the default viewstate.

Joshua

Is it possible to show image link in front of Splunk ?

hudson — Sun, 13 Feb 2011 19:30:51 PST

I have log included image info. Is it possible to show the image link in front of Splunk's search ? tks

Hudson

[Revised on Sun, 13 Feb 2011 19:34:31 -0800]

if there is tutorial or sample to study and it will be grateful , tks

Web Service Doesnt Start

dwilcox — Sun, 13 Feb 2011 13:59:04 PST

The above solution worked for me as well. Win2008

[Revised on Sun, 13 Feb 2011 13:59:19 -0800]

THANKS!!

search for 200 hundred errors on multiple web servers with regex

sethrei — Mon, 31 Jan 2011 13:04:12 PST

I'm looking to do something like ...

host="web10|web9|web11" sourcetype="access_combined" status=200 |stats count by clientip

how does one specify multiple hostnames ?

Thanks.

Reference sheet for beginners

rachel — Wed, 26 Jan 2011 10:17:24 PST

yes, they are from 2006. Splunk is now at 4.1.6. it was at 2.0 when the last post was added. if you're looking for getting started info, i recommend walking through the User Tutorial:

http://www.splunk.com/base/Documentation/latest/User/WelcometotheSplunktutorial

there is also a cheatsheet for the search language here:

http://www.splunk.com/base/Documentation/latest/SearchReference/SearchCheatsheet

Reference sheet for beginners

Engineer88 — Mon, 24 Jan 2011 07:51:52 PST

None of the links in this topic work.

Howto - Use Splunk on one Linux server to analyse syslogs on remote Linux server

rachel — Wed, 19 Jan 2011 10:45:44 PST

1) i'd recommend posting this on answers.splunk.com; it supersedes this forum and is very active. you may get some better/more detailed responses than:

2) have you looked into Splunk forwarders?
http://www.splunk.com/base/Documentation/latest/Admin/Aboutforwardingandreceiving
this allows you to install an agent on the syslog aggregation host and forward the data you want to a different server that is running a full copy of Splunk and doing the indexing. this way, not only can you keep the load off the old hardware, but you can also filter out the data you're not interested in indexing in Splunk before it hits the indexer.

Howto - Use Splunk on one Linux server to analyse syslogs on remote Linux server

treimers — Fri, 14 Jan 2011 12:26:58 PST

Hi all --

I've Google'ed about, and checked documentation, but I can't find exactly what I'm after here -
Plenty of documentation exists on how to get Splunk to analyse syslog when the syslog is +local+ to the same *nix or Windoze server

I can't find some notes on how to do this:

1. Splunk running on a Linux server
2. Syslogs coming from many hosts to a _different_ Linux server.

I cannot run Splunk directly on that server running syslog, because it runs it up to 80-90% CPU, and interferes with the effectiveness of the Nagios running on that server. (Old hardware)

I cannot immediately reconfigure all 200+ hosts in my network to syslog to some new address - key hardware requires a reboot in order to make the change, which affects production for users.

For now, I'd like to simply get Splunk on the first Linux server to looking at the various files in /var/log on the syslog Linux server.

What am I misunderstanding about how I get Splunk to look at remote files?

Same sort of question arises, for IIS/Apache files on a remote server?

Why Splunk at all?

mcafeesecure — Fri, 14 Jan 2011 09:23:01 PST

I have been in the process of implementing a series of searches that have the same excludes as logwatch, so far this is a big project, but not entirely undo-able. It seems to me that the next logical step for splunk would be this. Why would I want 500 logwatch messages every day, when I could have a summary in one email?

Comparing 2 events based on a common value of 2 different fields.

damianshaw — Thu, 30 Dec 2010 23:25:15 PST

Thanks on both counts, I had a look at diff before but it doesn't seem quite what I am looking after as I'm trying to compare 2 different events, not the same one.

Comparing 2 events based on a common value of 2 different fields.

rachel — Thu, 30 Dec 2010 16:40:56 PST

hi damianshaw, i recommend you ask this question over at answers.splunk.com (it's much more active than this forum), but in the meantime, it's possible that the delta search command can help you accomplish what you're interested in:

http://www.splunk.com/base/Documentation/latest/SearchReference/Delta

Comparing 2 events based on a common value of 2 different fields.

damianshaw — Thu, 30 Dec 2010 06:38:36 PST

Hi,

I have 2 events that have the same value for different fields, i.e I have an event with field1 and another event with field2 and value of field1 = value of field2

I want to plot a graph of the difference in timestamps of events where value of field 1 = value of field 2. Is this possible?

mySQL slow query log

missinglink — Wed, 22 Dec 2010 05:00:54 PST

Thanks for sharing...

How to automate Splunk association/correlation of syslog IPs with "Whois" info?

rpetty12 — Mon, 06 Dec 2010 23:59:56 PST

to Splunkalicious

What did you have to in Smoothwall to get the snort logs to forward to your Splunk server since there is no syslog-ng application?

network logging

rwallace — Wed, 01 Dec 2010 07:42:07 PST

Ok, I'll try it over there. Thanks for the heads up.

network logging

rachel — Tue, 30 Nov 2010 17:28:22 PST

hey there! i recommend you ask your questions over at answers.splunk.com, it's much more active than these forums.

Missing events in default syslog indexing

rachel — Tue, 30 Nov 2010 17:28:01 PST

hey there! i recommend you ask your questions over at answers.splunk.com, it's much more active than these forums.

Missing events in default syslog indexing

djfisher — Tue, 30 Nov 2010 09:33:45 PST

Did you ever get an answer? I have having sorta the same issue.

IOerror [Errno 32] Broken pipe

network logging

rwallace — Tue, 30 Nov 2010 09:08:27 PST

Hi all -

I'm experiencing an issue where logging to splunk over the network (either via TCP or UDP) sometimes chunks multiple lines into the same log entry. Is there any way to force these entries to be split as splunk receives them from the port?

Show license: Segmentation fault

spy — Mon, 29 Nov 2010 04:09:33 PST

I use splunk with Free license and have already 3 License violations:
License violation #3 at Nov 18, 2010 12:04:13 AM
License violation #2 at Nov 14, 2010 12:00:28 AM
License violation #1 at Nov 10, 2010 12:02:35 AM

'/opt/splunk/bin/splunk show license' shows the following info:
Current Daily Usage Amount: 98613194
Expiration date: 2037-01-20T22:30:11+0300
Segmentation fault

What may be the cause of segmentation fault, and is there a known workaround?

Host monitoring

fisk12 — Sun, 07 Nov 2010 12:19:12 PST

Hello
I have just installed splunk on my work and have the firewalls and wireless stuff send syslog to it.
Im also looking for some monitoring of the server. Now i wonder if its best to put on something like ossec and integrate it with splunk or use splunks own tool for monitoring servers?
The same with nagios and have it send events with syslog to the splunk server or is splunks own tools for doing the same stuff as good?

Daily indexing volume limit exceeded

atrieger — Fri, 05 Nov 2010 16:42:03 PDT

I found this, might help:

http://answers.splunk.com/questions/322/what-happens-when-i-exceed-my-licensed-limit

Daily indexing volume limit exceeded

netspin — Wed, 03 Nov 2010 04:35:24 PDT

Can anyone help me?

Search by file name?

dgarstang — Sat, 30 Oct 2010 22:11:39 PDT

As an admin that's used to searching logs with /bin/less, ? and /, I find the Splunk web interface pretty confusing.

How can I limit searches in the web UI to specific source file names? In fact, I can't even see where Splunk even shows the name of the file that searches appeared in. This is really confusing. If I don't know what file a match was in, I really have no context of what I am seeing.

Doug.

Daily indexing volume limit exceeded

netspin — Tue, 26 Oct 2010 09:02:07 PDT

I install splunk with free licence and I send to it about 50 MB@day.
After some day I get this message on webGUI:
"Daily indexing volume limit exceeded"

What does this mean?
The index limit in free version is not 500 MB@day?

Thanks

rsyslog vs. syslog-ng

mkeys — Mon, 25 Oct 2010 12:29:17 PDT

I'm interested in what you found regarding this. I'm researching the pros/cons of using syslog/rsyslog/syslog-ng as an intermediate filter before it hits Splunk. Performance is certainly a consideration.
-Matt

Bug report: Adding more than one forwarder using WEB UI

matthewhaswell — Fri, 22 Oct 2010 07:30:18 PDT

Splunk 4.1.5 on Windows 2003 32bit (however don't think it's to do with the 2003 or 32 bit - possibly with windows or with WEB UI).

Added a bunch of lightforwarders to our two main splunk systems... one received traffic and the other didn't.

Checked and I could ping and telnet to both on port 9997 (the port we use for receiving).

These errors in splunkd.log:

10-22-2010 14:52:26.699 ERROR TcpOutputProc - the 'defaultGroup' property contains an invalid group name - rnln-unixmon01.teamphone.priv_9997 - skipping
10-22-2010 14:52:26.699 INFO TcpOutputProc - Will retry at max backoff sleep forever
10-22-2010 14:52:26.699 INFO TcpOutputProc - Using clear text for server rnln-unixmon01.teamphone.priv:9997
10-22-2010 14:52:26.699 INFO TcpOutputProc - ALL Connections will use SSL with sslCipher=
10-22-2010 14:52:26.699 INFO TcpOutputProc - initializing single connection with retry strategy for rnln-unixmon01.teamphone.priv:9997
10-22-2010 14:52:26.699 INFO TcpOutputProc - attempting to connect to rnln-unixmon01.teamphone.priv:9997...
10-22-2010 14:52:26.699 INFO TcpOutputProc - Will retry at max backoff sleep forever
10-22-2010 14:52:26.699 INFO TcpOutputProc - Using clear text for server tpln-scom01.teamphone.priv:9997
10-22-2010 14:52:26.699 INFO TcpOutputProc - ALL Connections will use SSL with sslCipher=
10-22-2010 14:52:26.699 INFO TcpOutputProc - initializing single connection with retry strategy for tpln-scom01.teamphone.priv:9997
10-22-2010 14:52:26.699 INFO TcpOutputProc - attempting to connect to tpln-scom01.teamphone.priv:9997...
10-22-2010 14:52:26.699 INFO loader - Instantiated plugin: controlqueueoutputprocessor

Turned out to be that I was adding both servers on the same line separated by commas as suggested by the WEB UI help text.... as this:

tpln-scom01.teamphone.priv:9997, rnln-unixmon01.teamphone.priv:9997

I *think* it's because I had a space after the comma. However both servers appeared fine in the list of servers to forward to. Only by taking out the broken rnln-unixmon01 one and re-adding it by itself did it work.

Now I have to go back and fix 10 of those servers - still - at least I hadn't rolled it out to the next 40. :)

Will try both servers separated by comma without a space when I roll out the next one but thought I would let you know.

Matt

view log file of our choosing

zsyed — Mon, 18 Oct 2010 10:40:48 PDT

Is it possible in splunk to

View the most recent log file in its entirety
View the any log file of our choosing, in its entirety
View a comprehensive listing of all log files (filenames with complete system information such as timestamps.. etc etc)

splunk - through proxy

khuneo — Thu, 07 Oct 2010 08:43:06 PDT

Hi keithc,

Can you please explain in steps what you did from scratch that overcome this problem. I am having a similar issue, we recently installed Splunk on our server which is already running our main site. I've installed splunk on port 8000 and on wordpress mu, installation seemed to work fine without any errors, but when I try to access the interface through my browser, it gives the following error:

The connection has timed out

The server at servername.hostname.com is taking too long to respond.

* The site could be temporarily unavailable or too busy. Try again in a few
moments
* If you are unable to load any pages, check your computer's network
connection
* If your computer or network is protected by a firewall or proxy, make sure
that Firefox is permitted to access the Web

I know its not a network issue. Any help would be appreciated,
thanks.

Oldest Windows Last Logon

jgigliotti — Wed, 06 Oct 2010 18:35:22 PDT

I am pulling Active Directory logs and am trying to figure out a way to list all user and computer objects that have logged on in a 24hr period against each DC

Any ideas? Thanks.

Cisco ASA: Extract Fields and count the values with rex

syslogd — Tue, 05 Oct 2010 07:26:51 PDT

Hallo,

my Cisco ASA logs the following message:

<172>Oct 05 2010 15:57:06: %ASA-4-106023: Deny tcp src outside:11.12.14.14/1193 dst inside:22.11.4.1/445 by access-group "outside1" [0x0, 0x0]

I want to extract the following fields (<xxx>):

<172>Oct 05 2010 15:57:06: %ASA-4-106023: Deny tcp src <roule>:<srcIP>/1193 dst inside:<dstIP>/445 by access-group "outside1" [0x0, 0x0

Then i want to count the fields by:

rule + srcIP + dstIP

Can you help me?

Thanks

Thomas

Trying to create a very simple email notification

balt — Mon, 04 Oct 2010 10:23:35 PDT

Found out how to get the results using the table command:

sourcetype="BITS_Billing_Logger" action="update" | sort by modtime | table modtime host path uid action

However the email (Outputting inline in html format) still puts the fields in whatever random order it desires. Any help would be greatly appreciated.

Trying to create a very simple email notification

balt — Mon, 04 Oct 2010 09:34:24 PDT

I am struggling with something that common sense tells me should be an incredibly simple thing to do in Splunk: I am attempting to send the results from a saved search in an email on a 24hour basis that shows all alterations done using fs_change.

The search works beautifully in the search application, however the email that is sent contains fields that I do not want and is missing fields that I do.

The saved search is as follows:

sourcetype="BITS_Billing_Logger" action="update" | Fields _date host path uid action

The search reports back the information I want, however the email that is sent with the results included in the email does not contain the date, but instead the time in some god awful format.

In addition instead of the fields I have specified it has the _time field as well as the _raw field, neither of which do I want in the email.

My question is simple, how do I get the output results in the body of the email to only include the fields that I desire?

Multi-line Windows event regex help

gregsternyc — Thu, 30 Sep 2010 15:08:41 PDT

Any idea if "Service Name: krbtgt" is at all useful information?? We get tons of these events but are not sure what to do with them...
Thanks,
Greg

Self-guided classes

gooza — Tue, 28 Sep 2010 22:48:06 PDT

I hope not

Field Extraction RegEx Help

russuhte — Thu, 23 Sep 2010 13:26:17 PDT

Hey guys,

I'm using a RegEx to pull out information from Cisco syslog messages from my 6500 series switches. I'm using this RegEx to grab the SyslogSeverity from the message itself: (?i)%[^\-]*\-(?P<SyslogSeverity>[0-7])(?=\-). This works for about 95% of the messages, but occasionally, Cisco will throw a message at me that doesn't get caught because it has an extra dash in it. Here is an example of a message that works great: %SPANTREE-2-BLOCK_BPDUGUARD. Here is an example of a message that doesn't get caught: %EARL_NETFLOW-SP-4-TCAM_THRLD. Note the extra dash.

I just can't seem to figure out the correct RegEx to grab both scenarios. Any help would be greatly appreciated.

Thanks,
Russ

Size of sourcetype query?

kwaingrow — Tue, 21 Sep 2010 16:58:08 PDT

We had a sudden drop in events being sent to splunk. Is anyone aware of a way to query a sourcetype by size so we can see which ones stopped sending to splunk?

Any help is greatly appreciated....

Splunk Mailing List

smaresca — Mon, 13 Sep 2010 09:57:30 PDT

I just wanted to share the beginning of a Splunk mailing list, hosted by the University of Connecticut.

Topics might include, but would not be limited to: sharing of crafted searches,scripts for integrating other systems into Splunk, automation of activity upon observed event, dashboard creation, Splunk forwarder usage, highly available configuration, and other discussion regarding deployment.

The mailing list is accessible for subscription at the following address:

https://listserv.uconn.edu/cgi-bin/wa?A0=SPLUNK-L
Alternatively, one may subscribe by sending an email to listserv@listserv.uconn.edu containing "SUB SPLUNK-L FirstName Lastname" in the body. No subject is required, and a signature should be omitted. A response will be sent in return with further instructions.

Please feel free to share this information with whomever else you feel might be interested. The list is just getting started, so anyone willing to join at this juncture will help get the ball rolling.

-Steve

Linux on PPC

bmaupin — Fri, 10 Sep 2010 12:43:54 PDT

I was looking for a Splunk PPC GNU/Linux client, and this was the only information I saw. Just thought I'd mention that I just talked to the Splunk folks and there is no Splunk PPC Linux build, so I'm guessing this is probably never gonna happen. Just thought I'd share that in case anyone still holding onto a PPC Linux machine was curious.

Mysterious IIS-2 sourcetype

choneycutt — Fri, 10 Sep 2010 08:52:57 PDT

Had similar experience. I initially set the sourcetype to automatic for my inputs. The data was then indexed and I ended up with sourcetype iis-2, iis-3.

So I then modified the inputs.conf file to manually set the sourcetype to iis. But my indexed data remained with iis-2 and iis-3.

According to the manual, changing sourcetype affects new data coming in after the config change, and not the indexed data.

So i then modified props.conf to rename the sourcetype for the already indexed data.

[iis-2]
rename = iis

Below is where I found it in the documentation:

Override automatic source type:
http://www.splunk.com/base/Documentation/latest/Admin/Bypassautomaticsourcetypeassignment

Renaming Source type:
http://www.splunk.com/base/Documentation/latest/Admin/Renamesourcetypes

Self-guided classes

myou — Thu, 02 Sep 2010 21:45:57 PDT

Is the concept of self-guided classes dead?

Deleted Events -- syslog

ejeanmaire — Thu, 02 Sep 2010 14:03:44 PDT

I use Splunk to manage all the syslogs for my various servers. I deleted the logs for the wrong IP address. Is it possible for me to reinstate, reindex, or unset the delete flag in the database for the syslog entries?