Technical Support Downloads
These downloads are not tested or warrantied. They are offered on an as-is basis to help you use Splunk. See the full legal disclaimer below.
Splunk Version 3.x
UTF-16 to UTF-8 Converter
utf16-to-utf8.py.gz
This script converts multiple UTF-16 encoded files to UTF-8 encoded files so that Splunk can index them. For each specified UTF-16 filename, filename-utf8 is created in the same directory.
Usage
python utf16-to-utf8.py file1 file2 file3 file4...
3.3 RPM Spec files
32 bit RPM spec file
64 bit RPM spec file
Copies of our 3.3 RPM spec files to facilitate creation of custom RPM packages built off of the rar installs.
3.2 Light weight forwarder config
manage_config.py.gz
In version 3.2 the command ./splunk set server-type forwarder will result in an error.
INSTALLATION
- Right click on the manage_config.py.gz, select "Save Target As" and save the file to your local system
- Copy the new manage_config.py.gz to your Splunk instance's $SPLUNK_HOME/lib/python2.5/site-packages/splunk/clilib/ directory
- Uncompress the file
3.1.4 updated sendemail.py
sendemail.py
Version 3.1.4 included a copy of $SPLUNK_HOME/etc/searchscripts/sendemail.py which prevented email attachments from containing the entire result set as seen when performing the saved search via the UI.
INSTALLATION
- Right click on the sendemail.py link, select "Save Target As" and save the file to your local system
- Copy the new sendemail.py to your Splunk instance's $SPLUNK_HOME/etc/searchscripts/ directory
3.1.4 Dashboard does not render graph
odysseus.js.gz
Version 3.1.4 introduced a bug where certain reports will not render the proper chart or will not load at all. To resolve this issue you will need to update a JavaScript file.
INSTALLATION
- Right click on the odysseus.js.gz link, select "Save Target As" and save the file to your local system
- Copy the file to your Splunk instance's $SPLUNK_HOME/share/splunk/search_oxiclean/static/js/ directory
- Stop splunk
- Navigate to $SPLUNK_HOME/share/splunk/search_oxiclean/static/js/
- Move the odysseus.js to odysseus.js.bak
- Uncompress odysseus.js.gz
- Verify that the new file has the same ownership and permissions as the .bak file
- Start splunk
- Clear the browser cache on all systems that have accessed the dashboard
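The file swap in the steps above (back up, uncompress, match ownership and permissions), as an added shell example that is not part of Splunk's download. The function name replace_static_file is hypothetical, GNU coreutils and gzip are assumed, and Splunk is assumed to be stopped before the call and started after it.

```shell
#!/bin/sh
# Added example, not Splunk's own script. Replaces a static file with the
# contents of NAME.gz, keeps the original as NAME.bak, and copies the
# original's mode and owner onto the new file.
# Assumes GNU coreutils (chmod/chown --reference, stat -c) and gzip.

# replace_static_file DIR NAME
#   DIR  - directory holding NAME and NAME.gz
#   NAME - file to replace, e.g. odysseus.js
replace_static_file() {
    dir=$1
    name=$2
    cur="$dir/$name"
    new_gz="$dir/$name.gz"
    bak="$dir/$name.bak"

    [ -f "$cur" ]    || { echo "missing $cur" >&2; return 1; }
    [ -f "$new_gz" ] || { echo "missing $new_gz" >&2; return 1; }
    # Refuse to clobber a backup left by an earlier run.
    [ ! -e "$bak" ]  || { echo "$bak already exists" >&2; return 1; }
    # Check the archive before touching the live file.
    gzip -t "$new_gz" || { echo "corrupt archive $new_gz" >&2; return 1; }

    mv "$cur" "$bak" || return 1
    if ! gzip -dc "$new_gz" > "$cur"; then
        mv -f "$bak" "$cur"    # roll back to the original file
        return 1
    fi

    # A freshly written file takes the caller's umask and owner, which may
    # differ from what the web server expects; copy both from the backup.
    chmod --reference="$bak" "$cur" || return 1
    chown --reference="$bak" "$cur" || return 1
    rm -f "$new_gz"

    # Succeed only if mode, uid and gid now match the .bak file.
    [ "$(stat -c '%a:%u:%g' "$cur")" = "$(stat -c '%a:%u:%g' "$bak")" ]
}

# Usage, with Splunk stopped:
#   replace_static_file "$SPLUNK_HOME/share/splunk/search_oxiclean/static/js" odysseus.js
```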
Splunk2Nagios Integration
splunk2nagios
This package contains the files to add to your already running Nagios instance. Download the package, run the make file, and customize it for your environment.
OPSEC LEA Integration
FW1-loggrabber
This package contains all the necessary files to create an OPSEC LEA bundle to drop into Splunk 3.0 or later. It functions on Linux and on Solaris with gmake and gcc installed.
INSTALLATION
In the working directory of the uncompressed archive execute
make -f Makefile.linux install
or
make -f Makefile.solaris install
depending on your platform. This will compile and link the necessary objects and create a Splunk bundle in the "lea-bundle" directory. If there are compilation errors, please contact Splunk support.
Once the make command has been successfully executed, copy the lea-bundle directory to your $SPLUNK_HOME/etc/bundles directory. The directory $SPLUNK_HOME/etc/bundles/lea-bundle should exist when this is done.
CONFIGURATION
There are three relevant configuration files in the lea-bundle directory.
Inputs.conf is a Splunk configuration file. See the Splunk documentation for information on how to modify this configuration. The default configuration will place any information from your Checkpoint target in the main index with sourcetype "opsec".
Lea.conf is the file containing connection information between the loggrabber agent and the Checkpoint target. The default configuration contains values for unauthenticated, clear sessions between the loggrabber agent and the Checkpoint target. Documentation for configuring a more secure channel on the loggrabber agent's side is available in the doc directory. Substantial configuration is required on the Checkpoint side. Consult your Checkpoint documentation for that information.
Fw1-loggrabber.conf is the file containing information on how the actual log extraction should behave. Sensible defaults are selected. Do not adjust the LOGGING_CONFIGURATION value from "screen" unless appropriate configuration changes are made to inputs.conf. It is recommended to set SHOW_FIELDNAMES to "yes". This will enable Splunk to more easily operate on the data.
To communicate with more than one Checkpoint target create multiple instances of the bundle in $SPLUNK_HOME/etc/bundles.
Terms and conditions for tools and sample programs
DISCLAIMER OF WARRANTIES
Permission is granted to copy this Tools or Sample code for internal use only, provided that this permission notice and warranty disclaimer appears in all copies.
THIS TOOLS OR SAMPLE CODE IS LICENSED TO YOU AS-IS. SPLUNK, INC. AND ITS SUPPLIERS AND LICENSORS DISCLAIM ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, IN SUCH SAMPLE CODE, INCLUDING THE WARRANTY OF NON-INFRINGEMENT AND THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT WILL SPLUNK, INC. OR ITS LICENSORS OR SUPPLIERS BE LIABLE FOR ANY DAMAGES ARISING OUT OF THE USE OF OR INABILITY TO USE THE TOOLS OR SAMPLE CODE, DISTRIBUTION OF THE TOOLS OR SAMPLE CODE, OR COMBINATION OF THE TOOLS OR SAMPLE CODE WITH ANY OTHER CODE. IN NO EVENT SHALL SPLUNK, INC. OR ITS LICENSORS AND SUPPLIERS BE LIABLE FOR ANY LOST REVENUE, LOST PROFITS OR DATA, OR FOR DIRECT, INDIRECT, SPECIAL, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY, EVEN IF SPLUNK, INC. OR ITS LICENSORS OR SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.