Learning, learning, learning . . . Our Splunk "expert" is gone, and the non-programmer gets to learn the task! How do you spell SPLUNK?
The dojo of Splunk. Learn, share, teach, mentor.
Videos
Latest Activity
Michael Wilde commented on Michael Wilde's video
Sure... When you do group mapping, map them to groups that don't have the domain admins in them. I have a separate OU=Groups that has "Splunk Users, Splunk Admins, Splunk Power Users" as group names, and specific users…
Mike Hartford commented on Michael Wilde's video
I want to give LDAP access to my splunk servcie but I don't want the LDAP users to have admin capabilitys in Splunk. Can I keep the domain admins out of Splunk if I have LDAP authentication???
Mike Hartford left a comment for Jonathan Hawes
Helow Jonathan,
Glad to have another Splunker. I've been useing Splunk for 2 years and am hooked. I leared how to spell splunk and | transaction too. you'll learn that one soon.
Go over to Splunk…
Mike Hartford commented on Mike Hartford's blog post 'tees for the holy day'
Holy Batskins Ninja, zzzzzwap zgruppp kapow a hidden stash, how great is that!!!!
The team that found them must have special bat senses and highly tooned Splunking skills
I like to wear Extra Lovable…
Andi Susanto's Discussions
Correlation between different source that have different value key
1 Reply
Hi,I have difficulties on using search to correlate these two events from two different sourcetype.For example (this is not a real production events, but I will use to describe my minds)First event…Continue
Tags: correlation
Started this discussion. Last reply by Michael Wilde Nov 3, 2011.
Splunk read the Domino NSF file log
1 Reply
Hi,Can someone share about how to integrate Splunk with Domino?I need Splunk to reach the message log in domino format ( .NSF ) in realtime method; i mean, no manual activity, like manually…Continue
Started this discussion. Last reply by Michael Wilde Feb 11, 2010.
Splunk as NMS
Hi all,Do you have Splunk app that modified as NMS? User can monitor network activity by Splunk. For Monitoring network trafic, like ManageEngine OpManager or Net-flowThanks for sharingContinue
Started Feb 9, 2010
Splunk for Squid
Hi All,Do you have :Splunk for Squid ; for monitoring all proxy activity (top user, top website, etc)Please be kind to share with me :) ThanksContinue
Started Feb 9, 2010
Andi Susanto's Page
Gifts Received
Andi Susanto has not received any gifts yet
Latest Activity
Michael Wilde replied to Andi Susanto's discussion 'Correlation between different source that have different value key'
Andi..
How do you know user 00001 is in fact, "joe".. do you have a list somewhere. If you do, you can use a lookup to map userid to a username. You might create a "users.csv" file and upload it in…
Correlation between different source that have different value key
Hi,I have difficulties on using search to correlate these two events from two different sourcetype.For example (this is not a real production events, but I will use to describe my minds)First event get from ssl vpn log:Sourcetype=vpn user_id=00001 action=allow login_time=10-10-2011 11:22:05 logout_time=12-10-2011 src_ip=222.232.10.11Second event get from data center access door log:Sourcetype=door user=joe action=allow access_time=10-oct-2011 11:23:00 logout_time=10-oct-2011 14:55:20 For this…See More
Discussion posted by Andi Susanto
Andi Susanto replied to Agus Budi Harto's discussion 'Splunk Monitoring not Working'
I have same problem too....
maybe about time problem.
anybody can help?
Andi Susanto replied to Andi Susanto's discussion 'Splunk with SCOM'
I use SCOM R2.
I think about using script to mining data from SCOM database (MSSQL Server) and get the specific table that SCOM use to record the log or data about servers it manage, but not to sure if this can done, since i don't know exactly…
Kung FuSchnickens replied to Andi Susanto's discussion 'Splunk with SCOM'
I don't know customers who are pulling SCOM alert data into Splunk specifically, but I am familiar with other customers writing a file as an output which is then ingested by SCOM as one way. This won't persist alert data however. A second…
Michael Wilde replied to Andi Susanto's discussion 'HDD full issue for indexing'
Mirroring the database while its being written to wouldn't make sense, however you can have events cloned to backup Splunk server at index time. That has worked for three years.
Michael Wilde replied to Andi Susanto's discussion 'Splunk read the Domino NSF file log'
Andi..
Since an NSF file is a binary database, what you might consider doing is taking the console log and sending it to a text file:
Enable the Console Log via notes.ini (CONSOLE_LOG_ENABLED=1) or from the server console (start consolelog). You…
Andi Susanto replied to Andi Susanto's discussion 'HDD full issue for indexing'
Oh, i see...it clear now...but i think mirroring will be a good feature too in Splunk :)
thanks.
Michael Wilde replied to Andi Susanto's discussion 'HDD full issue for indexing'
No. In that case, you might want to consider using a forwarder using splunk's AutoLB (auto load balancing), to send to randomly available Splunk servers and use distributed search (a Licensed feature)
Andi Susanto replied to Andi Susanto's discussion 'Splunk with SCOM'
Any answer for this topic?
Andi Susanto replied to Andi Susanto's discussion 'HDD full issue for indexing'
Hi, thanks for responses
for number 1 question, can Splunk set to "automatically" index data to another place when the default storage full? example, in normal condition, Splunk sets to index at C:\Program Files\Splunk\Database\mydb ;…
Michael Wilde replied to Andi Susanto's discussion 'HDD full issue for indexing'
1. A single Splunk index sits in a directory path. If you wanted to move Splunk's entire data store (All indexes), to a different Hard drive. Stop Splunk. Move the $SPLUNK_HOME/var/lib/splunk directory to another location. Edit the…
Andi Susanto replied to Andi Susanto's discussion 'HDD full issue for indexing'
Thanks for your explanation...
but i have one more question :)
1. when the HDD full, Splunk will stop indexing; How to tell Splunk to index data to another place (for example, to other PC in network or maybe to another HDD partition) ?.
2. if i…
Michael Wilde replied to Andi Susanto's discussion 'HDD full issue for indexing'
Retention Policy in splunk can be set on a per index basis, determined by the age of the data, or the size of the index (or i believe a combination of both).
Most users store their data in the default index, known as "main"
To change the…
HDD full issue for indexing
Hi,I wanna ask about indexing.For Example, if I have 10 GB HDD, and have Splunk 500 MB license; I set the max free space for Splunk to stop indexing when the free space of HDD is 2 GB (2000 MB) -- set from Manager - System Settings. If one day, the free HDD space is 2GB, Splunk will pause to index.For my scenario,Let say the administrator never monitor the space for unknown reasons... :)How about the new data? they may not indexed by Splunk and return to device, and because the device has…See More
Discussion posted by Andi Susanto
Profile Information
- Are you an existing splunk user?
- Free
- What do you do for your day job?
- System Engineer
Comment Wall
- No comments yet!
© 2012 Created by Michael Wilde.
