Learning, learning, learning . . . Our Splunk "expert" is gone, and the non-programmer gets to learn the task! How do you spell SPLUNK?
The dojo of Splunk. Learn, share, teach, mentor.
Videos
Latest Activity
Michael Wilde commented on Michael Wilde's video
Sure... When you do group mapping, map them to groups that don't have the domain admins in them. I have a separate OU=Groups that has "Splunk Users, Splunk Admins, Splunk Power Users" as group names, and specific users…
Mike Hartford commented on Michael Wilde's video
I want to give LDAP access to my splunk servcie but I don't want the LDAP users to have admin capabilitys in Splunk. Can I keep the domain admins out of Splunk if I have LDAP authentication???
Mike Hartford left a comment for Jonathan Hawes
Helow Jonathan,
Glad to have another Splunker. I've been useing Splunk for 2 years and am hooked. I leared how to spell splunk and | transaction too. you'll learn that one soon.
Go over to Splunk…
Mike Hartford commented on Mike Hartford's blog post 'tees for the holy day'
Holy Batskins Ninja, zzzzzwap zgruppp kapow a hidden stash, how great is that!!!!
The team that found them must have special bat senses and highly tooned Splunking skills
I like to wear Extra Lovable…
Atul Mistry's Discussions
splunk-search.exe process
3 Replies
Can someone tell me what the splunk-search.exe process is doing on a client that is configured for SplunkLightForwarder?I'm noticing that it starts up roughly every 30 seconds, and runs for for about…Continue
Started this discussion. Last reply by Michael Wilde Mar 25, 2010.
Need Help with Automate Archiving
4 Replies
I'm testing out automatic archiving, but i can't seem to get it to work.Here is what i'm doing:i added the following stanza to my etc\system\local\indexes.conf file[main]frozenTimePeriodInSecs = 3600…Continue
Started this discussion. Last reply by Atul Mistry Mar 4, 2010.
Reformatting the message in an WinEventLog:Application event
7 Replies
I have a situation where I need to combine events from an older version of an application with a newer one, while both are live in production. The newer version produces Windows Event log events in…Continue
Started this discussion. Last reply by Michael Wilde Jan 29, 2010.
Atul Mistry's Page
Gifts Received
Atul Mistry has not received any gifts yet
Latest Activity
Michael Wilde replied to Atul Mistry's discussion 'splunk-search.exe process'
Weird. Splunkd.log might contain some evidence of what was going on.
Atul Mistry replied to Atul Mistry's discussion 'splunk-search.exe process'
no saved searches, but I was able to resolve the issue by re-enabling the SplunkLightForwarder.
thanks,
Michael Wilde replied to Atul Mistry's discussion 'splunk-search.exe process'
Check to see if that forwarder has any scheduled searches running and disable them. Some apps have scheduled searches in them.
splunk-search.exe process
Can someone tell me what the splunk-search.exe process is doing on a client that is configured for SplunkLightForwarder?I'm noticing that it starts up roughly every 30 seconds, and runs for for about 2-5 seconds using 80-95% of the cpu during that time.is splunk-search.exe needed when running a SplunkLightForwarder? If it can't be disabled, can is it possible to throttle it back?thanks, See More
Discussion posted by Atul Mistry
Atul Mistry replied to Atul Mistry's discussion 'Need Help with Automate Archiving'
i figured my time span was too short, so i reconfigured the archive settings to one day and hot span to 4 hours:
[main]
frozenTimePeriodInSecs=86400
maxHotSpanSecs=14400
coldToFrozenScript = WindowsCompressedExport.bat "$DIR"
Waited a…
Atul Mistry replied to Atul Mistry's discussion 'Need Help with Automate Archiving'
i'm just using 1 hour for testing purposes. in production we will be using 45 days.
nothing in the splunkd.log jumps out at me. is there a component i should filter or focus in on?
i attached a 2 hour sampling of the splunkd.log.
Michael Wilde replied to Atul Mistry's discussion 'Need Help with Automate Archiving'
Atul...
3600 seconds.. you really only want 1 hour worth of data in your indexer?. Whats splunkd.log saying.. check with this search:
index=_internal source="*splunkd.log"
Atul Mistry replied to Atul Mistry's discussion 'Need Help with Automate Archiving'
i noticed a typo and made the following change.
[main]
frozenTimePeriodInSecs = 3600 coldToFrozenScript = WindowsCompressedExport.bat "$DIR"
and restarted splunk.
still no luck.
is the time period too short? do i need to set a tie…
Need Help with Automate Archiving
I'm testing out automatic archiving, but i can't seem to get it to work.Here is what i'm doing:i added the following stanza to my etc\system\local\indexes.conf file[main]frozenTimePeriodInSecs = 3600 coldToFrozenScript = WindowsCompressedExport.bat %DIR%i placed the WindowsCompressedExport.bat file in C:\Program Files\Splunk\bin (i also put it in C:\Program Files\Splunk\bin\scripts and C:\Program Files\Splunk\etc\system\bin to cover all of the bases)the script i'm using is a version off the…See More
Discussion posted by Atul Mistry
Atul Mistry replied to yanu pratomo's discussion 'take log windows to splunk without forwarder'
If you install the "Windows" app (http://www.splunk.com/apps/windows) on the linux server, you will see the windows specific sources and sourcetypes.
once you do that, splunk may be able to eat the *.evt files properly.
also, you may…
Michael Wilde replied to Atul Mistry's discussion 'Reformatting the message in an WinEventLog:Application event'
WIN!...
Atul Mistry replied to Atul Mistry's discussion 'Reformatting the message in an WinEventLog:Application event'
I found the reason the message was getting split, it was because it exceeds the 10000 default limit. I set the TRUNCATE = 0 and now the message stays together.
now that the messages are not getting split, xmlkv is working like a champ.
thanks for…
Atul Mistry replied to yanu pratomo's discussion 'take log windows to splunk without forwarder'
If you can place the log on a network drive that is accessible by the splunk server you should be able to eat the log without the forwarder.
Michael Wilde replied to Atul Mistry's discussion 'Reformatting the message in an WinEventLog:Application event'
Atul....
Splunk has a scrubber command built in. Dump that stuff to a file, run "/splunk anonymize file -source /path/to/[filename]"
It usually does a pretty good job of getting rid of PHI and other private…
Atul Mistry replied to Atul Mistry's discussion 'Reformatting the message in an WinEventLog:Application event'
unfortunately the events i'm having a problem with have PHI (protected health information), and I can't post it with out some scrubbing. i'll try what you suggested tonight. i'm going to Splunk Live today! If I still can't…
Michael Wilde replied to Atul Mistry's discussion 'Reformatting the message in an WinEventLog:Application event'
upload a sample of those events if you want... but what you will need to do is give Splunk some education on where to break your events.. most of the time its pretty smart, but I like that it lets me take over and tell it what to do when i want…
Profile Information
- Are you an existing splunk user?
- Licensed
- What do you do for your day job?
- Development Architect
Comment Wall
- No comments yet!
© 2012 Created by Michael Wilde.
