The dojo of Splunk. Learn, share, teach, mentor.
Videos
Latest Activity
Michael Wilde replied to Nikita's discussion Count failures and success via transaction"How are these transactions linked together... by a field called "ID"? If so.. just build them with the field ID, and then use one of the MV commands to extract a field with success or failure in it. Paste some samples and…"
Michael Wilde's Discussions
The "I suck at regex" class at Splunk User conference
3 Replies
Started this discussion. Last reply by Phillip Manning Jul 30, 2010.
Splunk 4.0 coming soon
Started Jun 22, 2009
Handling Inputs - Blacklisting
1 Reply
Started this discussion. Last reply by Rob Jahn Apr 1, 2010.
Gifts Received
Michael Wilde has not received any gifts yet
Michael Wilde's Page
Latest Activity
Michael Wilde replied to Nikita's discussion Count failures and success via transaction"How are these transactions linked together... by a field called "ID"? If so.. just build them with the field ID, and then use one of the MV commands to extract a field with success or failure in it. Paste some samples and…"
Michael Wilde replied to Ray Seals's discussion Rex, Regex and Field Extraction Question"Look closely at your capturing group--anything between the parens...
"Called Party Number i" | rex "'\d{5,10}'(?<dialednumber>)"
See how you have the field name "dialednumber" but then immediately…"
Michael Wilde commented on Michael Wilde's video
Splunk Ninja - Basic Training: Splunk & LDAP Authentication
"Sure... When you do group mapping, map them to groups that don't have the domain admins in them. I have a separate OU=Groups that has "Splunk Users, Splunk Admins, Splunk Power Users" as group names, and specific users…"
Splunk Ninja - Basic Training: Splunk & LDAP Authentication
"I want to give LDAP access to my splunk servcie but I don't want the LDAP users to have admin capabilitys in Splunk. Can I keep the domain admins out of Splunk if I have LDAP authentication???"
Michael Wilde commented on Mike Hartford's blog post tees for the holy day"Update... what size were you looking for. Rumor has it there's been a stash uncovered."
Michael Wilde commented on Mike Hartford's blog post tees for the holy day"i checked at Splunk HQ. It looks like batbelt is out of production. If i had one myself, i'd ship it to you... (i'll ask around and see if anyone has one stashed)."
Pero Peric replied to Michael Wilde's discussion New Splunk Taglines""Ohh Splunk! Stop staring at my l(.)(.)gs, you perv!"
:D"
Emmanuel Pleshe replied to Michael Wilde's discussion New Splunk Taglines"So, do you know if there is a way to get the entire list of taglines? I've been poking around the web and can't seem to find one."
Michael Wilde replied to Andi Susanto's discussion Correlation between different source that have different value key"Andi..
How do you know user 00001 is in fact, "joe".. do you have a list somewhere. If you do, you can use a lookup to map userid to a username. You might create a "users.csv" file and upload it in…"
Michael Wilde posted a pageSplunkNinja - Music Broadcast
Whatever Wilde's currently playing on his iTunes.
if (WIDGETBOX) WIDGETBOX.renderWidget('2629fd74-9010-4cb0-a184-c9bcb0f89adb');
Get the MP3 Player widget and many other great free widgets at Widgetbox! Not seeing a widget? (More info)
Michael Wilde replied to Perry's discussion Regex help"Perry... think it out... talk it out.. like this..
a backslash, ( followed by any character that is not a backslash ), followed by a backslash.
I put the parens around the phrase above, because we'll use that as a capturing…"
Profile Information
- Are you an existing splunk user?
- Licensed
- What do you do for your day job?
- Splunk Ninja - currently I work at Splunk as an SE.
- Web / Blog Address
- http://splunkninja.com
Michael Wilde's Videos
Michael Wilde's Blog
Spam problem should be nixed...
Finally Ning let me put a captcha on user signup, so that dang medical spam problem should disappear now. Hey its 2010, and finally i get to control spam... gee thanks Ning..
Posted on June 5, 2010 at 7:39pm
BLOG SPAM - APOLOGIES.. and help?!?!
Sorry about the spam on the blogs. Working with NING to solve that. I'm happy to elevate the privileges of certain users if you'd like to help police the site. Just send me a note!
Posted on April 28, 2010 at 12:26pm
Reverse DNS Lookups for Host Entries
When Splunk indexes, by default is going to take the hostname/ip that exists directly in the logfile entry...
Often, you would like to have the IP address resolved to a hostname, or vice versa. With Splunk 4.0 came a cool feature called "Lookups". Lookups allow for the enrichment of events in Splunk with data from… Continue
Often, you would like to have the IP address resolved to a hostname, or vice versa. With Splunk 4.0 came a cool feature called "Lookups". Lookups allow for the enrichment of events in Splunk with data from… Continue
Posted on December 15, 2009 at 10:41am
Getting more intelligence on how much data splunk is eating.
As you know, there is a License pane in Splunk Manager (admin interface) that lets you know your "peak daily volume", and that figure is compared against your license volume. (free, or enterprise)
In the Splunk search app, (as of version 4.0.5) there is an "Index Activity" status dashboard in the search app (http://yoursplunkserver:8000/en-US/app/search/index_status). It does give you more information such as:
In the Splunk search app, (as of version 4.0.5) there is an "Index Activity" status dashboard in the search app (http://yoursplunkserver:8000/en-US/app/search/index_status). It does give you more information such as:
- Top five sourcetypes (by total KB indexed) in the last…
Posted on November 6, 2009 at 8:24am — 4 Comments
Splunk for Blue Coat Proxy SG - Setup help!
Recently, I've seen a number of folks who have been trying to use the Splunk for Blue Coat Proxy SG app and the proxy together so the logs come in to Splunk and they are displayed properly in Splunk.
Check out this guide, I hope it helps!
Big props go out to SplunkNinja community member and Blue Coat Pre-Sales… Continue
Check out this guide, I hope it helps!
Big props go out to SplunkNinja community member and Blue Coat Pre-Sales… Continue
Posted on September 25, 2009 at 2:00pm — 3 Comments
Comment Wall (9 comments)
- At 11:04pm on May 28, 2009,
Glenn Evans said… - Glad to be here Mr Wilde.
- At 11:04am on June 25, 2009,
Bob Fox said… - that's how I do.
- At 11:08am on July 14, 2009,
Don Faulkner said…
- Thanks for the greeting, Michael. Splunk's an awesome tool.
Looking forward to version 4!
- At 1:33am on August 18, 2009,
Colin Durrant said… - Thanks Michael, I'll came back to you with questions if i need to. I would like to setup email alerting mind you so a how to would be great?
Thanks
Colin.
- At 11:11am on August 18, 2009,
Beth Mills said… - Hi Michael,
Thanks! I'm working with Maverick right now. We're still in the POC stage. I've got a hard sell on my hands as there are certain paradigms I'm trying to get people to look past.
-Beth
- At 9:02pm on March 5, 2010,
Mike Ely said… - Thanks for the welcome, Mike! I like what splunk can do, and only want to understand it better. Fortunately, I'm stubborn ;)
- At 9:42am on March 8, 2010, Bob Osgood said…
- Thanks for the welcome. I am a total beginner at Splunk, but your site is really helpful. I do get the feeling it is geared more to experienced users. Do you know of any "Beginner"?
thanks
Bob
- At 11:15am on April 15, 2011, Garth Jordan said…
- Hey Mike. Watched the Splunk & LDAP Authentication video. Did not work for me. Using Windows 2008 R2. I get 'LDAP-auth': Malformed search filter: objectClass=user. If I leave it out it works fine. Reason for watching the video is that only users that can login are Domain Admin. If they are regular users they can't login. Any suggestions? Is this a Splunk or AD problem? Thanks.
- At 5:01am on April 20, 2011, Garth Jordan said…
- Yeah, that would be great if you could give me access so I can check out the settings. Thanks again.
© 2012 Created by Michael Wilde.
