Hello,

In the Forum are so many questions about installing Splunk in a environment.
I have make a PPT for typical Scenarios for this questions.

Splunk install Scenarios.pdf

I hope it will be usefull.

regards Alexander

When Splunk indexes, by default is going to take the hostname/ip that exists directly in the logfile entry...

Often, you would like to have the IP address resolved to a hostname, or vice versa. With Splunk 4.0 came a cool feature called "Lookups". Lookups allow for the… Continue

My company has a demo VM running WebSphere Portal, and I also put Splunk on that server to help me troubleshoot it remotely much more efficiently. However, the only public traffic allowed into that VM is over ports 80 and 443.

That VM already has an instance of Apache (IBM HTTP Server actually) running, and the WebSphere plugin makes it function as a reverse proxy to WebSphere Application Server. It's configuration handles it's own set of URIs, so I needed to make Apache handle the ones for Spl… Continue

As you know, there is a License pane in Splunk Manager (admin interface) that lets you know your "peak daily volume", and that figure is compared against your license volume. (free, or enterprise)

In the Splunk search app, (as of version 4.0.5) there is an "Index Activity" status dashboard in the search app (http://yoursplunkserver:8000/en-US/app/search/index_status). It does give you more information such as:

• Top five sourcetypes (by total KB indexed) in the last 24 hours


• In

… Continue

Splunk has graciously included the websphere_trlog_sysout and websphere_trlog_syserr source types out of the box. They seem to handle the log entries very well.

However, due to the way IBM writes out these logs when they get rolled, you will also need to include the following line in your inputs.conf for your WAS logs:

crcSalt = <SOURCE>

Otherwise, Splunk will think it has already processed the log and ignore the new ones WebSphere AppServer creates. The Splunk docs describe the crcSalt… Continue