The dojo of Splunk. Learn, share, teach, mentor.

Andi Susanto Jakarta Indonesia: Share; Share on Twitter; Share on Facebook

Blog Posts
Discussions (17)
Events
Groups
Videos

Andi Susanto's Apps (1)

Andi Susanto's Discussions

Splunk read the Domino NSF file log
1 Reply

Hi, Can someone share about how to integrate Splunk with Domino? I need Splunk to reach the message log in domino format ( .NSF ) in realtime method; i mean, no manual activity, like manually conve…

Started this discussion. Last reply by Michael Wilde Feb 11.

Splunk as NMS

Hi all,Do you have Splunk app that modified as NMS? User can monitor network activity by Splunk. For Monitoring network trafic, like ManageEngine OpManager or Net-flowThanks for sharing

Started Feb 9

Splunk for Squid

Hi All,Do you have :Splunk for Squid ; for monitoring all proxy activity (top user, top website, etc)Please be kind to share with me :) Thanks

Started Feb 9

HDD full issue for indexing
7 Replies

Hi,I wanna ask about indexing.For Example, if I have 10 GB HDD, and have Splunk 500 MB license; I set the max free space for Splunk to stop indexing when the free space of HDD is 2 GB (2000 MB) -- se…

Started this discussion. Last reply by Michael Wilde Feb 11.

View All

Andi Susanto's Page

Gifts Received

Andi Susanto has not received any gifts yet

Give Andi Susanto a Gift

Latest Activity

Andi Susanto replied to Andi Susanto's discussion 'Splunk with SCOM'

I use SCOM R2. I think about using script to mining data from SCOM database (MSSQL Server) and get the specific table that SCOM use to record the log or data about servers it manage, but not to sure if this can done, since i don't know exactly how t…

March 3

Kung FuSchnickens replied to Andi Susanto's discussion 'Splunk with SCOM'

I don't know customers who are pulling SCOM alert data into Splunk specifically, but I am familiar with other customers writing a file as an output which is then ingested by SCOM as one way. This won't persist alert data however. A second way, and o…

March 3

Michael Wilde replied to Andi Susanto's discussion 'HDD full issue for indexing'

Mirroring the database while its being written to wouldn't make sense, however you can have events cloned to backup Splunk server at index time. That has worked for three years.

February 10

Michael Wilde replied to Andi Susanto's discussion 'Splunk read the Domino NSF file log'

Andi.. Since an NSF file is a binary database, what you might consider doing is taking the console log and sending it to a text file: Enable the Console Log via notes.ini (CONSOLE_LOG_ENABLED=1) or from the server console (start consolelog). You c…

February 10

Andi Susanto added 3 discussions

February 10

Andi Susanto replied to Andi Susanto's discussion 'HDD full issue for indexing'

Oh, i see...it clear now...but i think mirroring will be a good feature too in Splunk :) thanks.

February 8

Michael Wilde replied to Andi Susanto's discussion 'HDD full issue for indexing'

No. In that case, you might want to consider using a forwarder using splunk's AutoLB (auto load balancing), to send to randomly available Splunk servers and use distributed search (a Licensed feature)

February 8

Andi Susanto replied to Andi Susanto's discussion 'Splunk with SCOM'

Any answer for this topic?

February 8

Andi Susanto replied to Andi Susanto's discussion 'HDD full issue for indexing'

Hi, thanks for responses for number 1 question, can Splunk set to "automatically" index data to another place when the default storage full? example, in normal condition, Splunk sets to index at C:\Program Files\Splunk\Database\mydb ; when drive C…

February 8

Michael Wilde replied to Andi Susanto's discussion 'HDD full issue for indexing'

1. A single Splunk index sits in a directory path. If you wanted to move Splunk's entire data store (All indexes), to a different Hard drive. Stop Splunk. Move the $SPLUNK_HOME/var/lib/splunk directory to another location. Edit the $SPLUNK_HOME/etc/…

February 7

Andi Susanto replied to Andi Susanto's discussion 'HDD full issue for indexing'

Thanks for your explanation... but i have one more question :) 1. when the HDD full, Splunk will stop indexing; How to tell Splunk to index data to another place (for example, to other PC in network or maybe to another HDD partition) ?. 2. if i s…

February 7

Michael Wilde replied to Andi Susanto's discussion 'HDD full issue for indexing'

Retention Policy in splunk can be set on a per index basis, determined by the age of the data, or the size of the index (or i believe a combination of both). Most users store their data in the default index, known as "main" To change the retention…

February 7

Andi Susanto added a discussion

HDD full issue for indexing

February 4

Andi Susanto replied to yanu pratomo's discussion 'take log windows to splunk without forwarder'

Hi, 1. Ok, clear.. 2. Thx. 3. It's hard to say to them, because the never want to install anything on their operational server. But I'll try... 4. I worry about this, because the POC has already running for 2 weeks, and if i suggest to change th…

February 4

Andi Susanto replied to Andi Susanto's discussion 'Splunk with SCOM'

Hi Michael, thanks for reply, we need to pull all the event data directly from SCOM. Our client have many server that monitored by SCOM They really want to use Splunk to get the all server data that had pulled by SCOM. They want to combine, not…

February 4

Michael Wilde replied to Andi Susanto's discussion 'Splunk with SCOM'

Andi... Is your hope to pull all the event data directly from SCOM? Or are do you just need to get eventlogs from each server?

February 4