splunkninja

The dojo of Splunk. Learn, share, teach, mentor.

Michael Wilde
  • Male
  • Dripping Springs, TX
  • United States

Michael Wilde's Discussions

The "I suck at regex" class at Splunk User conference
1 Reply

Started this discussion. Last reply by Mark Sleeper Jul 26.

Splunk 4.0 coming soon

Started Jun. 22, 2009

Handling Inputs - Blacklisting
1 Reply

Started this discussion. Last reply by Rob Jahn Apr 1.

 

Michael Wilde's Page

Latest Activity

Hi Michael, I tried to respond to this already and I'm not sure it went through, so if this is a repeat please forgive. I have been using Splunk for a little while and have written a few scripts using regex to make it automate some reports. I would…
on Monday
June 28
Michael Wilde is attending Erin Sweeney's event
August 9, 2010 at 8am to August 11, 2010 at 5pm
It's only your first time once... Be there for the first Splunk Worldwide Users' Conference. Register today: http://www.splunk.com/goto/conference
June 28
Duh.. why didn't I think of posting that. Wilde = tarded.
June 28
Have you considered using " | makemv" to turn that event into a multi-value field, so you end up with a=1 a=2 b=2 b=2 and then do an | eval a = a+a | eval b = b + b
June 28
Michael Wilde added a discussion
I'm planning on doing a really fun regex class during Splunk's user conference.... the premise is: Some people out there don't think this class should happen.  So if it was off the schedule, and I held it on my own time in a Suite at the Palace Hote…
June 28
Michael Wilde added a blog post
Finally Ning let me put a captcha on user signup, so that dang medical spam problem should disappear now. Hey it's 2010, and finally I get to control spam... gee thanks Ning..
June 5
Thanks for the info. My customer wants to set up an SSL connection so when I get it working, I'll send an update.
May 1
Bob. This is actually not syslog. While it is TCP, it's a push into Splunk. My friend at BlueCoat helped me set up this method as he said BC isn't that great at syslogging. If you know otherwise let me know and we'll update the guide.
April 29
Two questions. 1 As it is this just seems to be setting up syslog on a new port. What do we gain over using 514? 2 Would it be easy to secure this with SSL?
April 29
Michael Wilde added a blog post
Sorry about the spam on the blogs. Working with NING to solve that. I'm happy to elevate the privileges of certain users if you'd like to help police the site. Just send me a note!
April 28
Steve... If you want to alert on the actual violation, so you know when it happens, this search should work. Maybe run that search every day and alert if number of events are greater than zero. index=_internal source=*license_audit.log LicenseMana…
April 18
Tony... you should be able to just add "useother=f" to your timechart command.
April 18
I have been trying to figure out how to create an alert that would notify me when I have exceeded my license limit. I have a saved search that reports on license usage, but in setting up the search, I am not sure what value to alert on (i.e. what i…
April 13
James' question is answered over here. http://splunkninja.com/forum/topics/need-regex-help-please
April 6
That's pretty sweet... I like that idea of limiting it to between one and three characters. I've seen some other ones that limit it to the actual possible digits in an IP... I'm still trying to understand the cryptic nature of them. (([2]([0-4][0-9]|…
April 6

Profile Information

Are you an existing splunk user?
Licensed
What do you do for your day job?
Splunk Ninja - currently I work at Splunk as an SE.
Web / Blog Address
http://splunkninja.com

Michael Wilde's Blog

Michael Wilde

Spam problem should be nixed...

Finally Ning let me put a captcha on user signup, so that dang medical spam problem should disappear now. Hey it's 2010, and finally I get to control spam... gee thanks Ning..

Posted on June 5, 2010 at 6:39pm

Michael Wilde

BLOG SPAM - APOLOGIES.. and help?!?!

Sorry about the spam on the blogs. Working with NING to solve that. I'm happy to elevate the privileges of certain users if you'd like to help police the site. Just send me a note!

Posted on April 28, 2010 at 11:26am

Michael Wilde

Reverse DNS Lookups for Host Entries

When Splunk indexes, by default it is going to take the hostname/IP that exists directly in the logfile entry...



Often, you would like to have the IP address resolved to a hostname, or vice versa. With Splunk 4.0 came a cool feature called "Lookups". Lookups allow for the… Continue

Posted on December 15, 2009 at 10:41am

Michael Wilde

Getting more intelligence on how much data splunk is eating.

As you know, there is a License pane in Splunk Manager (admin interface) that lets you know your "peak daily volume", and that figure is compared against your license volume (free or enterprise).

As of version 4.0.5, the Splunk search app includes an "Index Activity" status dashboard (http://yoursplunkserver:8000/en-US/app/search/index_status). It gives you more information, such as:


  • Top five sourcetypes (by total KB indexed) in the last 24 hours

  • In

Continue

Posted on November 6, 2009 at 8:24am — 4 Comments

Michael Wilde

Splunk for Blue Coat Proxy SG - Setup help!

Recently, I've seen a number of folks who have been trying to use the Splunk for Blue Coat Proxy SG app and the proxy together so the logs come in to Splunk and they are displayed properly in Splunk.




Check out this guide, I hope it helps!

Big props go out to SplunkNinja… Continue

Posted on September 25, 2009 at 1:00pm — 3 Comments

Comment Wall (7 comments)

At 9:42am on March 8, 2010, Bob Osgood said…
Thanks for the welcome. I am a total beginner at Splunk, but your site is really helpful. I do get the feeling it is geared more to experienced users. Do you know of any "Beginner"?

thanks
Bob
At 9:02pm on March 5, 2010, Mike Ely said…
Thanks for the welcome, Mike! I like what splunk can do, and only want to understand it better. Fortunately, I'm stubborn ;)
At 10:11am on August 18, 2009, Beth Mills said…
Hi Michael,

Thanks! I'm working with Maverick right now. We're still in the POC stage. I've got a hard sell on my hands as there are certain paradigms I'm trying to get people to look past.

-Beth
At 12:33am on August 18, 2009, Colin Durrant said…
Thanks Michael, I'll come back to you with questions if I need to. I would like to set up email alerting mind you so a how-to would be great?

Thanks

Colin.
At 10:08am on July 14, 2009, Don Faulkner said…
Thanks for the greeting, Michael. Splunk's an awesome tool.
Looking forward to version 4!
At 10:04am on June 25, 2009, Bob Fox said…
that's how I do.
At 10:04pm on May 28, 2009, Glenn Evans said…
Glad to be here Mr Wilde.
 
 
 

© 2010   Created by Michael Wilde.