splunkninja

The dojo of Splunk. Learn, share, teach, mentor.

Michael Wilde
  • Male
  • Dripping Springs, TX
  • United States
Share 
Share on Twitter
Share on Facebook

Michael Wilde's Friends

Michael Wilde's Discussions

Splunk 4.0 coming soon

Started Jun. 22, 2009

Handling Inputs - Blacklisting

Started Jun. 12, 2009

StatsWow - simple things you can do with "stats" - security scenario

Started Jun. 4, 2009

 

Michael Wilde's Page

Gifts Received

Gift

Michael Wilde has not received any gifts yet

Give Michael Wilde a Gift

Latest Activity

Michael Wilde and David Winter are now friends
yesterday
Michael Wilde replied to nicholas Lehman's discussion 'Timestamping is the bane of my existance'
If your script is "post-able".. that'd be great... the "AS/400 question" comes up often and users would like to benefit from your experience.
on Monday
Michael Wilde replied to nicholas Lehman's discussion 'Timestamping is the bane of my existance'
Question for you: How'd you get the logs from the AS/400. Arent they in EBCDIC, if so did you convert them? Whats your strategy for AS/400. Please share. (might even be blog post worthy!)
on Monday
Michael Wilde left a comment for Bob Osgood
on Monday
Bob Osgood left a comment for Michael Wilde
on Monday
Michael Wilde replied to nicholas Lehman's discussion 'Timestamping is the bane of my existance'
You are correct. Monitor a directory will work just fine. I user a single file to answer your challenge. Glad it worked for you!
on Monday
Michael Wilde left a comment for Mike Ely
on Saturday
Michael Wilde replied to nicholas Lehman's discussion 'Timestamping is the bane of my existance'
This will work. First, create a props.conf in an appropriate directory (system level or app level), I'll make mine in $SPLUNK_HOME/etc/system/local/props.conf Add this to it: #my sourcetype will be called "as400" [as400] #I want splunk to bypass…
on Saturday
Mike Ely left a comment for Michael Wilde
on Saturday
Michael Wilde left a comment for April Jimmy
on Saturday
Michael Wilde left a comment for christophe le dorze
on Saturday
Michael Wilde left a comment for Mike Loven
on Saturday
Michael Wilde left a comment for Bob Osgood
on Saturday
Michael Wilde left a comment for Mohamed Elamin
on Saturday
Michael Wilde left a comment for Mike Ely
on Saturday
Michael Wilde replied to nicholas Lehman's discussion 'Timestamping is the bane of my existance'
Nicholas.. can we establish a pattern on what precedes the timestamp... like will it always be some number of digits, followed by a TPW, followed by your date pattern? If so.. this should be easy..
on Saturday

Profile Information

Are you an existing splunk user?
Licensed
What do you do for your day job?
Splunk Ninja - currently I work at Splunk as an SE.
Web / Blog Address
http://splunkninja.com

Michael Wilde's Videos

Michael Wilde's Blog

Michael Wilde

Reverse DNS Lookups for Host Entries

When Splunk indexes, by default is going to take the hostname/ip that exists directly in the logfile entry...



Often, you would like to have the IP address resolved to a hostname, or vice versa. With Splunk 4.0 came a cool feature called "Lookups". Lookups allow for the… Continue

Posted on December 15, 2009 at 10:41am —

Michael Wilde

Getting more intelligence on how much data splunk is eating.

As you know, there is a License pane in Splunk Manager (admin interface) that lets you know your "peak daily volume", and that figure is compared against your license volume. (free, or enterprise)

In the Splunk search app, (as of version 4.0.5) there is an "Index Activity" status dashboard in the search app (http://yoursplunkserver:8000/en-US/app/search/index_status). It does give you more information such as:


  • Top five sourcetypes (by total KB indexed) in the last 24 hours

  • In

Continue

Posted on November 6, 2009 at 8:24am — 1 Comment

Michael Wilde

Splunk for Blue Coat Proxy SG - Setup help!

Recently, I've seen a number of folks who have been trying to use the Splunk for Blue Coat Proxy SG app and the proxy together so the logs come in to Splunk and they are displayed properly in Splunk.




Check out this guide, I hope it helps!

Big props go out to SplunkNinja… Continue

Posted on September 25, 2009 at 1:00pm —

Michael Wilde

Splunk Ninja Episode - Fields of Dreams

I spend a great deal of time using, learning and demonstrating Splunk, and recently I had some questions from users on "what can I do with fields?", "how do i make them?", "how do I tweak them?". That inspired me to publish a new Splunk Ninja episode known as "Fields of Dreams".

In this episode, Splunk Ninja gives an all out tour of "fields" in Splunk 4.0, how they work, how to use them, some tips and tricks as well.

The ability for Splunk to handle multiple data formats all in a single search… Continue

Posted on September 11, 2009 at 7:14am —

Michael Wilde

The Search Cheatsheet (or) Field Conversion with Splunk

I'm working on a challenge with some "sendmail_syslog" data. Those are the logs generated by a sendmail mailer daemon. The log format looks like this:

Aug 23 11:42:59 splunk3 sendmail[1394]: n7NIgqtH001374: to=spamme@splunkit.com,
delay=00:00:04, xdelay=00:00:00, mailer=local, pri=30405, dsn=2.0.0, stat=Sent


When you index this type of data with Splunk it reads it just fine (as it does all text data). Conveniently, the search-time field extraction magic also takes those "key=value" pai… Continue

Posted on August 23, 2009 at 11:49am —

Comment Wall (7 comments)

You need to be a member of splunkninja to add comments!

Join splunkninja

At 9:42am on March 8, 2010, Bob Osgood said…
Thanks for the welcome. I am a total beginner at Splunk, but your site is really helpful. I do get the feeling it is geared more to experienced users. Do you know of any "Beginner"?

thanks
Bob
At 9:02pm on March 5, 2010, Mike Ely said…
Thanks for the welcome, Mike! I like what splunk can do, and only want to understand it better. Fortunately, I'm stubborn ;)
At 10:11am on August 18, 2009, Beth Mills said…
Hi Michael,

Thanks! I'm working with Maverick right now. We're still in the POC stage. I've got a hard sell on my hands as there are certain paradigms I'm trying to get people to look past.

-Beth
At 12:33am on August 18, 2009, Colin Durrant said…
Thanks Michael, I'll came back to you with questions if i need to. I would like to setup email alerting mind you so a how to would be great?

Thanks

Colin.
At 10:08am on July 14, 2009, Don Faulkner said…
Thanks for the greeting, Michael. Splunk's an awesome tool.
Looking forward to version 4!
At 10:04am on June 25, 2009, Bob Fox said…
that's how I do.
At 10:04pm on May 28, 2009, Glenn Evans said…
Glad to be here Mr Wilde.
 
 

About

Michael Wilde Michael Wilde created this Ning Network.
Create a Ning Network! »

Latest Splunk Community Postings

Latest Splunk Forum Posts

Really Basic Syslog Facilities Question

Really Basic Syslog Facilities Question

fail to set up MySQLdb

fail to set up MySQLdb

JSON Formatted Logs

Events

 

© 2010   Created by Michael Wilde on Ning.   Create a Ning Network!

Badges  |  Report an Issue  |  Privacy  |  Terms of Service

Sign in to chat!