splunkninja

The dojo of Splunk. Learn, share, teach, mentor.

All Blog Posts (14)

Alexander Szoenyi: Install Scenarios for Splunk

Hello, in the forum there are so many questions about installing Splunk in an environment. I have made a PPT for typical scenarios for these questions: Splunk install Scenarios.pdf. I hope it will be useful. Regards, Alexander

Added by Alexander Szoenyi on February 4, 2010 at 1:19am — No Comments

Michael Wilde: Reverse DNS Lookups for Host Entries

When Splunk indexes, by default it is going to take the hostname/IP that exists directly in the logfile entry...

Often, you would like to have the IP address resolved to a hostname, or vice versa. With Splunk 4.0 came a cool feature called "Lookups". Lookups allow for the…

Added by Michael Wilde on December 15, 2009 at 10:41am — No Comments

Dave Jones: Configuring Apache as a reverse proxy to Splunk

My company has a demo VM running WebSphere Portal, and I also put Splunk on that server to help me troubleshoot it remotely much more efficiently. However, the only public traffic allowed into that VM is over ports 80 and 443. That VM already has an instance of Apache (IBM HTTP Server, actually) running, and the WebSphere plugin makes it function as a reverse proxy to WebSphere Application Server. Its configuration handles its own set of URIs, so I needed to make Apache handle the ones for Spl…

Added by Dave Jones on November 16, 2009 at 6:46am — 6 Comments

Michael Wilde: Getting more intelligence on how much data Splunk is eating

As you know, there is a License pane in Splunk Manager (the admin interface) that lets you know your "peak daily volume", and that figure is compared against your license volume (free or enterprise). In the Splunk search app (as of version 4.0.5) there is an "Index Activity" status dashboard (http://yoursplunkserver:8000/en-US/app/search/index_status). It does give you more information, such as:
  • Top five sourcetypes (by total KB indexed) in the last 24 hours
  • In…

Added by Michael Wilde on November 6, 2009 at 8:24am — 1 Comment

Dave Jones: Using the websphere_trlog_sys* source types

Splunk has graciously included the websphere_trlog_sysout and websphere_trlog_syserr source types out of the box. They seem to handle the log entries very well. However, due to the way IBM writes out these logs when they get rolled, you will also need to include the following line in your inputs.conf for your WAS logs: crcSalt = <SOURCE> Otherwise, Splunk will think it has already processed the log and ignore the new ones WebSphere AppServer creates. The Splunk docs describe the crcSalt…

Added by Dave Jones on October 2, 2009 at 11:00am — No Comments

Michael Wilde: Splunk for Blue Coat Proxy SG - Setup help!

Recently, I've seen a number of folks who have been trying to use the Splunk for Blue Coat Proxy SG app and the proxy together so the logs come into Splunk and they are displayed properly in Splunk.

Check out this guide, I hope it helps! Big props go out to SplunkNinja…

Added by Michael Wilde on September 25, 2009 at 1:00pm — No Comments

Kung FuSchnickens: Splunk and SQL Injections - an Introduction

SQL Injections: The Splunk Method for Auditing your Application Security Model. Unless you have had your head in the sand, SQL injections have made a fierce comeback to the top of the threat vector charts this year. According to the WHID (Web Hacking Incidents Database), SQL injection is still king of the attack vectors, accounting for 19 percent of attacks, followed by authentication abuse (11 percent), content spoofing (10 percent), DDoS/brute force (10 percent), configuration/admin er…

Added by Kung FuSchnickens on September 24, 2009 at 7:38am — 1 Comment

Michael Wilde: Splunk Ninja Episode - Fields of Dreams

I spend a great deal of time using, learning and demonstrating Splunk, and recently I had some questions from users on "What can I do with fields?", "How do I make them?", "How do I tweak them?". That inspired me to publish a new Splunk Ninja episode known as "Fields of Dreams". In this episode, Splunk Ninja gives an all-out tour of "fields" in Splunk 4.0: how they work, how to use them, and some tips and tricks as well. The ability for Splunk to handle multiple data formats all in a single search…

Added by Michael Wilde on September 11, 2009 at 7:14am — No Comments

Ben Corbett: Upgraded to 4.0

OK, so I have finally upgraded to version 4.0 and now I am kicking myself that I didn't do it sooner! I mean, I should have known that if someone known as the Splunk Ninja recommends that you upgrade your Splunk install, then you REALLY should listen to him! It would seem that the event segmentation works much better and now it is behaving how I would expect. I must admit that I was getting a little confused with the field allocation seemingly changing all the time, but 4 seems to be solid as a rock.

Added by Ben Corbett on September 4, 2009 at 12:06am — 3 Comments

Ben Corbett: Isilon Logs

Just looking at how to point our Isilon logs at Splunk. As of version 4.7.6 of OneFS, Isilon have implemented the function isi_log_server to specify a remote logging server.

  Usage: isi_log_server COMMAND [ARGUMENTS ...]
  Commands:
    help               Print this help and exit.
    list               List all configured remote servers.
    clear              Clear all configured remote servers.
    add HOST [FILTER]  Add remote logging to hostname HOST. If logging is already configured for HOST, the configuration will be replaced. If…

Added by Ben Corbett on August 28, 2009 at 8:00am — No Comments

Ben Corbett: Installed Splunk a week ago and it's already proving useful

So I initially came across Splunk when seeing a banner ad on a blog site (may have been www.techrepublic.com) and I was inquisitive as to what the hell it was. After passing it over to a colleague to check out, he informed me that it looked really great and we could definitely benefit from implementing it. He set up the server, but for a variety of reasons we never really embraced it. It wasn't until recently that I decided to dive in and check it out. I decided to ditch the VM that we had been u…

Added by Ben Corbett on August 27, 2009 at 10:48am — 2 Comments

Michael Wilde: The Search Cheatsheet (or) Field Conversion with Splunk

I'm working on a challenge with some "sendmail_syslog" data. Those are the logs generated by a sendmail mailer daemon. The log format looks like this:

  Aug 23 11:42:59 splunk3 sendmail[1394]: n7NIgqtH001374: to=spamme@splunkit.com, delay=00:00:04, xdelay=00:00:00, mailer=local, pri=30405, dsn=2.0.0, stat=Sent

When you index this type of data with Splunk it reads it just fine (as it does all text data). Conveniently, the search-time field extraction magic also takes those "key=value" pai…

Added by Michael Wilde on August 23, 2009 at 11:49am — No Comments

Michael Wilde: Applied Splunk: Transaction Search Operator - Linking Events Together

The "|transaction" command is a powerful search operator that allows the linkage of events together into one large "meta-event". Most commonly, events can be linked together by fields they have in common (sendmail messages are linked by their "Queue ID", or qid). In sendmail logs, using the transaction search operator allows an entire mail conversation to be linked together in a single event, resulting in a nice packet of information for each mail message that a mail admin can better work with.…

Added by Michael Wilde on May 15, 2009 at 7:55am — No Comments

Michael Wilde: New version of Splunk Firefox / Flock Toolbar is out!

At last, our good friends at Splunk have updated their toolbar that plugs in to Firefox 3 and Flock 2 (I know it works on Flock, because that's my browser of choice).

What's the toolbar all about? It allows you to do the following:
  1. Search a Splunk server right from the toolbar
  2. View alerts on a Splunk server
  3. Auto-refresh the Splunk server's page you might be on
  4. "Right Mouse -- Search Splunk" functionality on whatever's selected in the browser…

Added by Michael Wilde on May 5, 2009 at 10:22pm — 1 Comment

© 2010   Created by Michael Wilde on Ning.
