Back to the Blog

Splunk lost its keys

Posted by Kate Engel on Friday, August 2, 2013 - 14:55 Operational Intelligence Splunk, Splunk DeploymentServer

You have a working Splunk environment, and decide to utilize the deployment server functionality to make the deployment of apps and management of configuration files easier.

You start by setting up the serverclass.conf file for the forwarder as the following:

[global]
continueMatching = true
whitelist.0 = *
restartSplunkd = false
[serverClass:forwarder_serverclass]
whitelist.0 = *spkfwd*
[serverClass:forwarder_serverclass:app:forwarder_inputs]
[serverClass:forwarder_serverclass:app:forwarder_outputs]

 

Next, you set up the deploymentclient.conf on the...

read more

Splunk App for Enterprise Security and PCI Compliance Correlation Search Drill-downs

Posted by Anshu Rastogi on Monday, July 15, 2013 - 12:44 Operational Intelligence correlation searches, drill-down, Enterprise Security, PCI, Splunk, time range

Introduction

Welcome! In this post we'll talk about time ranges in correlation search drill-downs in two apps, the Splunk App for Enterprise Security (ES) and The Splunk App for PCI Compliance (PCI).

Correlation Searches and Drilling Down

Okay, so what exactly are we talking about regarding correlation searches and drilling-down? ...

read more

Splunk, Where's my Props?!

Posted by Neena Bhutiani on Tuesday, May 21, 2013 - 13:48 Operational Intelligence, Best Practices Best Practices, Data Inputs, Splunk

Here’s the scenario. You find the perfect app for your data. You onboard the data, configure all your files, look through all your dashboards to finally see the views you have been waiting for. Then your greatest fear is realized, your dashboards are not working! You trouble shoot the searches in your dashboards and the fields that are needed for this search do not exist. Where are your field extractions?

Once you see that everything seems to be configured right on your app, you go through the TA apps you installed to make sure everything is working together. Everything seems to be...

read more

Troubleshooting the Splunk App for Enterprise Security

Posted by Anshu Rastogi on Tuesday, May 7, 2013 - 16:29 Data Security, Operational Intelligence Security, Splunk

Intro

Welcome Splunkers! In this post, I'd like to talk about an issue I encountered recently when working on a Splunk App for Enterprise Security v2.2.1 (ES app) deployment and the approach I took in troubleshooting it. But before getting started, I'd like to congratulate Splunk and their Security Products team for winning the SC Magazine Award for "Best Security Information/Event Management (SIEM) Solution." Cheers to a job well done!

Initial Installation

As per...

read more

Taking a closer look

Posted by Ridwan Ahmed on Friday, May 3, 2013 - 15:00 Operational Intelligence search, Splunk

Ever have a well-formed search on Splunk that is running too slowly?  Of course, they can always go faster, but there are times when it really just seems like something is holding back your search speed. That leaves you wondering where in the chain of information transfer is the problem, really? And just when you're about to throw your arms up in despair: don't worry, job inspector is here!

The job inspector is one of those tools that Splunk provides which are often overlooked because of the plethora of other better-known tools. A quick glance at so many details in one...
read more

Passing Time

Posted by Rupak Pandya on Thursday, April 4, 2013 - 13:00 Operational Intelligence, Best Practices Best Practices, Big data, Machine data, props.conf, Splunk, Web Analytics, XML

System monitoring dashboards are something we are often asked to provide for our clients. Normally, this is a pretty straight forward task, but on a recent client engagement, I was presented with one requirement that was a bit out of the ordinary. This client was looking to monitor a set of ten desktops with a real-time dashboard that would display in their office. They wanted to see all of the standard metrics like cpu, memory, and disk. If there was a spike in a time chart for say % CPU Usage, they wanted to be able to click on the spike and drill down into another view. They wanted the...

read more

Simulating Data with the Splunk Event Generator

Posted by Kevin Chu on Friday, February 22, 2013 - 13:29 Operational Intelligence, Cool Tools, Development Cool Tools, Data Inputs, Development, Event Generator, eventgen, Splunk

While installing a new app to your Splunk search head can usually be considered a rather benign action, sometimes the introduction of a TA on your forwarders and indexers requires more attention.  This is commonly the case, especially if your production environment is guarded by change control.   The problem is that without the data generated by those inputs your newly installed app may not display properly, and without seeing your new app’s dashboards populated with data, you may not be able to conclude how useful it really is.  I suppose deploying a fully mirrored “dev” environment to...

read more

Getting a Pulse on Your System: How to Build a System Health Indicator in Splunk

Posted by Anshu Rastogi on Friday, February 1, 2013 - 15:28 Operational Intelligence, Development Dashboards, query, search, singlevalue, Splunk

Welcome Splunkers!  I hope everyone is having a great New Year.  We certainly are, here at Function1.  We just publicly released a beta version of our Splunk for Oracle WebLogic Server app to Splunkbase  as mentioned in a recent post.  As part of the Splunk products team at Function1, I'm always looking at new ideas and approaches in Splunk app development.  As Splunk apps become more robust, they will...

read more

WebLogic + Splunk = Splunk for Oracle WebLogic Server

Posted by Sandeep Khaneja on Tuesday, January 29, 2013 - 17:55 Operational Intelligence, Cool Tools Oracle WebLogic Server, Splunk

As many of you know, from our website and blogs, we Function1-ers provide world-class consulting services for a few Oracle enterprise products as well as Splunk. Having this unique blend of experience on the Function1 team, we often try to experiment with new ideas that would be helpful to both sets of clients. One such experiment has yielded our new 1.0 Beta release of the Splunk for Oracle WebLogic Server app....

read more

OH NO!! Splunking log files with multiple formats?? No problem!

Posted by Rupak Pandya on Thursday, January 24, 2013 - 14:07 Operational Intelligence, Best Practices Big data, Data Inputs, Machine data, props.conf, Splunk, Timestamps, Web Analytics

I was recently at a client site  for a two-week engagement assisting them with ramping up their Splunk installation, and I came across something particularly interesting. One of the log files the client wanted to index in Splunk contained four different log formats with four different timestamps. Take a look at a sample of the log:
Stay In Touch