Back to the Blog

Using HTTP with a HTTPS Proxy Forwarder in Splunk

Posted by Kate Engel on Monday, October 28, 2013 - 14:32 Operational Intelligence Salesforce, Splunk, Splunk Indexer, TA-SFDC

I recently ran into an issue  with the Splunk Forwarder and found that we can solve it with a simple python script udpate.  This is applicable to the Salesforce app for Splunk, but could be applicable to other use cases as well.

Here, the requirement was to install the Salesforce TA into Splunk and configure the TA to pull data from Salesforce into Splunk. After downloading the TA and enabling the necessary inputs from Salesforce, I checked Splunk for data…nothing.

Why isn’t the Salesforce data coming into Splunk??

Next, I went to the internal logs in Splunk by...

read more

Off the beaten path - Splunk search head pooling without search head pooling?? Its possible...

Posted by Rupak Pandya on Tuesday, September 10, 2013 - 12:48 Operational Intelligence Big data, job server, performance, pooling, rsync, Search Head Pooling, Splunk

Recently I was working with a client that was Splunk savvy and they wanted to try to implement something that was, what I would consider, off the beaten path.

Here is the challenge:  

This client was looking for a way to be able to take advantage of having multiple search heads for high resource availability and resiliency, without taking a hit on performance. One approach to go about providing high availability and resiliency of search heads is to use a Splunk feature called...

read more

Think small, search faster

Posted by Ridwan Ahmed on Monday, August 19, 2013 - 15:03 Operational Intelligence search, speed, Splunk, tsidx

Compared to a few years ago, it is almost unbelievable that we are able to sift the amount of data we can, and the speed with which we can do it. But like the fast cars we drive today that are much faster than similar cars of yesteryear, we get used to the speed we have, and soon wonder: “can it go faster?”

Yes, but with some conditions.

Like Turbocharging, Supercharging, and enlarging the displacement in cars-- all valid ways to make a fast car go faster, --in Splunk there is Report Acceleration, Summary Indexing, and searching tsidx files.  Each has its own benefits and...

read more

Splunk lost its keys

Posted by Kate Engel on Friday, August 2, 2013 - 14:55 Operational Intelligence Splunk, Splunk DeploymentServer

You have a working Splunk environment, and decide to utilize the deployment server functionality to make the deployment of apps and management of configuration files easier.

You start by setting up the serverclass.conf file for the forwarder as the following:

[global]
continueMatching = true
whitelist.0 = *
restartSplunkd = false
[serverClass:forwarder_serverclass]
whitelist.0 = *spkfwd*
[serverClass:forwarder_serverclass:app:forwarder_inputs]
[serverClass:forwarder_serverclass:app:forwarder_outputs]

 

Next, you set up the deploymentclient.conf on the...

read more

Splunk App for Enterprise Security and PCI Compliance Correlation Search Drill-downs

Posted by Anshu Rastogi on Monday, July 15, 2013 - 12:44 Operational Intelligence correlation searches, drill-down, Enterprise Security, PCI, Splunk, time range

Introduction

Welcome! In this post we'll talk about time ranges in correlation search drill-downs in two apps, the Splunk App for Enterprise Security (ES) and The Splunk App for PCI Compliance (PCI).

Correlation Searches and Drilling Down

Okay, so what exactly are we talking about regarding correlation searches and drilling-down? ...

read more

Splunk, Where's my Props?!

Posted by Neena Bhutiani on Tuesday, May 21, 2013 - 13:48 Operational Intelligence, Best Practices Best Practices, Data Inputs, Splunk

Here’s the scenario. You find the perfect app for your data. You onboard the data, configure all your files, look through all your dashboards to finally see the views you have been waiting for. Then your greatest fear is realized, your dashboards are not working! You trouble shoot the searches in your dashboards and the fields that are needed for this search do not exist. Where are your field extractions?

Once you see that everything seems to be configured right on your app, you go through the TA apps you installed to make sure everything is working together. Everything seems to be...

read more

Troubleshooting the Splunk App for Enterprise Security

Posted by Anshu Rastogi on Tuesday, May 7, 2013 - 16:29 Data Security, Operational Intelligence Security, Splunk

Intro

Welcome Splunkers! In this post, I'd like to talk about an issue I encountered recently when working on a Splunk App for Enterprise Security v2.2.1 (ES app) deployment and the approach I took in troubleshooting it. But before getting started, I'd like to congratulate Splunk and their Security Products team for winning the SC Magazine Award for "Best Security Information/Event Management (SIEM) Solution." Cheers to a job well done!

Initial Installation

As per...

read more

Taking a closer look

Posted by Ridwan Ahmed on Friday, May 3, 2013 - 15:00 Operational Intelligence search, Splunk

Ever have a well-formed search on Splunk that is running too slowly?  Of course, they can always go faster, but there are times when it really just seems like something is holding back your search speed. That leaves you wondering where in the chain of information transfer is the problem, really? And just when you're about to throw your arms up in despair: don't worry, job inspector is here!

The job inspector is one of those tools that Splunk provides which are often overlooked because of the plethora of other better-known tools. A quick glance at so many details in one...
read more

Passing Time

Posted by Rupak Pandya on Thursday, April 4, 2013 - 13:00 Operational Intelligence, Best Practices Best Practices, Big data, Machine data, props.conf, Splunk, Web Analytics, XML

System monitoring dashboards are something we are often asked to provide for our clients. Normally, this is a pretty straight forward task, but on a recent client engagement, I was presented with one requirement that was a bit out of the ordinary. This client was looking to monitor a set of ten desktops with a real-time dashboard that would display in their office. They wanted to see all of the standard metrics like cpu, memory, and disk. If there was a spike in a time chart for say % CPU Usage, they wanted to be able to click on the spike and drill down into another view. They wanted the...

read more
Stay In Touch