Questions tagged [splunk]
Splunk is a tool for collecting, monitoring, and analyzing log files from servers, applications, or other sources.
76 questions
75 votes, 16 answers, 62k views
Alternatives to Splunk?
I'm pretty impressed with Splunk, especially version 4. Pretty graphs, alerting (Enterprise only), and fast, accurate, searching. It's a great product.
However, the cost is just way too high to consider ...
49 votes, 2 answers, 99k views
Splunk is fantastically expensive: What are the alternatives? [duplicate]
Possible Duplicate:
Alternatives to Splunk?
This has been discussed, but it has been several months, so it may be time to revisit it:
Earlier discussion RE Splunk alternatives
For the record, ...
18 votes, 4 answers, 3k views
Monitoring production server [closed]
We have 3 dedicated servers, split into several VPS using OpenVZ.
We're using munin to monitor the VPS with the production sites, and monit on some of the VPS to make sure it restarts the service ...
13 votes, 4 answers, 5k views
Thoughts on Free Splunk
I am considering implementing Splunk at my company but am leery about the financial investment. I noticed there is a free version of Splunk that seems to be good enough.
Can anyone tell me if you are ...
12 votes, 6 answers, 6k views
Is anybody using Splunk in a large-scale production environment? [closed]
I've been watching the videos at splunk.com and really it's hard to believe that one can get all those features for free, there's still that "where's the catch?" in the back of my head.
So it'd be ...
7 votes, 5 answers, 3k views
Would you use Splunk?
I'm watching the video at http://www.splunk.com and as someone who is newer to IT management this seems like a great solution to get me started. But I have concerns. I just moved from cPanel and I ...
5 votes, 2 answers, 3k views
Splunk UniversalForwarder fails with " DetermineContextForAllProducts failed witht: 0x65b"
I am attempting to deploy the Splunk UniversalForwarder as an SCCM application using an MSI Deployment Type to a small group of testing servers and am encountering an uncharacteristically confusing ...
3 votes, 1 answer, 2k views
Splunk File & Directory Data Inputs
I've installed Splunk (4.1.5 (85165) on Windows) and have uploaded some logs without any issues.
I now want to monitor a linux server, but I'm having problems adding the datasource and always get the ...
3 votes, 1 answer, 1k views
Using the Augeas INI lens without a header
I am using the IniFile module with augeas to create a Splunk management lens. This works well for all files containing section headers like a normal INI file but there are a couple files that don't ...
3 votes, 5 answers, 2k views
Thoughts on real-time web analytics
We have a few web servers and I am planning to create a dashboard to show the real-time stats: IP address, geo-location and other custom data based on database lookups. Splunk sort of fits perfectly but ...
2 votes, 4 answers, 2k views
Using Puppet to incrementally add lines to a file, from multiple classes
I am trying to use Puppet to automatically configure Splunk monitoring. This involves adding a list of file paths to a Splunk configuration file (inputs.conf).
Each role (webserver, db, etc.) in our ...
2 votes, 3 answers, 315 views
Any QUICK hints for starting off with Splunk
Just downloaded a trial of Splunk, and am thinking of using it to monitor a Windows server base, with the associated apps, e.g.:
o Windows event logs / WMI queries (for Windows O/S, SQL Server, ...
2 votes, 1 answer, 742 views
Will Splunk update the index if an already indexed file is edited?
Our Splunk server indexes the audit logs from its clients. Once a week we audit these logs through a Splunk search. My question is, if someone edits the entries in a log file that is already indexed, ...
2 votes, 4 answers, 26k views
Splunk: How do I get syslog to send data into Splunk from remote machines?
If I install the splunk forwarder, I can get the remote data into my splunk install, and index my logs, and searching is great. But I have a number of router devices and other devices that run syslog, ...
2 votes, 2 answers, 1k views
format of the log file format for splunk
The current log file name I have is: catalina.2010-02-24.log.
I want to add this for Splunk indexing, but I am running into problems, since there is no static file name, since every day Tomcat renames ...
2 votes, 1 answer, 249 views
How do I exclude messages from indexing on Splunk Cloud?
I see from this question and answer on Splunk's own Q&A site that it's possible to exclude certain messages from indexing on a Splunk instance.
I have a Splunk Cloud instance where the only way ...
2 votes, 2 answers, 402 views
Alternative solution to replace aging swatch
We are using a swatch installation to sort through 3-5 gig worth of networking syslog and alert us on patterns. We are using Splunk to index and search the data, but Splunk's alerting capabilities are ...
2 votes, 2 answers, 2k views
How can I configure logs as data source from remote unix server in splunk?
How can I configure splunk with log files residing on remote unix servers?
Normally I log into putty to a linux server, from there I ssh into another company server and I navigate through directories ...
2 votes, 3 answers, 4k views
Azure NSG not allowing traffic
I am having an odd issue.
I have a Windows server in Azure which I have installed Splunk on and I can't get to the web UI.
I created it from the default template and I have deleted it and tried to ...
2 votes, 4 answers, 2k views
Running a reverse proxy in front of Splunk 4.x
So, I have previously installed Splunk 3.x behind a reverse proxy and downloaded the latest version (4.0.6 at time of typing) expecting it to be as easy to use as before. Sadly this was not the case. ...
1 vote, 1 answer, 236 views
Weird df output in Red Hat 5.4 - Used < Size, but 0 available?
I have a server with two LUNs mounted from a local SAN. I have a configuration file in place for the vendor software we're using (Splunk) that defined the size of the second LUN, but I had ...
1 vote, 2 answers, 306 views
Is it possible to perform reverse lookups on syslogs without Splunk?
Splunk has this capability via its Google Maps addon that allows you to map IP addresses that show up in your syslog. That way you can pinpoint geo locations of attacks such as scans.
Do you guys ...
1 vote, 2 answers, 7k views
how to monitor web app availability with splunk?
I've recently downloaded and installed a Splunk 4.0.4 Server Enterprise trial (running on Windows Server 2008 if that matters), and now I want to set it up to monitor a few web pages in addition to ...
1 vote, 2 answers, 172 views
Splunk Enterprise - Configure to drop specific events
I have a simple Splunk set-up: about 120 or so Linux servers (that are all basically appliances) with the universal forwarder installed, and a single Linux server running Splunk Enterprise acting as the ...
1 vote, 3 answers, 9k views
Splunk SAML SSO from an IdP with Apache mod_mellon fails
I am trying to configure SSO from an IdP to Apache with mod_mellon and mod proxy to splunk.
Environment: Ubuntu 14.04; Apache 2.4.7; mod-auth-mellon 0.7.0.
Apache configured with the mellon-...
1 vote, 2 answers, 1k views
Splunk form search with multiple variables
I'm using Splunk 3.4.10 with the free license on a CentOS machine. I've created a saved form search called "Trace Mail" that I hope to use to trace a single message through my mail servers as it gets ...
1 vote, 1 answer, 1k views
Splunk splitting multi-line log events by date
I have a mostly default Splunk config that is properly splitting most of my log messages from a standard Java application. We don't override any of the defaults concerning line breaks, line merging, ...
1 vote, 2 answers, 483 views
Syslog-ng multiple filters
I am fairly new to syslog-ng and I have the following issue.
I have a Checkpoint firewall that sends the logs to a Splunk server. Due to the huge amount of data sent by the firewall, I tried to filter ...
1 vote, 1 answer, 1k views
Does Splunk have a "heartbeat" feature?
I run an application with fairly chatty logs, which we are forwarding to Splunk. Users are building custom alerts (as well as searches and even dashboards) for themselves.
We are increasingly relying ...
1 vote, 1 answer, 1k views
How to process core-dumps with Splunk?
We are managing an application which sometimes crashes and dumps core. We have a script which outputs the application's stack from the core -- and some other details useful for debugging.
Can ...
1 vote, 1 answer, 81 views
Segmenting syslog logs and access to those logs
I'm trying to figure out if what I'm trying to accomplish is possible or not.
What I want is to have all my devices send logs to a syslog server, then have Splunk pull logs for everything EXCEPT my ...
1 vote, 1 answer, 219 views
Splunk SNMP Modular Input
I just installed this app and found it simple to set up... but I must be doing something wrong. I've created trap information on my two UPS devices and haven't had any luck bringing them into Splunk. I ...
1 vote, 0 answers, 241 views
How do you monitor an external domain trust?
We have multiple external domain trusts with different companies, and while I know how to validate the trust in "Windows Domains and Trusts", I am wondering if anyone knows how to monitor it ...
1 vote, 0 answers, 158 views
Using Splunk DB Connect 3 in a large environment with connection pool
I am wondering if anyone can speak from experience with using DB Connect for a large number of sql server instances, each of which installed (so about 2,000 separate instances total). We currently use ...
1 vote, 2 answers, 2k views
Benefits of using WEF instead of SIEM collectors
Aside from the deployment overhead of a log collector agent on servers from which I want to collect events (using GPO, SCCM etc.), are there any added benefits for using Windows Event Forwarding to my ...
1 vote, 0 answers, 696 views
How do I audit file permission changes over CIFS?
I have a few Windows file servers but am slowly changing to FreeNAS/ZFS boxes, which are working much better; however, I can't figure out how to audit when people change permissions on critical folders.
...
1 vote, 1 answer, 93 views
Splunk 6: "Cannot preview on this Splunk instance"
I have a distributed Splunk 6 environment with which I am working through the installation of a new Technology Add-on. On my forwarder I am trying to add a new Data Input... Settings > Data inputs > ...
1 vote, 1 answer, 736 views
Capturing Regex in Splunk
I'm trying to grab the directory paths of GET requests and count them in Splunk using this capturing regex.
index=main sourcetype="access_combined_wcookie" | rex "(?i)\"GET /(?P<MYDIR>\w+)/" | ...
1 vote, 1 answer, 69 views
Can I forward events from Splunk 3 to Splunk 4?
I've only used Splunk 4 before and I was wondering if I can set up a Splunk 3 server to forward to another Splunk 4 server. The reason I'd need to do this is because I have an old Mac OS X 10.4.11 PowerPC ...
1 vote, 1 answer, 2k views
Simpana CommVault logs and Splunk
What is the best way to get CommVault log data into Splunk? I don't see a Splunk app developed for CommVault, and CommVault generates a lot of log data. It would be extremely beneficial to collect and ...
0 votes, 1 answer, 4k views
How to configure SSL certificates for Splunk on port 8089?
I want to configure a certificate for Splunk so that I could make API requests to it on port 8089. Currently the following command fails because Splunk's default certificate is used, and the default ...
0 votes, 1 answer, 3k views
HAProxy 503 Service Unavailable: No servers available to handle this request
Hey, I seem to have issues with HAProxy but can't seem to find the root of the problem.
Setup:
1 Load Balancer
3 Servers (Splunk Search Heads)
Both Load Balancer and the 3 servers are only accessible ...
0 votes, 1 answer, 917 views
Getting Splunk logs from a remote location
I currently have a server in my home lab running Splunk, really love it. I'm soon going to have another server in the EC2 cloud, and I'd love to be able to monitor that using Splunk, hopefully though ...
0 votes, 1 answer, 416 views
Installing Splunk on Godaddy server
Does anyone know if it is possible to install Splunk on a Godaddy server? I've downloaded the deb file on my server using wget (and obviously I have ssh access) but I'm struggling to install it as ...
0 votes, 2 answers, 1k views
syslog or splunk forwarding over the internet
I have a web application that is split over a couple of sites in the US and the UK. When we have issues I would like to be able to view the collated error logs from the 2 sites.
So I was thinking ...
0 votes, 1 answer, 306 views
How to non-interactively add a Splunk forwarder?
I wish to create a script for setting up forwarding to a splunk server. Here's what I have so far:
./splunk add forward-server SPLUNK-IP-ADDRESS:SPLUNK-PORT
However, it asks for my credentials. How ...
0 votes, 1 answer, 336 views
Parsing or Reformatting Logs before feeding them to Splunk or Elastic Search
I have very complex log messages that I want to reduce to the most important fields in order to save quota.
The log messages are multiline and there is a lot of redundant information in them. A ...
0 votes, 2 answers, 10k views
How does a Fortigate 100D send logs to Splunk?
I have a Fortigate 100D with FortiOS 5.06; this is my setting:
config log syslogd setting
set status enable
set server "192.168.7.4"
set reliable disable
set port 515
set csv disable
set facility ...
0 votes, 1 answer, 623 views
Using Ubuntu cloud-init to set up logging to Splunk
I intend to start up ~100 EC2 spot instances using Canonical's Ubuntu images. I am using multipart cloud-init user-data to set up packages, scripts, etc.
I would like to know how I can tell rsyslog to ...
0 votes, 2 answers, 4k views
Detect port scanning using Splunk
I have set up a log server with Splunk running on it.
I pinged one of the clients using BackTrack. Does this also generate a log which is sent to the log server?
I wanted to detect port scanning ...