Questions tagged [splunk]

Splunk is a tool for collecting, monitoring, and analyzing log files from servers, applications, or other sources.

75 votes
16 answers

Alternatives to Splunk?

I'm pretty impressed with Splunk, especially version 4. Pretty graphs, alerting (Enterprise only), and fast, accurate, searching. It's a great product. However, the cost just way too high to consider ...
MichaelGG • 1,739
49 votes
2 answers

Splunk is fantastically expensive: What are the alternatives? [duplicate]

Possible Duplicate: Alternatives to Splunk? This has been discussed, but it has been several months, so it may be time to revisit it: Earlier discussion RE Splunk alternatives For the record, ...
Jonesome Reinstate Monica
18 votes
4 answers

Monitoring production server [closed]

We have 3 dedicated servers, split into several VPS using openVZ. We're using munin to monitor the VPS with the production sites, and monit on one of the VPS to make sure it restarts the service ...
Adam Benayoun
13 votes
4 answers

Thoughts on Free Splunk

I am considering implementing Splunk at my company but am leery about the financial investment. I noticed there is a free version of Splunk that seems to be good enough. Can anyone tell me if you are ...
dan_vitch • 357
12 votes
6 answers

Is anybody using Splunk in a large-scale production environment? [closed]

I've been watching the videos at and really it's hard to believe that one can get all those features for free, there's still that "where's the catch?" in the back of my head. So it'd be ...
7 votes
5 answers

Would you use Splunk?

I'm watching the video at and as someone who is newer to IT management this seems like a great solution to get me started. But I have concerns. I just moved from cPanel and I ...
Ben • 3,870
5 votes
2 answers

Splunk UniversalForwarder fails with " DetermineContextForAllProducts failed witht: 0x65b"

I am attempting to deploy the Splunk UniversalForwarder as an SCCM application using an MSI Deployment Type to a small group of testing servers and am encountering an uncharacteristically confusing ...
3 votes
1 answer

Splunk File & Directory Data Inputs

I've installed Splunk (4.1.5(85165) on windows) and have uploaded some logs without any issues. I now want to monitor a linux server, but I'm having problems adding the datasource and always get the ...
Mr Shoubs • 373
3 votes
1 answer

Using the Augeas INI lens without a header

I am using the IniFile module with augeas to create a Splunk management lens. This works well for all files containing section headers like a normal INI file but there are a couple files that don't ...
Tim Brigham • 15.6k
3 votes
5 answers

Thoughts on real-time web analytics

We have a few web servers and I am planning to create a dashboard to show real-time stats (IP address, geo-location and other custom data based on database lookups). Splunk sort of fits perfectly but ...
Linus • 131
2 votes
4 answers

Using Puppet to incrementally add lines to a file, from multiple classes

I am trying to use Puppet to automatically configure Splunk monitoring. This involves adding a list of file paths to a Splunk configuration file (inputs.conf). Each role (webserver, db, etc.) in our ...
Mike Ryan • 288
2 votes
3 answers

Any QUICK hints for starting off with Splunk

Just downloaded a trial of Splunk, and am thinking of using it to monitor a Windows server base, with the associated apps, e.g.: o Windows event logs / WMI queries (for Windows O/S, SQL Server, ...
Simon Catlin • 5,232
2 votes
1 answer

Will Splunk update the index if an already indexed file is edited?

Our Splunk server indexes the audit logs from its clients. Once a week we audit these logs through a Splunk search. My question is, if someone edits the entries in a log file that is already indexed, ...
Sreeraj • 464
2 votes
4 answers

Splunk: How do I get syslog to send data into Splunk from remote machines?

If I install the splunk forwarder, I can get the remote data into my splunk install, and index my logs, and searching is great. But I have a number of router devices and other devices that run syslog, ...
Mister IT Guru
2 votes
2 answers

Format of the log file format for Splunk

The current log file name I have is: catalina.2010-02-24.log. I want to add this for Splunk indexing, but I am running into problems, since there is no static file name, since every day Tomcat renames ...
RainDoctor • 4,574
2 votes
1 answer

How do I exclude messages from indexing on Splunk Cloud?

I see from this question and answer on Splunk's own Q&A site that it's possible to exclude certain messages from indexing on a Splunk instance. I have a Splunk Cloud instance where the only way ...
Flup • 8,178
2 votes
2 answers

Alternative solution to replace aging swatch

We are using a swatch installation to sort through 3-5 GB worth of networking syslog and alert us on patterns; we are using Splunk to index and search the data but Splunk's alerting capabilities are ...
Irfan • 21
2 votes
2 answers

How can I configure logs as data source from remote unix server in splunk?

How can I configure splunk with log files residing on remote unix servers? Normally I log into putty to a linux server, from there I ssh into another company server and I navigate through directories ...
cypronmaya
2 votes
3 answers

Azure NSG not allowing traffic

I am having an odd issue. I have a Windows server in Azure which I have installed Splunk on and I can't get to the web UI. I created it from the default template and I have deleted it and tried to ...
frpm • 23
2 votes
4 answers

Running a reverse proxy in front of Splunk 4.x

So, I have previously installed Splunk 3.x behind a reverse proxy and downloaded the latest version (4.0.6 at time of typing) expecting it to be as easy to use as before. Sadly this was not the case. ...
sgerrand • 141
1 vote
1 answer

Weird df output in Red Hat 5.4 - Used < Size, but 0 available?

I have a server with two LUNs mounted from a local SAN. I have a configuration file in place for the vendor software we're using (Splunk) that defined the size of the second LUN, but I had ...
Matthew • 2,747
1 vote
2 answers

Is it possible to perform reverse lookups on syslogs without Splunk?

Splunk has this capability via its Google Maps addon that allows you to map IP addresses that show up in your syslog. That way you can pinpoint geo locations of attacks such as scans. Do you guys ...
Bourne • 1,059
1 vote
2 answers

How to monitor web app availability with Splunk?

I've recently downloaded and installed a Splunk 4.0.4 Server Enterprise trial (running on Windows Server 2008 if that matters), and now I want to set it up to monitor a few web pages in addition to ...
Justin Grant
1 vote
2 answers

Splunk Enterprise - Configure to drop specific events

I have a simple Splunk set-up: about 120 or so Linux servers (that are all basically appliances) with the universal forwarder installed, and a single Linux server running Splunk Enterprise acting as the ...
Egyas • 185
1 vote
3 answers

Splunk SAML SSO from an IdP with Apache mod_mellon fails

I am trying to configure SSO from an IdP to Apache with mod_mellon and mod_proxy to Splunk. Environment: Ubuntu 14.04; Apache 2.4.7; mod-auth-mellon 0.7.0. Apache configured with the mellon-...
Brett • 221
1 vote
2 answers

Splunk form search with multiple variables

I'm using Splunk 3.4.10 with the free license on a CentOS machine. I've created a saved form search called "Trace Mail" that I hope to use to trace a single message through my mail servers as it gets ...
thepocketwade
1 vote
1 answer

Splunk splitting multi-line log events by date

I have a mostly default Splunk config that is properly splitting most of my log messages from a standard Java application. We don't override any of the defaults concerning line breaks, line merging, ...
Chris Williams
1 vote
2 answers

Syslog-ng multiple filters

I am fairly new to syslog-ng and I have the following issue. I have a Checkpoint firewall that sends the logs to a Splunk server. Due to the huge amount of data sent by the firewall, I tried to filter ...
Daniel D.
1 vote
1 answer

Does Splunk have a "heartbeat" feature?

I run an application with fairly chatty logs, which we are forwarding to Splunk. Users are building custom alerts (as well as searches and even dashboards) for themselves. We are increasingly relying ...
Mikhail T. • 2,411
1 vote
1 answer

How to process core-dumps with Splunk?

We are managing an application which sometimes crashes and dumps core. We have a script which outputs the application's stack from the core -- and some other details useful for debugging. Can ...
Mikhail T. • 2,411
1 vote
1 answer

Segmenting syslog logs and access to those logs

I'm trying to figure out if what I'm trying to accomplish is possible or not. What I want is to have all my devices send logs to a syslog server, then have Splunk pull logs for everything EXCEPT my ...
LDJS • 23
1 vote
1 answer

Splunk SNMP Modular Input

I just installed this app and found it simple to set up... but I must be doing something wrong. I've created trap information on my two UPS devices and haven't had any luck bringing them into Splunk. I ...
YouSayHello
1 vote
0 answers

How do you monitor an external domain trust?

We have multiple external domain trusts with different companies, and while I know how to validate the trust in "Windows Domains and Trusts", I am wondering if anyone knows how to monitor it ...
Erick W • 11
1 vote
0 answers

Using Splunk DB Connect 3 in a large environment with connection pool

I am wondering if anyone can speak from experience with using DB Connect for a large number of sql server instances, each of which installed (so about 2,000 separate instances total). We currently use ...
datadawg2000
1 vote
2 answers

Benefits of using WEF instead of SIEM collectors

Aside from the deployment overhead of a log collector agent on servers from which I want to collect events (using GPO, SCCM etc.), are there any added benefits for using Windows Event Forwarding to my ...
Franko • 135
1 vote
0 answers

How do I audit file permission changes over CIFS?

I have a few Windows file servers but am slowly changing to FreeNAS/ZFS boxes, which are working much better; however, I can't figure out how to audit when people change permissions on critical folders. ...
Guldan • 11
1 vote
1 answer

Splunk 6: “Cannot preview on this Splunk instance”

I have a distributed Splunk 6 environment with which I am working through the installation of a new Technology Add-on. On my forwarder I am trying to add a new Data Input... Settings > Data inputs > ...
user1801810
1 vote
1 answer

Capturing Regex in Splunk

I'm trying to grab the directory paths of GET requests and count them in Splunk using this capturing regex. index=main sourcetype="access_combined_wcookie" | rex "(?i)\"GET /(?P<MYDIR>\w+)/" | ...
user181496
1 vote
1 answer

Can I forward events from Splunk 3 to Splunk 4?

I've only used Splunk 4 before and I was wondering if I can set up a Splunk 3 server to forward to another Splunk 4 server. The reason I'd need to do this is because I have an old Mac OS X 10.4.11 PowerPC ...
jjbohn • 11
1 vote
1 answer

Simpana CommVault logs and Splunk

What is the best way to get CommVault log data into Splunk? I don't see a Splunk app developed for CommVault, and CommVault generates a lot of log data. It would be extremely beneficial to collect and ...
Bede • 411
0 votes
1 answer

How to configure SSL certificates for Splunk on port 8089?

I want to configure a certificate for Splunk so that I could make API requests to it on port 8089. Currently the following command fails because Splunk's default certificate is used, and the default ...
user3207874
0 votes
1 answer

HAProxy 503 Service Unavailable: No servers available to handle this request

Hey, I seem to have issues with HAProxy but can't seem to find the root of the problem. Setup: 1 load balancer, 3 servers (Splunk search heads). Both the load balancer and the 3 servers are only accessible ...
HAProxy Help
0 votes
1 answer

Getting Splunk logs from a remote location

I currently have a server in my home lab running Splunk, really love it. I'm soon going to have another server in the EC2 cloud, and I'd love to be able to monitor that using Splunk, hopefully though ...
Chiggins • 811
0 votes
1 answer

Installing Splunk on Godaddy server

Does anyone know if it is possible to install Splunk on a GoDaddy server? I've downloaded the deb file on my server using wget (and obviously I have ssh access) but I'm struggling to install it as ...
0 votes
2 answers

syslog or splunk forwarding over the internet

I have a web application that is split over a couple of sites in the US and the UK. When we have issues I would like to be able to view the collated error logs from the 2 sites. So I was thinking ...
Tom • 11.4k
0 votes
1 answer

How to non-interactively add a Splunk forwarder?

I wish to create a script for setting up forwarding to a splunk server. Here's what I have so far: ./splunk add forward-server SPLUNK-IP-ADDRESS:SPLUNK-PORT However, it asks for my credentials. How ...
user3207874
0 votes
1 answer

Parsing or Reformatting Logs before feeding them to Splunk or Elastic Search

I have very complex log messages, that I want to reduce to the most important fields in order to save quota. The log messages are multiline and there is a lot of redundant information in them. A ...
gspoosi • 131
0 votes
2 answers

How does a Fortigate 100D send logs to Splunk?

I have a Fortigate 100D with FortiOS 5.06; this is my setting: config log syslogd setting set status enable set server “″ set reliable disable set port 515 set csv disable set facility ...
Jack Chuong
0 votes
1 answer

Using ubuntu cloud-init to setup logging to splunk

I intend to start up ~100 EC2 spot instances using Canonical's Ubuntu images. I am using multipart cloud-init user-data to setup packages, scripts, etc. I would like to know how I can tell rsyslog to ...
vsekhar • 147
0 votes
2 answers

Detect port scanning using Splunk

I have set up a log server with Splunk running on it. I pinged one of the clients using BackTrack... Does this also generate a log which is sent to the log server? I wanted to detect port scanning ...
Vinod • 1