Questions tagged [splunk]

Splunk is a tool for collecting, monitoring, and analyzing log files from servers, applications, or other sources.

The primary features of Splunk include:

  • Collecting logs from multiple sources into a single location to allow for use without needing to access individual servers.
  • Parsing of logs with arbitrary formats, including free-form logs with no defined fields
  • Advanced querying of logs, including
    • combining results from different sources
    • filtering based on identified field values and pattern matching
    • analyzing records using statistical and mapping functions

The name "Splunk" comes from a rewriting of spelunking, a cave exploring hobby.

Splunk is available as both an enterprise application that runs on your servers (with a free tier) and a host service known as Splunk Storm.

73 questions
1 vote, 1 answer

Capturing Regex in Splunk

I'm trying to grab the directory paths of GET requests and count them in Splunk using this capturing regex: `index=main sourcetype="access_combined_wcookie" | rex "(?i)\"GET /(?P<MYDIR>\w+)/" | timechart count by MYDIR`. This sort of works. It grabs…
asked by user181496
1 vote, 1 answer

Weird df output in Red Hat 5.4 - Used < Size, but 0 available?

I have a server with two LUNs mounted from a local SAN. I have a configuration file in place for the vendor software we're using (Splunk) that defined the size of the second LUN, but I had accidentally configured it as 6GB larger than it actually…
asked by Matthew
1 vote, 2 answers

Splunk form search with multiple variables

I'm using Splunk 3.4.10 with the free license on a CentOS machine. I've created a saved form search called "Trace Mail" that I hope to use to trace a single message through my mail servers as it gets new queue IDs. Now, this form search worked…
asked by thepocketwade
1 vote, 2 answers

Is it possible to perform reverse lookups on syslogs without Splunk?

Splunk has this capability via its Google Maps add-on that allows you to map IP addresses that show up in your syslog. That way you can pinpoint the geographic locations of attacks such as scans. Do you guys have any suggestions as to if and how this can be…
asked by Bourne
1 vote, 1 answer

Can I forward events from Splunk 3 to Splunk 4?

I've only used Splunk 4 before and I was wondering if I could set up a Splunk 3 server to forward to another Splunk 4 server. The reason I'd need to do this is because I have an old Mac OS X 10.4.11 PowerPC server that I would like to monitor with Splunk,…
asked by jjbohn
1 vote, 1 answer

Splunk SNMP Modular Input

I just installed this app and found it simple to set up... but I must be doing something wrong. I've created trap information on my two UPS devices and haven't had any luck bringing them into Splunk. I enabled SNMP, all versions, and then I added the…
1 vote, 1 answer

Splunk splitting multi-line log events by date

I have a mostly default Splunk config that is properly splitting most of my log messages from a standard Java application. We don't override any of the defaults concerning line breaks, line merging, or date formats. In some situations, Splunk…
asked by Chris Williams
1 vote, 0 answers

How do you monitor an external domain trust?

We have multiple external domain trusts with different companies, and while I know how to validate the trust in "Windows Domains and Trusts", I am wondering if anyone knows how to monitor it with a script or log in real time? We use Splunk and would…
0 votes, 1 answer

How to configure auditd to collect logs from /proc kernel file directory

I've been looking for this for about 3 days now and have come up empty-handed. I am looking for a way to build a threat alert for Linux-based credential dumping in Splunk. To do this I need to be able to monitor the /proc directory. I found audit…
0 votes, 1 answer

Is there a listing of global Splunk variables available for alerting?

This is simple, however I have been able to find anything at the basic level of "number of rows/records found in query" for use in a Slack notification. For example, to reference the $name$ of the alert, that's the variable. Is there a list of other…
0 votes, 1 answer

Parsing or Reformatting Logs before feeding them to Splunk or Elasticsearch

I have very complex log messages that I want to reduce to the most important fields in order to save quota. The log messages are multiline and there is a lot of redundant information in them. A solution is to script something to reformat these logs…
asked by gspoosi
0 votes, 1 answer

Accessing Splunk instance via AWS

I signed up for a Udemy course on Splunk. I got through to the lecture on setting up an AWS instance of Splunk. Amazon says, "Get the IP of your instance, append :8000" and dump it in a web browser to access your Splunk admin panel. The instructor…
asked by Adrian
0 votes, 1 answer

How to get Linux commands history in Splunk without Splunk Forwarder?

We have tons of Linux machines which are all connected to Active Directory (AD). AD logs are being pulled in Splunk. Is there a way to get the command history of all Linux machines in Splunk from AD logs (more like processes command line logs for…
0 votes, 1 answer

Splunk web login through NAT

Good afternoon, I'm trying to get a Splunk instance set up to be accessed from outside the firewall it is NAT'd behind. Currently, I have the port forwarding rule in for 8000->8000. I can access the Splunk login page from outside the firewall, but…
0 votes, 2 answers

SYSLOG-NG - Having trouble with a destination

I'm trying to set up a separate log file for all Windows messages. I've set up a match for MSWinEventLog, but it's completely ignoring my configuration. Here's my config, which is straight after the src object: filter f_windows {…
asked by Samuurai