Questions tagged [splunk]

Splunk is a tool for collecting, monitoring, and analyzing log files from servers, applications, or other sources.

The primary features of Splunk include:

  • Collecting logs from multiple sources into a single location to allow for use without needing to access individual servers.
  • Parsing of logs with arbitrary formats, including free-form logs with no defined fields
  • Advanced querying of logs, including
    • combining results from different sources
    • filtering based on identified field values and pattern matching
    • analyzing records using statistical and mapping functions
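As an added example (not part of the tag wiki or any Splunk documentation), a search that exercises all three points above: it pulls events from two sourcetypes, extracts a field from free-form SSH log lines with a regex at search time, and aggregates by client address with statistical functions. The sourcetype names `linux_secure` and `iis`, the IIS field `c_ip` (as extracted from a W3C-format log), and the threshold of 20 failures are assumptions for illustration.

```spl
(sourcetype=linux_secure "Failed password") OR (sourcetype=iis sc_status=401)
| rex field=_raw "Failed password for (invalid user )?(?<user>\S+) from (?<ssh_src>\d{1,3}(?:\.\d{1,3}){3})"
| eval src_ip=coalesce(ssh_src, c_ip)
| where isnotnull(src_ip)
| stats count AS failures, dc(sourcetype) AS sources_hit, values(sourcetype) AS sourcetypes, dc(user) AS distinct_users, earliest(_time) AS first_seen, latest(_time) AS last_seen BY src_ip
| where failures > 20 OR sources_hit > 1
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - failures
```

The first line is the "combine sources" step: the OR selects SSH failures and IIS 401 responses in one result set. `rex` is the free-form parsing step, pulling `user` and the source address out of an SSH line that has no predefined fields; `coalesce` then gives both event types a common `src_ip` so that `stats` can count failures, distinct users and the first/last time per address across both sources. The final `where` keeps addresses that either exceed the threshold or appear in more than one source, which is the combined view a single server's log cannot give. Two caveats: `c_ip` only exists if the W3C fields of the IIS log are already being extracted (one of the questions below is about exactly that), and a `rex` on `_raw` is convenient for ad hoc work but for a recurring search the extraction belongs in `props.conf`/`transforms.conf` so it is defined once and reused.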

The name "Splunk" is a play on spelunking, the hobby of exploring caves.

Splunk is available both as an enterprise application that runs on your own servers (with a free tier) and as a hosted service known as Splunk Storm.

73 questions

0 votes, 1 answer

Sending sssd.log to syslog

How do I configure SSSD to send sssd.log logs to syslog? I would like to include the DEBUG SSSD logs as well. We would like to feed the sssd logs to Splunk. Our systems are already configured to send syslog to Splunk Security Module. So we would…
Saqib Ali

0 votes, 1 answer

Deploying apps using Chef and Splunk as a deployment server

I got Splunk up and running on some EC2 instances using Chef. All is fine and dandy and I was able to deploy some apps manually by using Splunk as a deployment server. I deploy the application -> I write the changes in…
Mugurel

0 votes, 1 answer

Dumping Splunk Events

We have a nagios instance set up so that using MK-Livestatus and splunk, we are able to push all of nagios's alerts through livestatus's socket thanks to a call from splunk. However, splunk is now receiving data which when someone uses the…
Jouster500

0 votes, 2 answers

Splunk: How Do I Extract Fields from W3C Extended Format

I'm trying to configure Splunk to properly parse the fields of the W3C log format. Now, I'm running into configuration confusion: where and how do I specify how to split up the log format? My Inputs.conf looks like…
John Gietzen

0 votes, 1 answer

Splunk aws:config sourcetype not showing in Splunk

I created the data input for AWSConfig by modifying the inputs.conf file but I don't see sourcetype aws:config created under Splunk. The AWSConfig messages are sitting in the SQS queue, which means Splunk is not polling from the queue. Any idea what the…
minisch

0 votes, 1 answer

Converting IP addresses from Hex to normal format in Splunk

How do you convert IP address data in a splunk field from HEX to the normal 4 octet format?

0 votes, 2 answers

JSON vs Key-Value for Splunk

Rolling out splunk I'm debating switching to JSON. Splunk supports spath now and even endorses JSON towards user friendliness (ref: http://dev.splunk.com/view/logging-best-practices/SP-CAAADP6 ) Ironically Splunk also recommends against JSON (ref:…
CogitoErgoSum

0 votes, 1 answer

What webserver does Splunk use on Windows?

Is it a proprietary web server? I thought it used Apache, but I've been looking through the installation files and can't find any references. I'm trying to secure the access to the free version of Splunk and the solutions I've found so far are for…
jesusbolivar

0 votes, 1 answer

Monitoring solution that doesn't duplicate source data?

I need to analyze data stored in multiple databases. Each of them contains a few TB of logs and sensor data. If I use Splunk or ElasticSearch/Kibana, I see 2 solutions: Batch import everything Write some scripts to import only the data I need, on…
MasterScrat

0 votes, 1 answer

Splunk disk space requirements

I need to get a vague idea of disk space requirements before I start forwarding logs to a Splunk instance. Each indexed line will have on average 320 characters and I will be indexing around 500,000 lines a day. My assumptions are 1 byte per…
Michael

0 votes, 2 answers

How does a Fortigate 100D send logs to Splunk

I have a Fortigate 100D with FortiOS 5.06, this is my setting: config log syslogd setting set status enable set server "192.168.7.4" set reliable disable set port 515 set csv disable set facility alert set source-ip 192.168.9.2 end I have a Splunk…
Jack Chuong

0 votes, 0 answers

Unable to access Splunk via port number on Ubuntu 12.04

Ubuntu 12.04 Server x64 & Splunk 6.0 I installed Splunk according to the documentation. Started Splunk as directed and I am able to see it running in the terminal. I believe I correctly added the default port number - 8000 - to iptables with the…
sparecycle

0 votes, 1 answer

HAProxy and keepalived with Splunk search heads

Is anyone using haproxy/keepalived as their software load balancer in an HA search head environment? I am configuring my haproxy.cfg and having some trouble getting sticky sessions and proper load balancing working. This is on a pair of load…

0 votes, 1 answer

Getting Splunk logs from a remote location

I currently have a server in my home lab running Splunk, really love it. I'm soon going to have another server in the EC2 cloud, and I'd love to be able to monitor that using Splunk, hopefully through the primary Splunk server I already have…
Chiggins

0 votes, 1 answer

Using ubuntu cloud-init to setup logging to splunk

I intend to start up ~100 EC2 spot instances using Canonical's Ubuntu images. I am using multipart cloud-init user-data to setup packages, scripts, etc. I would like to know how I can tell rsyslog to log to a splunk server (actually a splunk storm…
vsekhar