Well, I had this setup using the same document I referenced and it worked for me. Although I do not use the analytics iApp, as the 50 or so data models it enabled were a big strain on our indexer layer.
Would you check your event collector layer logs to see if there are any errors with respect to the token that you use for F5 logs? Did you define any custom index for the logs? Is the token configured to write to all indexes that the iApp sends data to?
Did you set up logging on the F5 using the iApp and HTTP Event Collector? Ref: https://www.f5.com/pdf/deployment-guides/f5-analytics-dg.pdf
@LukeMurphey - I do not see any way to edit permissions on the list page. I am on v2.7.1 of the Lookup Editor. I am running this app on an Enterprise Security search head with Splunk v6.5.1 - screenshot - https://imgur.com/a/AR5pv
That worked! I knew it was going to be a trivial thing. I do wish the inputs automatically added either the redis_host field or made a host=field by itself. Thanks.
These are modular inputs configured on a data collector that has the add-on installed. The host field is populated by the hostname of the data collector instance.
I am trying to pull logs from three redis servers. I have them configured as separate inputs. However, I am unable to differentiate the logs using any metadata or field. I am sure I am missing something trivial. Would anyone shed some light on this?
Can you specify where it fails? I just saw that you use cs_username in your props? You might be better off using Splunk's field extractor instead.
Reference: https://docs.splunk.com/Documentation/Splunk/6.5.0/Knowledge/ExtractfieldsinteractivelywithIFX
Can you paste your entry in props.conf here? Does this work in search?
<your index and sourcetype> | rex field=_raw "user=[^\\]+\\(?<username>[^@]+)@" | table username
This is much more graceful than what I did. I didn't know the log format itself was configurable on the PAN end. I ended up writing a shitty regex to filter pan:traffic allowed logs, like so:
[pan_traffic_allowed]
REGEX = (([^,]*,){3}TRAFFIC,([^,]*,){26}allow,)
DEST_KEY = queue
FORMAT = nullQueue
😞
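As an added illustration (not part of the post above, and not Palo Alto or Splunk code), the following Python applies the same transforms.conf REGEX to constructed PAN-OS style CSV lines to show which events the nullQueue routing would discard and which it would keep. The field layout is an assumption based on the PAN-OS traffic log format, where the log type sits in field 4 and the action in field 31; every other field is filler.

```python
import re

# The REGEX from the transforms.conf stanza above. Splunk applies it
# unanchored, so re.search() mirrors that behaviour.
PAN_TRAFFIC_ALLOWED = re.compile(r"(([^,]*,){3}TRAFFIC,([^,]*,){26}allow,)")


def make_pan_line(log_type, action, src="10.0.0.5", dst="93.184.216.34"):
    """Build a constructed PAN-OS style CSV log line.

    Assumed layout (PAN-OS traffic log): index 3 is the log type
    (TRAFFIC, THREAT, ...) and index 30 is the action. The remaining
    fields are placeholders; a real line carries many more columns.
    """
    fields = ["x"] * 32
    fields[0] = "1"                       # FUTURE_USE
    fields[1] = "2018/01/01 12:00:00"     # receive time (constructed)
    fields[2] = "001122334455"            # serial (constructed)
    fields[3] = log_type
    fields[4] = "end"                     # subtype
    fields[7] = src
    fields[8] = dst
    fields[30] = action
    return ",".join(fields)


def would_be_dropped(line):
    """True if the stanza would route this event to nullQueue."""
    return PAN_TRAFFIC_ALLOWED.search(line) is not None


def filter_events(lines):
    """Split events the way DEST_KEY = queue / FORMAT = nullQueue would:
    return (kept, dropped)."""
    kept, dropped = [], []
    for line in lines:
        (dropped if would_be_dropped(line) else kept).append(line)
    return kept, dropped


if __name__ == "__main__":
    sample = [
        make_pan_line("TRAFFIC", "allow"),
        make_pan_line("TRAFFIC", "deny"),
        make_pan_line("THREAT", "allow"),
        # with a syslog header in front, as it arrives over the wire
        "Jan  1 12:00:00 fw01 " + make_pan_line("TRAFFIC", "allow"),
    ]
    kept, dropped = filter_events(sample)
    print("dropped:", len(dropped), "kept:", len(kept))
    for line in kept:
        print("  kept ->", line[:60])
```

Only TRAFFIC events whose action is exactly "allow" match; deny events and THREAT logs with an allow action pass through untouched, which is the behaviour the stanza is meant to have. Running it against a few real lines before deploying is a cheap way to confirm the column count still lines up after a PAN-OS upgrade, since a shifted field silently turns the filter off.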
I have a similar issue with the add-on - however I have it for o365 audit logs. Following this question - Please let us know here if you figure out the reason.
How are you getting the data? Are you getting the data using the Splunk App for Windows Infrastructure and the related add-ons? In that case, the add-ons expect those indexes to be present. If you want to change that behavior, you need to make changes to the add-ons, specifically the inputs.conf in the add-ons, which specifies the index that the data needs to be sent to. If not, please give us more information about how your logs are being collected.
I recently installed S.o.S on our clustered Splunk (6.2) instance. As per @bmacias84, I went ahead and configured DMC. It's really cool! Thanks for the tip.
I have a similar setup (2 search heads in a cluster, 3 clustered indexers). It's the same process. Install the S.o.S app on the search heads using the deployer.
Check the answer posted here:
http://answers.splunk.com/answers/38832/how-do-i-set-up-the-s-o-s-app-to-monitor-splunks-system-resource-consumption.html
Also, check the following answer for best practices.
http://answers.splunk.com/answers/38091/best-practices-to-deploy-the-s-o-s-app-in-a-distributed-search-environment.html