If your HF can't connect straight to your SH, you could always ingest the CSV like any other log file.
Then, run a search, from the search head, on the data, create a table in the format you want the lookup to be in, and "outputlookup" the results to a lookup file.
Splunk does not, natively, support a remote NFS share as an input.
The only way to do this would be to use a script that connects to the share, outputs the data, then tell splunk to use that script as an input.
You can't tell splunk to prevent a system from shutting down. However, you can run something like
tail -100 /opt/splunkforwarder/var/log/splunk/metrics.log | grep queue | grep tcpout
and make sure "current_size" = 0 before shutting it down.
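The drain check described above, as an added example that is not the post author's code or anything from Splunk: a hypothetical `tcpout_drained` helper runs the same tail/grep over metrics.log and turns the result into an exit status, so a shutdown script can refuse to stop the forwarder while any tcpout queue still reports a non-zero current_size. The metrics.log lines inside it are constructed samples; their layout only approximates a real forwarder's metrics.log.

```shell
#!/bin/sh
# Added example, not from the post or from Splunk: wraps the manual
# "tail | grep queue | grep tcpout" check in a helper with a pass/fail exit code.
# Usage: tcpout_drained /opt/splunkforwarder/var/log/splunk/metrics.log [lines]
# Exit: 0 = every tcpout queue sample shows current_size=0 (safe to stop),
#       1 = something is still queued, 2 = no tcpout queue lines in the tail.
tcpout_drained() {
    file=$1
    n=${2:-100}   # same window as "tail -100" in the post
    tail -n "$n" "$file" | grep 'group=queue' | grep 'tcpout' | awk '
        {
            seen = 1
            for (i = 1; i <= NF; i++) {
                # fields look like "current_size=0," (current_size_kb= is skipped)
                if ($i ~ /^current_size=/) {
                    split($i, kv, "=")
                    sub(/,$/, "", kv[2])
                    if (kv[2] + 0 != 0) pending = 1
                }
            }
        }
        END { if (!seen) exit 2; exit (pending ? 1 : 0) }'
}

# Constructed metrics.log samples (layout approximates a forwarder's
# metrics.log; these lines were not captured from a real host).
SAMPLE_DRAINED='01-01-2024 10:00:00.000 +0000 INFO  Metrics - group=queue, name=tcpout_indexers, max_size_kb=7168, current_size_kb=0, current_size=0, largest_size=12, smallest_size=0
01-01-2024 10:00:00.000 +0000 INFO  Metrics - group=queue, name=parsingqueue, max_size_kb=6144, current_size_kb=3, current_size=3, largest_size=40, smallest_size=0'
SAMPLE_PENDING='01-01-2024 10:00:31.000 +0000 INFO  Metrics - group=queue, name=tcpout_indexers, blocked=true, max_size_kb=7168, current_size_kb=7168, current_size=415, largest_size=415, smallest_size=0'

# Write one sample to a temp file, run the check and pass its status through.
check_sample() {
    f=$(mktemp)
    printf '%s\n' "$1" > "$f"
    tcpout_drained "$f" 100
    rc=$?
    rm -f "$f"
    return $rc
}

main() {
    # parsingqueue is backed up in SAMPLE_DRAINED but is not a tcpout queue
    check_sample "$SAMPLE_DRAINED" && echo "tcpout drained: safe to stop the forwarder"
    check_sample "$SAMPLE_PENDING" || echo "tcpout not drained (rc=$?): wait before stopping"
}
main
```

Exit status 2 (no tcpout queue lines in the window) is deliberately not treated as "drained", since a forwarder whose output is not configured or not sampled yet has proven nothing.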
I don't see anything, in your SPL, that would actually trigger an e-mail to be sent. Have you tried appending the "sendemail" command (with the required options)?
Also, what would your use case be? I don't see how scheduling a search, with SPL that sends an alert, would be any better than simply making a normal alert.
From the Docs:
Linux (RHEL/CentOS)
Linux kernel version 2.6.32 or later (x86_64)
Bash, version 3 or later.
GNU C library (glibc.i686 32-bit). For example, install using yum install glibc.i686
PAM shared libraries (pam.i686 32-bit). For example, install using yum install pam.i686
So, no. No Windows allowed.
If the server you're monitoring is also the splunk server, then you should just have to change all those "disabled = 1" to "disabled = 0", for the inputs you want, and restart splunk.
It is not, as both share some of the same ports. If the server you're monitoring is also the splunk server, then remove the universal forwarder. If your splunk server isn't the server you're monitoring, remove splunk enterprise.
I have everything installed on the one Windows server I am using, Splunk Enterprise, Universal Forwarder, Windows app for Splunk and Windows add on and selected the Windows host as the deployment server.
Do you have both splunk enterprise and splunk forwarder installed on the same machine?
This usually happens when a forwarder cannot send something to an indexer. Is splunk running on your indexer? Is the input's port open? Can the forwarder connect to the input's port?
Splunk will publish the information. There's just a lot of different use cases and they don't want to publish anything before doing thorough testing.
Do I need to copy it manually to the shcluster folder?
That is correct.
Just like /deployment-apps and /master-apps are the only ones that get pushed to forwarders/indexers, /shcluster is for apps that are pushed to search heads.
To share a dashboard, the user must have write access to the app they're trying to share it in. Assuming you're using the "search" app, simply grant users write access and they should be able to share dashboards.
Here's what Splunk recommends:
Check that no files have *nix write permissions for all users (xx2, xx6, xx7). Splunk recommends 644 for all files outside of bin/ and 755 for all directories and files in the bin/ directory.
Of course, you can always go more restrictive.
According to the docs:
KPI search values update at regular intervals according to the search schedule that you define when you create the search.
In other words, the glass tables won't update every 10 seconds unless your KPIs are updating every 10 seconds (which would be a pretty crazy short time).
Girakul,
Splunk Enterprise can run on anything from one VM to hundreds. You only need more than one VM if your workload is too much for it.
http://docs.splunk.com/Documentation/Splunk/7.0.0/Capacity/IntroductiontocapacityplanningforSplunkEnterprise has a lot of information on this.
If you choose Splunk Cloud, the Splunk environment will mostly be managed by the Splunk Cloud team and you will not have to install any dedicated VMs on your network. You'll only have to install the forwarders on machines that you want to send logs to the cloud from.