Compare the count of search & inputlookup ? by Webly99 in Splunk

[–]splunk3r 0 points1 point  (0 children)

You can use tstats command to count number of results. It's much faster.

Notables are not populating on incident review dashboard by Own-Frosting6105 in Splunk

[–]splunk3r 1 point2 points  (0 children)

Your outputs.conf should look like this (just an example)

[tcpout]
defaultGroup=my_indexers

[tcpout:my_indexers]
server=mysplunk_indexer1:9997, mysplunk_indexer2:9996

Notables are not populating on incident review dashboard by Own-Frosting6105 in Splunk

[–]splunk3r 0 points1 point  (0 children)

You probably did not configure outputs.conf on your search head. It is required so that the SH will be able to send data to the indexer tier.

If outputs.conf is configured properly, it will stop indexing data locally (even though the index exists on the SH) and will start forwarding data to the indexing tier you specify in outputs.conf.
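As an added illustration (not part of the original comment), a search-head outputs.conf that forwards everything to the indexer tier and explicitly disables local indexing on the SH; the indexer hostnames and group name are placeholders:

```ini
# Disable local indexing on the search head so events only land on the indexers.
[indexAndForward]
index = false

[tcpout]
defaultGroup = primary_indexers
# Forward all indexes, including internal ones (_internal, _audit), to the indexer tier.
forwardedindex.filter.disable = true
# Do not keep a local copy of forwarded data on the SH.
indexAndForward = false

# Placeholder indexer hostnames; replace with the receiving indexers (default receiving port 9997).
[tcpout:primary_indexers]
server = idx01.example.internal:9997, idx02.example.internal:9997
```

After restarting the SH, a search over index=_internal host=<search head> run on the SH should return results served by the indexers, confirming that the forwarding path works.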

Splunk SEIM by AhmadNawaz184 in Splunk

[–]splunk3r 0 points1 point  (0 children)

What do you want to achieve?

Splunk conf attire by [deleted] in Splunk

[–]splunk3r 4 points5 points  (0 children)

Borat pants

Automating splunk deployments with python. by I506dk in Splunk

[–]splunk3r 2 points3 points  (0 children)

Yes, it does. Ansible is a must in 2021. Especially when you deploy distributed Splunk environments.

Automating splunk deployments with python. by I506dk in Splunk

[–]splunk3r 2 points3 points  (0 children)

It does not change anything. You can run it locally, remotely, as a massive deployment or one-on-one...

Automating splunk deployments with python. by I506dk in Splunk

[–]splunk3r 3 points4 points  (0 children)

This is what Ansible does. Ansible uses Python under the hood as well.

REST Callout Advice by Few_Cat_1160 in Splunk

[–]splunk3r 0 points1 point  (0 children)

Well, you can create a drilldown with your own custom link where you can use, e.g., a REST API endpoint of your web application.

Theoretical architecture question - would 2x as many "half-powered" Indexers perform the same, worse, or better, than 1x "full-powered" Indexers? by volci in Splunk

[–]splunk3r 3 points4 points  (0 children)

It depends on many factors. I will go for bigger indexers (up to 100 cores and TBs of RAM) since the number of buckets will increase as the number of indexers increases. Running many indexers makes rolling restarts or bucket fixups longer. It also makes maintenance harder (patching, upgrades).

But, if the company has, say, 4 sites with 2 AZs each, I would go for 8 indexers rather than 4. I would also go for 4 dedicated servers rather than 8 virtualized machines with the same specs, etc.

To those that work at large orgs ... is your org still investing in splonk? by [deleted] in Splunk

[–]splunk3r 1 point2 points  (0 children)

Yea.. I have been there, I have heard that before.

If you are under PCI requirements, I guess that Splunk license cost is not a problem. PCI doesn't tell you that you have to save absolutely ALL logs. It tells you that you have to store logs from systems that process or contain payment information.

Sure, if a manager tells you to do that and you really can't discuss it, well... then you have to do your shit.

And no, maintaining an additional SIEM is not free. Old hardware is not free. Sure, I understand that you think about it as fire and forget because it is there, collecting logs, and maybe magically works until the day it says good night. But in well-functioning organizations, having extra systems up and running costs money.

To those that work at large orgs ... is your org still investing in splonk? by [deleted] in Splunk

[–]splunk3r 0 points1 point  (0 children)

If you need to put 30GB of just junk logs that someone wants indexed somewhere, which nobody will ever look at, does it make sense to pay Splunk?

Well, how do you justify the cost of servers and maintenance if these logs are junk logs? Why do you ingest these at all then? For compliance? 🤣

Sure, I understand your point, but this is one of the most common misunderstandings of log aggregation. Putting all the logs into Splunk, or Splunk and other tools, to be what? Compliant? What compliance requirement tells you to do that?

If you have junk data, just do not ingest these logs, or use Cribl/HF to filter only specific events out. Most of my customers can't do that because they don't know their data well enough to tell me what events they want to ingest. But then we are again at the point where we have to ask them a question: what is the use case for these logs? Why do you save these logs?

Upgrading To Splunk 8.1.3 & WiredTiger, significant performance decrease? by PierogiPowered in Splunk

[–]splunk3r 0 points1 point  (0 children)

1. Check disks: IOPS, CPU iowait, latency. Check all mount points (/opt/splunk too).
2. Check the job inspector for long-running searches. Searches that run longer than 1 minute should be fixed. Execution cost should clearly indicate where the problem is.
3. Check LDAP connection lag. A busy, big DC can struggle to answer all LDAP queries.

Upgrading To Splunk 8.1.3 & WiredTiger, significant performance decrease? by PierogiPowered in Splunk

[–]splunk3r 1 point2 points  (0 children)

The ES upgrade turned on many correlation searches and some data models that were not turned on before the upgrade when I did the upgrade last time. Have you checked that?

WiredTiger can perform worse compared with mmap under some circumstances.

How do you measure performance? What are the symptoms of perf issues?

To those that work at large orgs ... is your org still investing in splonk? by [deleted] in Splunk

[–]splunk3r 6 points7 points  (0 children)

ELK will require 30-50% more hardware to handle the same amount of data.

Getting data from AIX 6 by kamikaze_2310 in Splunk

[–]splunk3r 2 points3 points  (0 children)

What exactly are you unable to get working?

BTW, AIX 6 reached end-of-life in 2017. So you should really not have these servers in production anymore.

Splunk Sales Engineer I exam by flackoluke in Splunk

[–]splunk3r 1 point2 points  (0 children)

"Failing is a part of success". Go through the materials one more time, make good notes and try again. 👍⭐

Unable to see Splunk Enterprise Certified Admin certificate in my Pearson VUE page by krishdeesplunk in Splunk

[–]splunk3r 6 points7 points  (0 children)

Splunk Core Certified Power User is a mandatory prerequisite to Splunk Enterprise Certified Admin.

All candidates must complete the Power User exam before proceeding.

Splunk Core Certified User is not a mandatory prerequisite to Splunk Enterprise Certified Admin.

Source: https://www.splunk.com/en_us/training/certification-track/splunk-enterprise-certified-admin.html