Universal Forwarder
SSH into the server running the Universal Forwarder. To verify if the forwarding is configured
Tag Archives: Splunk
Create a Splunk index
Splunk stores events in separate databases based on index names. A search that is restricted to one index scans less data, so keeping different event types in separate indexes makes searching faster. To create an index for the event type you want to send to Splunk:
In the Settings menu select Indexes
Click the New Index button
Enter the name of the …
Enable the HTTP Event Collector in Splunk
To send events to Splunk via HTTP POST, enable the HTTP Event Collector on the Splunk Enterprise server. If you operate your own Splunk server:
Log into the Splunk web interface as an administrator
In the Settings menu select Data inputs
Select the HTTP Event Collector link
In the upper right corner click the …
How to send an event to the Splunk HTTP Event Collector
The Splunk HTTP Event Collector is the preferred way to send events to Splunk. The collector closes the connection if you send the POST over plain HTTP instead of HTTPS; curl then reports:
Recv failure: Connection reset by peer
To send the event from the Macintosh Bash terminal:
curl -k https://MY_SPLUNK_SERVER_IP:8088/services/collector -H 'Authorization: Splunk MY_TOKEN' …
Note that -k disables certificate verification; it gets you past a self-signed collector certificate for a test, but in production point curl at the CA that issued the certificate (--cacert) instead.
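The following script is an added example, not code from the original post: it builds the JSON body the collector expects and POSTs it with curl over HTTPS. SPLUNK_HOST, HEC_TOKEN and HEC_CA are placeholder names assumed here, and the sample event line is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: send one event to the Splunk
# HTTP Event Collector with curl. SPLUNK_HOST, HEC_TOKEN and HEC_CA are
# placeholder names assumed here; set them in the environment before running.

# json_escape TEXT -> TEXT made safe inside a JSON double-quoted value
# (backslashes doubled, double quotes escaped). Single-line text only.
json_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# hec_payload EVENT SOURCETYPE INDEX -> the JSON body HEC expects. "event" is
# the raw text; sourcetype and index tell Splunk how to parse it and where to store it.
hec_payload() {
    printf '{"event":"%s","sourcetype":"%s","index":"%s"}' \
        "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$3")"
}

# hec_send HOST TOKEN CA_BUNDLE PAYLOAD -> POST to the collector over HTTPS.
# HEC listens on 8088 with TLS; a plain http:// URL gets the connection
# closed ("Recv failure: Connection reset by peer"). Verify the collector's
# certificate with --cacert rather than disabling verification with -k.
# --fail turns an HTTP error status (bad token, unknown index) into a non-zero exit.
hec_send() {
    curl --silent --show-error --fail \
         --cacert "$3" \
         -H "Authorization: Splunk $2" \
         --data "$4" \
         "https://$1:8088/services/collector"
}

# Only talk to the network when the placeholders are actually set.
# The event text below is a constructed sample line.
if [ -n "${SPLUNK_HOST:-}" ] && [ -n "${HEC_TOKEN:-}" ] && [ -n "${HEC_CA:-}" ]; then
    hec_send "$SPLUNK_HOST" "$HEC_TOKEN" "$HEC_CA" \
        "$(hec_payload 'sshd[2210]: Failed password for root from 203.0.113.7 port 51022 ssh2' syslog security)"
fi
```

The token is passed on the curl command line here for readability; on a shared host that exposes it to anyone who can run ps. For anything beyond a test, put the header line in a file readable only by the sending user and load it with curl's --config option.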
Splunk App for AWS
To collect data from AWS, install the Splunk App for AWS. The app currently can collect information from AWS Config, Config Rules, CloudTrail, Inspector, CloudWatch, CloudWatch Logs, Billing, S3, Kinesis and Metadata.
New data source: to set up a new data source, click the Set up button.
Already set up data source: to add a …
Splunk configuration
Splunk stores its configuration values in files under the /opt/splunkforwarder directory tree (the Universal Forwarder install location). The files that matter on a forwarder:

Splunk Deployment server
  Location: /opt/splunkforwarder/etc/system/local/deploymentclient.conf
  Example: targetUri = DEPLOYMENT_SERVER_URL:8089

Splunk Forwarder address
  Location: /opt/splunkforwarder/etc/apps/tcpout-aws/local/outputs.conf
  Example: server = FORWARDER1_ADDRESS:9997,FORWARDER2_ADDRESS:9997

Linux event log (Splunk tails this file)
  Location: /var/log/messages
  To log a message in the Linux event log: logger "My message"

To …
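The script below is an added example, not from the original post: it reads the two forwarder files listed above and reports where the forwarder is configured to phone home, which is the check behind "verify if the forwarding is configured". The file paths are the ones in the table; the stanza names ([target-broker:deploymentServer] in deploymentclient.conf, [tcpout:<group>] in outputs.conf) are Splunk's standard ones; SPLUNK_HOME is an assumed variable that defaults to the Universal Forwarder path.

```shell
#!/bin/sh
# Added example, not from the original post: read the forwarder's own .conf
# files and report where it is configured to phone home. SPLUNK_HOME is an
# assumed variable; it defaults to the Universal Forwarder install path.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"

# conf_get FILE STANZA KEY -> value of KEY inside [STANZA]. Splunk .conf files
# are ini-style: stanza headers in brackets, "key = value" lines beneath.
# Returns 1 when the file or the key is missing.
conf_get() {
    [ -r "$1" ] || return 1
    awk -v want="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { sub(/^[[:space:]]*/, ""); in_stanza = ($0 == want); next }
        in_stanza && $0 ~ "^[[:space:]]*" key "[[:space:]]*=" {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, "")
            print; found = 1; exit
        }
        END { exit found ? 0 : 1 }' "$1"
}

# tcpout_servers FILE -> one "host:port" per line from every server= entry
# under a [tcpout:<group>] stanza in outputs.conf (the plain [tcpout] stanza
# only names the default group, so it is skipped).
tcpout_servers() {
    [ -r "$1" ] || return 1
    awk '
        /^[[:space:]]*\[tcpout:/ { grp = 1; next }
        /^[[:space:]]*\[/        { grp = 0; next }
        grp && /^[[:space:]]*server[[:space:]]*=/ {
            sub(/^[^=]*=/, ""); gsub(/[[:space:]]/, ""); gsub(/,/, "\n"); print
        }' "$1"
}

# forwarder_report [SPLUNK_HOME] -> prints the deployment server and the
# forwarding targets; returns 0 only when both are present.
forwarder_report() {
    home="${1:-$SPLUNK_HOME}"
    ok=0
    ds=$(conf_get "$home/etc/system/local/deploymentclient.conf" \
                  target-broker:deploymentServer targetUri) || { ds="NOT SET"; ok=1; }
    echo "deployment server: $ds"
    targets=$(tcpout_servers "$home/etc/apps/tcpout-aws/local/outputs.conf") || targets=""
    if [ -z "$targets" ]; then
        echo "forwarding target: NOT SET"; ok=1
    else
        echo "$targets" | sed 's/^/forwarding target: /'
    fi
    return $ok
}

if [ -d "$SPLUNK_HOME" ]; then
    forwarder_report "$SPLUNK_HOME" || echo "WARNING: forwarding is not fully configured"
fi
```

This reads only the two files in the table. Splunk merges settings from several directories by precedence (etc/system/local over the apps' local directories over their default directories), so when the report disagrees with what the forwarder actually does, the authoritative merged view is $SPLUNK_HOME/bin/splunk btool outputs list --debug, which also prints which file each setting came from.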
Splunk lookups
Lookups provide readable information to users, so they don't have to understand the raw codes returned in reports. Lookups are defined for a specific app and are not accessible from other apps.
Lookup options: the code/description (input, output) values can be defined in multiple ways:
Comma-delimited text file (CSV)
Search results saved as a lookup …
The Splunk Search Language (SPL)
Search terms: see Searching in Splunk
Commands: tell Splunk what to do with the search result (charts, computing statistics, formatting)
Functions: explain how to chart, compute and evaluate the results
Arguments: variables applied to the functions
Clauses: grouping and definition of results
Separator: use pipes (|) to separate the components …
Searching in Splunk
When you are building the search criteria, click a field and value in the search result to add it to the search.
Wildcard character: * (asterisk) matches one or more characters
Exact phrases: use " (double quotes)
Search for quotes: \" (use a backslash to escape quotes if you want to search for quotes)
Keywords in the search …
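The script below is an added example, not from the original post, covering both the SPL structure and the quoting rules above: it wraps a literal phrase in double quotes with embedded quotes escaped as \", assembles a search with a pipe into a command, function and clause, and submits it through the Splunk REST API. SPLUNK_HOST, SPLUNK_USER and SPLUNK_CA are placeholder names assumed here; the phrase in the final call is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original post: build a search string with the
# quoting rules described above and run it through the Splunk REST API.
# SPLUNK_HOST, SPLUNK_USER and SPLUNK_CA are placeholder names assumed here.

# spl_phrase TEXT -> TEXT wrapped in double quotes for an exact-phrase search.
# Embedded double quotes become \" as described above; backslashes are doubled
# so a backslash in the phrase is not read as the start of an escape.
spl_phrase() {
    printf '"%s"' "$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')"
}

# spl_build INDEX PHRASE -> a complete search: search terms first, then a
# pipe into a command (stats) with a function (count) and a by clause.
spl_build() {
    printf 'search index=%s %s | stats count by host' "$1" "$(spl_phrase "$2")"
}

# splunk_search HOST USER CA_BUNDLE SPL -> stream results as JSON from the
# export endpoint on the management port. --data-urlencode does the URL
# encoding, so the quotes, backslashes and pipe in the SPL survive the trip.
# curl prompts for the password because only the user name is given.
splunk_search() {
    curl --silent --show-error --fail --cacert "$3" -u "$2" \
         --data-urlencode "search=$4" \
         --data output_mode=json \
         "https://$1:8089/services/search/jobs/export"
}

# Only talk to the network when the placeholders are actually set.
if [ -n "${SPLUNK_HOST:-}" ] && [ -n "${SPLUNK_USER:-}" ] && [ -n "${SPLUNK_CA:-}" ]; then
    splunk_search "$SPLUNK_HOST" "$SPLUNK_USER" "$SPLUNK_CA" \
        "$(spl_build security 'Failed password for "root"')"
fi
```

The export endpoint requires the string to start with the search command (or a leading pipe), which is why spl_build prefixes "search". Shell quoting is the usual trap: the phrase arrives in single quotes so the shell leaves its double quotes alone, and spl_phrase adds the SPL-level escaping afterwards.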
Splunk user management
The default Splunk user roles are Admin, Power and User.