Questions tagged [splunk]

Splunk is a tool for collecting, monitoring, and analyzing log files from servers, applications, or other sources.

The primary features of Splunk include:

Collecting logs from multiple sources into a single location to allow for use without needing to access individual servers.
Parsing of logs with arbitrary formats, including free-form logs with no defined fields
Advanced querying of logs, including
- combining results from different sources
- filtering based on identified field values and pattern matching
- analyzing records using statistical and mapping functions

The name "Splunk" comes from a rewriting of spelunking, a cave exploring hobby.

Splunk is available as both an enterprise application that runs on your servers (with a free tier) and a host service known as Splunk Storm.

Useful links

74 questions

votes

4 answers

Thoughts on Free Splunk

I am considering implementing Splunk at my company but am leery about the financial investment. I noticed there is a free version of Splunk that seem to be good enough. Can anyone tell me if you are using the free version at your company? Do you…

splunk

asked Apr 20 '10 at 21:54

dan_vitch

votes

1 answer

Splunk File & Directory Data Inputs

I've installed Splunk (4.1.5(85165) on windows) and have uploaded some logs without any issues. I now want to monitor a linux server, but I'm having problems adding the datasource and always get the message: Encountered the following error while…

splunk

asked Oct 14 '10 at 10:12

Mr Shoubs

votes

1 answer

Will Splunk update the index if an already indexed file is edited?

Our Splunk server indexes the audit logs from its clients. Once a week we audit these logs through a Splunk search. My question is, if someone edits the entries in a log file that is already indexed, would Splunk re-index the edited file and…

splunk

asked Dec 07 '17 at 10:19

Sreeraj

votes

1 answer

How do I exclude messages from indexing on Splunk Cloud?

I see from this question and answer on Splunk's own Q&A site that it's possible to exclude certain messages from indexing on a Splunk instance. I have a Splunk Cloud instance where the only way of configuring such things is through the GUI. I don't…

splunk

asked May 31 '16 at 09:32

Flup

8,118

votes

2 answers

format of the log file format for splunk

The current log file name I have is: catalina.2010-02-24.log. I want to add this for splunk indexing, but i am running into problems, since there is no static file name, since everyday tomcat renames the log…

splunk

asked Feb 24 '10 at 22:16

RainDoctor

4,514
3
24
25

vote

1 answer

Splunk 6: “Cannot preview on this Splunk instance”

I have a distributed Splunk 6 environment with which I am working through the installation of a new Technology Add-on. On my forwarder I am trying to add a new Data Input... Settings > Data inputs > Files & directories > New then select my file and…

splunk

asked Aug 28 '15 at 18:24

user1801810

vote

1 answer

Capturing Regex in Splunk

I'm trying to grab the directory paths of GET requests and count them in Splunk using this capturing regex. index=main sourcetype="access_combined_wcookie" | rex "(?i)\"GET /(?P\w+)/" | timechart count by MYDIR This sort of works. It grabs…

splunk

asked Jul 13 '13 at 23:00

user181496

vote

2 answers

Splunk form search with multiple variables

I'm using Splunk 3.4.10 with the free license on a CentOS machine. I've created a saved form search called "Trace Mail" that I hope to use to trace a single message through my mail servers as it gets new queue IDs. Now, this form search worked…

splunk

asked Jun 16 '09 at 20:18

thepocketwade

1,575

votes

1 answer

Is there a listing of global splunk variables available for alerting?

This is simple, however I have been able to find anything at the basic level of "number of rows/records found in query" for use in a Slack notification. For example to reference the $name$ of the alert, thats the variable. Is there a list of other…

splunk

asked Jul 03 '19 at 15:20

Bryan Yeung

votes

1 answer

Splunk disk space requirements

I need to get a vague idea of disk space requirements before I start forwarding logs to a Splunk instance. Each indexed line will have on average 320 characters and I will be indexing around 500,000 lines a day. My assumptions are 1 byte per…

splunk

asked Jun 04 '14 at 13:14

Michael

votes

1 answer

How to non-interactively add a Splunk forwarder?

I wish to create a script for setting up forwarding to a splunk server. Here's what I have so far: ./splunk add forward-server SPLUNK-IP-ADDRESS:SPLUNK-PORT However, it asks for my credentials. How can I non-interactively pass credentials to splunk…

splunk

asked Sep 09 '20 at 07:36

user3207874

-1

votes

1 answer

Filtering out strings in Splunk

I have the below query. index=myindex sourcetype="application:access:log" host=myservers* FullURL="*/ABC" It works. However, I'd like the output to show all URLs with ABC within them, I just don't want results with ABCD to show in them. Any idea…

splunk

asked Jan 15 '20 at 05:29

Govno