Make stats in Splunk more meaningful with fillnull
I mentioned in my last post about a common issue that I have with the stats command: items with empty values are simply excluded from the results. What if you want to include those empty results with...
View ArticleExtract Active Directory Account Names in Splunk
I don’t really understand Microsoft’s rationale when it comes to log verbosity. I suppose too much information is better than not enough information, but that comes at the cost of making it difficult...
View ArticleExtract multiple Active Directory fields in Splunk
I had posted here about how to extract account names with a specific modifier (exclude account names ending in a dollar sign.) That worked for one specific instance, but I found I needed something...
View ArticleGet geolocation info in Splunk with iplocation
Splunk 6 has many awesome new features, one of which is built-in IP geolocation. No longer do you have to manually lookup up city, state, and country when investigating logs – Splunk will do that for...
View ArticleAutomatically delete old data in Splunk
I’ve had Splunk humming along for about two years now. I’ve already increased the storage space for my Splunk VM once. Today I received a notice that I’ve once again run out of space and indexing had...
View ArticleFix Splunk lockout after exceeded quota
Recently I came across a situation with my home install of Splunk (free license) where the 500MB quota was exceeded three days in a row. I hadn’t checked Splunk for a few days so I was completely...
View ArticleDetermine what a Splunk forwarder is forwarding
I recently came across a need to determine exactly what is logging to a forwarder in Splunk. I had a hard time finding out what to search for so I thought I’d share what I found. The key to discovering...
View ArticleInstall Splunk Universal Forwarder on Linux
I do this infrequently enough that I decided I should really write this down. Below is the quick and dirty way to get the Splunk universal forwarder installed on a new Linux system. Thanks to...
View ArticleChange the hostname on a Splunk Indexer
Recently I set about to change the hostname on a Splunk indexer. It should be pretty easy, right? Beware. It can be pretty nasty! Below is my experience. I started with the basics. hostname command...
View ArticleFix erroneous DM Splunk Missing Forwarders alert
For some time now Splunk has been alerting me to “missing” forwarders even though all of those forwarders are working perfectly fine. It turns out to be a glitch in the Deployment Monitor app. After...
View Article
