Comments on: Splunk Best Practices http://www.webadminblog.com Real Web Admins. Real World Experience. Mon, 06 Feb 2012 14:28:57 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Josh http://www.webadminblog.com/index.php/splunk-best-practices/comment-page-1/#comment-754 Josh Fri, 12 Aug 2011 17:01:46 +0000 http://webadminblog.com/?page_id=6#comment-754 Garret, I'm not sure what to tell you. I wrote the app for an older version of Splunk and that dashboard module worked just fine. It's possible that Splunk changed this in a newer version and it no longer works, but I've tested it on our version 4.2.2, build 101277 server and it seems to be working without issue. Have you tried talking to Splunk support? Garret, I’m not sure what to tell you. I wrote the app for an older version of Splunk and that dashboard module worked just fine. It’s possible that Splunk changed this in a newer version and it no longer works, but I’ve tested it on our version 4.2.2, build 101277 server and it seems to be working without issue. Have you tried talking to Splunk support?

]]> By: Garrett Hildebrand http://www.webadminblog.com/index.php/splunk-best-practices/comment-page-1/#comment-753 Garrett Hildebrand Mon, 08 Aug 2011 22:51:08 +0000 http://webadminblog.com/?page_id=6#comment-753 I downloaded and installed your Splunk Monitoring application. When I bring-up the app under the apps menu from within splunk I see the following error: "This view has a Splunk.Module.HiddenSearch module but it is configured with no child modules to push its changes to. This represents a configuration error." There is someone who posted on splunk answers the same error, and someone wrote back and said to comment-out line 24 and to add line 78. But that totally does not work and causes yet another error (I saw this at http://splunk-base.staging.splunk.com/answers/5672/error-on-dashboard-splunk-agent-monitoring-app ). I have the monitoring script working okay, so it is the $SPLUNK_HOME/etc/apps/splunk_monitoring/default/data/ui/views/dashboard.xml that is apparently the problem. Suggestions? I downloaded and installed your Splunk Monitoring application. When I bring-up the app under the apps menu from within splunk I see the following error:

“This view has a Splunk.Module.HiddenSearch module but it is configured with no child modules to push its changes to. This represents a configuration error.”

There is someone who posted on splunk answers the same error, and someone wrote back and said to comment-out line 24 and to add line 78. But that totally does not work and causes yet another error (I saw this at http://splunk-base.staging.splunk.com/answers/5672/error-on-dashboard-splunk-agent-monitoring-app ).

I have the monitoring script working okay, so it is the $SPLUNK_HOME/etc/apps/splunk_monitoring/default/data/ui/views/dashboard.xml that is apparently the problem. Suggestions?

]]> By: gil vidals http://www.webadminblog.com/index.php/splunk-best-practices/comment-page-1/#comment-745 gil vidals Wed, 03 Aug 2011 03:52:44 +0000 http://webadminblog.com/?page_id=6#comment-745 splunk is consuming 50% of CPU when running on Windows 2008 R2 with 1 x vCPU and 6 GB of RAM. This is on a Windows server running with light forwarder mode on and sending the index to the main indexer. We've even pared down the number of logs down to just a couple and the CPU is still at 50%; it seems way to high and I don't know how to fix this. Have you encountered this before? splunk is consuming 50% of CPU when running on Windows 2008 R2 with 1 x vCPU and 6 GB of RAM. This is on a Windows server running with light forwarder mode on and sending the index to the main indexer.

We’ve even pared down the number of logs down to just a couple and the CPU is still at 50%; it seems way to high and I don’t know how to fix this. Have you encountered this before?

]]> By: Josh http://www.webadminblog.com/index.php/splunk-best-practices/comment-page-1/#comment-727 Josh Wed, 11 May 2011 03:56:24 +0000 http://webadminblog.com/?page_id=6#comment-727 Erik, I have to say that I've never run into that. That said, I've never actually installed the app from SplunkBase either. You may want to try downloading the files and manually placing them in your apps directory. The .spl files are really just .tar.gz formatted so running "tar xvzf" should properly decompress them. Otherwise, I'd say that Splunk support may be able to help you further. Erik, I have to say that I’ve never run into that. That said, I’ve never actually installed the app from SplunkBase either. You may want to try downloading the files and manually placing them in your apps directory. The .spl files are really just .tar.gz formatted so running “tar xvzf” should properly decompress them. Otherwise, I’d say that Splunk support may be able to help you further.

]]> By: Erik Curtis http://www.webadminblog.com/index.php/splunk-best-practices/comment-page-1/#comment-726 Erik Curtis Fri, 06 May 2011 15:20:04 +0000 http://webadminblog.com/?page_id=6#comment-726 I have installed the License Usage app. After the install, I get prompted "The License Usage app has not been fully configured". Clicking "Continue to app setup page" results in the error "KeyErrir:'elements'. We are using Splunk v4.2.1-98164. I have installed the License Usage app. After the install, I get prompted “The License Usage app has not been fully configured”. Clicking “Continue to app setup page” results in the error “KeyErrir:’elements’.

We are using Splunk v4.2.1-98164.

]]> By: Josh http://www.webadminblog.com/index.php/splunk-best-practices/comment-page-1/#comment-660 Josh Thu, 16 Sep 2010 18:18:12 +0000 http://webadminblog.com/?page_id=6#comment-660 Andy, We use the Splunk deployment server so I created a deployment app under "$SPLUNK_HOME/etc/deployment-apps/mybundle/default". It contains a fields.conf file with the values: [niappname] INDEXED = true [nilogname] INDEXED = true An indexes.conf file with the values: [ni_dashboard] homePath = $SPLUNK_DB/ni_dashboard/db coldPath = $SPLUNK_DB/ni_dashboard/colddb thawedPath = $SPLUNK_DB/ni_dashboard/thaweddb A inputs.conf with the values: # Scripted input to do a find on /opt/apps/logs [script://$SPLUNK_HOME/etc/apps/mybundle/bin/apploglist.sh] interval = 3600 sourcetype = dashboard_app_log_list source = ni_dashboard index = ni_dashboard disabled = false A props.conf file with the values: # Handler for apploglist.sh "dashboard_app_log_list" sourcetype [dashboard_app_log_list] BREAK_ONLY_BEFORE = ^ TRANSFORMS-applist = apps,logs AUTO_LINEMERGE = True SHOULD_LINEMERGE = False The most important part is to set up your transforms.conf with the proper regex like this: # Add "niappname" field for apploglist.sh "oas10g_app_log_list" sourcetype [apps] REGEX = /opt/apps/logs/(\w+)/ FORMAT = niappname::$1 DEST_KEY = niappname WRITE_META = True # Add "nilogname" field for loglist.sh "oas10g_app_log_list" sourcetype [logs] REGEX = /opt/apps/logs/(\w+)/(\w+)\.|/opt/apps/logs/(\w+)/_apps_utf8/(\w+)\. FORMAT = nilogname::$2 DEST_KEY = nilogname WRITE_META = True Then you still need to create your script. I put mine under "$SPLUNK_HOME/etc/deployment-apps/mybundle/bin" so it will get deployed with the deployment server. Here is my script: #/bin/bash # VARIABLES LOG_DIR="/opt/apps/logs"; DST_DIR="$SPLUNK_HOME/etc/apps/mybundle/log"; # Hostname HOSTNAME=`uname -n`; # Check if DST_DIR exists and if not create it if [ ! -d ${DST_DIR} ] ; then mkdir ${DST_DIR}; fi # Check if log file exists and if not create it if [ ! -f ${DST_DIR}/${HOSTNAME}_apploglist.log ] ; then touch ${DST_DIR}/${HOSTNAME}_apploglist.log; fi # For each application directory for i in `find $LOG_DIR -type f` do # If that directory has not already been indexed if [ "`grep $i ${DST_DIR}/${HOSTNAME}_apploglist.log`" == "" ] ; then # Add it to the log file echo $i >> ${DST_DIR}/${HOSTNAME}_apploglist.log; # Output it to stdout echo $i; fi done That should do it! Andy,

We use the Splunk deployment server so I created a deployment app under “$SPLUNK_HOME/etc/deployment-apps/mybundle/default”. It contains a fields.conf file with the values:

[niappname]
INDEXED = true

[nilogname]
INDEXED = true

An indexes.conf file with the values:

[ni_dashboard]
homePath = $SPLUNK_DB/ni_dashboard/db
coldPath = $SPLUNK_DB/ni_dashboard/colddb
thawedPath = $SPLUNK_DB/ni_dashboard/thaweddb

A inputs.conf with the values:

# Scripted input to do a find on /opt/apps/logs
[script://$SPLUNK_HOME/etc/apps/mybundle/bin/apploglist.sh]
interval = 3600
sourcetype = dashboard_app_log_list
source = ni_dashboard
index = ni_dashboard
disabled = false

A props.conf file with the values:

# Handler for apploglist.sh “dashboard_app_log_list” sourcetype
[dashboard_app_log_list]
BREAK_ONLY_BEFORE = ^
TRANSFORMS-applist = apps,logs
AUTO_LINEMERGE = True
SHOULD_LINEMERGE = False

The most important part is to set up your transforms.conf with the proper regex like this:

# Add “niappname” field for apploglist.sh “oas10g_app_log_list” sourcetype
[apps]
REGEX = /opt/apps/logs/(\w+)/
FORMAT = niappname::$1
DEST_KEY = niappname
WRITE_META = True

# Add “nilogname” field for loglist.sh “oas10g_app_log_list” sourcetype
[logs]
REGEX = /opt/apps/logs/(\w+)/(\w+)\.|/opt/apps/logs/(\w+)/_apps_utf8/(\w+)\.
FORMAT = nilogname::$2
DEST_KEY = nilogname
WRITE_META = True

Then you still need to create your script. I put mine under “$SPLUNK_HOME/etc/deployment-apps/mybundle/bin” so it will get deployed with the deployment server. Here is my script:

#/bin/bash

# VARIABLES
LOG_DIR=”/opt/apps/logs”;
DST_DIR=”$SPLUNK_HOME/etc/apps/mybundle/log”;

# Hostname
HOSTNAME=`uname -n`;

# Check if DST_DIR exists and if not create it
if [ ! -d ${DST_DIR} ] ; then
mkdir ${DST_DIR};
fi

# Check if log file exists and if not create it
if [ ! -f ${DST_DIR}/${HOSTNAME}_apploglist.log ] ; then
touch ${DST_DIR}/${HOSTNAME}_apploglist.log;
fi

# For each application directory
for i in `find $LOG_DIR -type f`
do
# If that directory has not already been indexed
if [ "`grep $i ${DST_DIR}/${HOSTNAME}_apploglist.log`" == "" ] ; then
# Add it to the log file
echo $i >> ${DST_DIR}/${HOSTNAME}_apploglist.log;
# Output it to stdout
echo $i;
fi
done

That should do it!

]]> By: Andy http://www.webadminblog.com/index.php/splunk-best-practices/comment-page-1/#comment-659 Andy Thu, 16 Sep 2010 17:35:22 +0000 http://webadminblog.com/?page_id=6#comment-659 Josh, Thank you for taking the time to write this article and sharing your experiences. I have a similar setup to your with all app logs being written to /logs/webapps/* . Can you share how you configured your scripted input with your setup? Would it be possible to post the script that you use for this? thanks so much Josh,

Thank you for taking the time to write this article and sharing your experiences. I have a similar setup to your with all app logs being written to /logs/webapps/* . Can you share how you configured your scripted input with your setup? Would it be possible to post the script that you use for this?

thanks so much

]]> By: Josh http://www.webadminblog.com/index.php/splunk-best-practices/comment-page-1/#comment-576 Josh Mon, 01 Mar 2010 16:23:40 +0000 http://webadminblog.com/?page_id=6#comment-576 Alright, I think we've got the issues figured out with SplunkBase and you guys can download the new 4.x version of my Splunk License Usage application here: http://www.splunkbase.com/apps/All/4.x/App/app:Splunk+License+Usage Alright, I think we’ve got the issues figured out with SplunkBase and you guys can download the new 4.x version of my Splunk License Usage application here:

http://www.splunkbase.com/apps/All/4.x/App/app:Splunk+License+Usage

]]> By: Josh http://www.webadminblog.com/index.php/splunk-best-practices/comment-page-1/#comment-575 Josh Fri, 26 Feb 2010 15:30:36 +0000 http://webadminblog.com/?page_id=6#comment-575 Madsen/Lea, I see exctly what you're talking about with the 4.x version of my Splunk License Usage app not showing up. It worked fine while I was logged in to Splunkbase, but not that I'm not logged in anymore, it just shows the 3.x version of the app. I've contacted Emma Dannin and Caleb Poterbin at Splunk support as they helped me get my app on the new Splunkbase. I will update you once it has been made available. Thanks! Madsen/Lea,

I see exctly what you’re talking about with the 4.x version of my Splunk License Usage app not showing up. It worked fine while I was logged in to Splunkbase, but not that I’m not logged in anymore, it just shows the 3.x version of the app. I’ve contacted Emma Dannin and Caleb Poterbin at Splunk support as they helped me get my app on the new Splunkbase. I will update you once it has been made available. Thanks!

]]> By: madsen http://www.webadminblog.com/index.php/splunk-best-practices/comment-page-1/#comment-574 madsen Fri, 26 Feb 2010 13:53:14 +0000 http://webadminblog.com/?page_id=6#comment-574 Hi Josh! A very helpful article. I'm in the process of setting up splunk and was looking at you license usage script for version 3.x. On Splunkbase, however, the script is still only for version 3.x. At least I can't find it and the link you provide above takes me to the 3.x version of it. Have to take a look at the monitoring after the weekend. cheers, madsen Hi Josh!

A very helpful article. I’m in the process of setting up splunk and was looking at you license usage script for version 3.x. On Splunkbase, however, the script is still only for version 3.x. At least I can’t find it and the link you provide above takes me to the 3.x version of it.
Have to take a look at the monitoring after the weekend.
cheers,
madsen

]]>