Original version is here, I just wanted something easier to read.
| Config | Default | Max Recommended | Purpose | When to use |
|---|
David Shpritz automine
automine
/ splunk_http_timeouts.md
Created
December 22, 2022 18:03
Explanation of various HTTP(s) timeouts in Splunk
View splunk_http_timeouts.md
View iaMasa.md
flowchart TD
subgraph IDX
TCP("TCP/UDP") -- Uncooked --> pQ
TCP -- Cooked --> rulesetQ
TailReader("TailReader") --> pQ
fifo("FifoInput") --> pQ
View masa.md
Masa Diagram in Mermaid
flowchart TB
subgraph tail
TailReader("TailReader (tailing)")
end
automine
/ server.conf
Created
May 30, 2019 15:14
View server.conf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Disable the default management listener which binds to 0.0.0.0 | |
| # And then set up a new listener that listens on the loopback | |
| [httpServer] | |
| disableDefaultPort = true | |
| [httpServerListener:127.0.0.1:8089] | |
| ssl=true |
View syslog-ng.conf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| template("$(format-welf ISODATE DATE SOURCEIP HOST ORIG_HOST PROGRAM PID MSGID SDATA MSGHDR MESSAGE FACILITY PRIORITY)\n"); | |
| template t_splunk_kv { template("ISODATE=\"${ISODATE}\", DATE=\"${DATE}\", SOURCEIP=\"${SOURCEIP}\", HOST=\"${HOST}\", ORIG_HOST=\"${ORIG_HOST}\", PROGRAM=\"${PROGRAM}\", PID=\"${PID}\", MSGID=\"${MSGID}\", SDATA=\"${SDATA}\", MSGHDR=\"${MSGHDR}\", MESSAGE=\"${MESSAGE}\", FACILITY=\"${FACILITY}\", PRIORITY=\"${PRIORITY}\"\n"); template_escape(no); }; |
View README.md
Windows TA 5 Changes
Overview
There were changes made in the Splunk Add-on for Windows in version 5.0 which are very different from past versions. With this change, some apps may have issues, such as the Exchange App, Windows Infrastructure app (certain versions), and possibly others. Consultants should be aware of these changes when deciding which version to use with a customer. Below are the Splunk Add-on For Microsoft Windows 5.0.0 changes related to WinEventLog Sourcetypes that may impact Winfra/Exchange/ITSI apps.
Why these changes were made
- Enhancing code robustness: clean up existing bugs, simplify maintainability, prepare add-on for further enhancements
- Improve performance
- Follow knowledge management best practices
- Remove any unsupported functionality, such as wildcard sourcetyping
- Produce well-structured code with a dedicated stanza per log format, instead of the previous mix
automine
/ extended_search_reporting.xml
Last active
September 11, 2020 13:32
Extended Search Reporting, v1.4 thanks to cerby on the Splunk Community Slack (dpaper@splunk.com)!
View extended_search_reporting.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| You should use this: https://github.com/dpaper-splunk/public/blob/master/dashboards/extended_search_reporting.xml |
automine
/ Master and Indexer distsearch.conf
Last active
February 4, 2019 17:18
Recommended tunings for SHC
View Master and Indexer distsearch.conf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [replicationSettings] | |
| sendRcvTimeout = 120 |
automine
/ remove_local.sh
Last active
October 18, 2018 16:17
Remove Splunk /etc/system/local configs - Linux
View remove_local.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| [ -d "/opt/splunk" ] && SPLUNKPATH="/opt/splunk" | |
| [ -d "/opt/splunkforwarder" ] && SPLUNKPATH="/opt/splunkforwarder" | |
| [ -f "$SPLUNKPATH/etc/system/local/inputs.conf" ] && rm -f $SPLUNKPATH/etc/system/local/inputs.conf | |
| [ -f "$SPLUNKPATH/etc/system/local/outputs.conf" ] && rm -f $SPLUNKPATH/etc/system/local/outputs.conf | |
| [ -f "$SPLUNKPATH/etc/system/local/deploymentclient.conf" ] && rm -f $SPLUNKPATH/etc/system/local/deploymentclient.conf |
automine
/ remove_local.bat
Created
October 16, 2018 19:06
Remove Splunk /etc/system/local configs - Windows
View remove_local.bat
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @echo off | |
| del /f /q "%SPLUNK_HOME%\etc\system\local\inputs.conf" | |
| del /f /q "%SPLUNK_HOME%\etc\system\local\outputs.conf" | |
| del /f /q "%SPLUNK_HOME%\etc\system\local\deploymentclient.conf" |
NewerOlder