@automine
automine / splunk_http_timeouts.md
Created December 22, 2022 18:03
Explanation of various HTTP(s) timeouts in Splunk

Original version is here, I just wanted something easier to read.

| Config | Default | Max | Recommended | Purpose | When to use |
|--------|---------|-----|-------------|---------|-------------|
automine / iaMasa.md
Last active April 19, 2023 11:05
Ingest Actions Flow
flowchart TD
    subgraph IDX
        TCP("TCP/UDP") -- Uncooked --> pQ
        TCP -- Cooked --> rulesetQ
        TailReader("TailReader") --> pQ
        fifo("FifoInput") --> pQ
    end
Masa Diagram in Mermaid

flowchart TB
    subgraph tail
        TailReader("TailReader (tailing)")
    end
    
# server.conf: disable the default management listener, which binds to 0.0.0.0:8089,
# and set up a new listener that only listens on the loopback address.
# Caveat: with a loopback-only listener, other Splunk instances (search heads running
# distributed search, the cluster manager, another node's REST calls) cannot reach this
# instance's management port, so this suits standalone instances and forwarders, not
# indexer-cluster peers or search peers.
[httpServer]
disableDefaultPort = true

[httpServerListener:127.0.0.1:8089]
ssl = true
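The listener change above is only as good as its verification: a stanza in an app, or a listener that never got restarted, can leave 8089 open on every interface. The script below is an added example and not part of the gist. It checks a server.conf (or the merged output of `splunk btool server list`, which uses the same `[stanza]` / `key = value` layout) for exactly the settings shown above, and checks live sockets from `ss -Hltn` output. The function names `check_server_conf` and `exposed_mgmt_listeners` and the sample config and `ss` lines are my own, constructed for the example.

```shell
#!/bin/sh
# Added example (not from the gist): audit whether the Splunk management port
# is reachable beyond loopback, from the config text and from live sockets.

# check_server_conf [FILE]   (reads stdin when no FILE is given)
# Returns 0 when [httpServer] has disableDefaultPort = true and every
# [httpServerListener:<ip>:<port>] stanza binds to 127.0.0.1; 1 otherwise.
check_server_conf() {
    awk '
        /^[[:space:]]*\[/ { stanza = $0; sub(/^[[:space:]]*/, "", stanza) }
        stanza == "[httpServer]" && /^[[:space:]]*disableDefaultPort[[:space:]]*=[[:space:]]*true[[:space:]]*$/ { disabled = 1 }
        /^[[:space:]]*\[httpServerListener:/ {
            addr = stanza
            sub(/^\[httpServerListener:/, "", addr)
            sub(/\].*$/, "", addr)
            if (addr !~ /^127\.0\.0\.1:[0-9]+$/) bad++
        }
        END { exit (disabled && bad == 0) ? 0 : 1 }
    ' "${1:-/dev/stdin}"
}

# exposed_mgmt_listeners [PORT]   (reads `ss -Hltn` output on stdin, default port 8089)
# Prints every LISTEN socket on PORT whose local address is not loopback.
# Returns 0 when none is exposed, 1 when at least one is.
exposed_mgmt_listeners() {
    awk -v port="${1:-8089}" '
        # ss -Hltn columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
        {
            laddr = $4
            n = split(laddr, parts, ":")
            if (n < 2 || parts[n] != port) next
            host = substr(laddr, 1, length(laddr) - length(parts[n]) - 1)
            if (host != "127.0.0.1" && host != "[::1]") { print laddr; exposed = 1 }
        }
        END { exit exposed ? 1 : 0 }
    '
}

# Constructed sample inputs (not captured from a real host) so this runs offline.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
[httpServer]
disableDefaultPort = true

[httpServerListener:127.0.0.1:8089]
ssl = true
EOF
SAMPLE_SS='LISTEN 0 128 127.0.0.1:8089 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8000 0.0.0.0:*'

if check_server_conf "$SAMPLE_CONF"; then
    echo "server.conf: management listener is loopback-only"
else
    echo "server.conf: management port may be exposed"
fi
if printf '%s\n' "$SAMPLE_SS" | exposed_mgmt_listeners 8089; then
    echo "sockets: no 8089 listener outside loopback"
fi
rm -f "$SAMPLE_CONF"
# On a live host:
#   "$SPLUNK_HOME/bin/splunk" btool server list | check_server_conf
#   ss -Hltn | exposed_mgmt_listeners 8089
```

Run both checks rather than one: the config check tells you what splunkd will do after the next restart, the socket check tells you what it is doing now. A `0.0.0.0:8089` line from the second function after the config says loopback-only usually means the restart has not happened yet.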
automine / syslog-ng.conf
Created March 19, 2019 16:20
Template to test syslog-ng headers
# Dump every header field syslog-ng parsed, so the received message can be compared
# against what the sender believes it sent. WELF-style variant (the template name
# t_splunk_welf is assumed):
template t_splunk_welf {
    template("$(format-welf ISODATE DATE SOURCEIP HOST ORIG_HOST PROGRAM PID MSGID SDATA MSGHDR MESSAGE FACILITY PRIORITY)\n");
};

# key="value" variant. template_escape(no) leaves quotes in the field values
# unescaped, so a MESSAGE containing a double quote will break naive kv parsing:
# fine for eyeballing headers, not for a production destination.
template t_splunk_kv {
    template("ISODATE=\"${ISODATE}\", DATE=\"${DATE}\", SOURCEIP=\"${SOURCEIP}\", HOST=\"${HOST}\", ORIG_HOST=\"${ORIG_HOST}\", PROGRAM=\"${PROGRAM}\", PID=\"${PID}\", MSGID=\"${MSGID}\", SDATA=\"${SDATA}\", MSGHDR=\"${MSGHDR}\", MESSAGE=\"${MESSAGE}\", FACILITY=\"${FACILITY}\", PRIORITY=\"${PRIORITY}\"\n");
    template_escape(no);
};
automine / README.md
Created January 29, 2019 00:54
Windows TA 5 Changes

Windows TA 5 Changes

Overview

Version 5.0 of the Splunk Add-on for Microsoft Windows introduced changes that differ substantially from earlier versions. Apps that depend on the old behaviour may break, such as the Exchange app, certain versions of the Windows Infrastructure app, and possibly others. Consultants should be aware of these changes when deciding which version to deploy with a customer. Below are the Splunk Add-on for Microsoft Windows 5.0.0 changes related to WinEventLog sourcetypes that may impact the Windows Infrastructure (Winfra), Exchange, and ITSI apps.

Why these changes were made

  1. Enhance code robustness: clean up existing bugs, simplify maintenance, and prepare the add-on for further enhancements
  2. Improve performance
  3. Follow knowledge-management best practices
  4. Remove unsupported functionality, such as wildcard sourcetyping
  5. Produce well-structured code with a dedicated stanza per log format, instead of the previous mix
automine / extended_search_reporting.xml
Last active September 11, 2020 13:32
Extended Search Reporting, v1.4 thanks to cerby on the Splunk Community Slack (dpaper@splunk.com)!
You should use this: https://github.com/dpaper-splunk/public/blob/master/dashboards/extended_search_reporting.xml
automine / Master and Indexer distsearch.conf
Last active December 15, 2023 18:46
Recommended tunings for SHC
[replicationSettings]
sendRcvTimeout = 120
automine / remove_local.sh
Last active October 18, 2018 16:17
Remove Splunk /etc/system/local configs - Linux
#!/bin/sh
# Remove inputs/outputs/deploymentclient from etc/system/local. That directory has the
# highest precedence, so anything left there silently overrides the same settings in
# apps pushed by a deployment server. If both install paths exist, the forwarder wins.
SPLUNKPATH=""
[ -d "/opt/splunk" ] && SPLUNKPATH="/opt/splunk"
[ -d "/opt/splunkforwarder" ] && SPLUNKPATH="/opt/splunkforwarder"
[ -n "$SPLUNKPATH" ] || { echo "no Splunk install found under /opt" >&2; exit 1; }
for f in inputs.conf outputs.conf deploymentclient.conf; do
    [ -f "$SPLUNKPATH/etc/system/local/$f" ] && rm -f "$SPLUNKPATH/etc/system/local/$f"
done
automine / remove_local.bat
Created October 16, 2018 19:06
Remove Splunk /etc/system/local configs - Windows
@echo off
rem Remove inputs/outputs/deploymentclient from etc\system\local (highest precedence,
rem overrides the same settings in deployed apps). Refuse to run with SPLUNK_HOME unset,
rem otherwise the paths below would resolve relative to the current drive root.
if "%SPLUNK_HOME%"=="" (
    echo SPLUNK_HOME is not set 1>&2
    exit /b 1
)
for %%f in (inputs.conf outputs.conf deploymentclient.conf) do (
    if exist "%SPLUNK_HOME%\etc\system\local\%%f" del /f /q "%SPLUNK_HOME%\etc\system\local\%%f"
)