Original version is here, I just wanted something easier to read.
| Config | Default | Max Recommended | Purpose | When to use |
|---|---|---|---|---|
```mermaid
flowchart TD
subgraph IDX
TCP("TCP/UDP") -- Uncooked --> pQ
TCP -- Cooked --> rulesetQ
TailReader("TailReader") --> pQ
fifo("FifoInput") --> pQ
end
```
```ini
# Disable the default management listener which binds to 0.0.0.0
# And then set up a new listener that listens on the loopback
[httpServer]
disableDefaultPort = true
[httpServerListener:127.0.0.1:8089]
ssl=true
```
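To verify that a server.conf actually closes the exposure the stanza above addresses, here is an added Python check (not code from the original page): it parses the `[httpServer]` and `[httpServerListener:...]` stanzas and reports a default listener that is still enabled, any listener bound to a non-loopback address, and any listener with `ssl` explicitly turned off. Both config fragments and the function name `mgmt_listener_findings` are constructed for this example.

```python
import configparser
import ipaddress
from io import StringIO

# Constructed sample fragments of server.conf (not taken from any real host).
HARDENED_CONF = """
# Default listener off, explicit loopback listener on
[httpServer]
disableDefaultPort = true

[httpServerListener:127.0.0.1:8089]
ssl = true
"""

WEAK_CONF = """
[httpServer]

[httpServerListener:0.0.0.0:8089]
ssl = false
"""

def _truthy(value):
    return value.strip().lower() in ("true", "1", "yes")

def mgmt_listener_findings(conf_text):
    """Return a list of findings about management-port exposure; [] means none."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str          # Splunk setting names are case-sensitive
    cp.read_file(StringIO(conf_text))
    findings = []
    # Unless disableDefaultPort is true, the 0.0.0.0 management listener stays up.
    if not _truthy(cp.get("httpServer", "disableDefaultPort", fallback="false")):
        findings.append("default management listener on 0.0.0.0 is still enabled")
    for section in cp.sections():
        if not section.startswith("httpServerListener:"):
            continue
        # Stanza form is httpServerListener:<ip>:<port>; split off the port last.
        host, _, port = section.split(":", 1)[1].rpartition(":")
        try:
            addr = ipaddress.ip_address(host.strip("[]"))
        except ValueError:
            findings.append(f"{section}: cannot parse bind address {host!r}")
            continue
        if not addr.is_loopback:
            findings.append(f"{section}: bound to non-loopback address {host}:{port}")
        if cp.has_option(section, "ssl") and not _truthy(cp.get(section, "ssl")):
            findings.append(f"{section}: ssl explicitly disabled")
    return findings
```

Run it against `$SPLUNK_HOME/etc/system/local/server.conf` (or the btool-merged output) rather than a single file when several apps contribute stanzas.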
```
template("$(format-welf ISODATE DATE SOURCEIP HOST ORIG_HOST PROGRAM PID MSGID SDATA MSGHDR MESSAGE FACILITY PRIORITY)\n");
template t_splunk_kv { template("ISODATE=\"${ISODATE}\", DATE=\"${DATE}\", SOURCEIP=\"${SOURCEIP}\", HOST=\"${HOST}\", ORIG_HOST=\"${ORIG_HOST}\", PROGRAM=\"${PROGRAM}\", PID=\"${PID}\", MSGID=\"${MSGID}\", SDATA=\"${SDATA}\", MSGHDR=\"${MSGHDR}\", MESSAGE=\"${MESSAGE}\", FACILITY=\"${FACILITY}\", PRIORITY=\"${PRIORITY}\"\n"); template_escape(no); };
```
Version 5.0 of the Splunk Add-on for Windows changed significantly from earlier versions. Some apps may have issues as a result, such as the Exchange App, certain versions of the Windows Infrastructure app, and possibly others. Consultants should be aware of these changes when deciding which version to use with a customer. Below are the Splunk Add-on for Microsoft Windows 5.0.0 changes related to WinEventLog sourcetypes that may impact the Winfra, Exchange and ITSI apps.

You should use this: https://github.com/dpaper-splunk/public/blob/master/dashboards/extended_search_reporting.xml
```ini
[replicationSettings]
sendRcvTimeout = 120
```
```sh
#!/bin/sh
# Pick whichever Splunk install directory exists on this host
[ -d "/opt/splunk" ] && SPLUNKPATH="/opt/splunk"
[ -d "/opt/splunkforwarder" ] && SPLUNKPATH="/opt/splunkforwarder"
# Bail out if neither was found, so the rm lines below never run against "/etc/..."
[ -n "$SPLUNKPATH" ] || { echo "no Splunk install found" >&2; exit 1; }
# Remove local inputs/outputs/deploymentclient so deployment-server copies take over
[ -f "$SPLUNKPATH/etc/system/local/inputs.conf" ] && rm -f "$SPLUNKPATH/etc/system/local/inputs.conf"
[ -f "$SPLUNKPATH/etc/system/local/outputs.conf" ] && rm -f "$SPLUNKPATH/etc/system/local/outputs.conf"
[ -f "$SPLUNKPATH/etc/system/local/deploymentclient.conf" ] && rm -f "$SPLUNKPATH/etc/system/local/deploymentclient.conf"
```
```bat
@echo off
del /f /q "%SPLUNK_HOME%\etc\system\local\inputs.conf"
del /f /q "%SPLUNK_HOME%\etc\system\local\outputs.conf"
del /f /q "%SPLUNK_HOME%\etc\system\local\deploymentclient.conf"
```