theWilde goes video!
In my quest to increase the frequency of posting on all interesting things Splunkish, I’m going to be using Seesmic from now on. I’m thinking of doing at least a weekly Splunk update, covering new features, what’s in the release notes, things happening in preview releases and just generally magical things I find along my trip down the Splunk rabbit hole, or cave, if you will.
Follow me on twitter as well at http://twitter.com/michaelwilde
(I’ll figure out a way to transcribe the videos to text at a later date.) Lastly, I know this post is very late, the lighting isn’t flattering, I’m a bit tired, could use botox.. but hey, I got the post out, didn’t I?
Using Splunk in Fedora 9 x86_64
For those who use Linux as their primary desktop, using Splunk can be a chore. Splunk dashboards are built on Flash 9, and Adobe only ships a 32-bit plugin, so on x86_64 Fedora it has to be loaded through nspluginwrapper. You will likely need the following commands (as root, or via sudo) to get Flash working.
- rpm -ivh http://fpdownload.macromedia.com/get/flashplayer/current/flash-plugin-9.0.124.0-release.i386.rpm
- yum install nspluginwrapper.{i386,x86_64} pulseaudio-lib.i386
- yum install flash-plugin
- yum erase rhythmbox.*
- mozilla-plugin-config -i -g -v
- nspluginwrapper -i /usr/lib/mozilla/plugins/libflashplayer.so
(Optionally, if you haven’t imported the Adobe GPG key yet, run the following command first so the package signature is actually verified rather than installed with a NOKEY warning; the key file is placed there by Adobe’s repository package.)
- rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-adobe-linux
Aggregating Metrics from all your Splunks…
If you have found the new metrics that Splunk generates on the input (indexing, in many cases) and forwarding side useful, you will probably want to aggregate them in a central location. You can do that with Splunk’s own forwarding mechanism. It does not matter where you aggregate these metrics, but the Deployment Server instance is a good location if you have one set up for your installation.
Forwarding metrics.log
Forwarding metrics.log requires the following configuration changes on each Splunk instance you want to collect metrics from (the receiving instance must have a splunktcp input listening on the port you forward to, or the events are silently queued and never arrive):

inputs.conf in $SPLUNK_HOME/etc/system/local:

[monitor://$SPLUNK_HOME/var/log/splunk/metrics.log]
_TCP_ROUTING = RouteMetricsToDeploymentServer

outputs.conf in $SPLUNK_HOME/etc/system/local:

[tcpout]
disabled = false

[tcpout:RouteMetricsToDeploymentServer]
server = <deployment_server_ip>:<deployment_server_port>
If you have many Splunks in your environment, then making these changes on…
Forwarder and Indexer Metrics
If you have always wondered how much data is being transferred between your forwarders and indexers, we may have some help for you. Splunk now publishes these metrics to metrics.log, which is by default tailed and indexed into “_internal”.
Forwarding-side
Splunk uses a component called TcpOutputProcessor, configured through outputs.conf, to forward data to another Splunk instance or to a non-Splunk receiver. This is what a lot of people also refer to as a forwarder. Each TcpOutputProcessor instance publishes a metrics event every 30 seconds; the fields of these events are described below:
- group=tcpout_connections – this field identifies the event as a TcpOutput metric.
- tcpout_group_name:destIp:destPort – the load-balanced group that this metric belongs to. If you have multiple groups defined, a separate event is published…
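The script below is an added example, not code from the post or from Splunk. It parses constructed metrics.log lines in the shape the post describes, keeps only the group=tcpout_connections events, and aggregates throughput per tcpout group and destination so you can see at a glance which forwarder-to-indexer path moves the most data. The timestamp prefix and the group=tcpout_connections marker follow the page; the name=, destIp=, destPort=, _tcp_KBps= and _tcp_Kprocessed= field names are assumed here for illustration and should be checked against your own metrics.log.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of $SPLUNK_HOME/var/log/splunk/metrics.log.
# Only "INFO Metrics - " and group=tcpout_connections come from the page; the other
# field names are assumptions made for this example.
SAMPLE_METRICS = """\
06-30-2008 14:40:31.384 INFO Metrics - group=tcpout_connections, name=RouteMetricsToDeploymentServer:10.0.0.5:9997, sourcePort=8089, destIp=10.0.0.5, destPort=9997, _tcp_Bps=1228.80, _tcp_KBps=1.20, _tcp_Kprocessed=36, _tcp_eps=4.30
06-30-2008 14:40:31.384 INFO Metrics - group=thruput, name=thruput, instantaneous_kbps=12.5, average_kbps=11.9
06-30-2008 14:41:01.390 INFO Metrics - group=tcpout_connections, name=RouteMetricsToDeploymentServer:10.0.0.5:9997, sourcePort=8089, destIp=10.0.0.5, destPort=9997, _tcp_Bps=2048.00, _tcp_KBps=2.00, _tcp_Kprocessed=60, _tcp_eps=7.10
06-30-2008 14:41:01.391 INFO Metrics - group=tcpout_connections, name=indexers:10.0.0.9:9997, sourcePort=8089, destIp=10.0.0.9, destPort=9997, _tcp_Bps=512.00, _tcp_KBps=0.50, _tcp_Kprocessed=15, _tcp_eps=1.00
this line is not a metrics event and is skipped
"""

# "MM-DD-YYYY HH:MM:SS.mmm LEVEL Metrics - k=v, k=v, ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<level>[A-Z]+) Metrics - (?P<fields>.*)$"
)
# key=value pairs are comma separated; values such as group:ip:port contain no commas
FIELD_RE = re.compile(r"(\w+)=([^,]*)")


def parse_metrics(text):
    """Return one dict per metrics.log event; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = {"_time": m.group("ts")}
        for key, val in FIELD_RE.findall(m.group("fields")):
            ev[key] = val.strip()
        events.append(ev)
    return events


def _to_float(value):
    """Metrics fields are strings; treat missing or malformed numbers as 0."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return 0.0


def summarize_tcpout(events):
    """Aggregate forwarder output per tcpout_group:destIp:destPort.

    Returns, per destination, the number of 30-second samples seen, the KB
    processed summed over those samples and the average KB/s reported.
    """
    totals = defaultdict(lambda: {"samples": 0, "kprocessed": 0.0, "kbps_sum": 0.0})
    for ev in events:
        if ev.get("group") != "tcpout_connections":
            continue  # thruput, pipeline, queue metrics etc. are not forwarder metrics
        t = totals[ev.get("name", "unknown")]
        t["samples"] += 1
        t["kprocessed"] += _to_float(ev.get("_tcp_Kprocessed"))
        t["kbps_sum"] += _to_float(ev.get("_tcp_KBps"))
    return {
        dest: {
            "samples": v["samples"],
            "kb_total": round(v["kprocessed"], 2),
            "kbps_avg": round(v["kbps_sum"] / v["samples"], 2),
        }
        for dest, v in totals.items()
    }


if __name__ == "__main__":
    for dest, stats in summarize_tcpout(parse_metrics(SAMPLE_METRICS)).items():
        print(f"{dest}: {stats}")
```

Once metrics.log from many forwarders has been aggregated as the previous post describes, the same grouping is what you would do in a Splunk search over _internal; the script is useful when you want to sanity-check a single forwarder’s log offline, or to spot a destination that keeps reporting zero throughput.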
Did you know that your Active Directory is just a glorified LDAP?
Microsoft Tube Surfers,
I wanted to take a minute to talk about authenticating Splunk against Active Directory. In case you didn’t know, Active Directory exposes an LDAP interface. While the folks up in Redmond do their best to make sure that you have no need to know LDAP, they do give you the ability to talk to the directory over LDAP if you know what you’re doing. Let’s take this time to go over what you need to do.
If you are comfortable with the command line, you can run the ldifde command. ldifde is the Windows equivalent of ldapsearch and should allow you to get an LDIF entry for yourself and for a group. With those two entries we should…
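The script below is an added example, not code from the post or from Splunk. It parses the kind of LDIF that ldifde produces (for example ldifde -f out.ldf -d "DC=corp,DC=example,DC=com" -r "(sAMAccountName=jdoe)" for a user, and a similar export for the group), including the two LDIF features that trip up naive parsers, base64-encoded attributes (objectGUID, objectSid) and folded continuation lines, and then performs the check you want before pointing Splunk at the directory: that the group’s member attribute and the user’s memberOf attribute actually agree, and which containers to use as the user and group base DNs. The domain, names and values in the sample LDIF are constructed for this example.

```python
import base64

# Constructed LDIF in the shape ldifde writes for one user and one group.
# The domain (DC=corp,DC=example,DC=com), people and values are made up for this
# example; the "::" base64 attribute and the folded description line are real
# LDIF features (RFC 2849) that ldifde output contains.
SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=Users,DC=corp,DC=example,DC=com
changetype: add
objectClass: user
cn: Jane Doe
sAMAccountName: jdoe
displayName: Jane Doe
memberOf: CN=Splunk Admins,OU=Groups,DC=corp,DC=example,DC=com
objectGUID:: 8mxK3iQ5Qk2J0l3TzAW6Fg==
description: Senior engineer, infrastructure team; on-call rotation
  for the platform group

dn: CN=Splunk Admins,OU=Groups,DC=corp,DC=example,DC=com
changetype: add
objectClass: group
cn: Splunk Admins
sAMAccountName: Splunk Admins
member: CN=Jane Doe,OU=Users,DC=corp,DC=example,DC=com
member: CN=Svc Splunk,OU=Service Accounts,DC=corp,DC=example,DC=com
"""


def parse_ldif(text):
    """Return a list of entries, each a dict of attribute -> list of values.

    Handles line folding (a continuation line starts with one space, which is
    removed) and "attr:: <base64>" values, which are returned as hex strings.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold onto the previous line
        else:
            logical.append(raw)

    entries, current = [], {}
    for line in logical + [""]:             # trailing "" flushes the last entry
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue                        # LDIF comment
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):
            # binary attribute such as objectGUID or objectSid
            value = base64.b64decode(value[1:].strip()).hex()
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return entries


def find_entry(entries, attr, value):
    """First entry whose attribute list contains value, or None."""
    for entry in entries:
        if value in entry.get(attr, []):
            return entry
    return None


def base_dn(dn):
    """Drop the leaf RDN: CN=x,OU=y,DC=z -> OU=y,DC=z.

    Good enough for ldifde output of ordinary objects; a DN with an escaped
    comma in its leaf (CN=Doe\\, Jane) would need a real DN parser.
    """
    return dn.split(",", 1)[1]


def check_membership(entries, user_name, group_name):
    """Cross-check user and group before configuring LDAP authentication.

    Splunk maps roles via the group's member attribute, so that is the side
    that must list the user's full DN; memberOf on the user is the mirror.
    """
    user = find_entry(entries, "sAMAccountName", user_name)
    group = find_entry(entries, "cn", group_name)
    if user is None or group is None:
        return None
    user_dn, group_dn = user["dn"][0], group["dn"][0]
    return {
        "user_dn": user_dn,
        "group_dn": group_dn,
        "user_base_dn": base_dn(user_dn),
        "group_base_dn": base_dn(group_dn),
        "member_lists_user": user_dn in group.get("member", []),
        "user_lists_group": group_dn in user.get("memberOf", []),
    }


if __name__ == "__main__":
    result = check_membership(parse_ldif(SAMPLE_LDIF), "jdoe", "Splunk Admins")
    for key, val in result.items():
        print(f"{key}: {val}")
```

The user and group base DNs, the sAMAccountName attribute used as the login name, and the group’s member attribute are exactly the pieces Splunk’s LDAP settings ask for, so having them confirmed from a real export avoids the usual “bind works but no roles are mapped” surprise.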
The Consumerism of IT
Recently Matt Asay wrote a thoughtful piece about how some technology companies are consumerizing the computing experience. In the case of Apple, Business Week writer Peter Burrows also recently wrote The Mac in the Gray Flannel Suit, exploring how CIOs are testing the appetite for Macs in the enterprise. Michele Goins, CIO at Juniper Networks, recently ran a survey among the company’s 6,000 employees and discovered that 25% wanted a Mac.
Consumerization of the enterprise computing experience is well underway with Apple, Google, Salesforce and even Cisco’s TelePresence and WebEx offerings. According to Matt, all of these products delight users with a positive user experience by focusing on adoption first and dollars second. “Simple, fast and useful” is the key.
Could it…
IT Search – A New Approach to Payment Card Industry (PCI) Compliance
The Payment Card Industry Data Security Standard, PCI DSS for short, was developed by the credit card industry to address data theft. The standard consists of twelve security requirements, covering everything from network traffic policies to requirements around anti-virus software.
If you are a company that handles more than 20,000 transactions per year, you have to implement all twelve requirements. If you handle fewer, you get away with a quarterly vulnerability scan.
IT search (Splunk) can directly address some of these areas and indirectly address most of the others. Specifically, the areas where IT search helps are the following:
- Log management (PCI requirement 10)
- Secure & Central Log Collection (PCI requirement 10.5)
- Audit Trail Retention (PCI requirement 10.7)
- Daily Log Review (PCI requirement 10.6)
- Secure…
New Splunk Apps Launch at Interop and MMS
This week we were rolling in Las Vegas with Interop at one end of the strip and the Microsoft Management Summit at the other end.
At Interop we launched the Splunk for Change Management app, and at MMS the Splunk for Windows Management app made its debut. Both apps make use of the Splunk Platform, which provides a common set of services and APIs that make it easy to create and integrate applications that leverage vast amounts of IT data. These are the second and third applications in a series of new releases we’ll be doing this year.
Splunk for Change Management App
Splunk for Change Management takes advantage of the fact that we index not just logs…