How to Disable Unused Management Ports for Security in Splunk

The general rule of thumb in security is if you don't use it, disable it. Why give a potential attacker yet another door to try?

In the Splunk realm, there are often installations, such as light forwarders, that need no real interaction other than to throw data at the indexers; on those hosts we can turn off the management port 8089. There is no real reason to keep it open. Changes can still be made using a deployment server, and no direct interaction with that forwarder is needed.

In local/server.conf, add the following:

Remove unneeded fields like _raw in Splunk

Ever do a search and get extra fields that you don't want to see in your reports? Here's how to get rid of those fields.

Add "| fields - <fieldname>" to the search. Multiple field names can be separated by commas.

index=main | fields - _raw, _time

The same command also works the other way round: if fields you want are missing from the report, list them (without the minus sign) to add them.

index=main | fields count, name, src_ip

Both forms can be combined in one search by chaining them with another |.

Forgot the Splunk admin password. How to reset the Splunk admin password.

How do I reset my forgotten admin password in Splunk?

Resetting the Admin Password in Splunk requires file system access.

Back up the $SPLUNK_HOME/etc/passwd file and then remove it:
$ mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak

Restart Splunk:
$ $SPLUNK_HOME/bin/splunk restart

Browse to the login page and log in with the default user admin and the default password changeme.

Note: be sure to cut off external access during this window and change the password as soon as possible; while the default credentials are in place, anyone who can reach the login page can use them.

“Max concurrent searches reached.” What is it and how to get rid of it.

Splunk throws the “Max concurrent searches reached.” error to warn you that the system will soon become overloaded. This is a common error for dashboards and saved scheduled searches. It can also be a pain if there are a large number of concurrent users searching. Here are a few ways to fix this issue.

Configure Block in Forum Topics Block

Problem: Contextual links give admins quick access to editing virtually any content on the site. In some cases, the caching system can get corrupted and display the Configure Block link in the Forum Topics Block (and possibly other blocks) to unauthorized users.

Not to worry, this is not a vulnerability, as the page it links to just says you are not authorized to view it. It is, however, a nuisance and makes your site look bad.


Auto-Refresh Splunk Dashboards

We created a dashboard. Great! Now we need to put it on the wall for everyone to see. The problem is that the data never changes, which doesn't do us any good.

Fortunately, there is a way to auto-refresh the dashboard.

Edit the XML by going to Manage Views and clicking on the dashboard of choice.
Change the opener to .

To set the dashboard to refresh every minute:

IBM TBSM 6.1 Schema Installer will not launch from Launchpad

In some environments, due to separation of duties or access issues, someone else might be doing the downloading. Such was the case for us recently. The TBSM 6.1 install for Windows comes in two files. Not having access to the download site or the download documentation, we did not know this. The person downloading the software only provided us with the first part of the installation files. I began noticing that certain directory structures referred to in the documentation were missing. I searched all over IBM’s site and all over Google and found nothing.

Send SNMP Traps from Solarwinds

Send SNMP Traps from Solarwinds Orion
This project started as an effort to integrate Solarwinds and Netcool. I will be writing this as a two-part piece: one part for sending the traps from Solarwinds and one for receiving them in Netcool. This should work for other aggregators as well, though. Anything that accepts SNMP traps should be able to work with Solarwinds once the following actions are taken.