Splunk

Splunk Tutorials.

How to fix 'PropertyPagesException' what(): Cannot get user to act as: No user info provider registered

Yesterday we were given a task of changing the SSL levels for the web interface in SPLUNK. After doing so, we restarted SPLUNK. After attempting to log back in, we were greeted with the following crash report.

2012-02-15 18:05:14.916 +0000 splunkd started (build 115073) terminate called after throwing an instance of 'PropertyPagesException' what(): Cannot get user to act as: No user info provider registered (user: XXXXXXX, app: user-prefs, root:/opt/splunk/etc)

DNS Lookup on Fields in Splunk

You have your search, but it comes up with a bunch of IPs in the results. What are the host names? How do I translate this into usable data?
Lookups:
<Search> | lookup dnslookup clientip as <IP Field> OUTPUT clienthost as <Resolved Hostname>

So this could be:
<Search> | lookup dnslookup clientip as src_ip OUTPUT clienthost as My_Source_Host

Logging Spikes Alert for Splunk

We recently broke our license limits in Splunk. After going back to find out why, we found that we were being attacked and the firewalls were going crazy spitting out logs. We also found that we were able to spot misconfigured devices based on log spikes. We typically log at, let's say, 500 kbps with a maximum of 700 kbps throughout the day. Taking this, I can create a search to find the current rate of indexing. I then take that search and create an alert that will let me know if we spike over 800 kbps, so I can go back and find out why we are logging so much.
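One way to build the rate search described above, as an added example rather than the post's own search: it reads splunkd's own metrics.log (the overall throughput samples under group=thruput name=thruput), averages the reported instantaneous_kbps per minute, and returns a row only when a minute exceeds the 800 kbps threshold, so a saved alert can fire on "number of results greater than 0". The index and field names are standard Splunk internals, but treating instantaneous_kbps as the same unit as the figures in the post is an assumption.

```spl
index=_internal source=*metrics.log group=thruput name=thruput earliest=-15m
| timechart span=1m avg(instantaneous_kbps) AS kbps
| eval kbps=round(kbps, 1)
| where kbps > 800
```

Schedule this as a saved search every few minutes and trigger the alert when the result count is greater than zero; widen the earliest window or the span if the load is bursty and you want fewer false alarms.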

Export to CSV in Splunk

Typically users can easily click on the export button and export data to .csv. For larger data sets, specifically anything with more than 10,000 lines, Splunk hides the export button and will not allow users to export the search results. This is a built-in safety feature that protects Splunk's performance and is designed to prevent a crash.

SPLUNK Top Hits by Country Report

Getting a lot of foreign computers knocking on your door and causing network latency? This search will show the top countries of origin. This can be useful in determining firewall rules, in knowing your enemy, and just for fun information. To set up SPLUNK to run this search you will need to install the geoip package. amMap or Google Maps are great plugins if you want a more graphical representation.