mw866/splunk.md

Last active September 15, 2017 12:52

Star (0) You must be signed in to star a gist
Fork (0) You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/mw866/101ab1305bea006fcd6a79cbb714c960.js"></script>
Save mw866/101ab1305bea006fcd6a79cbb714c960 to your computer and use it in GitHub Desktop.

Download ZIP

Splunk Configuration for Log over REST API

Raw

Splunk Configuration

Download

Dowload Splunk: https://splunkbase.splunk.com/app/1546/#/overview

Download Splunk REST Modular API" https://www.splunk.com/blog/2013/06/18/getting-data-from-your-rest-apis-into-splunk.html

Installation

On local

scp rest-api-modular-input_14.tgz [email protected]:/opt/splunk/etc/apps

On server

cd /opt/splunk/etc/apps
tar zxvf rest-api-modular-input_14.tgz

Start Splunk /opt/splunk/bin/splunk help simple /opt/splunk/bin/splunk {start|stop|restart|status}

Error log tail -f /opt/splunk/var/log/splunk/splunkd.log

Splunk */5 * * * *

/opt/splunk/etc/system/default/

Cron format: https://crontab.guru/

Splunk CLI: http://docs.splunk.com/Documentation/Splunk/6.6.2/Admin/AbouttheCLI

Timestamp

http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Commontimeformatvariables

imestamp extraction:

 TIME_FORMAT=%s%3N

https://answers.splunk.com/answers/4092/extract-timestamp-in-epoch-milliseconds-to-date.html

ttp://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Commontimeformatvariables

Data Retention:

Data Archiving Policy: https://docs.splunk.com/Documentation/Splunk/6.6.3/Indexer/Setaretirementandarchivingpolicy

Remove Data: http://docs.splunk.com/Documentation/Splunk/6.6.2/Indexer/RemovedatafromSplunk

NGINX

Splunk on NGINX https://www.splunk.com/blog/2017/02/20/ssl-proxy-splunk-nginx.html

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment