Community:More best practices and processes
From Splunk Wiki
More best practices
This page contains links to assorted topics on Splunk best practices. Some are written by Splunk employees, and some are contributed by our users. If you've figured out a better, faster way to do something with Splunk, share it with us here! Feel free to start a discussion about any of these topics on the Discussion tab for that topic.
Participate and contribute
The contents of this wiki are created by Splunk and the Splunk community. We welcome your feedback and contributions.
You're encouraged to add to the topics you find within the sections below, or to create your own topics by linking from the pages inside each area. The Splunk Community Wiki is a MediaWiki (like Wikipedia). Use the MediaWiki online help if you need to know how to add and edit pages.
Signing your posts
When you contribute, please consider signing and dating your post or addition. You can do this easily by including four tildes (~~~~) on a line by themselves.
Questions?
If you have questions about how to contribute to this Wiki, contact rachel@splunk.com. If you have technical questions about running Splunk, you may wish to visit the Splunk user forums or submit a case with Splunk support.
Best practices around getting data into Splunk
Add your own topics to this list:
- Create syslog-ng rules to send data to Splunk
- Considerations for deciding how to get data from Windows hosts
- Deploying lightweight forwarders
- How to design the right forwarder for your environment
- How to find "lost" forwarders
- Working with UDP connections
- Best practices for getting data into Splunk remotely
- Getting data from the Cisco Security Agent (CSA) into Splunk
- Considerations on using Snare, WMI polling, or Splunk lightweight forwarders
- Best Practices for configuring Syslog Input
- How to get data from Novell Netware into Splunk
- How to index VMware ESX or ESXi data via syslog
- Adding archived/historic data to Splunk
- Setting a blacklist to Index and Forward
- Indexing Tripwire logs
- Gathering HP-UX Audits
Best practices around data management
- Understanding how "buckets" work
- Estimate the size of your Splunk index and associated files
- Understand bucket rotation and anticipate index size growth
Best practices around searching and reporting
Add your own topics to this list:
- Analyzing Search Performance
- Useful Reports on Splunk Metrics
- How summary indexing can help you
- Backfilling a summary index with archive data
- How to handle events that are timestamped in the future
- Tips for working with XML log files
- Best practices for backing up your Splunk data
- Reporting on access patterns over time
- Combining bi-directional netflow logs
- Searching for surrounding events
- Splunk metric reports
- Integrating Splunk with Xymon
- An example of using the list lookup feature for HTTP status lookups
- Useful regex for masking credit card numbers in your data
Best practices around Splunk knowledge management
Add your own topics to this list:
- Best practices for normalizing field names in Splunk
- Use Splunk for event correlation
- Best practices for creating event types
- Working with transactions and macro search
Best practices for Splunk on Windows
Add your own topics to this list:
- How to audit file reads in Windows
- Considerations for deciding how to get data from Windows hosts
- Running multiple or non-installed instances of Splunk on Windows
- How to tell if a log is locked on Windows
- What to do if Windows logs show up as x00 or not at all
- Estimate peak daily licensing volume for Windows event logs
- Troubleshooting common issues with Splunk and WMI
- Recommendations on patterns of logfile creation on Windows
- Using AD monitoring and list lookups to add details to your Windows Event Log data
- Sending SNMP Traps from Splunk on Windows
- Extracting Fields from ISA Logs
- An install script for deploying light forwarders on Windows
Troubleshooting
See the growing section Deploy:Troubleshooting for more.
Unsorted best practice topics
Add your own topics to this list:
- Use Splunk alerts with scripts to create a ticket in your ticketing system
- Deploy users and roles to multiple servers
- Best practices for Splunk alerting
- Segmentation
- Capacity planning information
- Authenticating against an LDAP server which returns referrals
- SSL Acceleration with Splunk
- How to index different sizes of data
- How do I disable the dashboards that ship with Splunk?
- How to run Splunk behind a Web Proxy
- Migrating a Splunk Install
- How to deploy multiple instances of Splunk on one machine
- Ensuring Splunk runs as a non-root user
- Running Splunk on Virtual Machines
- Minimizing Forwarder Footprint
- Regular Expression Testing Tools
- How Splunk Reads Input Files
- SplunkLightForwarder Internals and Revisions - intended for historical troubleshooting purposes
- How to force SplunkWeb to use SSL v3
- Regex syntax in Splunk
- Relocating a 3.4.x Splunk instance
- Backing up Splunk settings in Linux
- Running Splunk on SELinux
- How to move an index between installations
- Recommended configuration for a host without Internet access
- Get Splunk logs off a forwarder