How to use Splunk DB Connect with H2 databases

Today a colleague asked me whether it's possible to connect an H2 database engine to Splunk. It would be great to index events from that database, as it contains security events coming from an anti-virus system.

To index events from an RDBMS there is Splunk's well-known DB Connect app (https://splunkbase.splunk.com/app/2686/). Unfortunately the DB Connect support matrix doesn't mention H2 at all, so I decided to test it out.


Manually roll Splunk buckets from hot to warm

As you might know, indexes are where your data in Splunk is stored. An index consists of time-based buckets (directories). Over time a bucket (the indexed data) rolls from hot (data is still being written to the bucket) to warm (data is read-only) to cold. When you want to back up Splunk you need the data in a consistent state, which means in a warm bucket: a hot bucket can change while the backup runs.
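To make the hot/warm distinction concrete, here is an added example (not code from the original post) that inspects an index's bucket directories and rolls the hot ones before a backup. It relies on Splunk's on-disk naming under $SPLUNK_DB/<index>/db: hot buckets are directories named hot_v1_<id>, warm buckets db_<latest_epoch>_<earliest_epoch>_<id>. The roll goes through the REST endpoint /services/data/indexes/<index>/roll-hot-buckets (what `splunk _internal call` uses); the base URL, credentials and the sample index directory (built in a temp dir so the listing runs offline) are assumptions of this example.

```python
"""Find hot buckets of a Splunk index and roll them to warm before a backup.

Added example, not code from the original post. Bucket naming follows
Splunk's on-disk layout under $SPLUNK_DB/<index>/db:
  hot_v1_<id>                              hot, still written to
  db_<latest_epoch>_<earliest_epoch>_<id>  warm, read-only
The sample index directory is constructed in a temp dir; the REST call
is only made when a server is given on the command line (assumed URL,
user and password).
"""
import os
import re
import ssl
import sys
import tempfile
import urllib.request
from base64 import b64encode

HOT_RE = re.compile(r"^hot_v\d+_\d+$")
WARM_RE = re.compile(r"^db_(\d+)_(\d+)_(\d+)$")


def classify_buckets(db_dir):
    """Return (hot_names, warm_names) for the bucket directories in db_dir."""
    hot, warm = [], []
    for name in sorted(os.listdir(db_dir)):
        if not os.path.isdir(os.path.join(db_dir, name)):
            continue  # CreationTime, .bucketManifest etc. are files, not buckets
        if HOT_RE.match(name):
            hot.append(name)
        elif WARM_RE.match(name):
            warm.append(name)
    return hot, warm


def warm_bucket_span(name):
    """(earliest, latest) event time in epoch seconds encoded in a warm bucket name."""
    m = WARM_RE.match(name)
    if not m:
        raise ValueError(f"not a warm bucket: {name}")
    latest, earliest = int(m.group(1)), int(m.group(2))
    return earliest, latest


def safe_to_backup(db_dir):
    """True when no hot bucket is left, i.e. every bucket is read-only."""
    hot, _ = classify_buckets(db_dir)
    return not hot


def roll_hot_buckets(base_url, index, user, password, cafile=None):
    """POST to the roll-hot-buckets endpoint; returns the HTTP status code."""
    url = f"{base_url}/services/data/indexes/{index}/roll-hot-buckets"
    req = urllib.request.Request(url, data=b"", method="POST")
    token = b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context(cafile=cafile)  # certificate verification stays on
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status


def rename_to_warm(db_dir, hot_name, earliest, latest):
    """What a roll does on disk: hot_v1_<id> becomes db_<latest>_<earliest>_<id>."""
    bucket_id = hot_name.rsplit("_", 1)[1]
    warm_name = f"db_{latest}_{earliest}_{bucket_id}"
    os.rename(os.path.join(db_dir, hot_name), os.path.join(db_dir, warm_name))
    return warm_name


def make_sample_index():
    """Constructed index directory: one hot bucket, two warm buckets, one metadata file."""
    db_dir = tempfile.mkdtemp(prefix="splunk_main_db_")
    for d in ("hot_v1_3", "db_1400000000_1399990000_2", "db_1399990000_1399980000_1"):
        os.mkdir(os.path.join(db_dir, d))
    open(os.path.join(db_dir, "CreationTime"), "w").close()
    return db_dir


if __name__ == "__main__":
    # usage: roll_check.py [<db_dir>] [<https://splunk:8089> <index> <user> <password>]
    db_dir = sys.argv[1] if len(sys.argv) > 1 else make_sample_index()
    hot, warm = classify_buckets(db_dir)
    print(f"hot buckets:  {hot}")
    for w in warm:
        print(f"warm bucket:  {w} covers {warm_bucket_span(w)}")
    if not safe_to_backup(db_dir) and len(sys.argv) == 6:
        print("rolling:", roll_hot_buckets(*sys.argv[2:6]))
    elif not safe_to_backup(db_dir):
        print("hot buckets present: roll them before backing up")
```

Run it against a real index directory (for example $SPLUNK_DB/main/db) after the roll to confirm that only db_* directories remain; only then is the snapshot consistent.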


Nagios Plugin to check Splunk license usage

In today's article about Splunk monitoring we want to monitor the Splunk license usage. You want to keep an eye on it, because 5 warnings about exceeding the daily indexing volume within a rolling 30-day window on an Enterprise license, or 3 warnings on the free license, cause a license violation.

A license violation disables Splunk searches but not the indexing process. So you will not be able to query your data, but at least you never lose it.
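As an added example (not the plugin from the original post), here is a Nagios-style check that turns the two facts above into exit codes: usage against the pool quota raises WARNING/CRITICAL at configurable percentages, any recorded warning raises WARNING, and reaching the violation limit is CRITICAL because search is about to be disabled. The values are assumed to come from the licenser REST endpoints /services/licenser/pools (per-pool `used_bytes` and `quota`) and /services/licenser/slaves (`warning_count` per indexer); the JSON below is constructed to mimic those responses so the check runs offline.

```python
"""Nagios-style check of Splunk license usage (exit 0 OK / 1 WARNING / 2 CRITICAL).

Added example, not the plugin from the original post. Field names are
assumed from the licenser REST API (/services/licenser/pools and
/services/licenser/slaves); the sample JSON is constructed.
"""
import json
import ssl
import sys
import urllib.request
from base64 import b64encode

OK, WARNING, CRITICAL = 0, 1, 2

# Warnings within a rolling 30-day window that put a license into violation
VIOLATION_WARNINGS = {"enterprise": 5, "free": 3}

# Constructed samples shaped like `?output_mode=json` output of the two endpoints
SAMPLE_POOLS_JSON = json.dumps({"entry": [
    {"name": "auto_generated_pool_enterprise",
     "content": {"used_bytes": 4500000000, "quota": 5000000000}},
]})
SAMPLE_SLAVES_JSON = json.dumps({"entry": [
    {"name": "indexer-01", "content": {"warning_count": 2}},
]})


def pool_usage(pools_json):
    """Return [(pool_name, used_bytes, quota_bytes), ...]."""
    doc = json.loads(pools_json)
    return [(e["name"], int(e["content"]["used_bytes"]), int(e["content"]["quota"]))
            for e in doc["entry"]]


def max_warning_count(slaves_json):
    """Highest warning_count reported by any indexer (0 if none)."""
    doc = json.loads(slaves_json)
    return max((int(e["content"]["warning_count"]) for e in doc["entry"]), default=0)


def evaluate(pools, warning_count, license_type="enterprise", warn_pct=80.0, crit_pct=95.0):
    """Map pool usage and warning count to (nagios_state, status_line_with_perfdata)."""
    limit = VIOLATION_WARNINGS[license_type]
    state, text, perf = OK, [], []
    for name, used, quota in pools:
        pct = 100.0 * used / quota if quota else 0.0
        text.append(f"{name} {pct:.1f}% of quota")
        perf.append(f"'{name}'={pct:.1f}%;{warn_pct:g};{crit_pct:g};0;100")
        if pct >= crit_pct:
            state = CRITICAL
        elif pct >= warn_pct and state < WARNING:
            state = WARNING
    # Every warning counts toward a violation; at the limit search gets disabled
    if warning_count >= limit:
        state = CRITICAL
    elif warning_count > 0 and state < WARNING:
        state = WARNING
    text.append(f"{warning_count}/{limit} warnings")
    label = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL"}[state]
    return state, f"LICENSE {label} - {', '.join(text)} | {' '.join(perf)}"


def fetch_json(base_url, path, user, password, cafile=None):
    """GET a Splunk REST endpoint as JSON text; certificate verification stays on."""
    req = urllib.request.Request(f"{base_url}{path}?output_mode=json")
    token = b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode()


def main(argv):
    if len(argv) == 4:   # e.g. https://splunk.example.org:8089 admin <password>
        base, user, pw = argv[1:]
        pools = fetch_json(base, "/services/licenser/pools", user, pw)
        slaves = fetch_json(base, "/services/licenser/slaves", user, pw)
    else:                # no server given: evaluate the constructed samples
        pools, slaves = SAMPLE_POOLS_JSON, SAMPLE_SLAVES_JSON
    state, line = evaluate(pool_usage(pools), max_warning_count(slaves))
    print(line)
    return state


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The perfdata after the `|` lets Nagios graph the percentage over time, which is usually how you notice a creeping volume problem before the warnings start accumulating.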


Fix GeoIP and Google Maps Apps in Splunk 6.1

Today, after upgrading to Splunk 6.1, I realized that some GeoIP data in dashboards was missing. Using the lookup search command to get the country for an IP address, like:

| stats count | eval ip="193.28.153.192" | lookup geoip clientip as ip

I got an error message, which showed that the lookup was somehow not working.
