
Releases: criblpacks/cribl-splunk-uf-internal-redux

Change to default metrics destination

09 Dec 19:41

If you enable Aggregations on the metrics source, the default index is now _metrics. This should NOT impact your license. If you change to another index, it likely will. No guarantees made.

Better docs, better Suppression

08 Dec 00:46

Replaced the wonky Aggregation monster I had created with a straight Suppress play. It's much simpler and does the same thing. Comments were updated as well, both to reflect this change and to better describe what's happening.

Maintenance update of The Cribl Pack for Splunk UF Internal

28 Jul 17:43

Updated readme and comments. Updated the regex for the drop match to be more efficient.

The Cribl Pack for Splunk Internal - Initial Release

28 Jul 00:19
d6ee482

Internal logs do not count against your license, but they surely impact your resource utilization. In my experience, 5-7% of enterprise deployments' resources are consumed by UF internal logs. Some of these logs can be useful, but most are not.

In this case we are:

  • Dropping any splunkd.log events at DEBUG or TRACE level
  • Aggregating repetitive splunkd.log events, keyed on the component ID listed in a lookup file; a repeat count is added to the events allowed through
  • Dropping any metrics.log events that are not either group=thruput with name=thruput, or group=per_*_thruput (so group=thruput with name=index_thruput is dropped)
  • Optionally aggregating the remaining metrics events based on a lookup value for farm, with one of two outcomes:
    • Aggregated events still end up in _internal, with sourcetype and source == 'metrics:agg'
    • OR the aggregated stats are sent to a metrics store (the metrics index is metrics; adjust as needed in the Aggregation functions)
  • Dropping any introspection logs
  • For splunkd and metrics events that do make it through, optionally trimming the timestamp off _raw
  • Trimming source to just the file name (e.g., ./splunkd.log)
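The rules in the list above, run over constructed sample UF internal log lines, as an added Python example. This is not the pack's own code (the pack is a Cribl pipeline); the SUPPRESS_COMPONENTS set standing in for the lookup file, the sample events, and the field names component and repeat_count are assumptions made here.

```python
import re
from dataclasses import dataclass, field, replace
from typing import Dict, List

# Stand-in for the pack's lookup file (assumption): repeated splunkd.log events
# from these components are collapsed to the first one seen, which then carries
# a repeat count of how many duplicates were dropped behind it.
SUPPRESS_COMPONENTS = {"TailReader", "WatchedFile"}

# splunkd.log / metrics.log line shape: "<timestamp> <LEVEL>  <Component> - <message>"
LINE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>[A-Z]+)\s+(?P<component>\S+) - (?P<msg>.*)$"
)
KV = re.compile(r'(\w+)=("[^"]*"|[^,\s]+)')   # key=value pairs in metrics.log
PER_THRUPUT = re.compile(r"^per_\w+_thruput$")


@dataclass
class Event:
    source: str
    sourcetype: str
    raw: str
    fields: Dict[str, object] = field(default_factory=dict)


def classify(source: str) -> str:
    """Bucket a UF internal event by its source path."""
    if "/introspection/" in source:
        return "introspection"
    name = source.rsplit("/", 1)[-1]
    if name.startswith("splunkd.log"):
        return "splunkd"
    if name.startswith("metrics.log"):
        return "metrics"
    return "other"


def wanted_metric(kv: Dict[str, str]) -> bool:
    """Keep only group=thruput with name=thruput, or any group=per_*_thruput."""
    group, name = kv.get("group"), kv.get("name")
    if group == "thruput":
        return name == "thruput"          # drops e.g. name=index_thruput
    return bool(group and PER_THRUPUT.match(group))


def process(events: List[Event], trim_timestamp: bool = True) -> List[Event]:
    kept: List[Event] = []
    first_seen: Dict[str, Event] = {}     # component -> the event allowed through
    repeats: Dict[str, int] = {}
    for src in events:
        ev = replace(src, fields=dict(src.fields))   # never mutate the input
        kind = classify(ev.source)
        if kind == "introspection":
            continue                                  # dropped outright
        if kind == "other":
            kept.append(ev)
            continue
        m = LINE.match(ev.raw)
        if m is None:                                 # unparseable: pass through as-is
            kept.append(ev)
            continue
        ev.source = "./" + ev.source.rsplit("/", 1)[-1]   # trim source to file name
        if trim_timestamp:
            ev.raw = ev.raw[m.end("ts"):].lstrip()        # trim timestamp off _raw
        if kind == "splunkd":
            if m["level"] in ("DEBUG", "TRACE"):
                continue                              # dropped before any counting
            comp = m["component"]
            ev.fields["component"] = comp
            if comp in SUPPRESS_COMPONENTS:
                if comp in first_seen:
                    repeats[comp] += 1                # suppressed duplicate
                    continue
                first_seen[comp] = ev
                repeats[comp] = 0
            kept.append(ev)
        else:  # metrics
            kv = {k: v.strip('"') for k, v in KV.findall(m["msg"])}
            if not wanted_metric(kv):
                continue
            ev.fields.update(kv)
            kept.append(ev)
    for comp, ev in first_seen.items():
        ev.fields["repeat_count"] = repeats[comp]
    return kept


SPLUNKD = "/opt/splunkforwarder/var/log/splunk/splunkd.log"
METRICS = "/opt/splunkforwarder/var/log/splunk/metrics.log"
INTRO = "/opt/splunkforwarder/var/log/introspection/resource_usage.log"
TS = "12-09-2023 19:41:00.000 +0000 "
SAMPLE = [  # constructed sample events, not real forwarder output
    Event(SPLUNKD, "splunkd", TS + "DEBUG TailReader - state=reading file='/var/log/a.log'"),
    Event(SPLUNKD, "splunkd", TS + "INFO  TailReader - Batch input finished reading file='/var/log/a.log'"),
    Event(SPLUNKD, "splunkd", TS + "INFO  TailReader - Batch input finished reading file='/var/log/b.log'"),
    Event(SPLUNKD, "splunkd", TS + "INFO  TailReader - Batch input finished reading file='/var/log/c.log'"),
    Event(SPLUNKD, "splunkd", TS + "WARN  HttpPubSubConnection - Unable to parse message from PubSubSvr"),
    Event(METRICS, "splunkd", TS + "INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=0.512, kb=15.2, ev=42"),
    Event(METRICS, "splunkd", TS + 'INFO  Metrics - group=per_sourcetype_thruput, series="syslog", kbps=0.3, kb=9.1, ev=36'),
    Event(METRICS, "splunkd", TS + "INFO  Metrics - group=thruput, name=index_thruput, instantaneous_kbps=0.0, kb=0.0, ev=0"),
    Event(METRICS, "splunkd", TS + "INFO  Metrics - group=queue, name=parsingqueue, max_size_kb=6144, current_size_kb=0"),
    Event(INTRO, "splunk_resource_usage", '{"datetime":"12-09-2023 19:41:00.000 +0000","component":"Hostwide"}'),
]

if __name__ == "__main__":
    for ev in process(SAMPLE):
        print(ev.source, ev.fields.get("repeat_count", "-"), ev.raw[:70])
```

Of the ten sample events, four survive: the first TailReader INFO line (carrying repeat_count=2 for the two it absorbed), the HttpPubSubConnection warning, and the two thruput metrics rows. The DEBUG line is dropped before the suppress step sees it, so it does not inflate the repeat count, and the name=index_thruput row shows why the metrics filter must check name as well as group.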

The Cribl Pack for Splunk UF Internal - Initial Pack Release

28 Jul 00:15
d6ee482