Some SPLUNK Notes

Here are some notes about Splunk usage.

All the relevant documentation is here.

1. Splunk and OSSEC

Splunk for OSSEC is available here.

To avoid recurrent noisy messages like this one,

set privileges so that the splunk user can access OSSEC, or add the following lines to /etc/sudoers:

splunk ALL = NOPASSWD: /var/ossec/bin/agent_control -l
splunk ALL = NOPASSWD: /var/ossec/bin/manage_agent

2. Purge Splunk

# Stop Splunk before running either command.
# Remove all data and state (indexed events, users, input checkpoints):
/opt/splunk/bin/splunk clean all

# Remove only the indexed events:
/opt/splunk/bin/splunk clean eventdata

3. License

Go to /opt/splunk/etc/ and check the .license files.

4. Monitor only one directory (not including sub-folders)
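One way to do this, as an added example rather than text from the original notes: an inputs.conf monitor stanza with recursive monitoring disabled, placed under /opt/splunk/etc/system/local/ (or an app's local directory) and followed by a Splunk restart. The directory path, index and sourcetype names are placeholders.

```ini
# Added example, not from the original notes. Path, index and sourcetype
# are placeholders; adjust them to the deployment.
[monitor:///var/log/myapp]
# Index only files that sit directly in /var/log/myapp; sub-folders are skipped
recursive = false
# Restrict the input to the file names you expect, so stray files in the
# directory are not picked up
whitelist = \.log$
index = main
sourcetype = myapp_log
disabled = false
```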


5. How to delete

To use the delete operator, run a search that returns the events you want deleted. Make sure that this search returns ONLY events you want to delete, and no other events.

For example, if you want to remove the events you’ve indexed from a source called /fflanda/incoming/cheese.log so that they no longer appear in searches, do the following:

1. Disable or remove that source so that it no longer gets indexed.
2. Search for events from that source in your index:
source="/fflanda/incoming/cheese.log"

3. Look at the results to confirm that this is the data you want to delete.
4. Once you’ve confirmed that this is the data you want to delete, pipe the search to delete:

source="/fflanda/incoming/cheese.log" | delete