
Log Management (Splunk)

Splunk is a log monitoring service provided to Ohio State faculty, staff and student employees. It helps you understand your data by searching, analyzing and visualizing it.

The Log Management service is designed to assist units in centrally storing server, network, and application logs as required by the university’s Information Security Control Requirements (ISCR). This log data is then used by Digital Security and Trust and university units to support security incident investigations, service and application monitoring, service and application reporting, and to meet applicable legal and compliance requirements. 

Units can utilize this service to: 

  • Request the storage of server, network, or application logs
  • Manage access to stored data
  • Request help developing, reporting, and monitoring capabilities
  • Request training on service operation and capabilities
  • Troubleshoot service issues 

Log in to Splunk

Request Splunk Access

Splunk access is provided to Ohio State faculty, staff and student employees free of charge but needs to be requested.

Frequently Asked Questions

General

Can my unit use Splunk?

All units across the university can ingest security-related logs free of charge into Ohio State's Splunk. Additional, non-security logs can be ingested at a subscription charge to your unit. If your team is considering using Splunk, have your manager email otdi-logsupport@osu.edu about the initial steps for setting up Splunk for your team.

Please refer to Getting Data In for details.

What can Splunk be used for?
  • Network Utilization
  • Domain Controller Authentication
  • New Administrator Accounts
  • Recurring Host Infection
  • Local User Credentials
  • Large Web Uploads
  • Slow Web Page Identification
  • Increased Host Logins
  • See more at Splunk Solutions
How do I create an index?

To get the process started, please email otdi-logsupport@osu.edu with your unit and details.

How do I get a new feature for Splunk?

To get the process started, please look through Splunk's add-ons to see if it's available and then email otdi-logsupport@osu.edu with your unit and details.

How do I get a new source of data into Splunk?

After determining the data you want to monitor, please email otdi-logsupport@osu.edu with the file path and log examples.

How do I uninstall the forwarder?

Please see Splunk's Uninstall the universal forwarder help guide. 

What are roles?

Each Ohio State Splunk user has an account created for them at Splunk Login. Depending on what team you work on, you may be connected to a different app that fits your team’s role. In addition to dividing access to data between different physical machines, we use roles that group people together based on unit, purpose, expertise, and other such groups.

What data do I have access to?

Run "| tstats count where index=* by index, source, sourcetype" (a search beginning with a pipe, with no search terms before it). This returns a table of the indexes, sources, and sourcetypes you have access to, with an event count for each.

What is the difference between my apps and my indexes?

Indexes split up access to data while apps split up access to visuals (dashboards, charts, maps, timelines, etc.).

 

Troubleshooting

Why am I seeing a redirect loop?

If you log in to Splunk and see the following redirect loop, your name.# has not been set up with Splunk. Please see Splunk Access for more information.

[Screenshot: the Splunk Enterprise logo with the text "click here to return to Splunk" beneath it]

Where are my logs? (latency issues)

Latency can occur for a number of reasons; a common one is a busy server generating a large volume of logs faster than the Splunk universal forwarder can send them. To identify when the delay occurred, search your index and sourcetype, then append the command below. It reports the difference, in seconds, between the time each event was indexed (_indextime) and the timestamp carried in the event itself (_time).

| eval time_diff = _indextime - _time | timechart avg(time_diff) as seconds
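As an added example (not from the original page), the same check written out as a complete search, extended to break the lag out per host so you can see which forwarder is behind. The index and sourcetype names are placeholders to replace with your own; the 24-hour window and 5-minute span are assumptions you can adjust.

```spl
index=<your_index> sourcetype=<your_sourcetype> earliest=-24h
| eval time_diff = _indextime - _time
| timechart span=5m max(time_diff) AS max_seconds by host
```

A sustained positive value on one host points at that forwarder falling behind (or a queue filling on the indexer side); a large negative value means the event timestamp is ahead of the indexer's clock, which usually indicates the timezone or clock problem covered under "Why is the time incorrect?" rather than a delivery problem.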

Why is the time incorrect?

Ensure the timezone on the host is correct. If there was a change to the timezone on the host, please contact otdi-logsupport@osu.edu. The log team will update the timezone in the monitor accordingly.

Why is the hostname missing?

If the forwarder does not report a client name, Splunk cannot identify the source of the logs, cannot apply field extractions, and may drop the logs entirely. Make sure the clientName setting is configured in deploymentclient.conf on the forwarder. Please refer back to Getting Data In for details.
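As an added illustration (not a configuration supplied by the log team), a minimal deploymentclient.conf on a forwarder with the client name set. The host and deployment server address are placeholders, not Ohio State's real values; use the ones the Getting Data In instructions give you.

```ini
; $SPLUNK_HOME/etc/system/local/deploymentclient.conf on the forwarder
; (added example; hostnames below are placeholders)
[deployment-client]
; The name the forwarder reports to the deployment server. Without it the
; forwarder phones home anonymously and its logs cannot be attributed.
clientName = web01.example.edu

[target-broker:deploymentServer]
; Deployment server management port (8089 is Splunk's default)
targetUri = splunk-ds.example.edu:8089
```

After editing the file, restart the forwarder (splunk restart) for the change to take effect. To confirm what the forwarder is actually using, including values inherited from other configuration layers, run splunk btool deploymentclient list --debug on the host and check that clientName appears with the value you expect.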

What do I do if I can't find my data?

Please see Splunk's I can't find my data! help guide.

Why is the dashboard in the app not showing the expected results?

Where can I find more troubleshooting help?