Anyone using splunk and willing to share useful searches

Phil Mayers p.mayers at
Wed Oct 21 15:14:25 CEST 2015

On 20/10/2015 23:09, Nathan Ward wrote:

> We write Auth, Acct start, and Acct stop to files with line log, and
> ingest that. This way we limit the storage (and licensing!)

Yeah, this is a big thing with splunk; the volume if you want to log 
every access-request/challenge/accept/reject can be prohibitive.

We send a custom linelog to them designed to send the absolute minimum 
number of bytes; detail logs are probably way too verbose to be useful.

The searches are probably way too site-specific to be useful sharing; it
all depends what you're using splunk *for*.

> requirements, and we make it easier to process without writing splunk
> filters and things. For our use case, interim updates are not
> valuable in Splunk. We use transactions, starting with an acct stop

The 3rd party who advised us was not so keen on transactions, claiming 
they had poor performance. We use them anyway - they're too useful to 
ignore, and we see no problems. But be cautious.

> and ending with an acct start, keyed on the username to see how long
> a user is down for. We have geocoding information available for all
> our users so can plot users who are offline on a map, etc. etc.

The geocoding is useful. We use it to identify suspicious activity on RAS.
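
The stop-to-start pairing keyed on username that the quoted message describes, as an added example that is not part of the original thread or either poster's setup. Python stands in for the Splunk transaction here; the key=value linelog layout, the field names and the sample lines are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample of a minimal key=value linelog (format is an assumption,
# not the layout either poster uses).
SAMPLE = """\
ts=2015-10-21T09:00:00 type=start user=alice
ts=2015-10-21T09:05:00 type=start user=bob
ts=2015-10-21T10:00:00 type=stop user=alice
ts=2015-10-21T10:00:30 type=stop user=alice
ts=2015-10-21T10:12:00 type=start user=alice
ts=2015-10-21T11:00:00 type=stop user=bob
this line is malformed and is skipped
"""

def parse(line):
    """Return (timestamp, type, user) or None for lines that do not parse."""
    try:
        kv = dict(tok.split("=", 1) for tok in line.split())
        return datetime.fromisoformat(kv["ts"]), kv["type"], kv["user"]
    except (ValueError, KeyError):
        return None

def offline_periods(lines, now):
    """Pair each Acct stop with the same user's next Acct start.

    Returns (closed, still_offline): closed is a list of
    (user, stop_time, seconds_offline); still_offline maps users whose last
    record is a stop to the seconds elapsed up to `now`.
    """
    events = sorted(e for e in map(parse, lines) if e)
    open_stop, closed = {}, []
    for ts, kind, user in events:
        if kind == "stop":
            # A repeated stop (retransmit) must not move the outage start.
            open_stop.setdefault(user, ts)
        elif kind == "start" and user in open_stop:
            stop_ts = open_stop.pop(user)
            closed.append((user, stop_ts, (ts - stop_ts).total_seconds()))
        # A start with no preceding stop just opens a session: nothing to measure.
    still = {u: (now - t).total_seconds() for u, t in open_stop.items()}
    return closed, still

if __name__ == "__main__":
    closed, still = offline_periods(SAMPLE.splitlines(), datetime(2015, 10, 21, 12))
    for user, stop_ts, secs in closed:
        print(f"{user} offline from {stop_ts} for {secs:.0f}s")
    for user, secs in still.items():
        print(f"{user} still offline after {secs:.0f}s")
```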
