I am encountering an error I haven't seen before.
In our environment we have Splunk_TA_nix and have enabled update.sh (sourcetype Unix:Update). It works going into Splunk, but the output is incorrect. Example:
Output in Splunk:
Thu May 19 14:57:31 AEST 2016 extras=0 base=0 addons=0 updates=0
But the output when run on the command line:
Thu May 19 13:28:30 AEST 2016 extras=0 @devl-rhel-x86_64-server-6=1 base=0 addons=0 production-rhel-x86_64-server-6=211 updates=0
And yes the forwarders are running as root.
Has anyone seen this issue before? Suggestions to resolve?
Thanks, Cam.