Do I need to have autoLB on the search head?
I am getting the message Forwarding to indexer group default-autolb-group blocked for 100 seconds I am running a single search head with two indexers and 42 Universal Forwarders. I have `[tcpout]` and...
View ArticleWhich version of splunkforwarder will support parsing like routing to nullQueue?
Word on the street is that the Universal Forwarder may be doing parsing in the near future if not now.
View ArticleError while configuring Splunk Add-on for ServiceNow
Hi Guys, Getting an error while trying to configure the Splunk Add-on for ServiceNow. If anyone could throw some light on it, that would be of great help.![alt text][1] [1]:...
View ArticleWhy am I getting error "Failed to delete the non-existent input. Remote...
I'm new to Splunk. I get the above error when trying to remove Event log collection inputs (from a forwarder) under settings-Data Inputs-Forwarded Inputs-Windows Event Logs. I no longer want to collect...
View ArticleSplunk Add-on for Blue Coat ProxySG: Why am I getting error "Page not found!"...
Installed the Splunk Add-on for Blue Coat ProxySG and missing something. It displays *"page not found"* when I try to launch the app. URL goes to: server:port/en-US/app/Splunk_TA_bluecoat-proxysg/setup...
View ArticleWhy is cidrmatch not matching an IPV4 address against an IPV4in6 subnet...
We have log files with a mixture of IP Address formats (IPV4, IPV4in6, IPV6). cidrmatch seems to be misbehaving, in that it isn't matching an IPV4 address against an IPV4in6 subnet definition, or vice...
View ArticleHow to troubleshoot why I am unable to search some Windows event logs from...
Hi, I have two search heads A & B. I am trying to search the Windows event logs from both of them. I observed that some event codes are only visible in search head A, but not through search head B....
View ArticleSummary Index getting populated with incorrect data
Hi, I am getting logs from 2 servers which is exactly same unless there is some failure. We have to group the events based on an Id and consider it as a single event for reporting. So i used...
View ArticleWhy is Malware_Attack.signature always "unknown" for Data coming from Sohpos...
Hi, We are using Splunk Addon for Sophos to ingest Sophos Console data into Enterprise Security App. Sophos add-on is installed on the console( with Splunk forwarder & Windows addon) and on the...
View ArticleWhy am I getting error "Splunk.License: failed to add because: license is...
We started using Splunk's Free version to see how powerful this tool was and the expected happened. The license was about to expire. We contacted Splunk, we paid for the license, I added the license...
View ArticleHow do I parse through my sample CSV type log to graph field values by date?
Hi, I am having trouble finding a good way of parsing through my log entries to try and grab the key-value pairs for plotting on a graph. To be clear, I get one log a day in the format: 2016-06-03...
View ArticleIn the "New Search" window, why does typing * result in "No results in...
I have tried multiple time ranges. no luck. Cisco app shows data coming in. License section of Splunk Utilization Monitor app shows data coming in. Just do not seem to be able to look at raw data.
View ArticleHow do you use the new Status Indicator Visualization for Splunk 6.4?
The examples provided in the app were good, but I needed a simpler example.
View ArticleHow to edit my regex to extract all user field values from my sample logs?
Here is the regex that I have:...
View ArticleHow does the licensing for Splunk Enterprise Security legally/commercially work?
Is it required for the Splunk Enterprise Security app to match the volume of the core Splunk Enterprise license? The EULA stipulates that the Enterprise Security app is licensed per daily indexed...
View ArticleHow do I group time values together by another field?
I'm trying to get my table to group events by Source IP. The search counts the number web traffic hits by Source IP and groups them into 1 hour time frame. I want to then have each Source IP as a...
View ArticleForwarding and receiving - Error occurred attempting to remove setting from...
Hi guys, I configured my all-in-one Splunk instance to forward data to another SH by using an tcpout:9997 at outputs.conf. Then I removed the config file manually from Ubuntu command line. However, I...
View ArticleWindows UF is not able to connect to deployment server
Hello, I have a new deployment server (also acting as search head) installed on Windows Server 2012 R2 with version 6.4.1. I have multiple UF installed on misc Windows OS (2008 R2, 2012, 2012 R2) with...
View ArticleForwarding and receiving - Error occurred attempting to remove a tcpout input...
Hi guys, I configured my all-in-one Splunk instance to forward data to another search head by using an tcpout:9997 at outputs.conf. Then I removed the config file manually from Ubuntu command line....
View ArticleWhy are our 6.4.1 universal forwarders unable to connect to a new 6.4.1...
Hello, I have a new deployment server (also acting as search head) installed on Windows Server 2012 R2 with version 6.4.1. I have multiple Universal Forwarders installed on misc Windows OS (2008 R2,...
View Article