Problem: Unable to send cooked data to two different Indexer ports
Hello Experts, I have an issue where I am unable to send cooked data to two different Indexer ports. My flow of traffic is UF > HF > IDX UF IP: a.a.a.a HF IP: y.y.y.y IDX IP: x.x.x.x 1) Universal...
Searches are stuck at 'finalizing job' after upgrade to 6.5
I upgraded Splunk on my linux server to 6.5 and after that no searches are getting completed. Not even index=_internal. Search job inspector also doesn't load. All the jobs are getting stuck at...
Why does my search only return the first occurrence of an XML element?
New to Splunk and have the XML below: When searching for all attr values, it only receives the value of the first element (i.e. "a"): index=* scenario=y "some search criteria" | table attr I get the same...
Unable to change TZ in props.conf for host?
I am able to modify the TZ attribute as follows in $SPLUNKHOME$/etc/system/local/props.conf [source::mysource] TZ=US/Pacific However, I am unable to replicate the same functionality via the host...
After removing a monitor on one log file from all my Splunk forwarders, why...
I removed a monitor on one log file from all the Splunk forwarders in the inputs.conf file and restarted Splunk forwarder and Splunk indexers. However, we still see the new logs being indexed and search...
Splunk Add-on for Cisco UCS: Where do I configure my tasks to use a peer...
I installed the Splunk Add-on for Cisco UCS and can't figure out where to configure it to fill the "Index" drop-down with my clustered indexes OR modify a task from the CLI to use a single clustered...
Windows Perfmon Collection Issue
Having some issues with collecting % Processor Time for processes. My inputs.conf is configured with the below stanza: [perfmon://Process] counters = % Processor Time; etc. instances = * disabled = 0...
rex expression
I need to extract the account name from this snippet of a Windows security event log: Account For Which Logon Failed: Security ID: NULL SID Account Name: Joe User Account Domain: Some.Domain This is...
JMS Messaging Modular Input: Is the add-on particular about the JDK version...
Using JMS Modular Input with WebSphere MQ. JMS Messaging Modular Input add-on and Universal Forwarder are installed on the same server. JMS Messaging Modular Input subscribes to JMS Topic and pushes it...
Why am I receiving resource usage errors like "Failure getting value for disk...
I keep getting these error messages in splunkd.log: 10-05-2016 15:14:12.491 -0500 WARN IntrospectionGenerator:resource_usage - RU - Failure getting value for disk reads ((D:)), status code is...
Concatenate Fields for CEF output
ArcSight requires Microsoft-Windows-Security-Auditing:(EventCode) to properly categorize. What I am looking to do is like this: deviceEventClassId=Microsoft-Windows-Security-Auditing:($1) whereas `$1`...
How to drill down from a Splunk dashboard to an external URL?
I am working on a custom dashboard for one of our security tools that doesn't need anything fancy like its own app. All I want to do is be able to "drilldown" on an event and have that take me to an...
What does the number of files in the data inputs, files and directories page...
Hi Everyone, I was wondering what the number of files in the data inputs, files and directories page indicates? I have attached a snapshot here. Thanks, Paduka
If I have a custom sourcetype with fields delimited by commas, how do I...
If I have a custom sourcetype with fields delimited by `,`, the first field in the data is what I want to extract as the event time. What should be in the transforms.conf file for the FIELDS = ? The...
How to prevent a PID file from causing one of our universal forwarders to...
Hi, I got an issue with one of the Universal Forwarders. It is automatically shutting down and when I restart, it is again shutting down immediately. According to what I see when I check status, I...
What happens to the data if the indexer in an indexer cluster goes down?
I have 12 Indexers (6 each/site) in a multi cluster environment. Data is replicated to the other site with RF =2 and SF =2, so even if one indexer (INDX01) goes down due to network issues, the indexer...
URL Toolbox: Is there any way to improve the error output for the 'ut_parse'...
In version 1.6, there is a very poor 'you're screwing up' error message. In 1.4 you use | `ut_parse(trimurl)`; in 1.6 you use | eval ut_list = "iana" | `ut_parse(urllist, ut_list)`. If you don't use this...
How to implement a two factor authentication (2FA) to collect external feeds...
Currently one of the threat intelligence providers gives us an API link to download the threat feeds. But they are planning to change it to the two factor authentication (username, password and...
How to configure 6.5.0 data roll to search archived buckets in S3?
I follow the instructions in [the documentation for archiving to S3 in 6.5.0](http://docs.splunk.com/Documentation/Splunk/6.5.0/Indexer/ArchivingSplunkindexestoS3) but Splunk still can't find the jars it...
Why is geostats not working when used in a base search?
Hi all, I've created a dashboard that has multiple panels using essentially the same search, so I decided to try using a base search to cut down on resource usage. Unfortunately I've noticed that when...