I need some help updating the mmdb file for the iplocation command. Ive read the other forum questions regarding this, as well as the docs, and i am a bit confused.    I initially uploaded the new mmdb file from MaxMind, the GeoLite2-City.mmdb. I uploaded it through the GeoIP panel through the lookups tab.    It uploads, but i cant seem to find the file afterwards. I am looking on the specific server that I uploaded the file to, we have a clustered environment, but that one specific server I uploaded it to should have it. I ran locate and find commands, but could not locate it. We still have the original under $SPLUNK_HOME$/share/dbip-city-lite.mmdb   Even though the dropbox for the mmdb file showed a successful upload, I can not find it anywhere.  I dont see any trace of the upload through splunkd, or through /export/opt/splunk/var/run/splunk/upload/ , or through any find or locate command.  I wanted to update the file path to include both databases, and i know i needed to change the limits.conf file, and update it to include both paths. But the question is, How do i change the limits.conf so that it replicates. We dont have any app named TA-geoisp or anything similar, and thats what these forums and docs reference.   Somewhere I saw that I could update the search app's limits.conf and just push that from the shcluster directory, as that will push a bundle change that will push out to all Search heads in the cluster. Since the search app is the default app, we could just use that app to point to the mmdb files. But we don't have the search app located under our /$SPLUNK_HOME$/etc/shcluster/apps/   We dont seem to have the search app under our Clustermaster/Deployer shcluster directory. I think i might be missing something. I would basically just like to update the limits.conf to point to the new dir path of both of the mmdb files. Id like to just edit the limits.conf to look like:     [iplocation] MMDBPaths = /path/to/your/GeoIP2-City.mmdb,/path/to/your/dbip-city-lite.mmdb       The question im trying to ask here, is when i upload the file through the gui, where does the file end up. And if i wanted to push these changes manually,  if i wanted to push to all SH and indexers from the deployer and deployment server, how do i go about replicating the folder that holds the mmdb as well as the limits.conf that hold the paths to the files.    Thank you for any assistance.   

Hello! I am trying to send data to Splunk using UDP, I tried to set it up using the documentation and seen a few videos on how to set it up but can't get it right. I have the data coming into my HF from network devices and then should be sent to my indexers. After going through the set up I get this error message "Search peer splunk_indexer_02 has the following message: Received event for unconfigured/disabled/deleted index=<index> with source="source::udp:514" host="host::xx.xx.xx.xx" sourcetype="sourcetype::<sourcetype>. So far received events from 2 missing index(es)." I created a new index during the set up but there is no data to search.

Hi, I am working my way through some of the splunk courses. I am currently on "working with time". In one of the videos the following command is used to find all results within the past day, rounding down. "| eval yesterday = relative_time(now(),"1d@h")". However when I attempt this command myself, it simply prints the "yesterday" value however it uses the time specified in my time picker, not in the actual command. I was under the impression that any time specified within a command would automatically overwrite the time picker. Was I mistaken in this? Or am I perhaps using the command incorrectly? Any help would be greatly appreicated.

My company is transitioning from an on-premise MFA setup within ADFS to the Azure MFA setup.  What's the best approach to getting those MFA events into Splunk?  Does the Splunk Addon for Microsoft Azure (splunkbase 3757) meet that goal?  

Been struggling for a while on this one. On-prem Splunk Enterprise.  v9.1.2, running on CentOS 7.9 -- Just trying to find a consistent way to be able to upload log files through HTTP Event Collector (HEC) tokens.  I found the whole RAW vs JSON thing confusing at first and thought the only way to be able to specify/override values like host, sourcetype, etc. was to package up my log file in the JSON format. Discovered today that you can specify those values in the RAW url, like so: https://mysplunkinstance.com:8088/services/collector/raw?host=myserver&sourcetype=linux_server which was encouraging.  It seemed to work. And I think I've gotten further ahead.  I now have this effectively, as my curl command running in a bash script: curl -k https://mysplunkinstance.com:8088/services/collector/raw?host=myserver&sourcetype=linux_server -H "Authorization: Splunk <hec_token>" -H "Content-type: plain/text" -X 'POST' -d "@${file}" Happy to report that I now see the log data. However, it only seems happy if its a single line log.  When I give it a log file with more lines, it just jumbles it all together.  I thought it would honour the configuration rules we have programmed for sourcetype=linux_secure (from community add-ons and our own updates) but it doesn't.  Loading the same file through Settings -> Add Data has no problem properly line-breaking per the configuration. I'm guessing there is something I am missing then in how one is meant to send RAW log files through HEC?

Anyone know how and what path to query on splunkcloud instance to pull existing SAML configuration details and certificate? I can view the information by browsing to settings -> authentication method -> SAML -> SAML configuration. I want to be able to export that information if it is captured in a file as a backup prior to migrating to different authentication method.  Thanks in advance.