Im completely green using SPLUNK, I have downloaded enterprise, have a profile but I cannot seem to get it configured to work off of my home system. i.e testing SPLUNK on myself. The steps stop working for at the step for :"Configure the universal forwarder using configuration files"  Im not understanding how to access the config settings through the CLI to move beyond this step.

Hello.  I'm trying to send log from heavy forwarder to 2 indexes. One is receiving logs, but the second is not. Here is the props.conf file: [test] TRANSFORMS-routing=errorRouting,successRouting   Here is the outputs.conf file: [tcpout:errorGroup] server = 35.196.124.233:9997 [tcpout:successGroup] server = 34.138.8.216:9997   Here is the transforms.conf file: [errorRouting] REGEX=. DEST_KEY=_TCP_ROUTING FORMAT=errorGroup [successRouting] REGEX=. DEST_KEY=_TCP_ROUTING FORMAT=successGroup What could be the problem?    

Hello all, We are getting error in analytics agent part of SAP ABAP Status logs as given below. - Analytics agent connection: > ERROR: connection check failed: > Ping: 1 ms > HTTP response ended with error: HTTP communication failed (code 411: Connect to eutehtas001:9090 failed: NIECONN_REFUSED(-10)) > HTTP server ******* (URI '/_ping') responded with status code 404 (Connection Refused) > Analytics Agent was not reached by server *********_EHT_11V1http://**********:9090. Is it running? Can anyone tell me why this error is occurring? Regards, Abhiram

I want to allow users of a specific role to be able to access the user dropdown menu so that they can logout, but I want to prevent their ability to modify the user preferences (time zone, default app, etc.). I have determined how to prevent these users from modifying their own password with role capabilities. Without the Role capability list_all_objects, the user dropdown doesn't display making the ability to logout difficult. With the list_all_objects capability active for the role the user now has access to adjust the user preferences. Thanks in advance!

I am trying to get data from 2 indexes and combine them via appendcols. The search is  index="anon" sourcetype="test1" localDn=*aaa* | fillnull release_resp_succ update_resp_succ release_req update_req n40_msg_written_to_disk create_req value=0 | eval Number_of_expected_CDRs = release_req+update_req | eval Succ_CDRs=release_resp_succ+update_resp_succ | eval Missing_CDRs=Number_of_expected_CDRs-Succ_CDRs-n40_msg_written_to_disk | timechart span=1h sum(Number_of_expected_CDRs) as Expected_CDRs sum(Succ_CDRs) as Successful_CDRs sum(Missing_CDRs) as Missing_CDRs sum(n40_msg_written_to_disk) as Written sum(create_req) as Create_Request | eval Missed_CDRs_%=round((Missing_CDRs/Expected_CDRs)*100,2) | eval Missed_CDRs_%=round((Missing_CDRs/Expected_CDRs)*100,2) | table * | appendcols [| search index=summary source="abc1" OR source="abc2" | timechart span=1h sum(xyz) as Counter | table Counter] But, I am getting output from just the first search. The appendcols  search is just not giving the Counter field in the output. 

Hi all, We have a source which comes in via HEC into an index. The sourcetyping currently is dynamic. We then route data based on a indexed label the data to a specific index. Here comes the catch. If we have another indexed field called label we want to clone that event into a new index and sourcetype   props.conf     [(?::){0}kube:container:*] TRANSFORMS-route_by_domain_label = route_by_domain_label       transforms.conf We route the data based on a label which is custom named k8s_label for the example here and for sensitive data we also have a label called : label_sensitive      [route_index_by_label_domain] SOURCE_KEY = field:k8s_label REGEX = index_domain_(\w+) FORMAT = indexname_$1 DEST_KEY = _MetaData:Index [clone_when_sensitive] SOURCE_KEY = field:label_sensitive REGEX = true DEST_KEY = _MetaData:Sourcetype #CLONE_SOURCETYPE = sensitive_events FORMAT = sourcetype::sensitive_events