I've followed this guide to install SC4S and connect with Splunk: https://splunk.github.io/splunk-connect-for-syslog/main/gettingstarted/byoe-rhel8/ And I am getting this error: 2021 Nov 11 00:56:11 sc4s-hostname01 curl: error sending HTTP request; url='https://10.0.0.1:8088/services/collector/event', error='Couldn\'t connect to server', worker_index='0', driver='d_hec_fmt#0', location='root generator dest_hec:5:5' 2021 Nov 11 00:56:11 sc4s-hostname01 Server disconnected while preparing messages for sending, trying again; driver='d_hec_fmt#0', location='root generator dest_hec:5:5', worker_index='0', time_reopen='10', batch_size='1469' Network connection, token are ok: curl -k https://10.0.0.1:8088/services/collector/event -H "Authorization: Splunk <token>" -d '{"event": "hello world"}' {"text":"Success","code":0}  

As the title says, I installed the PUR app on ES and non-ES SHs. The app did run and return results on non-ES SH but not on ES SH.  Can somebody please explain what might be the potential reason behind this or how I can fix this ?

I recently performed a data migration to correct some mistakes made by the person who built our environment. Afterward, I found I had to run `splunk fsck repair` due to errors that are preventing splunk from starting. After running the command with "--all-buckets-all-indexes" or "--all-buckets-one-index --index-name=linux" it stops without seeming to do anything. After it stops I get, as an example Process delayed by 56.174 seconds, perhaps system was suspended? Stopping WatchdogThread. We have four indexers in a cluster. I've put the cluster master in maintenance mode and stopped splunk on all of the indexers. I'm running the command on a single indexer since the data is shared via NFS. One thing I haven't done is unmount the share on all of the other indexers. What is the cause of this error and what do I need to do to move past it?

I recently had to realign our storage. Specifically, write cold data to one NFS share and hot/warm to another. Prior to this, all data was being written to the same storage which was not per our design. I placed our cluster master in maintenance-mode, stopped splunk on all indexers, then used rsync to copy data to the proper shares. After moving data around and ensuring that NFS shares were then mounted in the proper locations, I attempted to bring everything back online. The cluster master starts fine. The indexers, though, do not. I have only been able to start one indexer out of four. It seems to not be one specific indexer, though. I had splunk running on indexer1, but indexer2, indexer3, and indexer4 then failed. Later, I was able to start splunk on indexer2, but indexer1, indexer3, and indexer4 failed. Examples of the errors I'm seeing are ERROR STMgr - dir='/splunk/audit/db/hot_v1_64' st_open failure: opts=1 tsidxWritingLevel=1 (No such file or directory) ERROR StreamGroup - Failed to open THING for dir=/splunk/audit/db/hot_v1_64 exists=false isDir=false isRW=false errno='No such file or directory' Your .tsidx files will be incomplete for this bucket, and you may have to rebuild it. ERROR StreamGroup - failed to add corrupt marker to dir=/splunk/audit/db/hot_v1_64 errno=No such file or directory and ERROR HotDBManager - Could not service the bucket: path=/splunk/_introspection/db/hot_v1_388/rawdata not found. Remove it from host bucket list. WARN  TimeInvertedIndex - Directory /splunk/_introspection/db/hot_v1_388 appears to have been deleted FATAL MetaData - Unable to open tempfile=/splunk/_introspection/db/hot_v1_388/Strings.data.temp for reason="No such file or directory";  this=MetaData: {file=/splunk/_introspection/db/hot_v1_388/Strings.data description=Strings totalCount=761 secsSinceFullService=0 global=WordPositionData: { count=0 ET=n/a LT=n/a mostRecent=n/a } and FATAL HotDBManager - Hot bucket with id=389 already exists. idx=_introspection dir=/splunk/_introspection/db/hot_v1_389 I've run 'splunk fsck repair --all-buckets-all-indexes' more than once, but these issues persist. Can the underlying issues be corrected or should we cut our losses and start our collections fresh? Fortunately, this is an option we can use as a last resort.

I want to find items in one index based on results from another index's search. I have the following but only get a handful of results for some reason.     index=a sourcetype=test |join id [search index b | rename id as idb] |stats count by id, idb     Is this the best way to accomplish it and any reason I only get a small number of results? 

My default timezone is EST. How do I change it so that when other users are using my dashboards they can view it utc time or a different time zone? Or in other words displaying my result in a different time zone or adding an offset.

Hello all, I'm not sure what I have been asked to do is achievable.  I'm hoping that someone can advise. We have a Windows 2003 server that cannot have a UF installed as it is not compatible with our current environment (8.1.6).  Anyway, that aside, I have managed to ingest data using 'open' shares from a UF on a Windows 2016 server to the 2003 server. I now have a request to ingest data from a restricted share on the 2003 server.  I have tried setting up a share from the 2016 server to the 2003 server, but this does not work.  I guess because the UF is not using the same account as the share has been set up under? Can anyone tell me how I can create a share for the Splunk UF to use? Thanks

I am currently using an Input token called OS. I have three values for the token:      MAC       Windows      Linux. In my visualization I want to say:  If OS = Mac . Then run this search. If OS = Windows. Then Run this search If OS = Linux. Then run this search.   I am aware that the EVAL command has decision logic built into it but I don't think that  it can handle sub searches inside the case. Any help is appreciated Thank you, Mark