Hello, I am trying to install and run a Splunk Univeral Forwarder v8.2.1 on a number of Solaris SPARC 11.3 servers but I am getting this error message. $ /opt/splunkforwarder/bin/splunk start --accept-license --answer-yes ld.so.1: splunk: fatal: relocation error: file /opt/splunkforwarder/bin/splunk: symbol in6addr_any: referenced symbol not found Killed The requirements here https://docs.splunk.com/Documentation/Forwarder/8.2.1/Forwarder/Systemrequirements state the system should have SUNW_1.22.7 or later in the libc.so.1 library, and it does. # pvs /usr/lib/libc.so.1 libc.so.1; SUNWpublic; SUNW_1.23; SUNW_1.22.7; SUNW_1.22.6; SUNW_1.22.5; SUNW_1.22.4; SUNW_1.22.3; SUNW_1.22.2; SUNW_1.22.1; SUNW_1.22; SUNW_1.21.3; SUNW_1.21.2; SUNW_1.21.1; SUNW_1.21; SUNW_1.20.4; SUNW_1.20.1; SUNW_1.20; SUNW_1.19; SUNW_1.18.1; SUNW_1.18; SUNW_1.17; SUNW_1.16; SUNW_1.15; SUNW_1.14; SUNW_1.13; SUNW_1.12; SUNW_1.11; SUNW_1.10; SUNW_1.9; SUNW_1.8; SUNW_1.7; SUNW_1.6; SUNW_1.5; SUNW_1.4; SUNW_1.3; SUNW_1.2; SUNW_1.1; SUNW_0.9; SUNW_0.8; SUNW_0.7; SISCD_2.3; SYSVABI_1.3; SUNWprivate_1.1; Does anyone have any suggestions? Thanks

I have a scheduled search that outputs the results every 5 minutes using the outputcsv command to local disk. The file is stored with name abc_dns.csv       index=abc |fields _time _raw |fields - _indextime _sourcetype _subsecond |outputcsv abc_dns     Then I am forwarding that file to an external Indexer inputs.conf   [monitor:///opt/splunk/var/run/splunk/csv/abc_dns.csv] index = abc_dns_logs sourcetype = abc_dns #crcSalt = <SOURCE>   Below is the props.conf   [abc_dns] INDEXED_EXTRACTIONS = csv HEADER_FIELD_LINE_NUMBER = 1 KV_MODE = none NO_BINARY_CHECK = true SHOULD_LINEMERGE = false category = structured TRANSFORMS-t1 = eliminate_header   transforms.conf   [eliminate_header] REGEX = ^"_time","_raw"$ DEST_KEY = queue FORMAT = nullQueue     When I validate the results, I am seeing data is getting duplicated on the external Indexer. I attempted to add crcSalt = <SOURCE> to check if it makes any difference, which seemed that it did initially, however, afterwhile, I saw data was getting duplicated again. In reality, there is indeed duplicate data in original logs itself, but overall I am actually seeing data from the monitored file is also getting duplicated. Can anyone please help with this ?

We encounter an error configuring the VMware Carbon Black Cloud application (vmware_app_for_splunk 1.1.1 with Splunk Common Information Model Splunk_SA_CIM 4.20.0) with Splunk Enterprise (8.2.1). In Application Configuration API Token Configuration when we select + we get the error message "Something went wrong. TypeError: Cannot read property 'length' of undefined" and "vmware_app_for_splunk: pavo_message:UNKNOWN"

Hello, I performed a "fresh" installation of ES 4.6.1 in a search head cluster through deployer. Splunk app version is 8.0.9.  The apps for the ES were pulled from a repository solution to deployer and then pushed to the search cluster. When I try to open the content management it is stuck in blank and the Incident Review displaying "Operation Failed, Internal Error. __enter__" error. Is there any log file I might check and permission I need to change a this behavior is quite strange? Thank you in advance

Hoping to find some physical copies of the Quick Reference Guide on card stock.  I was hoping they would be available from the Online Splunk store here: https://www.mypromomall.com/splunk  but they are not. I usually pick them up at .conf, but being virtual last year didn't have that opportunity.  I'm working with a rotating base of junior folks who use the heck out of them.  The cards have been an awesome aid in getting them up to speed.  

Hi everyone, I am looking for any document which can help to calculate log source volume. I have 10 different type of log sources i only have their log source description and quantity. Now i have told to calculate the estimated total volume per day.  If someone can help me to get the Log source volume calculator.

HI all, in our identity feed there are some instances where different identities are registered with the same email address. ES by default merges using "key" fields and email. I want to disable this behaviour, but I cannot find how to do that. In the documentation it is written "The key field is identity and the default merge convention is email.". Anyone knows how can I change the default merge convention? Thanks Mario

I have a requirement to list the most used indexes in the platform. For this I need to prepare a report which shows when indexes was used last time, and how those indexes were used e.g. if the user used it via an ad-hoc search or the index is part of any scheduled saved search. I am looking into audit data model for it , but this is not listing out indexes when it's defined within a macro. for example I have a scheduled saved search which is having a macro with index and source type definition, how to get that index name extracted via audit logs of saved search execution? Any inputs please. Thank you!

Hi all, I usually onboard Windows Server 2008 and newer but 2003 it is not working with below Stanza  # Windows platform specific input processor. [WinEventLog://Application] disabled = 0 [WinEventLog://Security] disabled = 0 [WinEventLog://System] disabled = 0 is it possible to read the files like this? [monitor://C:\WINDOWS\System32\config\AppEvent.Evt] Best, N.

Question: How can we find diff between log statements before and after a given date.  Applicability:  Let's say we release a new application code and I want to be able to see all new events that application has started logging.  Now definition of new is very vague here but any suggestion would help.  Idea is that splunk should be able to compare type of events were being logged earlier and only show new events that were not present before.  That would help finding any new Exceptions Errors or Warning that are being logged and not yet surfaced as a failed customer interaction.  Example:  After a new code release,  our application started logging an WARN event regarding "open file handlers" that kept building up over the time and ultimately reached a stage where no more unix file handlers were available to process any new request. 

Hi, I have a custom search get input as raw string, but when I combine splunk don't understand that, it always return error  Example: |example rawstring="{"EventCode": "13","EventType": "SetValue","TargetObject": "(?mi)Software[//\\\\]{0,2}Microsoft[//\\\\]{0,2}Windows[//\\\\]{0,2}CurrentVersion[//\\\\]{0,2}Run"}}"  Can anyone help me pass it, thanks in advance

Hi all, I have created a lookup table and imported it into SPLUNK. It has 2 columns, one called hosts the other called IPs. The columns are populated with the hosts I want to query. I'm very new to SPLUNK and would like to create a search that returns errors/events worth investigating from the hosts specified in the lookup file. I'll display the results on a dashboard and will be checking this daily for preventative maintenance on my system. I'm just after events worth looking in to and need to filter out irrelevant events to save time. Can anyone help? Thanks in advance.

hi. I have a splunk server that is on windows and a vmware that windows on it too for forwarding data from vmware to host system. I read documents and do it step by step to  install and configure the universal forwarder on vm . the ports for receiver on two machines are open with firewall rules. but when i add data to splunk server the message show "There are currently no forwarders configured as deployment clients to this instance" and i search more but not fixed.  there are solution for this subject on this community but not work for me. please help. thanks.