Depending on what you want to do, you should pick how input method Splunk indexes data. If you're trying to let Splunk schedule the script to run, scripted input or modular input would a good choice. Either way, your script should write data out to standard out where Splunk parse data, instead of writing a file. For comparison between Modular Input and scripted input, please visit; https://docs.splunk.com/Documentation/Splunk/6.4.2/AdvancedDev/ModInputsBasicExample For simple example for Modular Input, please visit and try the examples; http://dev.splunk.com/view/python-sdk/SP-CAAAER3 http://docs.splunk.com/Documentation/Splunk/6.4.2/AdvancedDev/ModInputsIntro To run modular input from a command line to validate if the modular input was correctly deployed, please visit the following link; http://docs.splunk.com/Documentation/Splunk/6.4.2/AdvancedDev/ModInputsDevTools Here is a copy of a line to run a modular input from cmd. It requires proper scheme and configuration to run it properly. First part is to parse Modular Input configuration from configuration, and pass the output to your Modular Input Script. In this example, twitter.py. In your case, it would be demo.py splunk cmd splunkd print-modinput-config twitter twitter://SplunkTwitter \ | splunk cmd python $SPLUNK_HOME/etc/apps/twitter/bin/twitter.py ... View more

SSL Version 2 and 3 Protocol Detected => Disable SSLv2 and SSLv3, or specify tls1.2 http://docs.splunk.com/Documentation/Splunk/6.4.2/Security/SetyourSSLversion SSL Cert Signed Using Weak Hashing Algorithm (SHA1) => Avoid using Splunk default certificate, and create your own certificate with stronger signiture (sha2 type) asking trusted CA. => openssl has option such as -sha256. For more detail, pleaes consult your trusted CA or google it regarding how to crate certificate with SHA256 or something like that! http://docs.splunk.com/Documentation/Splunk/6.4.2/Security/Howtogetthird-partycertificates SSL Certificate Wrong Hostname (Splunk Self Signed Cert running on 8089) => You need to craete your own certificate and use proper HostName. Splunk default cert does not use server's host name TLS CRIME Vulnerability https://answers.splunk.com/answers/65218/splunk-shows-vulnerable-to-cve-2012-4929-in-my-nessus-vulnerability-scan-what-is-going-on.html ... View more

This warning itself cannot tell if you have a real issue or not. Basically, search job status feature checks search job status including modification time of the status.csv in a search dispatch directory. There is a chance status.csv file does not have modification time when it is checked. So, in such case, this message shouldn't be WARN log level. As far as I know, Splunk dev. team is trying to avoid this confusing warning message and improve message more user-friendly in a future release. There is no ETA or fixed release version yet at this point. ... View more

You are right. Unfortunately current Splunk does not have such configurations. How about binding the two interfaces to one? Something like the following doc would help to try bonding NICs http://www.cyberciti.biz/tips/linux-bond-or-team-multiple-network-interfaces-nic-into-single-interface.html ... View more

Wish the message was more user-friendly. Splunk should improve this message. The most important here is that why the bundle is so huge. Is it really needs to distribute to indexers? Often times, there are large files which are not required to send to indexers, and setting blacklist in distsearch.conf to reduce bundle size is the best practice. Otherwise, even if we tune configuration and allow sending a large bundle, there would be other issues such as timeout and/or performance issues. Understanding the potential problem due to a large bundle size, this warning message mean the bundle was too big to send. Two factors/attributes contributes here. 1. maxBundleSize attribute of [replicationSettings] in distsearch.conf ( default is 1GB) 2. max_content_length attribute in [httpServer] in server.conf ( default is 800MB) So, if you increase those two parameters to meet the size of your bundle, the message will be gone. However, most likely you start to see other issues by sending such large bundle; e.g. some timeout and slow performance, more memory usage etc. ... View more

typo sslVersions = tls, =tls1.0 ? unknown protocol error could be caused by the Splunk instance could not read or verify certificate or protocol from forwarder didn't match, or something else 🙂 Splunk instance could not read or verify certificate => in splunkd.log, warn or error message for reading or verifying SSL certificate or private key. This case, you need to re-visit configuration and certificate. I usually use openssl commands to verify all pem files and check if I can start a server using openssl s_server option. forwarder's ssl version didn't match => I've seen this error when ssl client is trying to use sslv2 while ssl server is not accepting. So, ssl supported version compatibility could be cause of the issue. If both of the above is okay, I would try the configuration without sslCommonNameToCheck, sslVerifyServerCert and sslVersions (as a common troubleshooting procedure, to make sure start with simplest settings works) Other useful link to review SSL configuration is; https://answers.splunk.com/answers/7164/how-do-i-set-up-ssl-forwarding-with-new-self-signed-certificates-and-authentication.html ... View more

I believe this question should go to the author of the app to confirm if they support Search Head Clustering. I could not find comments regarding Search Head Clustering in the app's doc page http://docs.alertmanager.info/Documentation ... View more