@akshaykaul Currently https://splunkbase.splunk.com/app/1739/#/ is the one available from Splunkbase. However the official Splunk version mentioned as supported is 6.5 But you might still give it a try. Many a times the apps available from Splunkbase are not mentioned as supported to the latest version which does not necessarily mean that it would not be compatible But that its not tested yet with the latest Splunk build and there may or may not be unsupported features that you may come across. Thanks ! ... View more

@kloppm This would happen if your lookups with name "ms_ad_obj_xml_member_dn_computer" and "ms_ad_obj_xml_member_dn_group" (Lookup definition OR automatic lookup OR Lookup file) could not be found by Splunk as per the configuration. As a first step, check for the permissions given on you lookup. Go to Settings -> Lookups -> Lookup Definitions and search for your reported lookups. There you will see the names of your lookups being used and the app which should own it. Set the appropriate permission as per where you are trying to access it and with which role and this error would go away. Let me know if this helps you. ... View more

yes, this can be the reason as your errors are directly pointing to that. Can you make sure, the additional monitoring that you added, how many files and what size are they ? you can check for the resources usage by splunkd on you m/c to see for the performance. If the additional monitoring requires splunk to open too many file descriptors but the defined ulimit is not sufficient, you'd face this problem ... View more

@rhungebd If by client you mean the log source machine, the answer is Yes and No both. To get to the answer, lets understand briefly the following: How Splunk processes and searches data - From the log sources, the data is sent to indexer where it keeps a local copy of data after processing it. Now whenever a search is run, Splunk does not pull it directly from the log source but from its local copy of processed data. There are 2 types of searches in Splunk. Historical and Real Time. Now as the names indicate, Historical searches run the historical data and Real Time searches run over the continuous stream of data coming into Splunk. After knowing these 2 facts, below is why I said Yes and No both. Why Yes - If you are trying to search for the data that is coming into Splunk at real time, there would be a delay in results as much as there is from the original source to the indexer. So, the bandwidth will play its role here. Why No - If you are trying to search for the data that is already available with Splunk (say sometime b/w last week to last day). Since this data is already available with Splunk in the form of a local processed copy as I mentioned above, there would be no impact of what bandwidth you have b/w your client and Splunk Indexer. And what David explained above tells you, how the latency plays its role when the data is already in Splunk and how would it play its role in your distributed Splunk architecture. I hope this gives you the conceptual idea of Splunk's working. Let me know if it helps. And please accept answer and upvote if this answers your query. ... View more

The below post has helped many on this issue. You'd want to check this - https://answers.splunk.com/answers/13313/how-to-tune-ulimit-on-my-server.html ... View more

You need to initialize and then Add this instance to the cluster. This can be done by running the following commands on your new instance To initialize, run the below command and restart- splunk init shcluster-config -auth <username>:<password> -mgmt_uri <URI>:<management_port> -replication_port <replication_port> -replication_factor <n> -conf_deploy_fetch_url <URL>:<management_port> -secret <security_key> -shcluster_label <label> splunk restart To Add instance to Cluster, run this command - splunk add shcluster-member -current_member_uri <URI>:<management_port> Let me know if this helps ... View more

Can you apprise the status OR mark as answer if already resolved. ... View more

Can you mark as answer if your query is resolved by this OR let me know if you have further ask ? ... View more

you can set it at server.conf. A direct manual update to the .conf file would not be replicated but however through Web OR CLI OR REST they should be. Check this for SHC replication - https://docs.splunk.com/Documentation/Splunk/7.3.0/DistSearch/HowconfrepoworksinSHC ... View more

Can you mention whats the use case here. Knowing your end goal, the community can try to suggest you a better way around. The intent of sourcetype is for it to identify the data structure of an event. And it determines how Splunk Enterprise should format the data during its indexing process. Trying to set a dynamic sourcetype defeats this purpose. I'd rather suggest you use a search time extraction OR "tags" if you want to associate some meaningful info with your events based on source. ... View more

@zhangxq20 You are getting this error always from the same peer i.e. Indexer_03 in your case OR this is varying with your searches ? As this might happen that the searched data is corrupted on the primary buckets of this peer. Also, are you running dashboards OR too many queries at once ? or this is happening with singular query as well. See this post here, it might help you - https://answers.splunk.com/answers/506621/unknown-error-for-peer-xxx-search-results-might-be.html ... View more

It would also depend on your SPL. Can you post your query here ? ... View more

@morethanyell This seems to be a connectivity problem as your error states "Transport endpoint is not connected" and it is throwing a Timeout expiration exception. Can you validate by performing the basic connectivity tests of your LDAP server from your splunk instance. Ping, Telnet And then first try to confirm for basic LDAP search like- | ldapsearch domain=SPL search="(objectClass=user)" ... View more

is this a working setup that has stopped for you ? OR you've just set it up and have not got it working yet ? The answer can help to a better troubleshooting approach. ... View more

No, you have to mention exactly like - crcSalt = <string> i dont think crsSalt = ConstantString means anything ... View more

@harishbenne2 The App documentation has not listed all of its dashboards. But it has dashboards like - Proxy Performance, Network Resources, Application Health (this one provides metrics like Pool Member Health, Virtual CPU Health, CPU violations, Response codes health etc) I believe these can help you but you are the best judge of your requirement. Thanks ... View more

Went on to do some digging for this problem. Can you confirm which DBX version are you using. If its 1 OR 2 then you dont have the support But with 3.0 SProcs are supported. However there seems to be still some problem when using it as a DB input and need to set the rising column values for it. Unwrapping the stored proc and directly using the query in DBX is how some people are doing it plus an adjustment for tail_rising_column in db_inputs.conf directly. See this post for a more comprehensive explanation: https://answers.splunk.com/answers/594665/splunk-db-connect-311-stored-procedure-as-input.html Hope this helps. Please mark as answer if this would resolve your problem. Thanks ... View more

Have you tried crcSalt = <string> Also, take a look at - From: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf initCrcLength = How much of a file, in bytes, that the input reads before trying to identify whether it is a file that has already been seen. You might want to adjust this if you have many files with common headers (comment headers, long CSV headers, etc) and recurring filenames. Cannot be less than 256 or more than 1048576. CAUTION: Improper use of this setting will cause data to be re-indexed. You might want to consult with Splunk Support before adjusting this value - the default is fine for most installations. Default: 256 (bytes). Let me know if that resolves your problem OR we can also start talking about using monitor:// instead of batch:// ... View more

Can you mention how this event is getting processed in fields, especially the Name:targetname along with its values?? ... View more

@mlaurabermudez You want to go something like - index="SomeIndex" sourcetype="SomeSourceType" example="*hello*" | stats min(_time) as earliestTime values(example) as example latest(_raw) as RawEvent | eval earliestTime=strftime(earliestTime,"%+") And if you are saying that you need to do this for 2 different values in 2 different events, you would want to bring in the group by, Like index="SomeIndex" sourcetype="SomeSourceType" example="hello1" OR example="*hello2*" | stats min(_time) as earliestTime latest(_raw) as RawEvent by example | eval earliestTime=strftime(earliestTime,"%+")' Please let me know if this answers your question! 😄 Thanks ... View more

Can you add more context and be more thorough in what you are trying to ask. That'll help people help You better. Thanks ... View more