the problem is that this query return only the number of every index, if it's higher than 50, I need something like: sourcetype=windows EventId=X status=Y earliest=-5m | stats count by EventID | where count>5 | search tstats count WHERE index=* by index| where count>0 Basically I need to execute the first part of the query, for all the indexes, but I need to display separate results for each of the indexes. Is it possible? ... View more

yes, I checked now again, indexes(2) internal_, audit_.. Did I forget anything? I created the file, put it in master-apps/_cluster/local, used the cli to bundle, and next I checked if in the indexer the file has been copied, and it was. am I forgetting anything? ... View more

It's exactly what I have done, but I can see only a couple of standard indexes.. And the indexes.conf has been correctly copied in the folder slave-apps.. ... View more

so do I need 3 instances or 3 search head and 1 deployer? ... View more

Just ubuntu: DISTRIB_RELEASE=14.04 DISTRIB_DESCRIPTION="Ubuntu 14.04.3 LTS" ... View more

Once I did it, I can see in the slave-apps local/indexes.conf, but how can I display them from splunk gui? Clicking on indexer there isn't : ( ... View more

How can I virtualize the 2 search heads? ... View more

I tried to remove all the fishbucket and clean the indexer from 4 index. after restarting the forwarder, 2 of the index, where correctly reindexed, the other 2 not. I completely cleaned everything from the fishbucket folder on my forwarder, why is it not indexing old data? ... View more

I can't directly connect to internet from the server, I execute : ln -s /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/libcpc++libc6.1-2.so.3 /lib/libcpc++libc6.1-2.so.3 and it's fine, I also checked if the libraries where already installed using: apt-cache search libpam0g-dev apt-cache search glibc And both of the libraries seems to exists: libpam0g-dev - Development files for PAM libc6 - Embedded GNU C Library: Shared libraries libc6-arm64-cross - Embedded GNU C Library: Shared libraries (for cross-compiling) libc6-armel-cross - Embedded GNU C Library: Shared libraries (for cross-compiling) libc6-armhf-cross - Embedded GNU C Library: Shared libraries (for cross-compiling) How can I update them, without access to internet? I can move file on the server and download the package using my laptop... ... View more

Thank you : ) ... View more

thank you : ) ... View more

Yes, sorry, this is the script: #!/bin/sh INSTALL_FILE="splunkforwarder-6.2.3-264376-Linux-x86_64.tgz" #The script doesn't require the creation of a public pair ssh key # After installation, the forwarder will become a deployment client the passed argument $1 # Specify the host and management (not web) port of the deployment server # that will be managing these forwarder instances. DEPLOY_SERVER="$1" #outputs.conf OUTPUTS='[tcpout]\n defaultGroup= default-autolb-group\n\n [tcpout:default-autolb-group]\n\n server = $DEPLOY_SERVER:9997\n\n [tcpout-server://$DEPLOY_SERVER:9997]' #Input to monitor needs to be changed INPUTS='[monitor:///var/log/*]\n sourcetype=syslog\n host_segment=3\n index=test\n\n [monitor:///var/log/messages]\n sourcetype=syslog\n host_segment=3\n index=test\n\n [monitor:///var/log/lastlog]\n sourcetype=syslog\n host_segment=3\n index=test\n\n' echo 'checking network...' if wget -q 'http://www.splunk.com/bin/splunk/DownloadActivityServlet? architecture=x86_64&platform=Linux&version=6.2.3&product=universalforwarder&filename=spl unkforwarder-6.2.3-264376-Linux-x86_64.tgz&wget=true' > /dev/null; then wget -O splunkforwarder-6.2.3-264376-Linux-x86_64.tgz 'http://www.splunk.com/bin/splunk/DownloadActivityServlet? architecture=x86_64&platform=Linux&version=6.2.3&product=universalforwarder&filename=spl unkforwarder-6.2.3-264376-Linux-x86_64.tgz&wget=true'> /dev/null; tar xvzf splunkforwarder-6.2.3-264376-Linux-x86_64.tgz -C /opt useradd splunk chown -R splunk /opt chown -hR splunk /var /opt/splunkforwarder/bin/splunk enable boot-start -user splunk --no-prompt --accept-license -- answer-yes sudo -u splunk /opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --auto- ports --no-prompt --accept-license --answer-yes /opt/splunkforwarder/bin/splunk set deploy-poll \"$DEPLOY_SERVER:8089\" --accept-license -- answer-yes --auto-ports --no-prompt -auth admin:changeme cd /opt/splunkforwarder/etc/system/local/ touch inputs.conf cd /opt/splunkforwarder/etc/system/local/ touch outputs.conf echo -e $OUTPUTS > outputs.conf echo -e $INPUTS > inputs.conf /opt/splunkforwarder/bin/splunk restart else echo 'Seems that your machine is not connected with internet, before to procede be sure that the installation file is on your machine'; fi echo "---------------------------" echo "Done" ... View more

Ok, so your system is working fine if I'm not using ssh, If I log using ssh it's not changing user. I have another question, during the installation I have this error: Can't create directory "/root/.splunk": Permission denied I think it's still related to the user, do you have any ideas why? Thank you so much for your help : ) ... View more

sudo -H -u splunk is not working : ( I've already added $SPLUNK_HOME/bin/splunk enable boot-start -user splunk $SPLUNK_HOME/bin/splunk start --accept-license But seems like it's not changing user ... View more

I tried to use this last command but when I use ps -ef | grep splunkd It's running under root again.. ... View more

I try the command and splunk is actually running as root : ( I'm typing adduser splunk nothing else, and I'm executing only one step: root@x.x.x.x "command list" where in command list there are: useradd splunk chown -hR splunk /opt/splunk /opt/splunk/bin stop sudo -i -u splunk /opt/splunk/bin start So I dunno what's wrong, and thank you for the help ... View more

Thank you! 🙂 ... View more