We configured SPLUNK to use Active Directory as authentication system. Problem occurs with users that have "Log On To..." restrictions on the AD to restrict they ability to logon into Splunk from only a particular workstation. Such user is unable to logon to the SPLUNK system, and the message returned is "Invalid username or password". ... View more

My source file is like: ============================ App01trace 3 0 393222 0 19 148 8838300 4 0 458759 0 29 15 0 4 0 458759 0 31 12 0 5 0 524296 0 61 170 8869500 App02trace 4 0 327685 2032 0 0 0 0 NULL 6 0 393222 2032 0 0 0 0 NULL 5 0 458760 2032 0 0 0 0 NULL App03trace 21 1 2959165 3 8 1 1 P 22 9 859165 3 12 6 1 R ============================ I would like to associate to each App0.trace a different sourcetype, and then associate each value to a different field, specific for that sourcetype. I've tried the following steps: In inputs.conf I assign my source file to a fix sourcetype [testbb] I then use [testbb] to define a stanza props.conf, like this: [testbb] SHOULD_LINEMERGE = true BREAK_ONLY_BEFORE_DATE = false LINE_BREAKER = ([\r\n]+)(App01trace|App02trace|App03trace) TRANSFORMS-App01trace=tr-App01trace TRANSFORMS-App02trace=tr-App02trace TRANSFORMS-App03trace=tr-App03trace In transforms.conf I extract the three different sourcetypes, like: [tr-App01trace] REGEX = App01trace DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::App01trace Finally I create another stanza in props.conf for sourcetype [App01trace] where I perform the search time extractions (using Extract) My problem is that it only extracts the fields from the first line of each sub block, not for every line. So supposing the third field for App03trace is called app03field3, I get app03field3=2959165 but the value 859165 doesn't get extracted. That doesn't surprise me as the LINE_BREAKER has been already executed for that stream. What should I change to achieve my goal? Thanks for your help. ... View more

Hi, I need to monitor an Oracle database running on a Solaris Cluster. Do you have any suggestions on how to do it? I was thinking to install a Light Forwarder in both the nodes and send the data into an external indexer: has anybody tried to install a Splunk Light Forwarder in a Solaris cluster? Do you have any suggestions on how to configure the data service? Thanks ... View more

I have a script error during the installation of a rpm package: how can I see the scripts the are run during a rpm installation? ... View more

I want to integrate Splunk with SSO, and then I'd need to remove the Login page and the Logout bottom at the top right. Is that something that can be done manually? ... View more

I would like to deploy Splunk in a non reliable network. I have an Index on a Satellite which is indexing events locally and also sending them to the main index on Planet Earth. Once in a while, at irregular times, the communication goes down. Is there any way to keep the two indexes synchronized? ... View more