when you look into your clearpass app in splunk, you can see the missing fields that are aliased here... i.e $SPLUNK_HOME/etc/apps/ClearPassOnSplunk_2/default/props.conf.. FIELDALIAS-cppm-24 = framed_ip_address AS ip_address FIELDALIAS-cppm-016 = username as user_name FIELDALIAS-cppm-acctnasip = nas_ip_address AS nas_ip FIELDALIAS-cppm-019 = nad_ip AS nas_ip FIELDALIAS-cppm-910 = host_mac AS mac_address FIELDALIAS-cppm-911 = end_host_id AS mac_address FIELDALIAS-cppm-911 = mac_address AS end_host_id #FIELDALIAS-cppm-host = ClearPass_Server AS host Let's take FIELDALIAS-cppm-24 = framed_ip_address AS ip_address, in this case you need to have either ip_address or framed_ip_address in your raw data, due to a change in FIELDALIAS behavior in 7.2...you have to change your configs like this... #FIELDALIAS-cppm-24 = framed_ip_address AS ip_address EVAL-ip_address = coalesce(ip_address, framed_ip_address) so, before making any changes, I would check the raw logs on the source host(may be a syslog) to make sure I have the required fields in the log file itself or Splunk is not parsing the fields correctly...?? ... View more

I mean to say is run a splunk search via CLI or RestAPI to export the data instead of dump, something like this.. splunk search "index=_internal earliest=09/14/2015:23:59:00 latest=09/16/2015:01:00:00 " -output rawdata -maxout 200000 > c:/test123.dmp curl -u admin:changeme \ -k https://localhost:8089/servicesNS/admin/search/jobs/1423855196.339/results/ \ --get -d output_mode=json -d count=5 ... View more

You can define your timezone in your props.conf by sourcetype/source/host...this splunk doc should help.. http://docs.splunk.com/Documentation/Splunk/7.2.1/Data/Applytimezoneoffsetstotimestamps#How_Splunk_software_determines_time_zones ... View more

Can you run this commands, and also make sure you installed a compatible splunk version on your OS ./splunk status spunkd ./splunk status splunkweb based on the output, you can try this if it resolves the issue./splunk restart splunkweb ... View more

That's weird, I tried both ways on my local based on your sample snippet in your question... 1. having splunk do the line-breaking..etc., it's working 2. adding props.conf, above props are working for me Can you check if any other configs are overriding your extractions... ./splunk cmd btool props list --debug [sourcetype] ... View more

were you able to login or it's just happening when you click on update..?? ... View more

hope this should work...MAX_EVENTS works only when SHOULD_LINEMERGE = true according to the docs..props.conf [Log] SHOULD_LINEMERGE = true NO_BINARY_CHECK = true TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N TIME_PREFIX = ^ MAX_TIMESTAMP_LOOKAHEAD = 25 BREAK_ONLY_BEFORE = \d{4}\-\d{2}\-\d{2}\s\d{2}\:\d{2}\:\d{2}\.\d{4} FIELD_DELIMITER = | FIELD_NAMES = Timestamp,Thread,Level,Stack,Info,AddInfo INDEXED_EXTRACTIONS = psv MAX_EVENTS = 99999 ... View more

As you deleted the server class from CLI and If you are still seeing the serverclass you created from deployment-server UI, I would restart splunkd on deployment-server. what's the exact error you are seeing..?? did you follow the splunkanswers resolution you posted in your question..?? ... View more

You can setup a default_namespace = under user-prefs.conf to login to users preferred app... user-prefs.conf default_namespace = <app name> * Specifies the app that the user will see initially upon login to the Splunk Web User Interface. * This uses the "short name" of the app, such as launcher, or search, which is synonymous with the app directory name. * Splunk defaults this to 'launcher' via the default authorize.conf http://docs.splunk.com/Documentation/Splunk/7.2.1/Admin/User-prefsconf ... View more

I think the message you are seeing is expected on deployment server, you can't manage all the configs via deployment server web-interface.. check you repositoryLocation on your deloyment server(they usually reside under $SPLUNK_HOME/etc/deployment-apps), whereas on deployment clients they are downloaded under $SPLUNK_HOME/etc/apps https://docs.splunk.com/Documentation/Splunk/7.2.1/Updating/Createdeploymentapps ... View more

Can you post your query here, you can try | addcoltotals ... View more

You can run the search via CLI or RestAPI.. https://docs.splunk.com/Documentation/Splunk/7.2.1/Search/ExportdatausingCLI ... View more

@willsy: so, you don't see any output when you run Splunk cmd btool check..?? It looks like the output you posted is from splunk cmd btool indexes list --debug. what version of splunk are you on..?? Check your SPLUNK_DB environment variable, look at this splunk answer if it helps... https://answers.splunk.com/answers/94428/error-warning-cannot-create-new-path-for-index-when-starting-splunk.html ... View more

@a212830 : accept an answer for future readers. ... View more

so, you don't see a latest bundle when you did apply bundle-push from cluster-master..?? If not, you might have to make a dummy change to get a new checksum or do a rolling restart form cluster-master if that helps. ... View more

Check this Splunk answer, and it seems the same question has been repeated here.. https://answers.splunk.com/answers/708443/splunk-scripted-input-to-run-a-btool-command-witho.html#answer-705615 ... View more

ADIDAS: All Day I Dream About Splunk 🙂 read it somewhere in slack channel... ... View more

What version of Splunk are you on...?? If you are on 7.2 and above, there is a change in Fieldalias behavior, you might have to check you props.conf... https://answers.splunk.com/answers/693737/splunk-720-field-aliases-incorrect-behavior.html ... View more