You can use below procedure to workaround this. However, please noticed that after changing the script, I don't think Splunk will support that. If you want to change the attachment file name when using search app by using sendemail, add the following to line #336 in .../etc/apps/search/bin/sendemail.py if argvals.get('attachment_name'): ssContent['action.email.reportFileName'] = argvals.get('attachment_name') When sending alert in search app, pass the attachment name to attachment_name. Your alert search will be like this. ..... | sendemail to=myemail@myemail.com message="Test alert by using sendemail" content_type=html sendresults=true sendcsv=true inline=false attachment_name="my_attachment" ... View more

Can you try to concat the cert into a single pem file, and then add the following. TLS_REQCERT never TLS_CACERT /opt/splunk/etc/openldap/certs/Your_Concat_Cert.pem #TLS_CACERTDIR /opt/splunk/etc/openldap/certs ... View more

You can use _TCP_ROUTING in your inputs.conf to route to different output group. Below are some sample configuration. inputs.conf [monitor://$SPLUNK_HOME/var/log/splunk] index = _internal _TCP_ROUTING = tcp_3rdparty outputs.conf [tcpout] indexAndForward = false defaultGroup = noSuchOutputGroup [tcpout:tcp_3rdparty] server = 192.168.1.165:22222 blockOnCloning = false dropEventsOnQueueFull = 5 sendCookedData = false Remark: You can use netcat to test the setup before you setup the 3rd party server E.g. nc -l 22222 ... View more

Does your indexer in a cluster environment? That procedure only apply to indexer cluster. That means you need to change Splunk_TA_paloalto in cluster master and then deploy to indexer member. ... View more

One possibility is you've firewall enabled on the sever. You can try to run this command to verify. iptables -t nat -L -v iptables -t mangle -L -v iptables -t raw -L -v iptables -t security -L -v From the output, if you saw something like this "MASQUERADE all – any any anywhere anywhere" This means you enabled masquerading for all traffic. This causes local to local traffic also to be source NATed. ... View more

According to this link, http://docs.splunk.com/Documentation/AddOns/released/Overview/Distributedinstall (Indexer cluster section) We need to remove the following file if the TA is deployed to indexer cluster. Remove the eventgen.conf files and all files in the samples folder. Remove the inputs.conf file, if it contains one. Remove the database.conf file, if it contains one. In your case, you can run the following command to fix the issue. mv /opt/splunk/etc/master-apps/Splunk_TA_paloalto/default/inputs.conf /opt/splunk/etc/master-apps/Splunk_TA_paloalto/default/inputs.conf.orig mv /opt/splunk/etc/master-apps/Splunk_TA_paloalto/README/inputs.conf.spec /opt/splunk/etc/master-apps/Splunk_TA_paloalto/README/inputs.conf.spec.orig ... View more

When splunk run scheduled job which generate result to summary index, once the result is generated, it will write the result into a temporary directory /opt/splunk/var/spool/splunk with a file suffix stash_new. (For example, RMD541b14054534417ff_2113273468.stash_new) Splunk by default will monitor this directory with this stanza. [batch:///home/daniel/splunk-idx/var/spool/splunk/...stash_new] sourcetype = stash_new From your description, as you didn't change the scheduled job, one possibility is the sourcetype = stash_new in props.conf is altered by other stanza. You can check it by using this btool command. splunk cmd btool --debug props list stash_new If the returned result have some configuration from local directory, you may need to check whether that configuration is really for stash_new or not. One example that may break the summary indexing logic is that you accidentally write the followng into local/props.conf without any stanza. That configure will applied to [stash_new] as well. cat etc/system/local/props.conf INDEXED_EXTRACTIONS = CSV ## As above configure is not under any stanza, it will apply to all other stanza. Don't configure like this. ... View more

Starting from splunk version 6.3 and later, you can use this command. ./splunk list inputstatus It will return something like this. Cooked:tcp : 9997:192.168.1.104:8089 time opened = 2017-07-09T17:28:47+0800 /opt/splunk/var/log/splunk/splunkd_ui_access.log file position = 434781 file size = 434781 parent = $SPLUNK_HOME/var/log/splunk percent = 100.00 type = finished reading Here is the meaning of the output: file position: The file pointer position that Splunk is currently reading at. If this is the same as file size, that means Splunk reach end of file (EOF). file size : Total file size of the monitored file. parent : If you are monitoring a directory, this tell you from which monitoring stanza the file is come from. percent : The progress of the monitoring. If it is less than 100%, Splunk will re-visit the file again. type: The monitoring status. It can be ‘finished reading’, ‘open file’, ‘missing’, ’directory’, 'reading (batch)'. Remark: If you saw 'reading (batch)', that means the file that you are monitoring is greater than min_batch_size_bytes under limits.conf (default is 20M in size) and Splunk is using batch processor to process the file. It is a single thread process and will process one file at a time. (TailingProcessor is multi thread process). ... View more

You can check whether srchFilter is set in your role. For example, authorize.conf [default] srchFilter = NOT index=*_archive If you have set srchFilter to some value, it will get added to every search for this role. As your srchFilter exist, it includes an “index=“ line and Splunk is not going to look at the srchIndexesDefault parameter. ... View more

The “INDEXED_EXTRACTION” came out in 6.x changes a few things on how Splunk works. Its used for well known log sources (IIS, JSON, XML) to have their fields parsed out by the forwarder, moving the work from the indexer to the forwarder. So you need to install those props on the forwarder, not the indexer. When INDEXED_EXTRACTIONs is enabled, it will pass the parsed fields into the indexers. The indexers will not apply any parsing rules for data that was processed as INDEXED_EXTRACTIONs. You can add the following into your forwarder configuration. props.conf [carbonblack:json] INDEXED_EXTRACTIONS=json Here is the doc for more information. http://docs.splunk.com/Documentation/Splunk/6.5.2/Data/Extractfieldsfromfileswithstructureddata ... View more

This behavior will be changed from 6.2.3 tentatively. A warning message will be logged instead. ... View more