I have the following scenario to achieve: 1.I have a cluster of indexers receiving misc. events 2. By default, all events are indexed locally 3. For events matching specific condition (for instance, a specific sourcetype) I want to forward them to a 3rd party indexer without indexing them locally. In the documentation, I found several examples closed to what I need: http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad So I configured the following: outputs.conf [tcpout] defaultGroup=nothing [tcpout:externalIDX] server = x.x.x.x:9997 props.conf [mysourcetype] TRANSFORMS-routing = ForwardToEXT transforms.conf [ForwardToEXT] REGEX = . DEST_KEY = _TCP_ROUTING FORMAT = externalIDX Results When I do apply configuration, my external system does receive the events but my local indexer no longer index anything. Alternatively, I tried to remove defaultGroup=nothing from outputs.conf. This time, everything (any event) is duplicated to the external indexer. Anybody, to help me to define the right syntax? Regards. ... View more

Hello, When events with a specific sourcetype arrive on my indexers, I would like to have both local indexing (default for any kind of sourcetype) but also forward them to another Splunk indexer. So far I got this... It does properly forward this sourcetype to the external indexer. But no longer index the events locally. outputs.conf [tcpout:externalIndexer] server = external_indexer:9997 props.conf [SourceTypeToForward] TRANSFORMS-routing = sendToExternalIndexer transforms.conf [sendToExternalIndexer] REGEX = . DEST_KEY = _TCP_ROUTING FORMAT = externalIndexer How can I enhance this config to have both ? ... View more

Hello, I have a Search Head Cluster configured with SAML authentication (ADFS)... For an existing SAML group (already granted with some role), adding new roles using GUI does not apply. For instance I have a user user1 member of SAML group group1. And I have several roles app1, app2, app3 I initially grant the user with role app1... Looking at authentication.conf, I see: [userToRoleMap_SAML] user1@domain.com = app1 [roleMap_SAML] app1 = group1 For this first test, access to app1 is ok for user1... Also I already noticed that the role group assignment has been copied to the user... Strange but so far, it does not create a real problem. But then if I edit again group role assignment to add more roles. This time, I get: [userToRoleMap_SAML] user1@domain.com = app1 [roleMap_SAML] app1 = group1 app2 = group1 app3 = group1 roleMap_SAML is updated as expected, but this time, no copy-paste to the user section. And the roles are never really granted to the user including after a rolling restart. I checked the value of roles using "| rest splunk_server=local /services/authentication/current-context " and I only see the role defined by user mapping. Why does the group mapping does not work ? ... View more

Hello, I have a 3-node (Windows 2012 R2 based) Search Head Cluster currently connected to a standalone indexer. I wanted to follow the non-rolling upgrade procedure (anticipating it will be soon connected to a clustered indexer) described here: http://docs.splunk.com/Documentation/Splunk/latest/DistSearch/UpgradeaSHC It is specified as step 1 to stop all cluster members, and to only restart them after the upgrade of all nodes. However: 1. If I simply stop Splunkd Service, the MSI setup does restart the service automatically at the end of the upgrade. 2. If I stop Splunkd Service and temporary change startup type to Disabled, upgrade fails and rollback because setup is not able to start the service. By the end, the upgrade has worked (I manually stopped again each node after its upgrade) but I have not been able to comply with the "official" non-rolling upgrade procedure. Is anybody proceeding differently and able to follow the official procedure ? Regards. ... View more