I have multiple monitored csv files that are created every day at different times on a single server with a Universal Forwarder. Old files are deleted and completely new files are created. Each file is indexed when created and then again at 05:30 am the next day causing duplicate data. Looking through Splunk>answers, I found where I should add the crcSalt = line in the [monitor] section of inputs.conf. I did this for one of the files and the file is still being indexed twice. What else should I do to stop the second indexing? I do find it interesting that the second indexing for these files happen at the same time. Is there some config that sets that time? Just wondering. Thanks for any help provided. Scott ... View more

I am in the process of shrinking my Splunk configuration from a Distributed setup to a Single instance. I did a fresh install of Splunk Enterprise, moved old indexed data to the new system and starting to configure the Apps and Add-ons. While running the Splunk App for Windows Infrastructure's Guided setup, it passes the Prerequisites (Spunk v6.6.1, Splunk Add-on for Windows v4.8.4 and Splunk Supporting Add-on for Windows Active Directory v2.1.4), passes Check data and then starts to experience issues. Using the Detect Features button, it starts looking for Windows and AD features. The status window shows - WinApp_Lookup_Build_Perfmon - Update - Server could not be built. WinApp_Lookup_Build_Perfmon - Update - Detail could not be built. WinApp_Lookup_Build_Event - Update - Server could not be built. WinApp_Lookup_Build_Event - Update - Detail could not be built. WinApp_Lookup_Build_Hostmon - Update - Server could not be built. WinApp_Lookup_Build_Hostmon_Machine - Update - Detail could not be built. WinApp_Lookup_Build_Hostmon_FS - Update - Detail could not be built. WinApp_Lookup_Build_Hostmon_Process - Update - Detail could not be built. WinApp_Lookup_Build_Hostmon_Services - Update - Detail could not be built. WinApp_Lookup_Build_Netmon - Update - Server could not be built. WinApp_Lookup_Build_Netmon - Update - Detail could not be built. WinApp_Lookup_Build_Printmon - Update could not be built. DomainSelector_Lookup could not be built. HostToDomain_Lookup_Update could not be built. tHostInfo_Lookup_Update could not be built. tSessions_Lookup_Update could not be built. SiteInfo_Lookup_Update could not be built. ActiveDirectory: Update GPO Lookup could not be built. ActiveDirectory: Update Group Lookup could not be built. ActiveDirectory: Update User Lookup could not be built. ActiveDirectory: Update Computer Lookup could not be built. I then finish and look at the Overview, some data is populated but not enough to be useful. I do not see any relevant errors in splunkd.log and am stumped to where to look next. Any help is appreciated. ... View more

Due to the amount of bugs that I have been running into since moving to a clustered environment, I want to return to a single instance. I found http://docs.splunk.com/Documentation/Splunk/6.6.1/Indexer/Moveanindex and it looks like all I have to do is move the \Splunk\var\lib\splunk directory to the new system. But nothing is ever that easy. I am worried that since the buckets are duplicated, i will end up with too much data and Splunk will not know how to process that extra data. I am also ok with some telling me how to roll back my clustered systems into a single system. Thanks. ... View more

I am currenly running a 2 system indexing cluster on Windows VMs. One of the systems is experiencing poor performance causing my search head to run slowly. What I want to do is configure a new VM, install a fresh Splunk Enterprise application and move all incoming data to this new system and bypass the old indexer. With the replication going on between the indexers in this cluster, can I shut down the slow indexer and not lose and indexed data? If this is not feasible, is there a way to migrate the data from the old system to the new one? ... View more

I have set up a directory on a Windows system to be monitored by a UF. Two csv files are created every night and are getting indexed. However, the timestamp is the time the file is created, not the time that is in the "Timestamp Fields" parameter. The first line of my csv file is - Event,Door,Side,First name,Last name,Picture,Credential,Supplemental credential,Event timestamp,Credential code,Card format Event timestamp is in this format 4/15/2017 3:45:15 PM The defined parameters under source type are Catagory - Structured, Indexed Extractions -csv, Extraction - Advanced, Timestamp fields - Event timestamp. All others are set to default. props.conf contains - [logs] category = Structured pulldown_type = 1 DATETIME_CONFIG = HEADER_FIELD_LINE_NUMBER = INDEXED_EXTRACTIONS = csv NO_BINARY_CHECK = true TIMESTAMP_FIELDS = Event timestamp description = Door log disabled = false FIELD_QUOTE = ' The second problem is that not all lines of the file not be indexed. I cannot find any parameter that would restrict the size of a file to be indexed. ... View more

I get a nice table with the logon and logoff times per user using the following search - LogName=Security EventCode=4624 | stats earliest(_time) AS LOGON by user | join [ search LogName=Security EventCode=4634 | stats latest(_time) AS LOGOFF by user] | eval LOGON=strftime(LOGON,"%H:%M"), LOGOFF=strftime(LOGOFF,"%H:%M") What I would like to do i create a graph showing the count of logon and logoff by user broken down by hour. The problem is that Windows creates multiple 4624 and 4634 messages. As timechart has a span of 1 hour, it picks up these "duplicate" messages and I get an entry for every hour the user is online. How would I create a query to only count and chart the first logon message and the last logoff message per user by hour? Thanks. ... View more

We are moving to a new Anti-Virus vendor and I will need to add the add-on (TA) for the new vendor. My question concerns the old TA. If I remove the $SPLUNK_HOME/etc/master-apps/ section concerning the old vendor, does that remove the TA from the cluster nodes? Or am I going to have to delete the TA using "splunk remove app -auth user:PW" command? ... View more

Using the Splunk Supporting Add-on for Active Directory, I have been tasked to find out which users are assigned to specific groups. I can get a table showing the "Common Name" of the users in each group - |ldapsearch domain=default search="(objectClass=group)"|table cn,distinguishedName |ldapgroup|rex field=member_dn "CN=(?P\w*\s\w*)"| table cn,UserName | rename cn AS "Group" Results of the search looks like this Group UserName IT Support Fred Flintstone [blank] Barney Rubble . . Security Thomas Magnum [blank] Frank Cannon I then run the following search to get the title of the user - |ldapsearch domain=default search="(&(objectClass=user)(!(objectclass=computer)))" | dedup cn title | table cn title | rename cn AS UserName, title AS Title Search results look like this - UserName Title Fred Flintstone Computer Analyst Barney Rubble Senior Computer Analyst Thomas Magnum Security Guard Frank Cannon Security Manager I what to have a table that combines the searches to look like this - Group UserName Title IT Support Fred Flintstone Computer Analyst [blank] Barney Rubble Senior Computer Analyst . . Security Thomas Magnum Security Guard [blank] Frank Cannon Security Manager I have tried join, append, appendcols and cannot get the items to line up correctly. What am I missing? ... View more