Check splunkd.log.  If you find a core file, open a support request with Splunk. ... View more

You say the username and password are working fine, but the error message clearly disagrees.  Ask your DBA to reset the password. ... View more

I'd start by using the find command to see if the reported string is in any of your props.conf files. find /opt/splunk/etc -name props.conf -print0 | xargs -r0 grep "\(::)\?" When you find that you should know what needs fixing. ... View more

The MC doesn't have that information.  You can get it from the SH on which the search is scheduled.  Go to Settings->Searches, reports, and alerts or search for  | rest /services/saved/searches | search is_scheduled=1 ... View more

Shutdowns may be a problem since it's possible the system could stop before the event is sent to Splunk.  Reboots are possible, however.  The key is monitoring the right source(s) on your Linux boxes and indexing that data in Splunk.  You will need to monitor the /var/log file in which the OS records shutdown and startup events (I don't know which file, ATM).  Then it's just a matter of creating a scheduled search to find those events and alert when they're found.  Once you have the data in Splunk, come back with questions about searching for it. ... View more

The first step is to find out what file/directory is using up the disk space.  Use the du utility for that.  Next, figure out what process is using the disk space.  Is it Splunk, the OS, or another app?  Then you can try to determine the cause.  It could be too many search artifacts filling up the dispatch directory or searches not getting reaped from dispatch, a lookup file may have grown too large, etc. ... View more

The Monitoring Console and Cluster Manager both should have a full list of indexers, with the CM likely to be more accurate.  The Inherited Development manual (https://docs.splunk.com/Documentation/Splunk/8.1.3/InheritedDeployment/Introduction) offers other suggestions for finding what instances you have. ... View more

Splunk is a very Linux-centric company so Windows-oriented instructions are not as common as they could be. Most of the time, all a Windows admin needs to do is change file path delimiters, but every now and then a Linux command has to be replaced with a Windows equivalent.   In this case, I use 7-zip in place of tar.  Also, Ubuntu on Windows has tar available. ... View more

I'm not sure what to do about that, but I'm pretty sure it's not a Splunk problem.  See if https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors helps at all. ... View more

Follow the instructions in the second link provided. ... View more

It's documented.  See https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/UsingforwardingagentsCloud or https://docs.splunk.com/Documentation/Forwarder/latest/Forwarder/HowtoforwarddatatoSplunkCloud You also can go to the "Universal Forwarder" app in your Splunk Cloud instance for instructions. ... View more

More information, please.  The question mentions "Cluster Master", "CM", and "MC", but they are two different things.  Which are we talking about?  Where and how did you define the workload admission rules?  Are the search heads clustered? ... View more

There';s no need to dedup before counting.  The distinct_count function will give the number of unique values in a given field. sourcetype=x index=x method="Explicit Proxy" | fields app,category,activity, user, bytes | stats dc(user) as users, sum(bytes) as totalBytes by app I'm not sure anyone here can say if the results of the second query are correct or not because we don't have access to your data. ... View more

For an app to be approved for Splunk Cloud it must be evaluated for compatibility with Splunk Cloud.  That only happens when a Splunk Cloud customer requests to install your app.  Developers cannot request Splunk Cloud vetting. ... View more