We are in the process of migrating to SPLINK from Nitro. We have requested a deployment server to be built since deploying packages ( UF for Windows) takes a while. Can I install deployment\license server with no other SPLUNK infra ( SH\INDEXER\HF). ... View more

Just want to confirm process: 1. Create private key on splunk web 2. Create CSR from private 3. Pass to my CA authority and get a pem created 4. place the key and pem on splunk web 5. make web.conf changes to point to caroot and server cert 6. restart splunk Thanks! ... View more

I need to install 2 separate universal forwarders on the same Windows box. I have the install built, one via msi and the other via scripted process. On one install the service shuts down. I connected both services to 1 deployment server and that seemed fine, when I change the deployment client to point to the other deployment server the service also shuts down. Here is the log where you see it removing the and then splunkd restarting. ?? 09-20-2017 12:29:54.412 -0400 INFO DeployedApplication - Removing app=Splunk_TA_windows at='C:\program files\splunk-PI\etc\apps\Splunk_TA_windows' 09-20-2017 12:29:54.537 -0400 WARN BundlesUtil - C:\program files\splunk-PI\etc\apps\SplunkUniversalForwarder\metadata\local.meta already exists but with different casing: C:\Program Files\splunk-PI\etc\apps\SplunkUniversalForwarder\metadata\local.meta 09-20-2017 12:29:54.537 -0400 WARN BundlesUtil - C:\program files\splunk-PI\etc\system\metadata\local.meta already exists but with different casing: C:\Program Files\splunk-PI\etc\system\metadata\local.meta 09-20-2017 12:29:54.552 -0400 WARN BundlesUtil - C:\program files\splunk-PI\etc\apps\learned\metadata\local.meta already exists but with different casing: C:\Program Files\splunk-PI\etc\apps\learned\metadata\local.meta 09-20-2017 12:29:54.552 -0400 WARN DC:DeploymentClient - Restarting Splunkd... 09-20-2017 12:29:54.552 -0400 INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_10.210.147.150_8090_L74B00-PC0ETLVM.prod.travp.net_L74B00-PC0ETLVM_22D4D347-CE64-48BC-A1F0-352E78032799 09-20-2017 12:29:55.956 -0400 INFO PipelineComponent - Performing early shutdown tasks 09-20-2017 12:29:55.956 -0400 INFO loader - Shutdown HTTPDispatchThread 09-20-2017 12:29:55.956 -0400 INFO ShutdownHandler - Shutting down splunkd 09-20-2017 12:29:55.956 -0400 INFO ShutdownHandler - shutting down level "ShutdownLevel_Begin" 09-20-2017 12:29:55.956 -0400 INFO ShutdownHandler - shutting down level "ShutdownLevel_FileIntegrityChecker" ... View more

I know I can create lookup tables and use them during a search. We would like to apply that same process to fields as they are indexed. so rather making field user Paul instead of Xxxad during a search we want to do this when the event is indexed. Is this possible? Does this impact indexing and what are the impacts on searching? Thanks! ... View more

I think I need to push this from the deployment to each device or at least the forwarder and search head. I have 5 servers making up my SPLUNK Enterprise deployment, 1 SH, 1 FW, 1 DS, 2 Indexers. My props.conf on the forwarder has this configuration for 1 data source: FIELDALIAS-severity_as_id = severity as severity_id FIELDALIAS-dst_as_dest = dst as dest EVAL-app = netwitness EXTRACT-subject = CEF:\s+\d(?:|[^|]+){3}|(?[^|]+) When I search I am not seeing the 'subject' does this need to be pushed to the search head? how about the other devices. I am trying to understand this. Thanks! ... View more

My team are the IS Security folks for the company. We are migrating to SPLUNK from McAfee Nitro and currently we only have a need to look at Windows security event logs. We have our business folks using their own deployment of SPLUNK and we don't want to piggy back or share the deployment as this now need to be managed by our operations team and slow down any upgrades we might want to do that business area wouldn't. For these reason we want our own deployment. I have tested running multiple instances on a device by installing, poking the registry to change the service name, zipping up the contents, exporting the registry key then play it back on another device. While this would work with old software deployment strategy it will not work with our new which is puppet. I can install via puppet using the MSI and while I can deploy to a folder of my choosing the service is still installed as splunkuniversalforwader. I am looking for suggestions on how I can implement this. ... View more

I am trying to install the universal forwarder on Windows using this command. msiexec.exe TARGETDIR="C:\PROGRAM Files\splunker-security" /i splunkforwarder-6.6.2-4b804538c686-x64-release.msi RECEIVING_INDEXER="10.83.180.135:9997,10.83.180.133:9997" WINEVENTLOG_SEC_ENABLE=1 AGREETOLICENSE=Yes it seems to ignore the parameters after the .msi. I have to use 2 deployment methods, 1 puppet and the other BMC, so I want to use the msi install as that is a requirement for our puppet deployments. Thanks! ... View more

We are in the process of deploying Splunk to replace our current SIEM and we are trying to find out how we can determine daily event ingestion based on an MB size. How does Splunk determine your daily limit? ... View more

I installed the app and when I tried to make it visible for user to see I get this: Encountered the following error while trying to update: in handler 'localapps': Data could not be written: /nobody/splunk_ta_Symantec-dlp/app/ui/is_visible: 1 ... View more