@danielcj wrote: Hello @Gregski11 , This message is related to jQuery 3.5 upgrade. More details on this docs: https://docs.splunk.com/Documentation/UpgradejQuery/1/UpgradejQuery/jQueryOverview "If you encounter an issue with jQuery in a Simple XML dashboard that you own, update your custom JavaScript to work with jQuery 3.5, and certify that the dashboard works with jQuery 3.5 by adding version="1.1" to the root node of the dashboard source code. "   thank you so much can you explain what the root node of the dashboard source code means, I have been adding the version parameter to either the <form version="1.1"> form tag or the <dashboard version="1.1"> tag since some have one and not the other, should all of our custom Dashboards have the <dashboard version="1.1"> tag at the top of the source code, is that best practice? by the way I did not write this code, I inherited it, thank you for your help ... View more

@danielcj wrote: Hello @Gregski11 , The role that you are saying is the Monitoring Console role or the Deployment Server actually acting as a Search Head? In the first case, only the Search Heads should have the Search Head role. In the second case, it is not recommended because if the DS have many clients phoning home, searches could overwhelm this instance.   Thanks. we do NOT actually use it as a Search Head it just has the box checked in the Monitoring Console so I am just asking if we should simply uncheck that box, hope that explains it better, thank you for trying to help ... View more

@gcusello wrote: Hi @Gregski11, as @danielcj said, if your Deployment Server has to manage more than 50 clients, it's better don't give it more roles because it's already overloaded by its role. Ciao. Giuseppe thank you Giuseppe, but our Deployment Server has over 500 clients, are you saying that is too many, keep in mind although the Search Head role is on it, we do NOT run any searches on our Deployment servers I was just asking if even if we don't use them as search heads should I still remove the Search Head role esentially just uncheck the box to keep things clean ... View more

@Zacknoid wrote: Upgraded to version 9.0 facing similar issue : Root Cause(s) Indicator 'ingestion_latency_gap_multiplier' exceeded configured value. did you find out any solution for this ??    Thanks    no but after a day or two the problem just went away  ... View more

@Azeemering wrote: Yes Splunk's Minimum search head specification's are: An x86 64-bit chip architecture. 16 physical CPU cores, or 32 vCPU at 2Ghz or greater speed per core. 12GB RAM. See: Reference hardware - Splunk Documentation   thank you, but I don't follow, you shared the minimum specifications and my question was why Splunk does not see the second CPU in our machines, I followed that link and don't see how to engage the other CPU, what am I missing? ... View more

@Azeemering wrote: proxy? firewall? yeah, we were thinking the same thing, but sometimes it works, so it's intermittent I thin firewall is either on or off so I am at a loss, plus the other search heads are set up the exact same way and they work ... View more

@richgalloway wrote: The default geolocation database changes with every release.  The new database may produce different (hopefully more accurate) results than older versions. You can update the database yourself, if it's in MMDB format.  See https://www.splunk.com/en_us/blog/tips-and-tricks/updating-the-iplocation-db and https://docs.splunk.com/Documentation/SplunkCloud/8.2.2203/SearchReference/Iplocation for tips on that. There is an app available to keep the database current.  See https://splunkbase.splunk.com/app/5482/ . thank you so much Rich this really helps, it does appear as though the first two links you posted lead to the same location, was that what you expected?   https://www.splunk.com/en_us/blog/tips-and-tricks/updating-the-iplocation-db   https://docs.splunk.com/Documentation/SplunkCloud/8.2.2203/SearchReference/Iplocation     ... View more

 we are getting the same error on our Cluster Master and it's running version 9.0.0 Root Cause(s): Events from tracker.log are delayed for 44 seconds, which is more than the yellow threshold (15 seconds). This typically occurs when indexing or forwarding are falling behind or are blocked.   we also opened a support case with Splunk will keep you all up to date on how it unfolds ... View more

@gcusello wrote: Hi @Gregski11, each Splunk Enterprise installation has the feature to forward logs, so as you can forwardr internal logs as I described in my previous answer. At the same time you can install the same TAs (e.g. the Splunk_TA_Windows) to take all local logs and send them (with the same forwarding configuration) to Indexers. In other words: you don't need a Forwarder on a Splunk Enterprise server because it already has this feature; you have to manage log ingestion on them as Forwarders, using TAs (better) or enabling local inputs (I don't like this!). Ciao. Giuseppe Looks like the Splunk Add-on for Windows does not collect Event Logs: The Splunk Add-on for Windows allows a Splunk software administrator to collect: CPU, disk, I/O, memory, log, configuration, and user data with data inputs. Active Directory and Domain Name Server debug logs from Windows hosts that act as domain controllers for a supported version of a Windows Server. You must configure Active Directory audit policy since Active Directory does not log certain events by default. Domain Name Server debug logs from Windows hosts that run a Windows DNS Server. Windows DNS Server does not log certain events by default, and you must enable debug logging. https://docs.splunk.com/Documentation/AddOns/released/Windows/AbouttheSplunkAdd-onforWindows   ... View more

@gcusello wrote: Hi @Gregski11, each Splunk Enterprise installation has the feature to forward logs, so as you can forwardr internal logs as I described in my previous answer. At the same time you can install the same TAs (e.g. the Splunk_TA_Windows) to take all local logs and send them (with the same forwarding configuration) to Indexers. In other words: you don't need a Forwarder on a Splunk Enterprise server because it already has this feature; you have to manage log ingestion on them as Forwarders, using TAs (better) or enabling local inputs (I don't like this!). Ciao. Giuseppe thank you so much Giuseppe, it appears we do have the Splunk Add-on for Microsoft Windows version 7.0.0 already installed and enabled on our Search Heads (it's not made visible though, but I don't think that matters) I do not see it on our other Splunk servers but they have apps called SplunkForwarder and  SplunkLightForwarder I wonder what those apps do on those servers ... View more

@gcusello wrote: Hi @Gregski11, if a forwarders sends lohs to indexers it must have an outputs.conf file, maybe not in $SPLUNK_HOME\etc\system\local, but in another location. It0s usuallt a best practice to put outputs.conf and deploymentclient.conf files not in the above folder but in a dedicated TA ()called e.g. TA_Forwarders) to manage using a Deployment Server, in this way you can easily change or add Indexers or Deployment Server. You can find the outputs.conf file using btool command by CLI on the Forwarder (https://docs.splunk.com/Documentation/Splunk/8.2.6/Troubleshooting/Usebtooltotroubleshootconfigurations). in few words:     ./splunk btool outputs list --debug     the output will be the list of all options in all outputs.conf files present in your Forwarder. Ciao. Giuseppe ah, thank you sooooo much looks like they are in the etc\apps folder and subfolders named after our apps, really wish Splunk documentation said this, I followed like 19 of their docs and no mention of this from the forwarder and receiver perspective ... View more

@ITWhisperer wrote: Also, I think the idea is that people come here (to the community) to find answers to their questions (using the search facility!). thanks for your comment, I think that's just it, I rather drill down and search within a sub forum than in the entire Community, same goes for posting questions, this portal attempts to pigeon hole us when we try to ask a question and often times I am at a total loss as where to post my inquiries   ... View more

@gcusello wrote: Hi @Gregski11, you don't need to install a forwarder on your Splunk servers, you have only to forward their internal logs to Indexers. You can do this in a simple way: [Settings -- Forwarding and receiving -- Forwarding]. This is a best practice for all Splunk infrastructure, in this way you can monitor your Splunk infrastructure using the Splunk Monitoring Console App. Ciao. Giuseppe the Monitoring Console does not give us what we need? I want to be able to see how long our Splunk servers have been up for, ie how many days? ... View more

thanks, this is what I see, does this mean this Search Head is not configured to forward it's data to an Indexer?    ... View more

thank you I appreciate that, do you think it is a good idea to keep the Index Cluster Master role on a different box than the Search Head Cluster Deployer?  ... View more