Same issue: - newest Splunk (6.3.3) - newest stream (6.4.2) - installed manually (from file) - confirmed permissions - wire input set properly (it was done for me automagically) and enabled -- even did the trick of restarting it as described above - enabled all the default streams - did the kernel buffer resizing trick - confirmed inputs.conf is correct (according to documentation) - edited streamfwd.xml to use correct interface (according to documentation) - confirmed interface is getting data with tcpdump - restarted Splunk instance (a couple of times...) - sacrificed a large chicken No data shown in source="stream*" or in the UI. Perhaps the streamfwd.log file doesn't exist any more in this version, or didn't get created...? ... View more

I downvoted this post because no such file...? ... View more

heh, ya "thanks for the help". I'm looking for this answer, and the best I can find are half-answers from 2012. My guess is not many people are even paying attention to this. In our case, the expired certs are setting off alerts with other IDS/IPS sensors, so we want to address it. Even the /splunk help createssl documentation sucks, including line formatting and spacing that's all jacked up -- signs that no one is actually putting any energy into improving this situation. Folks, when someone asks how to do something, as long as it's not completely in left-field, please answer it completely, or not at all. Assume defaults if information is omitted (avoid: "well, you didn't say what O/S, or your server's name, or your blood-type..."). For example the "answer above" does not work, there are other parameters that are required, and yet, it's the "accepted answer". Gah! Also the link to RTFM that discusses certs in general terms, does NOT explain how to renew a cert. Gah! Don't try to up your "answer" count with links to docs that discuss the issue at 20,000 feet. It's a question, looking for an answer. Period. ... View more

I believe the line needs to be in regex format (according to: http://docs.splunk.com/Documentation/Splunk/6.3.0/Data/Whitelistorblacklistspecificincomingdata). so, it should read: goonhilly_access$ where $ = end of line ... View more

@Anekkanti only one, from two hours ago: 10-06-2015 13:55:37.897 -0500 ERROR TcpOutputProc - LightWeightForwarder/UniversalForwarder not configured. Please configure outputs.conf. I am getting one that may be a clue, emphasis below is mine (is it just taking a long time?): 10-06-2015 15:24:37.496 -0500 WARN TailReader - Enqueing a very large file=/var/log/squid/access.log in the batch reader, with bytes_to_read=878207660, reading of other large files could be delayed ... View more

BTW: I just "downgraded" back to 6.2.5 from 6.3 on one of these boxes -- and it indexes recursively just fine. ... View more

Good answer. The simple solution was to cut down the "limit" -- mine was at 20, setting to 10 solved it. Thanks! ... View more

did this change in 6.2? I'm following all the way through to "edit each dashboard panel..." but I can't find a "Search Report" anywhere... ... View more

Maybe I miss-understood the question, but this didn't work for me; but the "replace" command worked great. Reference here: http://answers.splunk.com/answers/7077/how-can-i-rename-the-host-names-for-my-chart.html ... View more

"Just to be precise: stats does not clear any field's value - but any field not provided with a stats command is not available afterwards in the search pipeline." Thanks! ... View more

Fantastic, this is perfect, provides exactly what I was asking for. Thank you! No, reading the docs yet again on stats doesn't do much for me, that's why there's Q&A places like this ... 😉 Award Points to Chanfoli! ... View more

I had to add the field name to make mine work: (replacing + with a space in my case) rex mode=sed field=search_term_used "s/+/ /g" Also, in my case I had to escape the + weird, when I post this comment, the rex line looses the escape character . ... View more

Same here (6.2, Linux, build 237341) ... View more

Thank you! I tried that before and it didn't work -- but after simplifying the alert to a simple check for the number of events being less than 10 (and taking out the "stats count..." and "search count..." cruft) it seems to be working dandy... ... View more

Thanks. Just tried it, works well enough. Bummer though, all that invested time in getting my dashboards and reports created with geoip -- just another thing to add to my todo list, editing them... ... View more

Egads! Using Splunk for five years now; I totally forgot about the fishbucket... Thanks! ... View more