So, you're not getting data from either unix (not passing through the heavy forwarder, or from windows? ... View more

I know I've seen this before. Recreate the dump or tail with a new input name and check both splunkd.log and the dbx.log for errors or warnings. I know you said the log said success=true, but something else must have failed. ... View more

What type of inputs? ... View more

search | extract | lookup ... View more

Have you tested the lookup by applying it manually after a search that extracts the fields? ... View more

Check the permissions in the Automatic Lookup for applicable Apps. Make sure it is set to include the app throwing the error (I set mine to Global). ... View more

Ok, so it is definitly not a conflicting inputs.conf. Is the target index for this input only? If so, do you have any data in it? You can check this two ways: Manager>Indexes check the size, or check for bucket folders in splunk/var/lib/splunk/indexname/db/. The bucket folders are named 'earliest epoch time_latest epoch time_incrementing unique bucket number. ... View more

The app goes into the etc/deployment apps folder. Example: etc/deployment apps/TA_Windows Add the app to the etc/system/local/serverclass.conf file. Example: squarebracket serverClass:enter the serverclass name that you use to deploy the custom inputs.conf:app:TA_Windows squarebracket stateOnClient = enabled restartSplunkd = true This will send out the app to your server class, just like your custom inputs.conf. If you have multiple server classes that require custom TA_Windows app configurations, then create a copy for each, and change the app name so it is different for each class. ... View more

A pool warning only applies when you have a pool. Issuing a pool warning without an active pool is a Splunk bug. ... View more

Mine is on Windows, and my Splunk bends Redhat to my will. ... View more

raidercom, Wanna bet? ... View more

The license rules are actually very simple. If you exceed x number of violations in 30 days, then you can't search. I believe x=3 for a free license, and x=5 for an enterprise license. Each license violation will roll on it's own 30 day schedule, so if you keep less than the limit over a rolling 30 day period then you'll be fine. A license violation is defined on a day to day basis - if you go over your limit, then it will stick around for 30 days. "Permanent" may stick around longer, but it will only affect your ability to sleep. ... View more

The master license server has not allocated sufficent volume to the slave. http://docs.splunk.com/Documentation/Splunk/5.0.4/Admin/Groups,stacks,pools,andotherterminology#License_slaves ... View more

Is your data showing up as a file's worth of data in one event? Or, is each line showing up as a single event with it's own timestamp? ... View more

No. This sort of thing should be done on each forwarder via the deployment server. Set the inputs.conf default stanza to point to the correct index for the Windows forwarders: index=desiredIndex And remove index specifications from individual input stanzas that you wish to control from the deployed App's inputs.conf as necessary (make the change once and control them all!!!). In your case, it would probably make things a lot simpler to create a separate deployment server on each primary heavy forwarder to manage that particular network. ... View more

This is a philosophical argument. Splunk was built with a Unix structure. As such, I say it was also built with a Unix mind set. Regardless, the more important question is, “which system do you prefer?” This is because 1) Splunk is designed to effectively integrate into each OS, and 2) Splunk implementation will require significant adaptation to your environment. So, “If you were going to integrate a system that manages massive amounts machine data, would you prefer to do the work on a Unix system or a Windows system?” ... View more

Remote monitoring of Windows systems with WMI is risky because data can get lost. The Universal Forwarder is lightweight, and any Windows system that has a problem with it has larger problems. ... View more

The string that is getting set is coming from the “windows_event_details.csv” file. You can find this file in the /windows/lookups/ folder. This file is going to be associated with a Lookup. You can find the name this way: Go to Manager > Lookups > Lookup Definitions, and select Windows from the dropdown menu. Open each one and see which one is referencing the windows_event_details.csv file. That is the one you want to disable. Be aware that any searches that depend on that Lookup will throw an alert that they cannot find that Lookup. Re-enable the DNS Lookup. ... View more

No doubt dbx can be frustrating. When I said conflicting inputs.conf I meant in different app directories. If you go to Manager > Inputs from the Launcher screen and save an input for dbx it will save the input stanza in launcher/local/inputs.conf, if you get there from search, it will save it in search/local/inputs.conf. I had many copies of my input stanzas when I started with dbx. ... View more

Now that you mention it, yes. For a directory or file monitor the inputName is the path. I was thinking last night that you should use crc salt to reindex what is there, and then remove crc salt (because it can cause trouble down the road). To use crcSalt you need to add the line to your input stanza: crcSalt= Here is what the documents say about using crcSalt= If set to the literal string (including the angle brackets), the full directory path to the source file Don't forget to delete the line and the original files after the original files are reindexed. ... View more

Your data is there, 226391 records of it. The question is where. Verify your index is correct, and that you don't have a conflicting inputs.conf. Search from now to a month in the future (I don't think all time does the future). ... View more

Does the dbx.log do you see something like: dbmon-tail://database/input, resultCount=integer, success=true ? If so then the data is in your index - try a search for all time. If you don't see that entry in your log, then what are you seeing? ... View more

That's your problem. It's actually a quite glorious if you think about it. I think what you have is a self populating lookup table. I've seen this before with AD/DNS monitoring where it learns the relationship between IPs and ComputerNames. You can disable the lookup, or learn to live with the output, which is to some extent at least, that is valid for this Event ID. ... View more