Is it possible to modify log.cfg via REST? We have several thousand UF's where we need to modify this config file. ... View more

Hoping I can get some feedback on what others have done in this predicament. Trying to deploy DB Connect 2.4.0 in a clustered SH / clustered IDX architecture to be used for "DB Inputs" only (no outputs, and lookups unlikely) Per the Splunk docs, the app is deployed and configured first on a SH Manager/Deployer, and then deployed to the cluster members. All good so far and everything works including the connections. Now trying to configure a DB Input. Get to the point in the GUI asking for the "index" and only the local indexes are available in the drop down (local to the search heads or SH Manager/Deployer). Expected the indexes on the "IDX Peers" to be presented. Waded through Splunk Answers. Several people talking about "deploy to a dedicated HF" or "deploy to the IDX Peers". The Splunk docs mention zip about anything other than deploying on SH's. Not a word about any other scenarios. All of our HF's are are headless (no GUI), and reluctant to put this directly on our Indexers. Don't mind "winging it", but am hoping for some lessons learned before going that route. ... View more

Interested in learning a repeatable process of how to validate the installation of an "Add-on"? Up to know validation has been easy, since installed Add-on's were accompanied by the installation of an App that depended on the add-on. Now I am being requested to install several Splunk developed Add-on's, with no associated Splunk App. Is there a repeatable process for testing, troubleshooting, or validation that the installation of an Add-on was successful? So that the question is not too broad, some of the Add-on's currently working on: Splunk_TA_sourcefire Splunk_TA_cisco-asa Splunk_TA_flowfix Splunk_TA_modsecurity Splunk_microsoft-iis ... View more

Having problems with setting up DB Connect 3.0.1 to connect to DB2 on z/OS. I know, is not supported by Splunk. Our dba provided the zOS driver and license file. With no modification to the Splunk environment (running on SuSE) the driver was recognized without issue. Proceed to create a connection. Continue to receive the error below, which believe to be a generic error response from the DB2 instance indicating that Splunk is not reading the provided license file "db2jcc_license_cisuz.jar" -----------------------------error message (truncated)-------------------------------- Internal server error, originalErrorMessage=[jcc][t4][10509][13454][4.19.66] Connection to the data server failed. The IBM Data Server for JDBC and SQLJ license was invalid or was not activated for the DB2 for z/OS subsystem. If you are connecting directly to the data server and using DB2 Connect Unlimited Edition for System z, perform the activation step by running the activation program in the license activation kit. I have tested the same setup using open source database clients, which all threw the same error, until I provided the path for the license file. Once the CLASSPATH was modified with the path to the license file, everything worked. So.... I did the same thing in Splunk, adding: export CLASSPATH="/opt/splunk/etc/apps/splunk_app_db_connect/drivers/db2jcc_license_cisuz.jar" Restarting Splunk And verifying with: echo $CLASSPATH Also tried the same process with the license file in: /opt/splunk/etc/apps/splunk_app_db_connect/bin/lib Hope somebody can help me see what I am missing ... View more

I have tried all of the examples but am still not getting accurate results. I have a lookup table with (1) column only, a list of hostnames under the heading "name". I have an index that is the output of an internal scanner with an event field "dvc". I need a search that will be used on a regular basis to compare the lookup table and scan results with the output being those hostname that appear in the scan list, but not in index during a particular period of time. The problem is, with the search below, I get inaccurate results. What I get is the first host listed in the lookup table (in the uploaded CSV) and nothing more. What I expected as output was a much longer list of "dvc" that existed in both the lookup table, and the index. When I manually validate I find many records in the lookup table that ARE in the index. The host that does appear, is accurate, but am missing many others that should be there. I am suspicious the output is stopping after the first lookup table entry. I checked the spelling of all of my hostnames in both the lookup table and the index, focusing on those that should be appearing. Spelling is exactly the same, including case. index=scanner dvc=* [|inputlookup test_lookup.csv | fields name | rename name AS dvc] earliest="02/01/2017:00:00:01" latest="02/02/2017:23:59:59" | dedup dvc | table dvc, _time | sort dvc ... View more