Hello All, I am working on the installing and getting data In for SC4S(Splunk connect for Syslog). For installation I referred below link and the service is running without any error. https://splunk.github.io/splunk-connect-for-syslog/main/gettingstarted/quickstart_guide/ But the problem am facing is testing the data in , as mentioned in document am trying to send data in UDP port, but some how its giving below error. Command am running: bash echo “Hello SC4S” > /dev/udp/<SC4S_ip>/514 Error am getting as below bash: /dev/udp/: Is a directory Note: Currently the test data send from UDP port is same as SC4S installed machine, as am doing POC on SC4S so only one machine am using for both. Please can any one help me on this, as am not finding any related question on this same. ... View more

Hello All, I have a dashboard which loads large amounts of data, hence its impacting performance dashboard, so to overcome that I decided to go with report acceleration, as given here link But in dashboard it has multiple inputs, like drop down and text box, so for that if I use the post process then I am not getting export feature of Splunk. So can anyone help me how I can achieve my goal? how to optimize dashboard performance? Note: created schedule report which will run every day. Thanks in Advance ... View more

Hello Everyone, I am sending SNMP Trap to Netcool tool using add-on SNMP Splunk MA App for Netcool. however the SNMP trap is successful sending to Netcool tool, but the community value is pass as "testing" but in the Netcool side its giving value as "public" only. Can any one help me here? Where did it go wrong and why aren't we getting correct community value in Netcool side? Thanks in Advance! ... View more

Hello Everyone, I have text file 20170701.txt where 2017-year, 07-month and 01-date. This file is coming from the universal forwarder, below is my inputs.conf (C:\Program Files\SplunkUniversalForwarder\etc\system\local) [monitor://C:\sampletestfile\*] index=test sourcetype=largefile crcSalt = <SOURCE> In the heavy forwarder side i wrote the datetime.xml and props.conf (C:\Program Files\Splunk\etc\apps\myapp\local) <define name="_mydatetime" extract="year, month, day"> <text><![CDATA[source::.*?_(\d{4})(\d{2})(\d{2}).txt]]></text> </define> <timePatterns> <use name="_mydatetime"/> </timePatterns> <datePatterns> <use name="_mydatetime"/> </datePatterns> </datetime> props.conf [largefile] DATETIME_CONFIG = /etc/apps/myapp/local/datetime.xml After the doing changes i have restarted both UF and HF. The problem is am not getting "20170701" date as indexing time in Splunk. And in Splunkd.log am getting below error 07-05-2017 16:13:54.893 +0530 ERROR AggregatorMiningProcessor - Uncaught exception in Aggregator, skipping an event: Error parsing regex XML file: C:\Program Files\Splunk\etc\apps\myapp\local\datetime.xml - Couldn't find 'timePatterns' in config data for AggregatorProcessor. - data_source="C:\sampletestfile\20170701.txt" Can any one please guide me where am wrong. Thanks in Advance ... View more

Hello Everyone, I have text files where there is no datetime in it, but my required is need to get each line as one event with indexing time ( that willbe system time). I have used below props.conf but still its having same datetime for all the events in the file. [test] DATETIME_CONFIG = CURRENT SHOULD_LINEMERGE = false That is one file is having 100 lines as events and for all of that it has same timestamp. Can any one help me where am going wrong Thanks you ... View more

Hello Everyone, I have created multiple dashboards but when i open the dashboard its taking too much of time to load and populated the result, here the main problem is we have to execute each query in dashboard for All time because of requirement and in that the query itself has some join functions to bring the required report. So to make better performance i tried below option but still its not achieved my goal 1. Used post process searches for all the panal but here am enable to give end user download option 2. Used summary index but each schedule search is taking minimum 1 mins to completed the job so like this we have multiple saved searches it might load to our search head and dashboard need to show real time data. Could you please any one guide me how to increase the dashboard performance? Thank you in Advance. ... View more