Well, I had this setup using the same document I referenced and it worked for me. Although I do not use the analytics iApp as the 50 or so data models it enabled were a big strain on our indexer layer.
Would you check your event collector layer logs to see if there are any errors w.r.t. the token that you use for F5 logs? Did you define any custom index for the logs? Is the token configured to write to all indexes that the iApp sends data to?
Did you set up logging on the F5 using the iapp and http event collector? Ref: https://www.f5.com/pdf/deployment-guides/f5-analytics-dg.pdf
Since this was an ES upgrade, didn't you already have the Splunk_TA_ForIndexers on your indexers? I do have it and the notable index was present. Interestingly, the notable index has no data after the upgrade!
@LukeMurphey - I do not see any way to edit permissions on the list page. I am on v2.7.1 of the Lookup Editor. I am running this app on an Enterprise Security search head with Splunk v6.5.1 - screenshot - https://imgur.com/a/AR5pv
That worked! I knew it was going to be a trivial thing. I do wish the inputs automatically added either the redis_host field or made a host=field by itself. Thanks.
These are modular inputs configured on a data collector that has the add-on installed. The host field is populated by the hostname of the data collector instance.
I am trying to pull logs from three redis servers. I have them configured as separate inputs. However, I am unable to differentiate the logs using any metadata or field. I am sure I am missing something trivial. Would anyone shed some light on this?
This is so great. I am writing this comment (and upvoting) AFTER searching for this answer and using it for the third time. Quite ungrateful. 😕
For time travelers - my guess for the duplicate logs was that XML insertion does not happen at the end of the file, throwing off Splunk's check mechanism for detecting change and re-indexing the whole file. I mitigated this by not monitoring the file currently being written to, having the file rotated every 15 minutes, and monitoring the rotated files. These rotated files won't have anything written in them once they are created - hence avoiding the problem. Hope it helps.
Have you looked at https://docs.splunk.com/Documentation/ES/4.7.2/Install/ImportCustomApps? Esp. this part: "Import add-ons with a different naming convention". In short, edit the update_es input with a regex matching your custom app that has the macro in question.
Have you tried eventstats? Like so:
sourcetype=* result=FAILURE | bucket _time span=1m | eventstats count by username, src | search count > 4 | table username device result reason src _time count
As root, run chown -R splunk:splunk /opt/splunk
Remove any *.pid files from /opt/splunk/var/run/splunk/
If you enabled boot start on Splunk, run service splunk start
If you did not do that, run sudo -H -u splunk /opt/splunk/bin/splunk start
Hah! @twinspop I seem to be following you from https://answers.splunk.com/answers/476015/whats-the-best-method-to-updatereplace-indexer-clu.html
I am in the same spot now and indexer rebalance is painfully slow. Did you find out the cause for this?