I am having the same issue.  I have tried all the recommendations above.  Thank you in advance for any assistance. ... View more

We had the same issue and resolved it. The broken clients were all trying to download two versions of an app. I have Splunk_TA_Squid_SiteA and Splunk_TA_Squid_SiteB with competing configurations for the same Squid logs. I didn't realize Server Class SiteA Include was including my SiteB clients. My SiteB clients were downloading both SiteA Squid and SiteB Squid. Once I updated Server Class Site A to only apply to Site A clients and not Site B clients, my Site B clients stopped generating the CheckSum errors. ... View more

in Splunk Version 8.1.6 the same issue is still there. Received fatal signal 11 (Segmentation fault). Cause: No memory mapped at address [0x00007F5F02649C08]. Crashing thread: BatchSearch Received fatal signal 11 (Segmentation fault). Cause: No memory mapped at address [0x00007F7262188008]. Crashing thread: phase_1 What is the current solution? ... View more

Good morning, May I have a copy of that documentation? I am trying to get the same thing done with our Splunk server.   Thank you ... View more

I had the same issue,  this is how I reserved my issue: On  searchhead(s)   in /opt/splunk/etc/system/local/server.conf [shclustering] disabled = 0 mgmt_uri = https://10.0.0.202:8089 replication_factor = 2 shcluster_label = InCorpShcluster01 id = 33DA70FF-FC57-497A-B405-CA85C61EFACE adhoc_searchhead = true current_member_uri = https://10.0.0.135:8089     I had the DEPLOYER =  xxxxx     under the[shcluster]stanza , but read that the KEYc ould be located under the  [general] stanza - so I removed the pass4SymmKey = and restarted  splunk. Deployer /opt/splunk/etc/system/local/server.conf [general]serverName = searchhead2site1 pass4SymmKey = $7$v9H1PDth+5OR0zCD4fnfJOJ8JQ7/sdJd6+vc/jSDRX0v4suiha+Srg== ## bunch of other line configs [shclustering] shcluster_label = InCorpShcluster01   Deployer server ------------------------------------------ [splunk@deployer]lunk/bin/splunk apply shcluster-bundle -target https://10.0.0.202:8089 -auth admin:pssword Warning: Depending on the configuration changes being pushed, this command might initiate a rolling restart of the cluster members. Please refer to the documentation for the details. Do you wish to continue? [y/n]: y Bundle has been pushed successfully to all the cluster members. ... View more

Do you have an update on the problem? I am attempting to do the same now. ... View more

So I haven't use it since it's optional and only required if the private key had a password, which mine does not. I removed immediately after creating it. ... View more

Yes i have done all of that. I still get the last value in the timechart count) series. This is why i opened this question..this shouldn't happen, it's a simple command. ... View more

What I've found is if you are on Windows copy eventgen.conf to locals folder and run icacls against it to change permissions. icacls C:\program files\Splunk\etc\apps\your app here\local\eventgen.conf /grant SYSTEM:F. Took me forever to figure this out. Also every time I edit the file I have to change perms again. Became such a pain that I wrote a c# service to watch for eventgen.conf changes and change perms automatically. ... View more

I've actually already tried this but i appreciate the help. My issue is across the deployer, Search head members. I can't even get a status without the error showing up.Even setup a brand new server to host the Deployer with a fresh installation. ... View more

Thanks cmerriman, unfortunately that doesn't work for me. My original search works to give me the results I need when both values comes back. Now I need to make sure the report does not populate if one of the two searches comes back with zero findings. So I'd like to only populate the search only if both subsearches have a value. For example Hour User computer app event status August 21, 2017 carol123 system123 window server "user logged in" "VDI Session Created" August 21, 2017 priv123 systemx app server "user logged in" System Account Used" vs Hour User computer app event status August 21, 2017 carol123 system123 window server "user logged in" "VDI Session Created" I would like to not show the second event only the first options. ... View more

Additionally, when I use the join command shown below it only gives me the main search. I need it to do a comparison between the user in the subsearch and pull only corresponding results from the main search specific to that users activities. Sometimes the user may be different from the user within the subsearch. index=* user=xxx* computer=vdi* | join user type=left [ search sourcetype=something user=user1 event="logged" | table user, event | dedup user, event] | eval hostname=coalesce(computer, host) | table _time, user, hostname, event | sort 0 - _time ... View more

I got this explanation from Splunk Support: "Those lookups are related to Hostmon inputs. If you're not using the hostmon inputs on your windows forwarders, then these won't be populated. If you like, and you're not using hostmon, you can put in some headers and it will stop complaining about the lookups. Just edit the files, and put "a,b,c" in the top line of each one. Splunk should stop complaining about them then. Now, if you are using hostmon, then there could be an issue there. " ... View more

Originally the app was intended to be installed on a Search Head with the logs going to the search head. An alternative is to use a heavy forwarder. The universal forwarder method described may not work. ... View more

What are your base filters? Within my organization we filtered by department to hasten the query but at the start ran into issues of a few members being added to a different department ID. If you are filtering on criteria, make sure that those values are all accounted for! The easiest way to tell that this is the issue is when you go to map groups, the users show up there (you can see their OU and everything) but they aren't in the actual roles, just like you stated. ... View more

I ended up using the following syntax to get it to work. Settings to add a single user: [Strategy] host = ***** port = 389 SSLEnabled = 0 anonymous_referrals = 1 bindDN = ****** bindDNpassword =******** charset = utf8 emailAttribute = mail userBaseDN = OU=Contractors,OU=Non-domain Users,OU=domain,DC=domain,DC=com userBaseFilter = (&(objectclass=user)(|(sAMAccountName=***)(sAMAccountName=))) groupBaseDN =OU=Contractors,OU=Non-domain Users,OU=domain,DC=domain,DC=com groupBaseFilter = (&(objectclass=user)(|(sAMAccountName=)(sAMAccountName=***))) nestedGroups = 0 userNameAttribute = samaccountname realNameAttribute = cn groupMappingAttribute = cn groupMemberAttribute = samaccountname groupNameAttribute = cn timelimit = 10 network_timeout = 20 ... View more

Even i faced the same issue today and tried varies thing but it didn't worked out. when i increases the User-level concurrent search jobs Limit and total jobs disk quota in the role through access control option , the dashboard started working fine again ... View more

Hello, It looks like your Master Node does not "see" any of your peers. It could be a configuration problem (i.e. secret key not properly shared) or a network problem. Make sure the [clustering] stanza in the server.conf files on all members of the cluster (master node, search head, peers) are homogeneous. Relevant stuff can be found on the Splunk Docs site : http://docs.splunk.com/Documentation/Splunk/6.1.2/Indexer/Clusterdeploymentoverview Also, you should NOT put anything in $SPLUNK_HOME/etc/master-apps/_cluster as it is reserved for splunk stuff. Instead you should put your apps in $SPLUNK_HOME/etc/master-apps/app1, $SPLUNK_HOME/etc/master-apps/app2 and so on. Stuff regarding the Configuration bundle : http://docs.splunk.com/Documentation/Splunk/6.1.2/Indexer/Updatepeerconfigurations Regards. ... View more

I have the same problem, but the version is not the problem, how can we resolve that plz ? ... View more

Have you checked the eventtypes? The app relies heavily on them and by default these don't always point to the correct indexes where your data is located. ... View more

Thanks, Found then within the installation folder. ... View more

Hi, could you give example of how you do it to make this works? Thanks ... View more