Hi All, I'm trying to create a sh cluster, here are the sequential things that I have. Please correct me. On the deployer [shclustering] pass4SymmKey = shc@cluster shcluster_label = sh_cluster restart the deployer On all the search heads except deployer splunk init shcluster-config -auth admin:changeme -mgmt_uri https://respective_sh_ip:mgmt_port -replication_port rep_port -replication_factor 2 -conf_deploy_fetch_url https://deployer_ip:mgmt_port -secret shc@cluster -shcluster_label sh_cluster restart the search heads after the configuration. Only on one search head and not deployer splunk bootstrap shcluster-captain -servers_list "https://sh1_ip:mgmt_port,https://sh2_ip:mgmt_port,https://sh3_ip:mgmt_port" -auth admin:admin Push configurations from deployer to sh member. create a app and moved it to etc/shcluster on deployer, then splunk apply shcluster-bundle -target https://sh1_ip:mgmt_port Thanks, Allan ... View more

Dear Saviours, I have multiple single-value elements which have three possible values (Passed, Failed, Executed). Now my single value background has to turn green if the value is "Passed", red if the value is "Failed" and grey if the value is "Executed". I know i can achieve this with range maps, but I want to retain the text in the final view. ... View more

I tried all the possible things in Splunk, but couldn't index only some part of the file. For example: 2015/11/30 19:00:00 ad32ah req:connection srv:vm1pskndx3 method HTTPS txnid:986218312825 and from here 20 to 30 lines of event. I need to index only ad32ah , vm1pskndx3 , HTTPS and 986218312825 . I only need these 4 fields and ignore the other part of the event, and it should be repeated for all the events. I understand I should do something in props.conf or transforms.conf . Please advise! ... View more

Hi, I have 4 forwarders, 4 search heads, and 2 forwarders in my Splunk cluster. Now one of the forwarders is configured to read data from UDP port 514. The data comes in to the forwarder and it then is forwarded to the indexers. Now I need to apply configurations in transforms.conf and props.conf to write few events into a separate index by host. Where do I put those configurations? Should I do the changes in the forwarder or the indexer? Thanks. ... View more

Hi, I have a very specific problem. I have more than 70 devices writing data to UDP port 514. Now I need to input five ip_addresses to one index and the rest of them to another index. eg: 10.0.0.1, 10.0.0.2, 10.0.0.3, 10.0.0.4, 10.0.0.5, ...... 10.0.0.70 Now 10.0.0.1, 10.0.0.2... 10.0.0.5 should go to the index=indx1 and sourcetype=srctype1 and the rest of the IP addresses should go to another index. Note: Unlike the above example ip_addresses in my case are not incremental or doesn't have any pattern. Please help. ... View more

Hi, I have a scenario where I have to consume tokens for my searches in the dashboard from the URL. I'm doing the dashboard building in HTML + javascript, say tokens are separated by "=" symbol. Please help. ... View more