Hey all, this will be fixed in Splunk 7.2.5 ... View more

Hey all, just wanted to give you an update that this will be fixed in Splunk 7.2.5 ... View more

Could you check the OS level permissions on props.conf compared to inputs.conf after the App is pushed from the Deployment Server to make sure they are consistent? ... View more

Hi DUThibault. A Universal Forwarder does not need to be configured as a Deployment Client in order to forward data to Splunk Enterprise. Inputs can be configured locally, instead of being pushed out by a Deployment Server. This is why it is marked as Optional under the instructions for sending data to a Splunk Enterprise indexer or indexer cluster. ... View more

It sounds like you are trying to filter data at the Universal Forwarder level. I would recommend taking a look at the following Wiki page: https://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F SEDCMD is done at the parsing phase, which takes place on a Heavyweight Forwarder or Indexer. So basically, SEDCMD cannot be used at the Universal Forwarder level. ... View more

Hi mudragada, could you please clarify what you mean by "changes weren't picked up"? Is the issue that you are not seeing props.conf changes on the Universal Forwarder or that you are seeing the changes but they are not working properly? ... View more

It is my understanding that the deployer fails-fast if the first member is down. If the second or later member is down, the deployer tries to push to remaining members, but then throws an error at the end. Essentially, there is no way to push a bundle if the first member is down. The point behind this is that we do not want to perturb the system when a member is down, and we particularly don't want to create baseline configuration inconsistency. ... View more

Hello Splunk9999, sorry for the confusion, I meant the actual log file you are monitoring. ... View more

Hello splunker9999, have you confirmed there are logs on the instance with timestamps outside of (12.00 AM to 12.59 AM) ? ... View more

Hello rickrowe, normally you would report this by opening a Support case. What is the exact name of the App where you see this and how is Cisco spelled? ... View more

Hello Daniel, did you recently perform an upgrade? ... View more

Hi scottrunyon, autoLB defaults to true, so it is already configured and there is no need to set it manually. Hope this helps! http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf autoLB = true * Automatic load balancing is the only way to forward data. Round-robin method is not supported anymore. * Defaults to true. ... View more

Hello apietersen, I am sorry you are having trouble configuring Splunk to ingest data. Have you followed the steps outlined in the document below? http://docs.splunk.com/Documentation/Forwarder/6.4.1/Forwarder/HowtoforwarddatatoSplunkCloud ... View more