Hi All, I have the below sample events in my log data i.e. in UTC format , i want Splunk to change the event time to AEST time. I Assume Splunk would definitely convert in to AEST format since the cloud we use for Australian project/region.   My Sample Data looks like below in UTC format - 2021-08-11T01:16:25.373937Z I-6083-EP S< : icexsTrace-icexs5-20210811-1116-037.trc64:0000298 | X 8 NRRS202108111116250196534269 N ack_nak_response=ack 2021-08-11T01:16:25.381943Z I-6016-EP R> : icexsTrace-icexs5-20210811-1116-037.trc64:0000314 | 8 MH18000000000000000731127354 P AMQ LUXP112 , ` * MHS18P1 020420210811111624901010P1-001SW10.15.35.81 516fc0b3f6cd49abac2247601381e9c8 EPAG CTBA00 CANONICAL CODE 736062787787 2021-08-11T01:16:25.381991Z E-6016-EP S> : icexsTrace-icexs5-20210811-1116-037.trc64:0000323 | _ *SAMPL1* SW051001 MHS18P1 SWLP1 ZP11SIV HXU4P73A MHS18P1 020420210811111624901010P1-001SW10.15.35.81 516fc0b3f6cd49abac2247601381e9c8 EPAG CTBA00 CANONICAL CODE 736062787787 2021-08-11T01:16:25.422824Z E-6016-EP R< : icexsTrace-icexs5-20210811-1116-037.trc64:0000392 | ' MHS18P1 020420210811111624901010P1-001SW10.15.35.81 516fc0b3f6cd49abac2247601381e9c8 EPAG CTBA00 00CANONICAL CODE 736062787787 001000000000879575CR000000000879575CRAUD00000000000000000000000000000013d46777ec304eadb673f30ed0487f99 *CSMOKY* 2021-08-11T01:16:25.423000Z I-6016-EP S< : icexsTrace-icexs5-20210811-1116-037.trc64:0000399 | 8 MH18000000000000000731127354 MHS18P1 020420210811111624901010P1-001SW10.15.35.81 516fc0b3f6cd49abac2247601381e9c8 EPAG CTBA00 00CANONICAL CODE 736062787787 001000000000879575CR000000000879575CRAUD00000000000000000000000000000013d46777ec304eadb673f30ed0487f99 2021-08-11T01:16:25.428780Z E-6053-EP R< : icexsTrace-icexs5-20210811-1116-037.trc64:0000419 | <BusMsg> <AppHdr xmlns="urn:iso:std:iso:20022:tech:xsd:head.001.001.01"> <Fr> <FIId> <FinInstnId> <BICFI>RSBKAUFSXXX</BICFI> </FinInstnId> </FIId> </Fr> <To> <FIId> <FinInstnId> <BICFI>WPACAU2SXXX</BICFI> </FinInstnId> </FIId> </To> <BizMsgIdr>RSBKAUFSXXX20210811000116253109041</BizMsgIdr> <MsgDefIdr>pacs.002.001.06</MsgDefIdr> <BizSvc>npp.stlmnt.01-sct.04</BizSvc> <CreDt>2021-08-11T01:16:25.310Z</CreDt> <Prty>NORM</Prty> </AppHdr> <Document xmlns="urn:iso:std:iso:20022:tech:xsd:pacs.002.001.06"> <FIToFIPmtStsRpt> <GrpHdr> <MsgId>RSBKAUFSXXX20210811000116253109041</MsgId> <CreDtTm>2021-08-11T01:16:25.310Z</CreDtTm> <InstgAgt> <FinInstnId> <BICFI>RSBKAUFSXXX</   And Each line represents a event in my log , So i have defined the below sourcetype settings  - [ <SOURCETYPE NAME> ] SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n]+) NO_BINARY_CHECK=true CHARSET=AUTO disabled=false But Still i could see events timestamp as UTC format only in Splunk , How would i change it have to AEST Timezone for events..   Could you please help with the settings ?? ... View more

Hi All, After upgrading my splunk forwarder to version 7.3.0 from 6.6.x. my splunk forwarder didnt start. it is shwoing the below error. A Splunk installation already exists. This will upgrade the current installation. Do you still wish to continue ?: [y|n] y Continuing with update Check for processes... Extracting 'splunkforwarder-7.3.0-657388c7a488-Linux-x86_64.gz' ... Updating config files... Starting the forwarder... install_nix_forwarder.sh: line 199: /opt/splunkforwarder/bin/splunk: Operation not permitted Splunk did not start. Please check any error messages when checked in error logs i couldnt find much information - 09-04-2019 19:34:54.397 +1000 INFO TcpOutputProc - Connected to idx=10.16.193.244:9997, pset=0, reuse=0. using ACK. 09-04-2019 19:35:27.370 +1000 INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_10.16.195.198_8089_10.16.195.198_lnxau2106st0273.wsdc.nsw.westpac.com.au_Splunk_Forwarder_payments_lnxau2106st0273 09-04-2019 19:35:30.813 +1000 WARN TcpOutputProc - Cooked connection to ip=10.16.193.247:9997 timed out 09-04-2019 19:35:50.653 +1000 WARN TcpOutputProc - Cooked connection to ip=10.17.193.39:9997 timed out 09-04-2019 19:35:50.759 +1000 INFO TcpOutputProc - Connected to idx=10.17.193.38:9997, pset=0, reuse=0. using ACK. 09-04-2019 19:36:05.484 +1000 INFO PipelineComponent - Performing early shutdown tasks 09-04-2019 19:36:05.503 +1000 INFO loader - Shutdown HTTPDispatchThread 09-04-2019 19:36:05.514 +1000 INFO ShutdownHandler - Shutting down splunkd 09-04-2019 19:36:05.514 +1000 INFO ShutdownHandler - shutting down level "ShutdownLevel_Begin" 09-04-2019 19:36:05.531 +1000 INFO ShutdownHandler - shutting down level "ShutdownLevel_FileIntegrityChecker" 09-04-2019 19:36:05.531 +1000 INFO ShutdownHandler - shutting down level "ShutdownLevel_JustBeforeKVStore" 09-04-2019 19:36:05.531 +1000 INFO ShutdownHandler - shutting down level "ShutdownLevel_KVStore" 09-04-2019 19:36:05.531 +1000 INFO ShutdownHandler - shutting down level "ShutdownLevel_Thruput" 09-04-2019 19:36:05.531 +1000 INFO ShutdownHandler - shutting down level "ShutdownLevel_TcpInput1" 09-04-2019 19:36:05.540 +1000 INFO TcpInputProc - Running shutdown level 1. Closing listening ports. 09-04-2019 19:36:05.541 +1000 INFO TcpInputProc - Shutting down listening ports 09-04-2019 19:36:05.542 +1000 INFO TcpInputProc - Setting up input quiesce timeout for : 90.000 secs 09-04-2019 19:36:06.335 +1000 INFO ShutdownHandler - shutting down level "ShutdownLevel_ExecSendInitialSigterm" 09-04-2019 19:36:06.335 +1000 INFO ShutdownHandler - shutting down level "ShutdownLevel_TcpOutput" 09-04-2019 19:36:06.335 +1000 INFO TcpOutputProc - begin to shut down auto load balanced connection strategy 09-04-2019 19:36:06.336 +1000 INFO ShutdownHandler - shutting down level "ShutdownLevel_UdpInput" 09-04-2019 19:36:06.336 +1000 INFO ShutdownHandler - shutting down level "ShutdownLevel_FifoInput" 09-04-2019 19:36:06.336 +1000 INFO ShutdownHandler - shutting down level "ShutdownLevel_WinEventLogInput" 09-04-2019 19:36:06.336 +1000 INFO ShutdownHandler - shutting down level "ShutdownLevel_HttpInput" 09-04-2019 19:36:06.338 +1000 INFO TcpInputProc - Cleaning up TCP connections 09-04-2019 19:36:06.338 +1000 INFO TcpInputProc - Shutting down existing connections. 09-04-2019 19:36:06.339 +1000 INFO TcpInputProc - TCP connection cleanup complete 09-04-2019 19:36:06.349 +1000 INFO ShutdownHandler - shutting down level "ShutdownLevel_CacheManager" Could someone please help to diagnose the problem and fix it. ... View more

Hi All, I was in need of a requirement to find the error codes and its occurences windows for a given day to be printed in a table format. For Eg: i was looking for a error code "Z901" in my splunk logs for given day , i would like how many data occurences of these errors i.e. Z901 has seen in that day. // sample output which i am looking is. Day Error_Code Occurence's Duration 08-06-2019 Z901 3 00:02:00 - 01:04:05 07:00:00 - 07:24:45 23:45:00 - 23:55:00 I need the output in the above format - can anyone help me please in getting the above format. So from the above format i can clearly i am seeing Z901 errors on the Day i.e. "08-06-2019" for 3 occurences i.e. between the time windows 00:02:00-01:04:05,07:00:00-07:24:45 and 23:45:00-23:55:00. I tried using earliest and latest times but getting the output as 00:02:00 - 23:55:00 for the whole day. Need help to print in the above format. ... View more

Hi All, I have a multi site indexer clustering configuration and has a separate license master, Now all indexer cluster servers are point to the license master as slaves to it. I also have the Job servers to run the search jobs from this indexer cluster servers , do i need to use license configuration on these servers as well ? or its not required ?? . i was trying to find the documentation for the same but couldnt find till now..if anyone could help me..tht would be great.. !! thanks rakesh. ... View more

Hi All, I am using Splunk version 6.2.2 with 4 Search heads and formed a Search Head Cluster enviourment with those 4 servers. I have a scheduled search running on this cluster to call the external shellscript to email the search results "results.gz" content to different customers based on the logic in the shell script. This script is working fine in a Single Non Clustered Searchhead but when comes to clustered enviourment , I am seeing the following error and the scripts seems to be not working as expected. 02-15-2017 03:04:19.516 +0000 ERROR script - sid:scheduler_nobody_eGJ0X3NwaHVyX2FsZXJ0cw_RMD58550cea47a8bcd3a_at_1487127660_19_4EFB41A7-977F-4746-9C8F-5BE724662CDD command="runshellscript", Script: /appl1/splunk/etc/apps/xbt_sphur_alerts/bin/scripts/echo.sh exited with status code: 2 Could you please help what could be the issue here ?? thanks, Rakesh. ... View more

Hi All, In Splunk older versions, there is a concept of distributing the Splunk search results in HTML modules, or HTML tags using the results token. i.e. results[0].fieldname etc. In Splunk 6.x version do we have any examples of getting the same functionality? My older sample code in Splunk 5.x version: <module name="HiddenSearch" layoutPanel="panel_row1_col1_grp1" autoRun="True"> <param name="search">index=_internal | stats count </param> <module name="HTML" layoutPanel="panel_row5_col1_grp1"> <param name="html"> <div> Search Results : $results.count$ </div> </param> </module> </module> Can we have something similar for Splunk 6.x version ?? thanks, Rakesh,. ... View more

Hi Team, I have created an index called "mysummary" for my Splunk app, and I want this index to store 90 days worth of data, so I have used the following configuration. i.e. at any time, I need to store only 90 days worth of data in this index. I have seen the attribute "rotatePeriodInSecs" added to do the regular checks and roll the data after 90 days from the index and make it preserve only 90 days worth of data, but it's still not working as expected. Can someone pls help here.. // Settings used now to store 91 days of logs. [mysummary] coldPath = volume:cold/mysummary/colddb homePath = volume:hotwarm/mysummary/db thawedPath = $SPLUNK_DB/cold/mysummary/thaweddb maxHotSpanSecs = 7862400 frozenTimePeriodInSecs = 7862400 rotatePeriodInSecs = 60 repFactor = auto thanks, rakesh. ... View more

Hi Team. I have a file name called /var/log/messages which I need to send to two different indexes (say index="A" and index="B") on 2 set of indexer servers. i.e index="A" sourcetype="A" on the indexers set 1 - and index="B" sourcetype="B" on the indexers set 2 -- should give me the same source list i.e /var/log/messages/ please help thanks. rakesh. ... View more

Hi Team. I have my indexers present in 2 sites , site1 and site2. In site1 i have 5 indexers servers and in site2 i have 5 indexers servers. Now all i needed for my multi site indexer clustering configuration is "For each data available in site1 , i need a copy of it in site 2 and viceversa". I have defined the following config but it seems not working as expected , am i missing something ?? // Master Config [general] site=site1 [clustering] mode=master multisite=true available_sites=site1,site2 site_replication_factor = origin:1,total:2 site_search_factor = origin:1,total:2 restart_timeout = 900 // Site 1 Memeber Config [general] site=site1 [clustering] master_uri = https://masterserver:52400 mode = slave pass4SymmKey=splunk [replication_port://52403] // SIte 2 Member Config. [general] site=site2 [clustering] master_uri = https://masterserver:52400 mode = slave pass4SymmKey=splunk [replication_port://52403] Can you please help. Thanks, Rakesh. ... View more

Hi All, I am using the following code snippnet in my HTML dashboard to re-direct the page to the defined URL on clicking on my dashboard. Here i am able to navigate to different URL but loosing the control on the Parent Page i.e the new URL to open in a new blank document rather then on the same page. Is there any means to change /update the redirect function. my code snippnet. e.preventDefault(); var url = TokenUtils.replaceTokenNames("http://localhost:8080/en-US/app/custom_app/dashboard?form.Operator=$row.Operator$&form.CarrierCode=$row.CarrierCode$", _.extend(submittedTokenModel.toJSON(), e.data), TokenUtils.getEscaper('url')); utils.redirect(url); Many thanks. Rakesh. ... View more