I've been ignoring this number for 8 or 9 years now as it's never made any sense and doesn't correspond to the results of the queries mentioned above.   How does this counter even work? ... View more

I'd like some clarification on this as well.  Does the TA select the correct source type for these events? ... View more

Over that past week, we've seen the TA correctly ID the timestamps of events for most of a day and then another day it will chuck all the events is to a bin for midnight that day. Today we're seeing that it's choosing timestamps for 2017 and 2019!? The following line in the default props.conf makes it seem like it's expecting a timestamp formatted like so dd/mm/yy hh:mm:ss but, the data from our FMC contains only unix epoch time stamps. [cisco:estreamer:log] EXTRACT-encore_log_fields = ^(?P&lt timestamp &gt \d+-\d+-\d+\s+\d+:\d+:\d+,\d+)\s+ How do we fix that? ... View more

IS there a fix for this? I'm running 3.5.8 and seeing a lot of these warnings ... View more

Um, no. According to the document below 6.5 is not EOL yet. https://www.splunk.com/en_us/legal/splunk-software-support-policy.html We pay quite a bit of money for support, so why do we have to chase down things like this for a supported version of Splunk? ... View more

Is there an officially supported way to do this for Splunk 6.5.x that doesn't involve cutting and pasting from 10 different postings? ... View more

A co-worker of mine just discovered that we're seeing the same error in version 1.0.6. Just wondering if that is fixed in later versions? ... View more

Has there been any progress? ... View more

I'm seeing a similar error. How would one ID the bucket that is a problem? What component should I put into Debug ? ... View more

Also your link is busted : ( ... View more

The Splunk Add-on for Linux ... View more

Can I do this with an envirnment variable? I've had good luck defining SYSLOG_DIR in splunk-launch.conf and then referencing it in the path for a filemonitor. This lets me have the name of the syslog node in the source and keeps my inputs.conf the same. Can I do something similar to define an index in an inputs stanza? ... View more

There are some bugs in that feature. We've found that we have to restart our cluster master when the data re-balance just seems to get stuck : ( ... View more

I forgot to mention that it's Splunk Enterprise 6.5.6 ... View more

This isn't working as desired for us, ATM. One of my App guys is having problems were savedsearches.conf in /local is being merged/appended into savedsearches.conf in /default when we've used the excludeFromUpdate option for $app_root$/local. I've verified that this happens on the Search Head. The contents of the bundles are correct on both the deployment server and the search head. ... View more

We had the same problem. You can either delete the entry in the manifest file or give it the hash of the updated file. ... View more

This doesn't seem to work in 6.5.6. Is there a way to just reload one serverclasss in 6.5.x ? ... View more

It seems to be back in Splunk 6.5.x if, one is running splunkd as a limited user. I just had this happen on an Indexer in Prod that was restarted via vmware. I was able to recreate it in my QA environment. All one needs to do is mock up a pid file with ids from other processes that belong to another user like root. ... View more

My users also want drill downs on this. Is that possible? ... View more

It was an existing install. RHEL 6.x. It turns out the lun that the disk was on was accidentally filled up via a VMware snapshot. ... View more

They are not "myssql" logs. That's a typo that I can't seem to correct. It would Just be the logs for mssql instances. ... View more