Adding a little to the wise words from @alacercogitatus, there are quite a few ways to this. OP might have found a solution already. If anyone still stuck on this, below is one of the many ways to do it Have Tokens for your form Elements Anything user enters is stored in Token You can get really creative and do a search as |makeresults |eval Input1 = $token1$ |eval Input2 = $token2$ |eval Input3 = $token3$ |collect index= host= sourcetype= All of these are part of core Splunk, no custom code. Read more about collect command here https://docs.splunk.com/Documentation/SplunkCloud/8.0.2003/SearchReference/Collect Hope this helps! Thanks, Raghav ... View more

cool....I am able to pass the arguments to external script but the can't add this to triggered alert action as results are always 0 though there's value. I guess it passes the arguments and cleans itself out? I run this |gentimes start=-1|eval x=120|map search="|gentimes start=-1 | script python Hello $x$" I get the values of x printed to a text file but results say 0. If i could get the results populated so that they are displayed in triggered alerts & pass arguments that would solve it all. And i would drive to Texas and buy you a beer :)...is it possible? ... View more

you gotta be kidding me 🙂 that shed the exact amount of light i needed....Thank you ... View more

Excellent! Please accept this as an answer so that it can easily be found. Thanks, Raghav ... View more

I do not think that is required. Since you are working on only one out of 8 indexers, I would just put that indexer in offline mode and disable boot start. We applied OS patches on our 33 indexer cluster by taking one indexer offline at the time. IT did take lot of time but I never had to touch my master ot the configurations on the master once during the process. As long as the work you are about to do doesn't alter the application or configs, you should be alright. I apologize for the delay. Thanks, Raghav ... View more

Hello @runiyal Method #1:You can extract the source values to a extracted field and then apply the condition after extraction. Example: Sourcename is the field you extract and you can simply ask splunk to |search Sourcename=vendor which will limit it to the events that contain that field Method # 2: use a combination of eval , match function and the condition you want. Method#3: use stats and eval combination with a AND condition (If both conditions you are looking for are key pairs) Hope this helps, Thanks, Raghav ... View more

@sbattista09 , We had the same message couple of weeks ago....We just ran java service and Splunk with proper permissions and it worked like charm...kinda what Damien said above. Thanks, Raghav ... View more

Hey @skoelpin Is the ask here to fix the 8089 vulnerability anyway or using the self signed cert only? In general, if you want to force the cipherSuite, i would just add the following to server.conf under sslconfig stanza (This will take care of all the SSLv3 POODLE stuff) What it doesn't take care of is XSS (Cross Site Scripting) vulnerability if you using versions older than 6.3.3 (I say 6.3.3 because that's the version has XSS patch) supportSSLV3Only = false cipherSuite = TLSv1.2:!eNULL:!aNULL While you are in there, disable kvstore port 8191 if you don't need it as that will pop up in the scan results eventually. Hope this helps! Thanks, Raghav ... View more

Hey @iamarunk, Here's how licensing works Free Splunk : cannot exceed 3 violations in a rolling 30 day window Enterprise Splunk (With active license): cannot exceed 5 violations in a rolling 30 day window If it's an Enterprise Splunk Instance with active License, please contact your Splunk Support person to get a reset key. Once you add the reset key, the search functionality will resume (Your indexing does not get interrupted due to this btw) After you resume the search functionality, go to LURV/ License utilization . If you are in a distributed setup, these metrics will be found on your license master. Check for hints as to what and how this license overage has caused and correct it. Here's what i would do Check which index/host/Business unit is consuming license more than it's entitled to Filter the data upfront (Before it hits the Indexers) If all the data is required/already filtered, start a dialogue with Business/Splunk teams to buy more license. Hope this helps! Thanks, Raghav ... View more

Excellent! Please accept it as an answer if it helped you and others can find it easily. ... View more

Hello @gibu_george_medlife, First, The monitor/batch stanzas for these logs can reside default or local directories . $SPLUNK_HOME/etc/system/default|local OR $SPLUNK_HOME/etc/app/..local . When you say same machine, how did you come to that conclusion? by looking at the host name? example: index=main source="/opt/splunkforwarder/var/log/splunk/splunkd_stdout.log" gives the host name same as the hunk host? If yes, one possible reason i could think of is someone copied the stanzas as is. Example....if i have one server called Server1 with inputs and outputs and if i distribute the configs as is to Server2, unless someone goes in to inputs and changes the host name to $decideonstartup pr manually enter Server2, Logs will be displayed with host=Server1. If this is the case, try to find out IPs of all sourcenames to determine where/which server is sending these logs. Use this search on your hunk server to get the IPs index="_internal" source="*metrics.log" group=tcpin_connections  | eval sourceHost=if(isnull(hostname), sourceHost,hostname) | eval connectionType=case(fwdType=="uf","Universal Forwarder", fwdType=="lwf", "Light Weight Forwarder",fwdType=="full", "Splunk Indexer", connectionType=="cooked" or connectionType=="cookedSSL","Splunk Forwarder", connectionType=="raw" or connectionType=="rawSSL","Legacy Forwarder") | eval build=if(isnull(build),"n/a",build) | eval version=if(isnull(version),"pre 4.2",version) | eval guid=if(isnull(guid),sourceHost,guid) | eval os=if(isnull(os),"n/a",os)| eval arch=if(isnull(arch),"n/a",arch) | eval my_splunk_server = splunk_server | fields connectionType sourceIp sourceHost sourcePort destPort kb tcp_eps tcp_Kprocessed tcp_KBps my_splunk_server build version os arch | eval lastReceived = if(kb>0, _time, null) | stats first(sourceIp) as sourceIp first(connectionType) as connectionType first(sourcePort) as sourcePort first(build) as build first(version) as version first(os) as os first(arch) as arch max(_time) as lastConnected max(lastReceived) as lastReceived sum(kb) as kb avg(tcp_eps) as avg_eps by sourceHost | stats first(sourceIp) as sourceIp first(connectionType) as connectionType first(sourcePort) as sourcePort first(build) as build first(version) as version first(os) as os first(arch) as arch max(lastConnected) as lastConnected max(lastReceived) as lastReceived first(kb) as KB first(avg_eps) as eps by sourceHost | eval status = if(isnull(KB) or lastConnected<(info_max_time-900),"missing",if(lastConnected>(lastReceived+300) or KB==0,"quiet","active")) | sort sourceHost Hope this helps! Thanks, Raghav ... View more

Either through server.conf where under license stanza you provide the uri to LM OR via GUI where you select , associate with a license master and provide the mgmt_uri for LM ... View more

Hello @ritsma, 1.lets talk about SHC, when you build a search head cluster, rules is minimum of 3 search heads + deployer. All the content you want to migrate from standalone to SHC, put them on deployer (except search app) and push to your search head cluster members. Example: put the apps other than search app on deployer @ $Splunk_home/etc/shcluster/apps/ And etc/users under $splunk_home/etc/shcluster/users etc. You maintain content on deployer that needs to be pushed to SHC. As far as search app, move the content to a new app and make the artifacts global so that It's available on search app on your SHC. 2.Read the docs on how to migrate to SHC and how to add/initialize new or existing Splunk instances as Search head cluster members. 3.you use deployer as the master node for SHC 4.indexer cluster is managed by cluster master and SHC is managed by Deployer. They work hand in hand from a cluster functionality perspective. If you look at the SHC members server.conf, you will see two stanzas, one for SHC and one for indexer clustering. In the indexer clustering stanza, all your search heads are listed as cluster members with mode = search head 5.now migrating standalone indexed data to indexer cluster is slightly different. You push you r indexes.conf from cluster master to all peer nodes but data has to be distributed to your indexers in cluster manually. So if you have 10 buckets on standalone and if you want to migrate them to a indexer cluster with 5 peers, you will copy 2 buckets to each peer. NOTE, bump the bucket id's before migration to avoid conflicts and also roll the hot buckets to warm before you migrate. Docs has this I formation covered in detail. http://docs.splunk.com/Documentation/Splunk/6.4.2/DistSearch/SHCarchitecture http://docs.splunk.com/Documentation/Splunk/6.4.2/DistSearch/SHCconfigurationoverview http://docs.splunk.com/Documentation/Splunk/6.4.3/Indexer/Migratenon-clusteredindexerstoaclusteredenvironment http://docs.splunk.com/Documentation/Splunk/6.4.2/Indexer/Clusterdeploymentoverview Hope this helps! Thanks, Raghav ... View more

Correct, first thing you need is connectivity between source and destination. From source, do a quick telnet to destination on 9997 Telnet destination-ip 9997 if it's connected, check splunkd.log on both source and destination. Location $SPLUNK_HOME/var/log/splunk/splunkd.log Look for any errors in these logs. Thanks, Raghav ... View more

What does the splunkd.log say? ... View more

+1 to @rbal[Splunk] 's answer. We have seen jobs from 10 days ago in the list and still @ Running 0%. Unfortunate thing is, it will eventually skip the next occurrences (Atleast happened in my case). Rolling restart and get the stuck jobs cleared and start your day fresh 🙂 Thanks, Raghav ... View more

Hello @kranthi851, Short answer is yes! Please see these splunk docs for a working example: http://docs.splunk.com/Documentation/Splunk/6.4.2/Forwarding/Forwarddatatothird-partysystemsd That said, you'd miss all the amazing things splunk can do to the forwarded data 😉 Hope this helps! Thanks, Raghav ... View more

Hello @sanaa, I would highly recommend you to read http://docs.splunk.com/Documentation/Splunk/6.4.2/Data/Getstartedwithgettingdatain and the following configuration files Inputs.conf: https://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Inputsconf & Outputs.conf: https://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Outputsconf Step1: in inputs.conf under /opt/splunk/etc/system/local/ add a monitor stanza [monitor:///path to the audit log file] index = name of the index where you want it to send sourcetype = audit In outputs.conf [tcpout] defaultGroup = Name of your Indexer layer [tcpout:Name of your Indexer layer] autoLB = true autoLBFrequency = 60 (seconds to switch to new indexer) server = list your indexers and receiving port (eg: 1.2.3.4:9997,5.6.7.8:9997 etc) Finally, restart splunkd service. I would highly recommend you to read the docs first. Hope this helps! Thanks, Raghav ... View more

np 🙂 Please provide sample events with all possible patterns and we will help you with the dream extraction 🙂 Thanks, Raghav ... View more