Hello Team, We have use case where we need to map/identify people's region in Splunk and create dashboard. Can we do something in Splunk? we want to be able to write some performance dashboards and categorise people as internal/external and what region (UK/US/APAC/Other) thanks Nik ... View more

Hi I want to discard log lines which includes specific tag "reversed position attributes " in log file. We want to avoid lines which includes these specific tags and index rest of the log file. Is it possible to discard these log lines on forwarder level? Please suggest suitable solution. If you need more information please let me know. Thanks. ... View more

We have recently upgraded the Splunk SearchHead and Indexer to Splunk V6. Since afternoon we are facing below error and no logs are coming on Indexer or Search head. 1. Search peer lonrs10215 has the following message: Tcp output pipeline blocked. Attempt '400' to insert data failed. I looked at the splunkd.log on indexer and can see below error message:( 11.192.36.204 is the Indexer server lonrs10215 mentioned in above error) 01-07-2014 18:10:33.233 +0000 WARN TcpOutputFd - Connect to 11.192.36.204:9997 failed. Connection refused 01-07-2014 18:10:33.234 +0000 ERROR TcpOutputFd - Connection to host=11.192.36.204:9997 failed 01-07-2014 18:11:03.235 +0000 WARN TcpOutputFd - Connect to 11.192.36.204:9997 failed. Connection refused 01-07-2014 18:11:03.235 +0000 ERROR TcpOutputFd - Connection to host=11.192.36.204:9997 failed 01-07-2014 18:11:23.237 +0000 WARN TcpOutputProc - Shutdown timed out for 11.192.36.204:9997 01-07-2014 18:11:23.237 +0000 WARN TcpOutputFd - Connect to 11.192.36.204:9997 failed. Connection refused 01-07-2014 18:11:23.237 +0000 ERROR TcpOutputFd - Connection to host=11.192.36.204:9997 failed 01-07-2014 18:11:23.421 +0000 WARN TcpOutputFd - Connect to 11.192.36.204:9997 failed. Connection refused When i tried the command (netstat -an | grep 9997) on indexer I can see its connecting and have established connections: tcp 24778 0 11.192.36.204:9997 11.182.8.168:2621 ESTABLISHED tcp 1304190 0 11.192.36.204:9997 11.182.8.168:2620 ESTABLISHED tcp 1613142 0 11.192.36.204:9997 11.192.36.204:46875 ESTABLISHED Can you please suggest to resolve this? Thanks Nik ... View more

We have situation where other team want to manage their own instance of universal forwarder on the same Windows box. Is it possible to run multiple forwarder under different dir on Windows box? Thanks Nik ... View more

Anybody can suggest how to setup email alerts if Splunk service is down. I am trying to configure alerts in a way so we get email alert if service is down. Any sort of help will be appreciated. Thanks Nik ... View more

I am working on new setup for splunk and facing "Unable to distribute to peer named lonrs10457 at uri https://SPLUNK-IDX1:8089 because peer has status = "Authentication Failed" " error on SearchHead. I have distributed search setup. I have checked the status under Manager » Distributed search » Search peers> Status: Authentication Failed; Replication status:Initial Forwarder are not enabled at the moment. indexer is up and running. Any suggestion please. ... View more

Hi I want to pass more then one client name in deploymentclient.conf on Indexer box. [target-broker:deploymentServer] targetUri = splunk:8089 [deployment-client] clientName = index1, index2 phoneHomeIntervalInSecs = 30 As you can see above clientName = index1, index2. I tried with comma (,) and (;)semicolon but its not working for me. Is it possible to implement? if Yes please suggest the right way to do? Thanks, ... View more

Hi I want to discard all log which includes "DEBUG" and want to receive only with "INFO and ERROR". I am receiving hell lot of those logs and indexer is swamped with them. The Pattern of the log file as follows: DEBUG 2012-08-08 09:56:44,111 [DistributedCacheWorker:22] process- [] Heatbeat for instance 1 of service System X Even.host=lonrs06087 Options| sourcetype=sfx-application source=/opt/datasynapse/DSEngine/work/l.log Options Solution tried: I have tried to solution provided on: http://docs.splunk.com/Documentation/Splunk/4.3/Deploy/Routeandfilterdatad#Discard_specific_events_and_keep_the_rest So Under props.conf : [source::.../coherence-*.log] TRANSFORMS-null= setnull And transform.conf: [setnull] REGEX = \\DEBUG DEST_KEY = queue FORMAT = nullQueue But its not seems to be working. can anybody help me with this please? Thanks/ ... View more

Hi I have 4.3.1 version of universal Forwarder on some of the boxes. now I need to add few more boxes in diff environment. 1. Is there any issue if I use the latest "splunk-4.3.3-128297-x64-release.msi" version on new boxes? 2. Any conflicts or other type of issues can raise? Please advise. Thanks. ... View more

Hi I want to add new tab "Summary" in one of the App main screen next to Search tab. i tried to create new view for it but it goes under "View" drop-down but I want it next to main tabs. Example: Search(tab) Dashboard(tab) Summary(tab) View(tab) Search&Report(tab) hope Its clear what I am trying to do. Thanks ... View more