All are on one side at the moment. Mostly I'm thinking how I'd like the search heads to present the same view (from a search head perspective) of things. I'm just thinking about this possibility now, but I would like to avoid having to explain to users "the reason your search was available when you want to this URL and isn't available over there is that they're different search heads, get it?" The idea of geographic-dependency on search heads and having to get users to keep that in their heads as to what their search head environment is going to look like is something I'd like to avoid. I've had to go through that a few times with geo-dependent pooled search head environments in the US and I get a lot of deer-in-the-headlights looks. Thanks ... View more

I don't believe we have large bundles. Not so sure about the latency under certain circumstances. I don't particularly care about fast replication, just that it be done eventually. Would perhaps latency say across the Atlantic cause some kind of problem in a clustered scenario or would it solely be a matter of replication taking longer than some might expect? Thanks ... View more

I had been trying this on Windows where there's definitely a suite of security apps running. I tried it on my linux workstation where there are no such restrictions and see the same pattern: Firefox works fine, Chrome does not. I don't know what I was looking at before when hitting F12, but when I look at it now under Chrome or IE11 on any OS, I'm seeing Refused to execute script from 'https://:8000/dj/static/js/build/splunkjs.min/config.js' because its MIME type ('text/x-js') is not executable, and strict MIME type checking is enabled. So apparently, the following is in the HTTP header X-Content-Type-Options: nosniff which causes Chrome and IE11 to generate this. Presumably because Splunk hasn't set the type for javascript properly on this page. (Shouldn't it be "application/javascript"?). The search heads are running SuSE and I have seen and applied http://docs.splunk.com/Documentation/Splunk/6.2.3/Troubleshooting/SuSeLinuxerror even though it's not really this MIME type. I guess what really surprises me is that Firefox works -- that it does not seem to enforce this as well. ... View more

I cleared my cache in IE11 and get the same result. Hit F12 in IE -- doesn't show any javascript errors. I am not familiar with debugging via F12 so I'm not quite sure what to do there. I asked some other people to try this via their browsers. So far only one has replied, but he gets the exact same results in Chrome (he has IE8 which isn't supported at all with Splunk 6.2). ... View more

Also interesting is that if I do "View Source" in Chrome, I certainly see sections that seem to correspond to what I see displayed in Firefox, it just doesn't render it in Chrome or IE11. ... View more

Huh. I turned off search head pooling and reinstalled the app in $SPLUNK_HOME/etc/apps. I then tried hitting the app from the apps pull-down menu (assuming I'd get the first-time setup page). Using my default browser, Chrome 43, I get that same page with nothing but the 2 links on it. Using IE11, same thing. But when I tried this with Firefox 31, I got the first-time setup stuff and was able to "bypass checks" along the way and complete the first time setup. Oddly, even after I completed the first-time setup, IE11 and Chrome 43 both still gave me the same not-useful page with the 2 links on it. I've even tried going to Settings->User interface to open the views directly in chrome and IE and I still get the "2 links" page only. ... View more

I guess I'm a lot confused then :-). While we do use AD (and DNS), it's not a system that my team has rights to interface with other than as mere users. We run pooled search heads (yes, deprecated, but not able to get off of it that quickly) on Linux. Definitely have Windows data from UF's going to Linux indexers. When I put Splunk for Windows Infrastructure 1.1.3 on the Linux search heads, restart, then try to go into the app, I never get any first time setup page. I've wiped it out and restarted and untar'd it back into the search dir several times and get the same result. When I enter the app, I get the Splunk logo in the upper left, a gray navigation bar with no graphics on it (certainly not the progress bar indicated in the docs) a header that says "Additional Resources" and then 2 links below that for "Documentation" and "Learn more about building custom app dashboards". So the only functional parts of that page are things that go right to Splunk's documentation. It's probably just me, but I find the documentation for this app rather confusing, but I think because nothing clearly indicated the AD and DNS components were optional, that the lack of those components were why I didn't get anything beyond the simple non-functional page I mentioned above. When I re-read the docs, they seemed to say that I have to install the Splunk add-on for Windows on the search head which makes no sense unless you're search head is Windows (docs don't say that). I tried adding the Splunk_TA_windows anyway and got loads of errors at startup and no difference when entering the Splunk app for Windows Infrastructure. Something's just not working right with this app and I don't know what/why. Thanks ... View more

Thanks. I'm aware of that. My problem is that I'm trying to use the Splunk app for Windows Infrastructure, but it seems to require that I tie it into AD and DNS. I do not have access to AD or DNS nor am I likely to. From the docs, it seems like it is then impossible to complete setup of this app and thus to use it if I don't have that AD access. ... View more

Thanks very much. I think this was some functionality that slipped in during some release that I never knew about. This solved my problem. ... View more

So ultimately, once search head pooling is gone, you can run 1 standalone search head, or 3+ search heads in a clustered configuration. There is no solution whereby you can use 2 search heads (even if you don't need 3). Thanks. ... View more

Per the answer, when I ran the index=main search over a long time, I did only get the 4 production search peers in the splunk_server field. Per my update, since I found out later that the test server had only unique indexes on it and never used 'main', that actually made sense. Seems to be doing what I need/expect. Thanks! ... View more

Huh. Interesting. Nice to know it can handle it, but also that it knows it's kind of not right. Thanks. ... View more

I do indeed get the splunk_server values I would expect, but as I just mentioned/updated, it looks like the events in question are not in 'main'. I suspect that Splunk would probably "do the right thing" in that situation and return events from all 'main' indexes. I wouldn't think that Splunk could be explicitly named as its own search peer. It kind of is already, isn't it? ... View more

Thanks, Martin. That's what I was afraid of. I already have separate deployments for these different hosts which is a pain to maintain because 95% of the deployments are identical so if I make a change I have to make sure I put it in multiple places the same way. As I was writing the original message, I thought about the indexer-side transforms.conf stuff, but that's not super-clear either. Doesn't seem like there's a great solution for this other than finding a justification for collapsing it all into the same index starting now. Thanks ... View more

Thanks. I guess I'm confused though. In the case of 'ps' as scripted input Splunk provides the timestamp itself doesn't it? (As opposed to just a regular log file where I would need the timestamp for sure). And I also thought Splunk treated a scripted input as just one big event with a timestamp on that one event. If it represents multiple fields (as with 'ps') then you have to tell Splunk to break those lines up with multikv, right? Or maybe I'm wrong about all of that... ... View more