[script://./bin/starter_script.sh periodic] interval = 0 9 * * * # this will run the script daily @ 9 [script://./bin/starter_script.sh on-start] interval = -1 # this will execute the script on startup The above (or at least a variation of it) worked for me.  The TA in question was only distributed to Linux hosts so I don't know if the same trick will work on windows hosts.  And I'm not sure if the label gets treated as an argument because, in my case, my script didn't attempt to read in any command line arguments. The label at the end of each of the stanzas is not significant - they just need to be different so that the stanza merging logic treats them as two separate stanzas.  And if you have two scripts that you wish to run both on start up and periodically then you can reuse the same label. [script//./bin/script1.sh on-start] interval = -1 [script://./bin/script1.sh midnight] interval = 0 0 * * *  [script//./bin/script2.sh on-start] interval = -1 [script://./bin/script2.sh midnight] interval = 0 0 * * *    ... View more

Fixed in version 1.0.1 ... View more

I saw the URLs referenced in the logs and assumed that it was trying to reach out to them but it was presumably just during initialisation/start-up. One advantage of having the ability to disable the stanzas would be that I, as the administrator, can prevent someone from even trying to use them as the Splunk environment in question won't be able to connect to them as it's air-gapped.  ... View more

Hi @doksu, I have now seen the ECE and CWR flags "in the wild" so I've locally updated the REGEX for [netfilter_flags] to now be: REGEX = \s((?:(ACK|CWR|ECE|FIN|NS|PSH|RST|SYN|URG)\s)+) ... View more

Hi @doksu  I haven't encountered those other 3 flags (NS,CWR,ECE) in the environments that I'm working in at the moment but I agree that the TA should cater for any and all of the flags that it could encounter. ... View more

Hi, We experienced a similar issue when we recently upgraded our TEST environment from 7.3.7 to 8.0.6 - the AppServer and WebUI is working on the 3 clustered Search Heads but isn't working on any of the other servers (eg the Deployment Server). We've discovered that one difference between the Search Heads and the other servers is that /tmp is mounted with the "noexec" flag on the "other" servers but is not set on the Search Heads.  When I remounted /tmp on the Deployment Server without the noexec flag the AppServer/WebUI started up. I'm curious to know if your /tmp is set noexec and, if so, if remounting it without the noexec flag "fixes" the issue. ... View more

But what if the user (or someone else) types in the user's id and then fails to enter the correct password multiple times.  Will the account become locked out?  The specific situation here is that the authentication is tied to the client's AD.    If the wrong password is typed in for a user on the Splunk login page multiple (let's say 10 times), will the account become locked either within Splunk, or within AD, or both, or neither?   ... View more

I'm not sure if it's related to your issue but I've just backed out from 4.0.0 back to 3.4.0 because we were getting errors related to one of the LOOKUPs associated with the action field. "Could not load lookup=LOOKUP-cisco_asa_action_lookup_2" I can see the LOOKUP defined in the TA's default/props.conf and nothing looks obviously wrong to me. I wonder if it's supposed to be a two stage process (there's a LOOKUP-cisco_asa_action_lookup_1 as well) and the fact that this second lookup is broken(?) is what is causing the issue that you're having. ... View more