I have 5-6 dashboards running on decently spec'd mini-PCs. They all have 4-5 real time searches running on them which is a requirement because they are for Operations to spot issues and thus have to be live. These all worked great until the 6.5 upgrade. Now, every time I arrive at work, the dashboards show a "chrome has run out of memory" browser message. Has anyone else had this issue? ... View more

We've recently locked down everything to use TLS 1.2 and I think i've fixed just about everything, however, my deployment server is full of SSL3 handshake errors with the forwarders. How do I set up the forwarders to use TLS1.2 with my deployment server? I'm confused about which file to modify: server.conf? web.conf? Everything looks fine server side - it's just on the forwarder I need to update. Here is my server.conf file on my deployment server: sslKeysfile = key.pem sslKeysfilePassword = xxxxx sslPassword = xxxxxx cipherSuite = TLSv1.2:!eNULL:!aNULL sslVersions = tls1.2,-ssl2, -ssl3 sslVersionsForClient = tls1.2,-ssl2, -ssl3 allowSslCompression = false ... View more

I'm currently using a very old deployment monitor search to determine when forwarders are down and it doesn't seem to be working very well in 6.5 (false positives + non alerts). I know the Monitoring Console has some additional functionality. Does anyone have a specific search for this? I'm hoping to alert if forwarders don't check in for 2-3 mins. ... View more

I have four independent indexers in a round robin, 2 are fairly old, 1 is a year old and my newest is maybe 3-4 months old. hot/warm is on an SSD Mirror, cold is on spinning disk but currently barely used at all (thresholds not met yet) Right after upgrading to 6.5.0, my newest indexer started filling up ALL of its indexing queues, I've taken it in/out a bunch of times and although not as often It's still randomly filling up all queues then stopping indexing of data. All disks are healthy, no IO waits or anything.. I've watched the disks while this was happening and there are no issues with them. Could these errors have something to do with it? 10-26-2016 13:00:08.697 -0700 WARN LineBreakingProcessor - Truncating line because limit of 10000 bytes has been exceeded with a line length >= 13431 - data_source="/opt/splunk/var/l og/splunk/remote_searches.log", data_host="splunk08", data_sourcetype="splunkd_remote_searches" ... View more

I work in a dynamic environment and often servers will get restarted for various reasons, updates for example.. Often I'll miss these events because I'm not on-call or nobody tells me. What happens is Splunk DB Connect disables all the inputs for that server and never tries to re-enable them. So that data stops flowing into Splunk until someone manually re-enables the inputs for the servers in question. My question is: Is there any way to have auto-retry logic? Or is there something I can use to monitor for inputs that get disabled? Right now I simply can't trust the data going into it because of this. ... View more

I have three stand alone indexers in a round robin and want them to accept HTTP events via the HTTP Event Collector. How do I generate a token with the same value on all three? ... View more