Are you seeing this issue with other versions? Recently the similar issue has been fixed. Release versions are 6.4.5+ and 6.5.2+ If you are still seeing the issue please contact Splunk Support with the steps repro. Thank you. ... View more

Added these lines to server.conf on my forwarders and that fixed the communication, I think pushing the app would do the same job at scale. Works! cipherSuite = TLSv1.2:!eNULL:!aNULL sslVersions = tls1.2,-ssl2, -ssl3 sslVersionsForClient = tls1.2,-ssl2, -ssl3 allowSslCompression = false ... View more

I'm not sure what you mean when you say you "tried grabbing the search that the DMC uses" The DMC alert is disabled by default. Did you try enabling it? ... View more

According to the amazing @davidpaper, the full details are: Beginning with Splunk 6.5, the indexing threads wrongly attempt to authenticate during indexing, adding significant load on LDAP based external authentication services. This authentication incorrectly attempts to authenticate non-existing external auth users, in this case the splunk system user. And can be found in Section 25 here: https://docs.splunk.com/Documentation/Splunk/6.6.2/Security/ConfigureLDAPwithSplunkWeb The key is to look for “Operations error” in splunkd.log and that indicates the LDAP services are failing to keep up with the rate of queries. ... View more

I am running V 2.3.1 which support SHC but it is in documentation that running input/output is not recommended in SHC. I overlooked this and probably need to run it in standalone instance. ... View more

The performance degradation we experienced (queues backing up) with 6.5.x had to be addressed in two ways 1) better disk i/o - we are running on VMs with a SAN backend, we dedicated hot/warm buckets to flash 2) datestamp parsing - every sourcetype has to have explicit LINE_BREAKER defined in props.conf on the indexers and heavy forwarders: [my_sourcetype] # example time: 2017-06-05T21:10:49.519+0000 TIME_FORMAT = %Y-%m-%dT%H:%M:%S\.%3N%z TIME_PREFIX = ^ LINE_BREAKER = ([\r\n]+)(?:\d{4}\-\d{2}\-\d{2}T\d{2}\:\d{2}\:\d{2}\.\d{3}(\+\-)\d{4}\s) SHOULD_LINEMERGE = false MAX_TIMESTAMP_LOOKAHEAD = 28 ANNOTATE_PUNCT = false ... View more

I have the same question - any way to do this without Deployment Server? ... View more

I wish I didn't have to spool up a whole physical server for this however it's clearly the only logical solution. Appreciate your input thanks. ... View more

Stats and eval. Elegant weapons for a more civilized age. Have fun. You're just at the beginning. 😃 ... View more

It is hard to tell without knowing the data you are playing with, but you can find some useful info here: http://www.google.co.nz/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CD8QFjAA&url=http%3A%2F%2Fwww.splunk.com%2Fweb_assets%2Fv5%2Fbook%2FExploring_Splunk.pdf&ei=L4XSUIePMumSiQeBgoGYAw&usg=AFQjCNFWwWjmygJbFKvd15d6fRSfIhPrfw&sig2=08NDgn5U-4WseU3lYcal9g ... View more