I tried removing inputs.conf from the TA because I only wanted it for the props/transforms on my search head cluster.  Still got the error.  How? ... View more

I'm having the same requirement.  Maybe one way would be to run it from an external program using API calls to kick off the searches and wait for them to complete? ... View more

I tried creating a default app.conf file with the stanza: [install] state = disabled but it didn't disable the app. Then I removed the app from etc/apps altogether, but it came back. We run splunk as user "splunk" so then I removed the app and created a directory etc/apps/learned owned by root with permissions 500 (r-x------) so splunk couldn't recreate it.  That worked. ... View more

the curl command works from the command line only if I specify "-k" (ignore SSL cert) how do I get Splunk to accept the cert? ... View more

Me too. Maybe it's trying to find an index that's not defined on the Heavy Forwarder? "idx=_w(s,0).end())" ... View more

Apologies, this will create a file named server.pem.pem that you will have to move to server.pem . You can omit the ".pem" from the end of the second command to save having to do this step. ... View more

Or (on Splunk 7.3.2) you could run these commands to create a cert with a new expiration date: $ mv /opt/splunk/etc/auth/server.pem /opt/splunk/etc/auth/server.pem,expired $ splunk createssl server-cert -d /opt/splunk/etc/auth -n server.pem ... View more

I was getting this error due to an omission in my certificate. The certificate's "Subject" has no "O=", "OU=", or "DC=" specified. The default certificate created by Splunk uses "O=SplunkUser". Since mine was created with HashiCorp Vault, I don't see a way to get it to add one of those in addition to the "CN=" in the Subject, so I guess I won't be able to use Vault-generated certificates for my kvstore. ... View more

I followed the steps, but my status is still "starting" on the captain, replicationStatus is "Startup" on one member and "Down" on the other, even though it was "ready" when I brought up the captain solo. How long should it take to replicate? ... View more

I'm having the same issue in 7.3.2. System is logging in US/Eastern, Splunk is UTC. My props is based on source. Applied it on HF, and Indexer, no change to time setting. ... View more

My interface is showing "up", but I'm getting errors for "speed" and "duplex", even if I cat them from the command line; I'm running on a fairly recent Splunk AMI in AWS, One wonders why Splunk hasn't seen/fixed this? ... View more

Yes, you can use "uuidgen" (with no arguments) from the linux command line to generate a token like the one the Splunk GUI does when it creates a new HEC input. ... View more

I wish that link still worked... ... View more

I should say I restarted Splunk after I put the app back. ... View more

Ok, I stopped Splunk, removed the Splunk_TA_nix app, started splunk put the app back and started splunk, and I'm finally no longer getting lsof events. However, I now need to do the same on all my deployment clients... Good thing I was planning on working late. ... View more

This is on Splunk Universal Forwarder 7.0.1. ... View more

Yes, I did. I have since stopped Splunk, removed deploymentclient.conf, and the DS2-Splunk_TA_nix-cre directory, and set the indexes for all the Splunk_TA_nix inputs in Splunk_TA_nix/local/inputs.conf, and restarted splunk. I'm still getting a steady stream of lsof events every minute. ... View more

stop it altogether. some of my servers have 5M files open at a time... ... View more

Here's my btool inputs list --debug output for lsof: /opt/splunkforwarder/etc/apps/DS2-ns2-Splunk_TA_nix-cre/local/inputs.conf [script:///opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/lsof.sh] /opt/splunkforwarder/etc/system/default/inputs.conf _rcvbuf = 1572864 /opt/splunkforwarder/etc/apps/Splunk_TA_nix/local/inputs.conf disabled = 1 /opt/splunkforwarder/etc/system/local/inputs.conf host = c20sbap01l01 /opt/splunkforwarder/etc/apps/DS2-ns2-Splunk_TA_nix-cre/local/inputs.conf index = cre_linux /opt/splunkforwarder/etc/apps/Splunk_TA_nix/local/inputs.conf interval = 600 /opt/splunkforwarder/etc/apps/Splunk_TA_nix/default/inputs.conf source = lsof /opt/splunkforwarder/etc/apps/Splunk_TA_nix/default/inputs.conf sourcetype = lsof Here's my splund.log output: 10-10-2019 16:07:12.898 +0000 INFO ExecProcessor - New scheduled exec process: /opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/lsof.sh 10-10-2019 16:07:12.898 +0000 INFO ExecProcessor - interval: 60000 ms I've tried restarting splunk to no effect... Notice that the interval is set to 600 (600 seconds) in the btool output, but 60000 (60 seconds) in the splunkd.log output. I'll try interval = -1 next. ... View more

You can only find it if you're on Splunk Cloud. On-prem deployments don't have it. Could someone do a tar -tvf "creds-package.spl" and post it here for me? ... View more