Renaming the file, as my previous answer suggested, does not stop the alerts. What appears to work is editing the search query that triggers this alert. Go to /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/savedsearches.conf Copy out the [Audit - ES System Requirements] stanza Paste it into /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/local/savedsearches.conf Edit the appropriate test, such as "numberOfCores" or "physicalMemoryMB" ... View more

The answer went "beyond" the question by not answering the actual question. Read the question, "How do I get it to stop, regardless of my system requirements?" I repeat, "regardless of my system requirements." This site is called answers.splunk.com, not Im-gonna-tell-you-how-to-run-your-splunk-instance-because-I-know-your-environment-and-needs-better-than-you.splunk.com. It did not answer the question therefore it should not be considered an answer. I'm not disagreeing on the points made about the effectiveness of the documented minimum requirements. They are sound. And belong in the answers for a question asking if it is ok to run a Splunk box under the minimum requirements. But that is not this question here. ... View more

A Python script performs the check that kicks out the alert in question. /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/configuration_checks/confcheck_es_system_requirements.py Renaming this file (to something like confcheck_es_system_requirements.bak) seems to effectively stop in from running and stop the alerts. While it is not the proper way to run Splunk, this addresses the question asked. I'm not going to tell you how to run your Splunk instance. You know your environment better than anyone else here. We all know what the term "minimum requirements" means. The question is not asking for people to tell him to upgrade to the minimum requirements, which is the straightforward alert verbiage. ... View more

I downvoted this post because it doesn't answer the question that was asked. ... View more

I'm creating it via a bash shell script that is using the sqlcmd command provided by the Microsoft MS-SQL driver (this is on a RHEL6 box) to query the database and create the file. The output overwrites the previous csv in a lookup folder every morning. ... View more

I figured the username should fit with the product ... max_memtable_bytes is 10MB but my csv is 4.5MBs. ... View more

Only 1 line per event in my csv lookup file. I'm trying to find some rhyme and reason to which rows are missing. ... View more

Why would quotes affect this? A csv is split by linebreaks for rows, and commas for columns. ... View more

Also, when performing additional searches through Splunk on this lookup file, there are missing fields. When I search for it in the actual file, the rows I'm looking for are there. This is the command I use to search through the lookup table: |inputlookup resources.csv |search host_name=2AH39911B And yes, the "host_name" field exists. As does the specific host_name I'm searching for. No results in the Splunk search though. ... View more

I went with the 2nd option as I'm not very familiar with appendcols and it didn't work immediately for me. It said I had to use a chart option instead of a table. But the 2nd option with the join works great. Thank you. ... View more

I'm having this same problem. Getting results of "## NOT SUPPORTED TYPE ##" for several binary16 fields. Haven't figured out what the issue is yet. Database = MySQL Driver = jTDS and MySQL Java = jre1.8.0_45 Python = 2.6.6 Splunk Enterprise = 6.2.3 DB Connect v2 = 2.0.2 ... View more

As I'm digging more, it appears the problem is bigger than I expected. Iam unable to collect data into a summary index. Getting odd behavior. Some stuff works, other stuff does not. This works: index=security sourcetype=dbx2 source=ca_owned_resource inactive=0 resource_status=2600 OR resource_status=0 resource_family=362243 OR resource_family=3622436 OR resource_family=3622435 OR resource_family=3622486 OR resource_family=3622488 OR resource_family=3622500 OR resource_family=3622458 OR resource_family=3622454 OR resource_family=3622491 OR resource_family=3622492 |dedup resource_name |stats count(resource_name) as asset_mgmt.cmdb.active |collect index=summary This does not: index=security sourcetype=nmap_xml host.status{@state}=up earliest=-5d |stats first(host.status{@state}) as State by ip |stats count(State) as Count |rename Count as asset_mgmt.nmap_xml.ip.live |collect index=summary Both searches, per se, work fine. But the collection part does not work on the latter query. Each search query provides a number value as expected. When I look at the summary index (index=summary asset_mgmt) right after running each query, only the first search comes up. It does not matter the user I run it as; typical user, power user, or admin. I have also tried this on different searchheads but have the same result. Overall, I have three search strings that will not record into the summary index, and one that will. Other stuff is indexing, such as the MS Exchange app. But this seems to make this original question moot now. I will be opening a new question with this info. ... View more

Different user. But the fieldaliases are already shared globally. Which means, they should apply during an execution of the a report in savedsearches.conf. When I inspect the job, it says "done." Meaning it is running, and successfully. But I'm collecting them into the summary index. Yet it never shows up. Actually, one out of four do. The one that does does not use any aliases. The ones that fail use aliases and field extracts, too (all of which work when I use the same search query). ... View more

I think this Splunk Answer answers it best: http://answers.splunk.com/answers/3718/deployment-server-not-sending-config-file-to-client.html The deployment server hashes the app. It gives that hash to the deployment client. When the deployment client checks in with the deployment server, they compare the hash that was traded previously. This is not a situation where the deployment client ever hashes the app it has been pushed to it, it is merely comparing the hash it was given by the dep. server. This means that the only time the app will be reloaded is when it is completely missing or when the app on the deployment server is updated, thus creating a new hash, which will not match with the hash the deployment client was previously given, and thus the entire app (not just one or two files that were changed) will be redownloaded. ... View more

Disabling the app until it can be corrected seems to be the logical way to go. The default setting according to the app.conf spec file is enable. ... View more

I'm having this issue currently. It seems to be happening with all my deployment clients. No changes are being updated. The only way things are updated is if I completely remove the app from the deployment client, at which point the app will be redeployed in full. I assume it is a problem with the deployment server. But I can't find a setting that would seem to be causing this. Anyone have any ideas? ... View more

Woodcock already stated that he restarted repeatedly. What is the alias name for the client that you're referring to? ... View more