Hi, I am using DB Connect 3.1.1 to get data from a Microsoft SQL Server 2014 database. I am required to collect the results of the invocation of some stored procedures. According to the documentation, dbxquery command supports stored procedures in databases beginning with version 3.0.0. However I am not able to configure a DB input based on a stored procedure. In fact db_inputs.conf.spec only admits a "query" parameter (while dbxquery command allows the use of a "procedure" parameter"). If i try to "trick" the "Edit Input" GUI, using a SQL statement that contains "exec , I am able to retrieve results, but columns are returned in alphabetic order and "Rising column" / "Timestamp column" dropdowns do not contain selectable values. Finally, if I put the same "exec " in db_inputs.conf, I get some errors due to missing checkpoint file (I created it manually to solve the issue) and missing metadata files (no idea where they should be and I stopped, because I don't want to do heavy "hacking" of the app). Any suggestions on how to create a DB input based on a stored procedure? ... View more

Hello guys, We are going to install two Heavy Forwarders on Windows 2012 R2 servers. The remaining instances of Splunk, which build up our distributed architecture, are running on SLES. As usual, according to best practices, I was trying to distribute our "master" splunk.secret file to new Heavy Forwarders hosted on Windows servers. I tried to install Splunk using the following command line: msiexec.exe /i splunk-<...>-x64-release.msi AGREETOLICENSE=Yes WEB_PORT= DEPLOYMENT_SERVER="" LAUNCHSPLUNK=0 INSTALL_SHORTCUT=0 As expected the "splunkd" service did not start when installation finished, but unluckily a new splunk.secret was automatically created and contents where encrypted using it. So I tried an interactive installation with only the "LAUNCHSPLUNK=0" flag and I monitored the file system: I noticed that the splunk.secret and the encrypted files are created at the same exact time, before the service is started. QUESTION: is it possible to install Splunk on Windows without the creation of a new splunk.secret and the subsequent encryption of data with it, in the same way it is possible in Linux? Thank you! ... View more

Hi, I have found a strange behaviour in the Splunk Add-on for Windows: it contains some transformations, used to extract CIM-compliant fields, which are not correctly processed. After some analysis, I found out that all the transforms which include a REGEX ending with an escaped "backslask" are not processed correctly. For instance, this transformation is not processed at search time: [Security_ID_as_dest_nt_domain] SOURCE_KEY = Security_ID REGEX = (.+)\\ FORMAT = dest_nt_domain::"$1" In addition, when I try to edit these transformations using the GUI, I see that the existing REGEX is read by Splunk as: (.+)\\FORMAT = dest_nt_domain::"$1" In my opinion, something is going wrong when Splunk is parsing a regex ending with an escaped backslash. Has anybody incurred the same problem? I am using Splunk 6.2.0 and Splunk_TA_windows 4.7.4 (but I see the same regex in transforms.conf of Splunk_TA_windows 4.7.5). At present, as a workaround, I have created a "transforms.conf" in Splunk_TA_windows/local , overriding the transforms which use regular expressions ending with an escaped backslash. I rewrite the REGEX enclosing the ending backslashes in square brackets. For instance, the above mentioned transformation becomes: [Security_ID_as_dest_nt_domain] SOURCE_KEY = Security_ID REGEX = (.+)[\\] FORMAT = dest_nt_domain::"$1" ... View more

Hi, we have a multisite indexers cluster with two nodes and replication factor = 2. All instances are running Splunk 6.2. In the official documentation we read that it is not possible to back up just the data on a single node, since there's no certainty that a single node contains all the data in the cluster. I suspect that this is not true in our scenario, where all data are replicated to both nodes (replication factor = total number of peers). Am I right? Can we backup data from one node (snapshot backup) and be sure that all data has been saved? ... View more

After the upgrade to Splunk 5.0.3, my syslog data sources suddenly stopped to work. Using MS Network Monitor and Wireshark, I am able to see syslog packets reaching the server. Upgrading to 5.0.4 did not resolve the issue. Splunk is installed on a Windows 2008 R2 machine. Anyone experiencing the same problem? ... View more

Hello everybody, due to strict security requirements, I am trying to setup the Splunk Universal Forwarder service to run with a domain account that has NOT administrative privileges on the server. I have granted to the account the minimum permissions specified by Splunk Documentation and I also gave the account full permissions on folder %programfiles%\SplunkUniversalForwarder. I tried to set the account as owner of the entire %programfiles%\SplunkUniversalForwarder folders hierarchy. I have tried to specify the domain account during Forwarder setup and but I also tried to install the Forwarder to run with Local System account and to change the account afterwards. Anyway the service always fails to start, without any specific event in the event logs, even if I tried to rise auditing of security events at maximum level (just to track if some required privilege was missing). Again, nothing gets written to Splunk logs. The only event in the System event log is: "The SplunkForwarder service terminated unexpectedly". Could you give me any suggestion, please? Please note that, due to our requirements, the Forwarder MUST run as a domain account. Thank you for your help. ... View more