Hi, I am using DB Connect 3.1.1 to get data from a Microsoft SQL Server 2014 database. I am required to collect the results of the invocation of some stored procedures. According to the documentation, dbxquery command supports stored procedures in databases beginning with version 3.0.0. However I am not able to configure a DB input based on a stored procedure. In fact db_inputs.conf.spec only admits a "query" parameter (while dbxquery command allows the use of a "procedure" parameter"). If i try to "trick" the "Edit Input" GUI, using a SQL statement that contains "exec , I am able to retrieve results, but columns are returned in alphabetic order and "Rising column" / "Timestamp column" dropdowns do not contain selectable values. Finally, if I put the same "exec " in db_inputs.conf, I get some errors due to missing checkpoint file (I created it manually to solve the issue) and missing metadata files (no idea where they should be and I stopped, because I don't want to do heavy "hacking" of the app). Any suggestions on how to create a DB input based on a stored procedure? ... View more

Hello guys, We are going to install two Heavy Forwarders on Windows 2012 R2 servers. The remaining instances of Splunk, which build up our distributed architecture, are running on SLES. As usual, according to best practices, I was trying to distribute our "master" splunk.secret file to new Heavy Forwarders hosted on Windows servers. I tried to install Splunk using the following command line: msiexec.exe /i splunk-<...>-x64-release.msi AGREETOLICENSE=Yes WEB_PORT= DEPLOYMENT_SERVER="" LAUNCHSPLUNK=0 INSTALL_SHORTCUT=0 As expected the "splunkd" service did not start when installation finished, but unluckily a new splunk.secret was automatically created and contents where encrypted using it. So I tried an interactive installation with only the "LAUNCHSPLUNK=0" flag and I monitored the file system: I noticed that the splunk.secret and the encrypted files are created at the same exact time, before the service is started. QUESTION: is it possible to install Splunk on Windows without the creation of a new splunk.secret and the subsequent encryption of data with it, in the same way it is possible in Linux? Thank you! ... View more

Hi, I have found a strange behaviour in the Splunk Add-on for Windows: it contains some transformations, used to extract CIM-compliant fields, which are not correctly processed. After some analysis, I found out that all the transforms which include a REGEX ending with an escaped "backslask" are not processed correctly. For instance, this transformation is not processed at search time: [Security_ID_as_dest_nt_domain] SOURCE_KEY = Security_ID REGEX = (.+)\\ FORMAT = dest_nt_domain::"$1" In addition, when I try to edit these transformations using the GUI, I see that the existing REGEX is read by Splunk as: (.+)\\FORMAT = dest_nt_domain::"$1" In my opinion, something is going wrong when Splunk is parsing a regex ending with an escaped backslash. Has anybody incurred the same problem? I am using Splunk 6.2.0 and Splunk_TA_windows 4.7.4 (but I see the same regex in transforms.conf of Splunk_TA_windows 4.7.5). At present, as a workaround, I have created a "transforms.conf" in Splunk_TA_windows/local , overriding the transforms which use regular expressions ending with an escaped backslash. I rewrite the REGEX enclosing the ending backslashes in square brackets. For instance, the above mentioned transformation becomes: [Security_ID_as_dest_nt_domain] SOURCE_KEY = Security_ID REGEX = (.+)[\\] FORMAT = dest_nt_domain::"$1" ... View more

Hi, we have a multisite indexers cluster with two nodes and replication factor = 2. All instances are running Splunk 6.2. In the official documentation we read that it is not possible to back up just the data on a single node, since there's no certainty that a single node contains all the data in the cluster. I suspect that this is not true in our scenario, where all data are replicated to both nodes (replication factor = total number of peers). Am I right? Can we backup data from one node (snapshot backup) and be sure that all data has been saved? ... View more