The fix is in 8.0.4 which is now available May need to set python.version in server.conf (https://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverconf) python.version = {python2|python3|force_python3} * For Python scripts only, sets the default Python version to use. * Can be overridden by other 'python.version' values elsewhere, with the following exception: * If you set to "force_python3", the system always uses Python 3, and ignores 'python.version' values that you set elsewhere. * Default: python2 This will determine the name of the python executable it looks for when running python commands (relevant python install needs to be in PATH) If your instance uses python.exe, python.version needs to be set to a value of:- unspecified This is not documented in current docs. Set python.version accordingly : python2 - python install uses python2/python2.exe python3 - python install uses python3/python3.exe unspecified - python install uses python/python.exe Tested just now and it works. ... View more

In 6.5.3 and higher , buckets can also be rolled in the UI Settings > the Distributed Environment group, click Indexer clustering. This takes you to the Master dashboard. select the Indexes tab. Click the Bucket Status Click Bucket, Action > Roll ... View more

It has an example as well.. Perform selective indexing and forwarding With a heavy forwarder only, you can index and store data locally, as well as forward the data onwards to a receiving indexer. There are two ways to do this: 1. In outputs.conf: [tcpout] defaultGroup = indexers [indexAndForward] index=true selectiveIndexing=true [tcpout:indexers] server = 10.1.1.197:9997, 10.1.1.200:9997 2. In inputs.conf, Add _INDEX_AND_FORWARD_ROUTING for any data that you want index locally, and _TCP_ROUTING= for data to be forwarded. [monitor:///var/log/messages/] _INDEX_AND_FORWARD_ROUTING=local [monitor:///var/log/httpd/] _TCP_ROUTING=indexers ... View more

no special format. just json you may need to do INDEXED_EXTRACTIONS = json in props.conf.. per http://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Extractfieldsfromfileswithstructureddata there is also search time KV_MODE=json (but do not set both KV_MODE and INDEXED_EXTRACTIONS ...its an either or,,, will get duplicate fields if both set) https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf ... View more

seems to be a problem with the csv/lookup.. as it is splunk cloud.. will need to log a case to get cloud support team to look at it ... View more

[monitor:///home/splunk] disabled = false blacklist = \/home\/splunk\/anotherdir\/ sourcetype = sbblacklist and files within /home/splunk/anotherdir/ were excluded okay Turning DEBUG on for log channel TailingProcessor also confirmed match blacklist DEBUG TailingProcessor - Not using stanza for this item (Matched blacklist '\/home\/splunk\/anotherdir\/'.). ... View more

This can also occur in following scenario... 'server.conf', in stanza [sslConfig] , a custom CA is defined in paramater "sslRootCAPath" example [sslConfig] .. sslRootCAPath = /opt/certs/myCA.pem .. In this case, per the docs, if param “sslRootCAPath” has been set (in stanza ‘sslConfig’) then caCertFile will be ignored. http://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverconf [applicationsManagement] … caCertFile = * Full path to a CA (Certificate Authority) certificate(s) PEM format file. * The must refer to a PEM format file containing one or more root CA certificates concatenated together. * Used only if 'sslRootCAPath' is unset. * Used for validating SSL certificate from https://apps.splunk.com/ … e.g this flow.. splunkd ——> splunkbase <—— sends server cert signed by CA GlobalSign splunkd verifies the server cert against your custom cert in file defined in sslRootCAPath , which does not contain the CA GlobalSign (this is defined in $SPLUNK_HOME/etc/auth/appsCA.pem) To get round this, concatenate the appsCA.pem contents to your custom CA (as defined in sslRootCAPath in the [sslConfig] stanza) make a backup of your custom CA first cp yourCustomCA.pem yourCustomCA.pem.backup cat $SPLUNK_HOME/etc/auth/appsCA.pem >> yourCustomCA.pem then restart splunk ... View more

see: https://answers.splunk.com/answers/210973/unable-to-add-tcp-data-inputs-in-splunk-cloud.html ... View more

the number of queries dbconnect issues ? If so, at the most basic.. something like this maybe? index=_internal source=*dbx_query_audit.log sourcetype=dbx_query_audit action=sql_audit|stats count by sql ... View more