Is there a possibility to implement a high-availability concept in Splunk License master server? Scenario: when the Splunk license master server goes DOWN/UNREACHABLE, Splunk indexers & forwarders connected to the master servers are orphaned (if >24hrs down), where if the secondary license master is there, which can supplement this. No violation in license usage. Usage calculation per daily basis should be based on primary. Any suggestion is highly appreciated. Thanks ... View more

I am just trying to create a dashboard which shows Windows System information (like Task Manager) Powershell script: Get-Process | Where-Object {$_.ws -gt 0MB} | ForEach-Object -Begin { $Owner = Get-WmiObject -Class Win32_Process } -Process { $ID = $_.Id New-Object -TypeName 'PSCustomObject' -Property @{ 'UserName' = ($Owner | Where-Object {$_.ProcessID -eq $ID}).GetOwner().User 'DomainName' = ($Owner | Where-Object {$_.ProcessID -eq $ID}).GetOwner().Domain 'ProcessName' = $_.ProcessName 'MemoryUsed' = "{0:N2} MB" -f ($_.WS / 1MB) } | Select-Object -Property UserName,DomainName,ProcessName,MemoryUsed } Output of the script: UserName DomainName ProcessName MemoryUsed --------- ---------- ----------- ---------- NETWORK SERVICE NYYYY chrome 6.61 MB SYSTEM NYYYY Explorer 17.80 MB User1 CCTTT cmd 9.65 MB The Script runs fine and Exeution-Policy are set to Remote-Signed I set the inputs.conf to read the Script at bin directory, but unable to get the output as expected? Does any modifications needed at script ? I created a .cmd file to open the powershell script and placed both the .ps1 & .cmd at /bin directory Inputs.conf [script://E:\APPS\SplunkUniversalForwarder\etc\apps\MSICreated\bin\Status.cmd] interval = 0 sourcetype = winperf index = main ... View more

How to compare two fields in two different sourcetypes ? eg: Events from sourcetype 1 : int Tier OS version SIT MAC v8 SIT Windows v7 SIT CentOS v2 sourcetype 2 : uat Tier OS version UAT MAC v8 UAT Windows v6 UAT CentOS v2 I used the query : index=* sourcetype =int|table OS,INTversion|join[search index=* sourcetype=uat|table UATversion] Output: Tier | INTversion |UATversion MAC | v8 | v8 Windows |v7 | v6 CentOS | v2 |v2 I need a additional column here like Difference between INT & UAT - Expected Output: Tier | INTversion |UATversion | Difference MAC | v8 | v8 | No Windows |v7 | v6 |Yes CentOS | v2 |v2 | No I tried with some diff , match , eval commands - doesn't helped. Please help in this ... View more

I have configured the inputs.conf to monitor the log file of NetFlow logic Since the log file is in unreadable format , i set the props.conf to NO_BINARY_CHECK =1 After that i receive the logs in the below format . Is this the correct one ? am i missing something here ? 2014-01-29T05:56:35+00:00 10.0.255.245 \x84R\xE8\x98%\x00d\xD2I\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00
0\x00\x00\x00\x00\x00\x00\x00\xAC \xAC
\xA6\xA3\x00{\x00\x00\x96\x00\x00 : \x00\x00\x00\x00\x00\x8A\x00\x8A
\xBE\xEF\x00\x00\x00\x00\x00\x00\xCC\x00\x00\x00\x00\x00\x00\x00\xAC \xAC "\xB3\xDE\x00\x00\x96\x00\x00 \x00\x00\x00\x00\x00\x8A\x00\x8A
\xBE\xEF\x00\x00\x00\x00\x00\x00-\x00\x00\x00\x00\x00\x00\x00 \xAC \xAC \xB3\xDE"\x00\x00\xC6\x00\x00 \x00\x00\x00\x00\x00\x8A\x00\x8A
\xBE\xEF\x00\x00\x00\x00\x00\x00\x00\xA4\x00\x00\x00\x00\x00\x00\x00\xAC \xAC "\xB3\xDD\x00\x00\x96\x00\x00 \x00\x00\x00\x00\x00\x8A\x00\x8A
\xBE\xEF\x00\x00\x00\x00\x00\x00\xB0\x00\x00\x00\x00\x00\x00\x00\xAC \xAC ... View more

I have a windows platform . Splunk universal forwarder is deployed to collect the logs from a Citrix Xen app server. Do I need to copy the addons from the below location and drop in to Universal Forwarder ? Splunk_Home/etc/apps/SplunkAppForXenApp/appserver/addons Please advice. Also , without UF is there a way to monitor Citrix XenApp from Splunk ? Similar to modular inputs ? Suggest a good documentation regarding setting up Splunk app for Citrix Xen App ... View more

Hello, In my Splunk dashboard I wanted to display the contents of a web URL ,. Please suggest some examples. Is there any plugin to directly provide the URL and get the data into splunk and index ? Please help. Thanks. ... View more