Splunkd logs - in universal forwarder I notice,     INFO AutoLoadBalancedConnectionStrategy [XXXXX TcpOutEloop] - After randomization, current is first in the list. Swapping with last item   what is this log indicate ? ... View more

Is there a possibility to implement a high-availability concept in Splunk License master server? Scenario: when the Splunk license master server goes DOWN/UNREACHABLE, Splunk indexers & forwarders connected to the master servers are orphaned (if >24hrs down), where if the secondary license master is there, which can supplement this. No violation in license usage. Usage calculation per daily basis should be based on primary. Any suggestion is highly appreciated. Thanks ... View more

I am just trying to create a dashboard which shows Windows System information (like Task Manager) Powershell script: Get-Process | Where-Object {$_.ws -gt 0MB} | ForEach-Object -Begin { $Owner = Get-WmiObject -Class Win32_Process } -Process { $ID = $_.Id New-Object -TypeName 'PSCustomObject' -Property @{ 'UserName' = ($Owner | Where-Object {$_.ProcessID -eq $ID}).GetOwner().User 'DomainName' = ($Owner | Where-Object {$_.ProcessID -eq $ID}).GetOwner().Domain 'ProcessName' = $_.ProcessName 'MemoryUsed' = "{0:N2} MB" -f ($_.WS / 1MB) } | Select-Object -Property UserName,DomainName,ProcessName,MemoryUsed } Output of the script: UserName DomainName ProcessName MemoryUsed --------- ---------- ----------- ---------- NETWORK SERVICE NYYYY chrome 6.61 MB SYSTEM NYYYY Explorer 17.80 MB User1 CCTTT cmd 9.65 MB The Script runs fine and Exeution-Policy are set to Remote-Signed I set the inputs.conf to read the Script at bin directory, but unable to get the output as expected? Does any modifications needed at script ? I created a .cmd file to open the powershell script and placed both the .ps1 & .cmd at /bin directory Inputs.conf [script://E:\APPS\SplunkUniversalForwarder\etc\apps\MSICreated\bin\Status.cmd] interval = 0 sourcetype = winperf index = main ... View more

How to compare two fields in two different sourcetypes ? eg: Events from sourcetype 1 : int Tier OS version SIT MAC v8 SIT Windows v7 SIT CentOS v2 sourcetype 2 : uat Tier OS version UAT MAC v8 UAT Windows v6 UAT CentOS v2 I used the query : index=* sourcetype =int|table OS,INTversion|join[search index=* sourcetype=uat|table UATversion] Output: Tier | INTversion |UATversion MAC | v8 | v8 Windows |v7 | v6 CentOS | v2 |v2 I need a additional column here like Difference between INT & UAT - Expected Output: Tier | INTversion |UATversion | Difference MAC | v8 | v8 | No Windows |v7 | v6 |Yes CentOS | v2 |v2 | No I tried with some diff , match , eval commands - doesn't helped. Please help in this ... View more

I have configured the inputs.conf to monitor the log file of NetFlow logic Since the log file is in unreadable format , i set the props.conf to NO_BINARY_CHECK =1 After that i receive the logs in the below format . Is this the correct one ? am i missing something here ? 2014-01-29T05:56:35+00:00 10.0.255.245 \x84R\xE8\x98%\x00d\xD2I\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00
0\x00\x00\x00\x00\x00\x00\x00\xAC \xAC
\xA6\xA3\x00{\x00\x00\x96\x00\x00 : \x00\x00\x00\x00\x00\x8A\x00\x8A
\xBE\xEF\x00\x00\x00\x00\x00\x00\xCC\x00\x00\x00\x00\x00\x00\x00\xAC \xAC "\xB3\xDE\x00\x00\x96\x00\x00 \x00\x00\x00\x00\x00\x8A\x00\x8A
\xBE\xEF\x00\x00\x00\x00\x00\x00-\x00\x00\x00\x00\x00\x00\x00 \xAC \xAC \xB3\xDE"\x00\x00\xC6\x00\x00 \x00\x00\x00\x00\x00\x8A\x00\x8A
\xBE\xEF\x00\x00\x00\x00\x00\x00\x00\xA4\x00\x00\x00\x00\x00\x00\x00\xAC \xAC "\xB3\xDD\x00\x00\x96\x00\x00 \x00\x00\x00\x00\x00\x8A\x00\x8A
\xBE\xEF\x00\x00\x00\x00\x00\x00\xB0\x00\x00\x00\x00\x00\x00\x00\xAC \xAC ... View more

I have a windows platform . Splunk universal forwarder is deployed to collect the logs from a Citrix Xen app server. Do I need to copy the addons from the below location and drop in to Universal Forwarder ? Splunk_Home/etc/apps/SplunkAppForXenApp/appserver/addons Please advice. Also , without UF is there a way to monitor Citrix XenApp from Splunk ? Similar to modular inputs ? Suggest a good documentation regarding setting up Splunk app for Citrix Xen App ... View more

Hello, In my Splunk dashboard I wanted to display the contents of a web URL ,. Please suggest some examples. Is there any plugin to directly provide the URL and get the data into splunk and index ? Please help. Thanks. ... View more

Background : I am using Splunk verion 4.3.3 , having 4 indexer with 1 Search head and using the default configurations for limits.conf. OS : RHEL 6 Subnet : logging HDD 1 : 40 HDD 2: 100 Memory : 16 CPU cores :4 By default settings my search head is capable of doing 4 concurrent searches. (as recommended by splunk) However often i am getting maximum historical search limit is reached. and this is quite annoying for my users. Suggest me a best idea to resolve this, (something from my readings , correct me if i am wrong below) Shall i tweak the default settings in limits.conf . How far this is recommended to localize this configuration file ? Shall i increase the no. of cores in Search head's CPU ? Do i need to go for multiple search heads ? Can i try this , restrict the Splunk users triggering a complex query | or a query which fetches very old data . Restrict features in TimeRange picker -remove "All Time" selection However i wanted to limit the users from complex query. Is there any tricks ? or any way to force the search query to show limited data , even though long time range is selected ? Kindly advice. Thanks, Chimbu ... View more

Splunkweb Enables and provides a easier medium to Setup or Change the Configuration settings in Splunk Indexer/ Search head. Is there any application to visualize the settings for Splunk Universal Forwarder in dashboard ? ... View more