Activity Feed
- Got Karma for Re: Dedup vs. Stats performance. 09-09-2022 09:54 AM
- Got Karma for Re: After installing Splunk Add-on Builder, why do I receive error "Unable to initialize modular input "validation_mi""?. 01-14-2021 01:26 PM
- Got Karma for Re: Is there a way to identify which search head a user logs into in a search cluster?. 06-17-2020 10:09 PM
- Got Karma for Re: Why is cluster master stuck at "Bundle validation is in progress" indefinitely after configuration-bundle update?. 06-17-2020 05:03 PM
- Karma Re: Upgrade multiple clusters splunk from 7.1.0 to 7.2.7 for sloshburch. 06-05-2020 12:50 AM
- Karma SHC - failed on handle async replicate request for ahartge. 06-05-2020 12:50 AM
- Karma Re: Splunk integration with service now ticketing tool for soumyasaha25. 06-05-2020 12:50 AM
- Karma Re: Splunk integration with service now ticketing tool for treinke. 06-05-2020 12:50 AM
- Karma Re: user is unable to see the results in dashboard for jpolvino. 06-05-2020 12:50 AM
- Karma Re: user is unable to see the results in dashboard for richgalloway. 06-05-2020 12:50 AM
- Karma Re: Trouble for reading logs on Solaris 5.11 for gfreitas. 06-05-2020 12:50 AM
- Karma Major boot-start change with 7.2.3 for satyenshah. 06-05-2020 12:50 AM
- Karma Re: Unable to authenticate with LDAP for mdsnmss. 06-05-2020 12:50 AM
- Karma Re: Does anyone know why /opt/splunk/var/run/splunk/lookup_tmp would fill up to 65GB on a search head? for tkw03. 06-05-2020 12:50 AM
- Karma Re: Feature Request : Add More ACL Between "Global" and "App" for acharlieh. 06-05-2020 12:50 AM
- Karma Re: Search Head Cluster connected to Multiple Single Site Index Clusters for lakshman239. 06-05-2020 12:50 AM
- Karma Re: Upgrade multiple clusters splunk from 7.1.0 to 7.2.7 for Chamrong. 06-05-2020 12:50 AM
- Karma Upgrade multiple clusters splunk from 7.1.0 to 7.2.7 for Chamrong. 06-05-2020 12:50 AM
- Got Karma for Re: Help with stats count between two urls. 06-05-2020 12:50 AM
- Got Karma for Re: What is the purpose of Report "Audit - Index Readiness" under SA-Utils apps ?. 06-05-2020 12:50 AM
Topics I've Started
04-05-2023
02:11 AM
Hi, did you find any viable solution to this problem?
11-10-2022
06:04 AM
I just found this to absolutely be the case, and was able to use this method to tune a bunch of my queries in one of my dashboards. My use-case is that I'm looking for a unique list of hosts reporting to a given index within a timeframe. Here's a small example of the efficiency gain I'm seeing:
Using "dedup host" : scanned 5.4 million events in 171.24 seconds
Using "stats max(_time) by host" : scanned 5.4 million events in 22.672 seconds
I was so impressed by the improvement that I searched for a deeper rationale and found this post instead. I'm sure there's a sophisticated internal answer for this significantly improved execution path, but for now I'll just be happy that it works as well as it does.
10-27-2022
09:04 PM
I'm wondering this same thing: can the schedule be modified, since it's pretty resource intensive? Haven't seen a response on this thread in a while.
06-21-2022
08:57 PM
Hi @rasikmhetre, you can add 'secret key' for the addon in the 'passwords.conf' file. The password will be encrypted once you restart the Splunk service. Can you explain the issue that you are facing with CLI?
03-30-2022
06:33 PM
Anyone else facing the same issues in 8.2.4? Will check with support and see.
02-01-2022
07:43 PM
Thanks, this worked for me! On Win I used this version.
01-21-2022
09:59 AM
In Oracle you have the unified audit trail, and there are some pre-deployed policies which you can activate and start immediately.
https://docs.oracle.com/en/database/oracle/oracle-database/19/sqlrf/CREATE-AUDIT-POLICY-Unified-Auditing.html
To retrieve and visualize the trail, you can use the following Oracle Unified Audit App for Splunk:
https://splunkbase.splunk.com/app/6172/
Best regards,
Altin
08-12-2021
02:23 AM
Splunk 8.x.x here. Profiling settings did block my apply bundle command.
/opt/splunk/bin/splunk apply cluster-bundle
Encountered some errors while applying the bundle.
Cannot apply (or) validate configuration settings. Bundle validation is in progress.
/opt/splunk/bin/splunk show cluster-bundle
...
<bundle_validation_errors on master>
...
This command did the trick:
curl -k -u admin https://CLUSTER_MASTER_IP:8089/services/cluster/master/control/default/cancel_bundle_push -X POST
And I could edit and apply the bundle afterwards.
05-20-2021
10:49 PM
I encountered the same problem in my environment. We use "schedule search" + "| loadjob" in our dashboard for access control to avoid granting users index access. We sought help from Splunk support; they suggested that we increase the number of max_peer_rep_load, but they didn't know what the number should be increased to, so we need to try it ourselves.
01-08-2020
08:56 AM
I am able to start the web UI after the upgrade. The problem was that there are multiple apps having Python scripts which are not compatible with Splunk 8.x. So I have removed those apps to make it work.
Apps I had to remove:
Splunk_TA_jmx
splunk_app_for_nix
DBdata
sideview_utils
dbx
sos
01-20-2020
04:01 AM
Following is the search query.
index=main sourcetype=wms_oracle_sessions | bucket span=5m _time | stats count AS sessions by _time,warehouse,machine,program | stats sum(sessions) AS wsessions by _time,warehouse | timechart avg(wsessions) by warehouse
01-08-2020
06:12 AM
This will help inspire you:
https://docs.splunk.com/Documentation/UseCases/usecases/ITOA/Summary#Application_monitoring_and_triage
01-06-2020
05:54 AM
@BainM
Mike,
I am glad that you were able to resolve the issue(s) with your custom index. No credentials for the network node(s) in your Node List are required for the "Check ssh Port Open" Command Type. The "Check ssh Port Open" Command Type uses the Python socket library to check if the ssh port is open which does not require logging into the ssh server of the network node(s).
Regards,
Jeff
01-21-2020
07:04 AM
Thanks @darrenk_splunk . Based on the info that you provided, I agree...it is not a bug. The Linux "cat" and grep commands help explain the unexpected output also.
[root@localhost bin]$ cat /opt/splunk/etc/system/default/inputs.conf | grep "monitor://"
[monitor://$SPLUNK_HOME/var/log/splunk]
[monitor://$SPLUNK_HOME/var/log/watchdog/watchdog.log*]
[monitor://$SPLUNK_HOME/var/log/splunk/license_usage_summary.log]
[monitor://$SPLUNK_HOME/var/log/splunk/splunk_instrumentation_cloud.log*]
[monitor://$SPLUNK_HOME/etc/splunk.version]
[root@localhost bin]$
01-03-2020
09:37 AM
Thank you @jeffrey_berry!
01-07-2020
02:55 AM
Without knowing all the details I'll try to answer:
The su with the hyphen changes the user environment variables, and without the hyphen it keeps the environment variables (more info here: https://superuser.com/questions/453988/whats-the-difference-between-su-with-and-without-hyphen).
I believe it might be the case you didn't have permissions to read the file before and after su you kept that without the hyphen.
Full su documentation is also available here: http://man7.org/linux/man-pages/man1/su.1.html.
Hope this helps.
12-11-2019
12:54 PM
I agree with you... should've been released by now.
Try reaching out to support; maybe they have something. As a workaround, have a look here:
https://answers.splunk.com/answers/777309/splunk-80-upgrade-has-no-web-server-running.html
Maybe also try fixing or removing the /opt/splunk/etc/apps/splunk_app_for_nix/appserver/modules/CFHiddenSearch/CFHiddenSearch.py and see if that's the only thing causing the issue.
12-11-2019
11:13 AM
Hey Mike - I appreciate the response. I have tried with similar case matching, but haven't had success generating results. I am worried that since the transaction will list 2 account domains for one result, the grouping through results will have inflated results (i.e. result has domain a and domain b listed, domain a and domain b will both receive a count for that one row).
12-31-2019
11:04 AM
Summary of the issue:
Splunk 6.0.0 - Splunk 7.2.1 defaults to using init.d when enabling boot start
Splunk 7.2.2 - Splunk 7.2.9 defaults to using systemd when enabling boot start
Splunk 7.3.0 - Splunk 8.x defaults to using init.d when enabling boot start
systemd defaults to prompting for root credentials upon stop/start/restart of Splunk
Here is a simple fix if you have encountered this issue and prefer to use the traditional init.d scripts vs systemd.
Splunk Enterprise/Heavy Forwarder example (note: replace the splunk user below with the account you run splunk as):
sudo /opt/splunk/bin/splunk disable boot-start
sudo /opt/splunk/bin/splunk enable boot-start -user splunk -systemd-managed 0
Splunk Universal Forwarder example (note: replace the splunk user below with the account you run splunk as):
sudo /opt/splunkforwarder/bin/splunk disable boot-start
sudo /opt/splunkforwarder/bin/splunk enable boot-start -user splunk -systemd-managed 0
03-20-2020
01:59 PM
1 Karma
Ack. I should have mentioned this, too.
08-01-2019
11:01 AM
Answered by @chrisyoungerjds here: https://answers.splunk.com/answers/719213/splunk-instrumentation-error.html
06-24-2019
07:36 AM
Thanks! Upvoted. It's possible this could be the only answer as well.
02-19-2019
10:57 AM
New Error "Error in 'SearchProcessor': Found circular dependency when expanding from.Network_Traffic.All_Traffic"
02-06-2019
03:37 PM
You could use "eventtypes" if you like. Create an eventtype called "firewalls_texas", "firewalls_california", etc.