i was able to see the log:   2021-05-25 16:09:14,760 ERROR [60ad212aa07f15f4543dd0] __init__:342 - Unable to obtain template "slack_alerts:/templates/setup.html": Traceback (most recent call last): File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/controllers/__init__.py", line 337, in render_template templateInstance = mako_lookup.get_template(template_name) File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/controllers/__init__.py", line 218, in get_template raise_top_level_lookup_exception(uri) File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/controllers/__init__.py", line 165, in raise_top_level_lookup_exception raise exceptions.TopLevelLookupException(_("Splunk has failed to locate the template for uri '%s'." % uri)) TopLevelLookupException: Splunk has failed to locate the template for uri 'slack_alerts:/templates/setup.html'. ... View more

just remember:   1- install a UF, create a folder like /opt/splunkforwarder/etc/apps/deployment_apps/local and put there the deploymentclient.conf with the settings 2- remove if any deploymentclient.conf file exist on /system/local 3- on deployment server, create the same APP name (deployment_app) and configure the settings needed. Then if tomorrow you need to make changed from deployment server to that config, you can do it. I.e replace deployment server, just need to change the settings to point to another one and make the magic...   hope it helps ... View more

You need to remove the deploymentclient.conf from system/local via an script and use always the file on an app.. that way you can change the config anytime and also chamge the deployment server name/ ip if needed. When i install a new UF o always create it on a folder in /etc/apps and remove the local one ... View more

What you need to do for that is the following: 1- When you first deploy your forwarders, create a folder on /opt/splunkforwarder/etc/apps/deployment-server  (for example). Create a local folder on that folder. Do this for all your deployments, you can create an script to create such app 2- Create the file deploymentclient.conf with the deployment server configuration on that local folder 3- On deployment server, you need to create an app with same name deployment-server/local/deploymentclient.conf 4- If you someday need to change all deployment servers IPs, just configure that file on deployment server and send the push, so all will have that changed hope this helps ... View more

Hello @alacercogitatus. I have an error on splunk on SHs : servername.xxx.xxx] Eventtype 'gsuite_internal' does not exist or is disabled. The eventype do exist if i look on search heads. I did use the HF for the collector to send to idx. On SH, with the non configured app, we have that eventtype: index=internal sourcetype=ga* On HF with the collector add-on: same eventtype enabled as on SH thanks ... View more

Hello, i am getting the same error. I just add the blueprint for cloudwatch and when making a test i get: TypeError: Cannot read property 'data' of undefined at exports.handler (/var/task/index.js:34:45) any help on that? ... View more

You are right that the title should be named different. Anyway, it worked well, thanks so much for the info. ... View more

Hello You should use in outputs.,conf the following parameter: forceTimebasedAutoLB=true With this, it will load balance between indexers regards ... View more

I guess that When SHOULD_LINEMERGE=true is when you can configure BREAK_ONLY_BEFORE, but if it is false, it will not work ... View more

https://splunkbase.splunk.com/app/1365/#/documentation. The add on is embedded into the APP is the one for version SEP12 ... View more

Hello Well, first i tried with this, which it remove all event with lincecount>1 but lincecount>2 you may find still some. Is weird, becuase if you go to http://regexr.com/ and paly with the event and regex it seems to break all lines, but on https://regex101.com/ it only one one line and does not continue. THis is the /local/props.conf I CONFIGURED on the SEP TA: [sep12:system] LINE_BREAKER = ([\n\r]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2} [sep12:agent] LINE_BREAKER = ([\n\r]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2} [sep12:behavior] LINE_BREAKER = ([\n\r]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2} [sep12:traffic] LINE_BREAKER = ([\n\r]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2} [sep12:scan] LINE_BREAKER = ([\n\r]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2} [sep12:ids] LINE_BREAKER = ([\n\r]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2} [sep12:risk] LINE_BREAKER = ([\n\r]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2} [sep12:proactive] LINE_BREAKER = ([\n\r]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2} [sep12:admin] LINE_BREAKER = ([\n\r]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2} [sep12:policy] LINE_BREAKER = ([\n\r]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2} And the default one, which is working now is: (DEFAULT TO THE TA [sep12:log] TRANSFORMS-sub_sourcetype_sep12_file = force_sourcetype_sep12_agent,force_sourcetype_sep12_traffic,force_sourcetype_sep12_proactive,force_sourcetype_sep12_behavior,force_sourcetype_sep12_risk,force_sourcetype_sep12_admin,force_sourcetype_sep12_policy,force_sourcetype_sep12_agt_system,force_sourcetype_sep12_scan,force_sourcetype_sep12_security,force_sourcetype_sep12_scm_system .tmp transforms are for file-based data [sourcetype::...smc_admin.tmp] sourcetype = sep12:admin SHOULD_LINEMERGE = false TIME_FORMAT = %Y-%m-%d%n%%H:%M%S [sourcetype::...smc_agent_act.tmp] sourcetype = sep12:agent SHOULD_LINEMERGE = false TIME_FORMAT = %Y-%m-%d%n%%H:%M%S [sourcetype::...smc_policy.tmp] sourcetype = sep12:policy SHOULD_LINEMERGE = false TIME_FORMAT = %Y-%m-%d%n%%H:%M%S [sourcetype::...agt_behavior.tmp] sourcetype = sep12:behavior SHOULD_LINEMERGE = false TIME_FORMAT = %Y-%m-%d%n%%H:%M%S [sourcetype::...agt_proactive.tmp] sourcetype = sep12:proactive SHOULD_LINEMERGE = false TIME_FORMAT = %Y-%m-%d%n%%H:%M%S Thanks ... View more