I just had this exact issue installing Splunk on a Windows 2022 Server running on ESXi. Followed your advice and worked like a charm. Thank you, sir. ... View more

Apply 8.0.1 verified using the tests above that it no longer blocks as dependency on CMSlave lock has been fixed Solution: Apply maintenance release 8.0.1 Fix is covered in JIRA SPL-177646 dependency on CMSlave lock has been fixed Description: Splunk unable to upload to S3 with Smartstore through Proxy Reported as IDX cluster smartstore enabled with problems during upload to S3 and S2 enabled IDX cluster showing upload and download failure Root cause: Configurations changed in server.conf max_concurrent_uploads/downloads to unusually high values which caused pressure via proxy between indexers and S3. Too many connections to S3 from indexers (via proxy server) and Splunk CORE (CMSlave lock algorithm deficiency) couldn’t handle it. Hence the request to upload/download could not proceed and eventually failing on uploads. A sudden increase in uploads/downloads, has lead to a throttling affect via the proxy from indexer to the S3 storage system and overloaded splunk CORE and this backed up (and timed out) on the indexer side preventing downloads/uploads. Workaround (if can't migrate to 8.0.1 straight away) Setting these back to default values helped - max_concurrent_uploads/downloads. ... View more

As a splunkworks add on which is in the public domain Splunk support will not support the add on. However please follow these steps to see if there is some help to be offered Step 1 Confirm add on is covered by splunkworks Step 2 Go to the details verify the source is available on github Step 3 If it can be shown conclusively that the issue is a Splunk CORE issue then splunk will endeavour to rectifying the CORE problem should it be proven so by Splunk Support. ... View more

This occurs for Splunk 6.4.4 possibly related to issue SPL-141089 which is fixed in 6.5 and other releases Problem evaluation: Prior to this fix, we didn't have a mechanism of keeping the SAML user attributes such as email and realname on the disk If the auth system were to be bounced, the cache would get cleared, which would result in the loss of the user attributes Another scenario identified during the course of this investigation: in a SHC, if the SH, which was used by the LB to log the user in, goes down, a different SH in the cluster wouldn't have the user attributes, resulting in the same problem. Resolution: Store the user's real name and email id along with the role list under the userToRoleMap_SAML stanza of authentication.conf. The role list, real name and email are all separated by "::" delimiter. If any of these string have "::" as part of them, the same is stripped off before storing in authentication.conf The GET endpoint for admin/SAML-user-role-map is also updated to now return real name and email id along with the real list. This issue has been fixed in the the following releases: 6.5.6+ 6.6.4+ 7.0.0+ http://docs.splunk.com/Documentation/Splunk/6.5.6/ReleaseNotes/6.5.6 SPL-141089, SPL-143593, SPL-142248, SPL-143592 SAML - Users realName and email being dropped from the UI on authentication bounce Support have tested this (on 7.0.2) and when you log in this section is added to authentication.conf to have the name/email mapped: ... [userToRoleMap_SAML] user@someaddress.net = admin::Tester::user@someaddress.net ... View more

The key point here is that ITSI works entirely off numeric values and with this in mind if your script or routine returns a numeric value it can be used in ITSI's dashboard. So a quick google search turns up the utility sc on windows to query services and their running status sc query without arguments it returns a list of services and details about them including their current state. The state contains a numeric value that you could extract and use in ITSI. In this example a running service is showing 4 and a stopped service is showing 1. You can then assign a threshold for your KPI where above 3 is started / green and below 2 is failed and stopped. Anything in between could be orange where the service is either starting up or stopping. SERVICE_NAME: wuauserv DISPLAY_NAME: Windows Update TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_PRESHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 An example of a stopped process. C:\Users\Administrator>sc query ALG SERVICE_NAME: ALG TYPE : 10 WIN32_OWN_PROCESS STATE : 1 STOPPED WIN32_EXIT_CODE : 1077 (0x435) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 For processes in windows you have "tasklist" so if the process is present in the list it has a 1 and if not a 0. For linux you can also use the process table to check if it is running [ps -eaf] and most services in linux have a status command so although painful you could run it for each service you need to check. Again you need to select for a numeric criteria and based on this criteria generate a number that can be passed to ITSI. e.g. $SPLUNK_HOME/bin/splunk status ... View more

I downvoted this post because wrong one vote for sorry ... View more

Hi i tried the same but it isn't working. Step 1 Added an image applog.png in a new folder logo . Step 2 Added loginCustomLogo = logo/appLogo.png in my web.conf file. Step 3 Retart splunk server from Settings>server control>restart server. If i am doing something wrong please help me out with this. Thanks in advance:) ... View more

cool, thank you 🙂 ... View more