Thanks a bunch! ... View more

The target is a member that is not down. The deployer will still send to all cluster members regardless of the target. In this case, it's trying to send to the first member in the cluster that is down. ... View more

Yes, very possible. You are able to deploy two search heads, make the indexers search peers to both search heads so that they will be searching over the same data, deploy Enterprise Security to one search head, deploy all other non-ES related apps to the other and ensure that you have the proper users and roles setup. ... View more

Thanks MuS ... View more

Yes. What exactly are you trying to accomplish with multiple license masters? You could install the splunk license, for example on two hosts, and configure them both to be license masters BUT any license slaves that you configure would need to point to one or the other, not both. OR if you are looking for failover capabilities, you could try to put a load balancer in front of the two license masters (as an example). Depends on what your usecase is. ... View more

Also, it depends on the use-case and the deployment. ... View more

A central license master isn't required. So you could install the same enterprise license on multiple machines. Unless that has changed? @MuS Each host would still be fall under that same license. ... View more

You could also try to put a load balancer in front of a "cluster" of license masters as well. It depends on your use case. ... View more

Yes, you have the ability to designate one splunk host as a license master and make other splunk hosts license slaves. The other alternative is to install the license on each host which can be a bit much in a larger deployment. See: http://docs.splunk.com/Documentation/Splunk/6.4.1/Admin/Configurealicensemaster In theory, since you can install the same license on multiple machines, you could have multiple license masters but a license slave can only be the slave of one license master. ... View more

If you want to do cell highlighting, that would require some JS and CSS. I would use the code found in the splunk 6.x dashboard examples app: https://splunkbase.splunk.com/app/1603/. The app contains some neat dashboard customizations that are pretty cool. Typically, if you are using the drill-down feature in your table, specifically for that field, by default the URLS should already be blue: http://docs.splunk.com/Documentation/Splunk/6.4.1/Viz/Dynamicdrilldownindashboardsandforms. Finally, you could change the font-color, by doing an inspect element to find the id or class and overriding the default color with css. ... View more

This also works: | rest splunk_server= ENTER HOST /services/server/introspection/queues ... View more

So there are few different things to consider: In terms of where the data gets indexed, by default $SPLUNK_HOME/var/log/splunk directory. See https://answers.splunk.com/answers/418636/where-do-logs-go-when-uploaded-via-splunk-webs-add.html#answer-417611 In terms of deleting the data: for the most part, it isn't recommended that you manually delete indexed data (buckets) because that could cause issues depending on your deployment setup. Splunk employs a retention policy where data is deleted by age (or size). The default is ~ 6 years, but this number is configurable on global and/or index basis. This will need to be configured in the indexes.conf, see : http://docs.splunk.com/Documentation/Splunk/6.0.3/Indexer/Setaretirementandarchivingpolicy. If you have the need to delete data, I recommend that you let the data retire, and re-index the data properly ( consider disk space and licensing.) What index are you sending your data to? If it's a new index and the data is fairly recent, you could clean the index but keep in mind that ALL data in that index will be deleted. See: http://docs.splunk.com/Documentation/Splunk/6.4.1/Indexer/RemovedatafromSplunk ... View more

It's the version. Looks like Parallel Data Pipelines are shown on the DMC for version 6.4.X. We are running version 6.3.2. ... View more

Thanks @MuS ... View more

Thanks for the comment. I do not see that when there are two or three Data Pipelines running in parallel. "the pipelinesets setting in server.conf. When pipeline sets are used (that is, if pipelinesets is set to a value greater than 1), some panels in the DMC indexing performance dashboards will be blank." Is there a work around? ... View more

Looks like the user-prefs app is missing. If you go to $SPLUNK_HOME/etc/apps, do you see a directory called user-prefs? If not, that's more than likely the issue. I would download another copy of Splunk Enterprise, whatever version you are running, and copy the user-prefs app from there to your current $SPLUNK_HOME/etc/apps. Or you could upgrade or reinstall. ... View more

You could edit the props.conf's following configs to handle that: TIME_PREFIX = MAX_TIMESTAMP_LOOKAHEAD = TIME_FORMAT = These can be edited under $SPLUNK_HOME/etc/system/local OR in an app under $SPLUNK_HOME/etc/apps depending on your setup. ... View more

The files get indexed into splunk. Splunk (by default...this is configurable) saves the transformed data to the $SPLUNK_HOME/var/log/splunk directory. You will find the compressed version of your data under a directory within $SPLUNK_HOME/var/log/splunk . The directory should have the same name as your index unless you made that index the default index. The data within the index directory will contain subdirectories organized by age, these are called buckets. Your data will be contained within these buckets. ... View more

You can change the permissions of the app by going to : Apps --> Manage Apps --> find the search app and select permissions--> Change the Read/Write permissions. You could also do this by editing the default.meta config file: http://docs.splunk.com/Documentation/Splunk/6.4.1/Admin/Defaultmetaconf . You could also change the default app that the user sees upon logging into splunk by role or user: Settings --> Access Controls --> Roles|Users--> select the desired role --> Select a default app from the drop-down list under Default app. ... View more