Hello Experts, I am facing difficulty at index time fields extraction. My sample log file format: Time stamp: Fri Mar 18 00:00:49 2022 File: File_name_1 Renamed to: Rename_1 Time stamp: Fri Mar 18 00:00:50 2022 File: File_name_1 Renamed to: Rename_1 Time stamp: Fri Mar 18 00:00:51 2022 File: File_name_1 Renamed to: Rename_1 Time stamp: Fri Mar 18 00:00:52 2022 File: File_name_1 Renamed to: Rename_1 Time stamp: Fri Mar 18 00:00:53 2022 File: File_name_1 Renamed to: Rename_1   props.conf [ demo ] CHARSET=AUTO LINE_BREAKER=([\r\n]+) MAX_TIMESTAMP_LOOKAHEAD=24 NO_BINARY_CHECK=true SHOULD_LINEMERGE=true TIME_FORMAT=%a %b %d %H:%M:%S %Y TIME_PREFIX=^Time stamp:\s+ TRANSFORMS-extractfield=extract_demo_field TRUNCATE=100000 transforms.conf [extract_demo_field] REGEX =^Time stamp:\s*(?<timeStamp>.*)$\s*^File:\s*(?<file>.*)$\s*^Renamed to:\s+(?<renameFile>.*)$ FORMAT = time_stamp::$1 file::$2 renamed_to::$3 WRITE_META = true   ... View more

Hi Experts, I am getting error during I tried to create new ms-sql connection on my Splunk server (i.e Amazon Linux 2). Connection Type: MS-SQL Server Using MS Generic Driver With Windows Authentication JDBC URL : jdbc:sqlserver://xx.xx.xxx.xx:1433;databaseName=master;selectMethod=cursor;integratedSecurity=true ERROR : This driver is not configured for integrated authentication. ClientConnectionId:d3c9028f-187a-492f-89da-68dfceadceb1 Java version on my splunk server : java version "1.8.0_201" Splunk DB Connect version: DBX:3.1.4 Splunk Server OS: Amazon Linux 2 AMI The driver present in my machine are:   ... View more

Hi Experts,   Please suggest where I can downloaded Splunk Universal forwarder for Window server 2008 (Window version 6.0 Build 6003 Service pack 2).   In https://www.splunk.com/en_us/download/universal-forwarder.html the oldest version is Windows 8.1, and 10 Windows Server 2008 R2, 2012, 2012 R2, and 2016   Thanks in advance.  ... View more

Hi Experts, I am new in SNMP / snmp_ta app. I am facing difficulty to convert MIB to python module. build-pysnmp-mib: command not found libsmi2pysnmp: command not found  My OS details: NAME="Amazon Linux AMI" VERSION="2018.03" ID="amzn" ID_LIKE="rhel fedora" VERSION_ID="2018.03" PRETTY_NAME="Amazon Linux AMI 2018.03" ANSI_COLOR="0;33" CPE_NAME="cpe:/o:amazon:linux:2018.03:ga" HOME_URL="http://aws.amazon.com/amazon-linux-ami/" and  in my system I have pysnmp.__version__ 4.4.12   ... View more

Hi Experts, My splunk indexer server are running out if memory, its main reason are  /opt/splunk/var/run/searchpeers /opt/splunk/var/lib/splunk/_introspection /opt/splunk/var/lib/splunk/_internaldb /opt/splunk/var/lib/splunk/kvstore  Indexer _introspection, _internaldb,  kvstore have default setting, its data are not move in cold and frozen bucket. Please suggest what can I do to create space at my server ?     ... View more

Hi experts, I try to restart our splunk server, but its not start. Earlier I try to start from UI, but it not start. I also try to reboot if using CLI, but dont see any thing on console I am using Splunk 7.2 in AWS EC2 instance (Amazon 1) , I am using splunk on that environment from last one year. $SPLUNK_HOME/bin/splunk -version $SPLUNK_HOME/bin/splunk -version Splunk 7.2.6 (build c0bf0f679ce9) uname -a Linux abcdXyz 4.14.123-86.109.amzn1.x86_64 #1 SMP Mon Jun 10 19:44:53 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux strace /opt/splunk/bin/splunk start execve("/opt/splunk/bin/splunk", ["/opt/splunk/bin/splunk", "start"], [/ 50 vars /]) = -1 ENOEXEC (Exec format error) write(2, "strace: exec: Exec format error\n", 32strace: exec: Exec format error ) = 32 exit_group(1) = ? +++ exited with 1 +++ ... View more

Hi Experts, I try to ingest data from a mount point, in that path all files are log rotate and moved to .gz format on daily basis. But my splunk ingest only that file that already converted into .gz file. So before 24 hours I don't find latest logs. Please suggest how i get latest logs in the Splunk. Sample conf files are : inputs.conf : [monitor:///data/production/logs/JobBatch/documents] disabled = false index = logs_jobbatch sourcetype = JobBatch whitelist = (zipDocument_[\d]+.log.gz|zipDocument_[\d]+.log) props.conf : [JobBatch] DATETIME_CONFIG = LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = false category = Custom disabled = false pulldown_type = true BREAK_ONLY_BEFORE = ^\d{4}-\d{2}-\d{2}\s{1}\d{2}:\d{2}:\d{2}.\d{3}\s{1} HEADER_FIELD_LINE_NUMBER = 9 TRUNCATE = 750000 MAX_EVENTS = 1000 BREAK_ONLY_BEFORE_DATE = SHOULD_LINEMERGE = false ... View more

Hi Experts, Please suggest how to join two Splunk index output. I have two indexes in first index i want to fetch only that data that occurred in holiday list occurrence-date field index=monitor index=holiday_list earliest=0 latest=now| dedup OCCURRENCEDATE| table OCCURRENCEDATE ... View more

Hi Experts, Please suggest how to connect splunk_app_db_connect (i.e present in a Splunk-HF) with db instances of Oracle-11g and Oracle-12c both. Its working fine with 12-c instances but show error while connect 11-g instances. Error: java.sql.SQLException: ORA-00604: error occurred at recursive SQL level 1 ORA-01882: timezone region not found ... View more

Hi Experts I am getting below error : java.sql.SQLException: ORA-00604: error occurred at recursive SQL level 1 ORA-01882: timezone region not found Its working fine for oracle 12c servers but show below error while execute on 11g servers. ... View more

Hi Experts, I try to automate db_inputs.conf files entries. For this I try to copy DB_inputs.conf file of one env to another env and update its two fields of each stanza (input). That two fields are: connection = NewConnection host = new:host:IP But the new db_inputs.conf are not visible from Splunk UI. Please suggest what I need to correct ? Do I need to make any entry also in /metadata/ local.meta ? ... View more