I am having the same issue and I just opened a case with Splunk.   I will respond later today when i find out.       ... View more

Having same issue has anyone found answer on this  ... View more

yeah that is to unsecured I found I could do like this and it is working Once the Splunk App for Stream is installed on a Splunk Search Head, there will be a Splunk_TA_stream directory that’ll be created in $SPLUNK_HOME/etc/apps. Splunk_TA_stream will then need to be copied over to your windows machine under $SPLUNK_HOME\etc\apps (typically C:\Program Files\SplunkUniversalForwarder\etc\apps). From there, you’ll need to create a local directory and inputs.conf file within. Contents of the inputs.conf file should be as follows, just be sure to replace “localhost” with the hostname of the SH where the Stream app exists, and be sure to modify http/https and the port, where appropriate: [streamfwd://streamfwd] splunk_stream_app_location = https://localhost:8000/en-us/custom/splunk_app_stream/ stream_forwarder_id = disabled = 0 Then, make sure the windows machines has the outputs.conf to send data to Splunk Cloud, and restart the forwarder. ... View more

I am having this same issue. A handful of servers resolve the correct host name and most give ip [udp://:514] connection_host = dns sourcetype = syslog disabled = 0 index = main no_appending_timestamp = true ... View more

So I updated my search to include an output sourcetype="perfmon:Windows__Processor" counter="% Processor Time" earliest=-13m latest=-1m | stats avg(Value) as AvgProcessorTime by host | where AvgProcessorTime > 85 | outputcsv HighCpu.csv this puts a csv file here: S:\Program Files\Splunk\var\run\splunk\csv\HighCpu.csv Now I have script that takes the host name from the csv uses credentials and iisreset the host and edits a text file with host that was reset and date and time $servers = Import-Csv 'S:\Program Files\Splunk\var\run\splunk\csv\HighCpu.csv' | Select-Object -ExpandProperty "Host" forEach ($servers in $servers) { $User = "*domain\username*" #$session = New-PSSession -ComputerName $servers -credential $mycreds $Scriptblock = {IISRESET /RESTART} $secpasswd = ConvertTo-SecureString “*userpassword*” -AsPlainText -Force $mycreds = New-Object System.Management.Automation.PSCredential (“$User”, $secpasswd) "$servers initiated IISreset at $(Get-Date)" | Add-Content -Path 'S:\Temp\IISResetLogs.txt' Invoke-Command $servers –Credential $mycreds –ScriptBlock {iisreset /RESTART} } I put this script here: S:\Program Files\Splunk\bin\scripts My only issue is that the trigger is not starting the script I tested manually and know the script takes the csv get host name iisreset the host and edits the log file ... View more