Dear Oscarminassian, I am facing the same issue of missing lines. Did you find any solution for the missing events issue? If yes, Could you please share the same here.   Thanks Ratan ... View more

I was able to get the agent and figure it out. Just syslog on the backend. Thanks   Ed ... View more

i turned the debug logs on but that just confirmed Splunk is ignoring the files even though the paths are present in list monitor. Just opened a case.  Thanks ... View more

Hi, yes I got it to work. Try: Name Node = maprfs:///  Since MapR use Yarn the important flags are  vix.yarn.resourcemanager.address vix.yarn.resourcemanager.scheduler.address ... View more

Any luck? ... View more

Doug are you saying we can now configure more than one FMC in the TA? We have 13 FMCs and I dont want to have to manage 13 HFs to support this use case. Would much prefer to load it all into one or two TAs. We have tried to use the Encore command line client, but it is not super stable and disconnects a lot. What you have configured in the TA is much more stable.  Thanks! ... View more

I would question why you want it done at index time. It rarely makes a performance improvement (In fact more often makes things worse) and takes more disk space. But if you are sure you want to try this on your development system use the above linked answer but replace the REPORT-xyz in props.conf with TRANSFORMS-xyz and add WRITE_META = true to the transforms.conf stanza. ... View more

Try removing the members, cleaning them, initialize them and rejoining them: Removal:https://docs.splunk.com/Documentation/Splunk/6.5.2/DistSearch/Removeaclustermember Clean/initialize/Join:http://docs.splunk.com/Documentation/Splunk/6.5.2/DistSearch/Addaclustermember#Add_a_member_that_was_previously_removed_from_the_cluster ... View more

Hi, Roles are defined in Splunk_TA_VMWare and you can refer this link https://docs.splunk.com/Documentation/VMW/3.3.2/Installation/DownloadandinstalltheSplunkAppforVMware and ensure that you have deployed all required component on specific instances. And also make sure that you have deployed the same version of apps and addons. ... View more

Are you trying to predict or detect anomalies? Couple of options : As of MLTK 2.1, you could use the Detect Numeric Outliers with the "Fields to split by" for your customer fields, and use a sliding window too. If you take a look at the Conf presentations from last year, https://conf.splunk.com/files/2016/slides/building-a-crystal-ball-forecasting-future-values-for-multi-cyclic-time-series-metrics-in-splunk.pdf is pretty awesome. Are you looking to predict a number of transaction counts and then alert when the residual (actual - predicted/estimated) values differ? you can use the Predict Numeric Fields Assistant with some clever stats by client,dayofweek,hourofday, etc variables. You will have to understand how linear regression works. ... View more

Ok sorry i missed that - it becomes a kv pair as it should - so my search index="skynet" sourcetype="custom_json_indexed" Msg GvuLnDhEXexLaaHmMHSaqQJyozYtFJAarNkkridVbsUHmcZagLNwPrsVvycpKoGsohXgnzyvAbrWLaZalFIasamdiPJwikfEBZraMpugIJaShabvEaidNRJakYjdeEIVKWMvqJDoAIJQcVhgKaISSVLYojjRaHNaSJcywvaaaYsaaassiVtmdBGWlqBEzGtHmqaaVk become index="skynet" sourcetype="custom_json_indexed" Msg GvuLnDhEXexLaaHmMHSaqQJyozYtFJAarNkkridVbsUHmcZagLNwPrsVvycpKoGsohXgnzyvAbrWLaZalFIasamdiPJwikfEBZraMpugIJaShabvEaidNRJakYjdeEIVKWMvqJDoAIJQcVhgKaISSVLYojjRaHNaSJcywvaaaYsaaassiVtmdBGWlqBEzGtHmqaaVk "mdc.mdcKeyaippQ"=mdcValueuvCvVphbipWgKdaagITQ ... View more

Have you looked at the nmon application for Splunk ? NMON Performance Monitor for Unix and Linux Systems ? https://splunkbase.splunk.com/app/1753/ It does most of what you are trying to do, and it would be easier than trying to build data models and then accelerating them for the information you require (the nmon app has a number of accelerated data models). ... View more

Is it possible to suppress the error per-sourcetype so as not to clutter the logs? ... View more

You can hide the index= stuff inside of an eventtype (or a macro ) and then update that KO after the events age out. ... View more

ok - that makes sense. I need to define the overall size along with the size for home and cold so data is shifted to cold to account for limits in main storage. Thanks! ... View more

We are having the same problem. What do you mean by "writing a wrapper to execute the PS script and using a script input" as the workaround? ... View more

It doesn't appear that you are sending anything to the [serverClass:test] machines. That would make those whitelisted servers think that they should not have anything from the deployment server and will remove anything in the etc/apps directory that would be controlled by the deployment server (under the etc/deployment-apps directory on the deployment server). You should have a list of apps that you want on the indexer, something like: [serverClass:test] whitelist.0 = test* [serverClass:test:app:appnumber1] [serverClass:test:app:appnumber2] The two lines that I added are related to the servers listed in the whitelist because they have the same serverClass:test at the beginning of the definition. when the deployment server is contacted by a whitelisted server, the apps (appnumber1 and appnumber2) will be sent to them. If they change at some point, the deployment server with then send the updated files. If you were to remove one of those apps from the configuration, the server would be told to remove that app by the deployment server. You can do all the deployment of all the apps at once, it should not make a difference. You just have to get the configuration right. If you are using clustered indexers, don't use the deployment server for the deployment of the apps to the cluster master, just make your modifications on the cluster master. Then when you apply the cluster-bundle it will distribute to the indexers and then do a nice rolling restart. ... View more

Hey, Ed. It sounds like you're monitoring a local directory on a syslog server. Try creating a local/inputs.conf file with the monitor stanza, and only assign sourcetype = syslog: [monitor:///opt/logs/all_logs] diabled = false sourcetype = syslog Also - make sure the hostname in the ASA is configured correct, as well as this command: asa(config)#logging device-id hostname The Add-on should pull out the hostname accurately. This worked for me. I didn't edit transforms or props. Let me know if it works! Ed (as well) ... View more

Hi I can confirm that iptables -F works in a homelab. ... View more