I couldn't figure out what the problem was with my local config and none of the other suggestions worked, but I managed to get the migration to complete by removing my local configuration completely, e.g.
cd /opt/splunk/etc/system/local
mkdir foo
mv * foo
/opt/splunk/bin/splunk start
# complete upgrade successfully
/opt/splunk/bin/splunk start
mv -f foo/* .
rmdir foo
/opt/splunk/bin/splunk start
I've also written a Splunk add-on that lets you pull data straight from Event Hubs, with optional transformation of the data along the way via JavaScript modules. I haven't listed it on Splunkbase yet, but it works well for me: https://github.com/joelw/event_hubs_for_splunk
Location Tracker should do this by default if you construct a table with time, latitude, longitude, and user name:
| makeresults count=4
| eval User="user ".random(), latitude=random()%90, longitude=random()%90
| table _time, latitude, longitude, User
I eventually used strace to figure out how Splunk was determining the user to run as. Have a look in $SPLUNK_HOME/etc/splunk-launch.conf - there's a SPLUNK_OS_USER= configuration option, which you'll probably want to set to the user that owns the files.
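A check for the setting mentioned in the last post, added here as an example; it is not code from the post or from Splunk. It reads SPLUNK_OS_USER from splunk-launch.conf and compares it with the owner of the install directory. The function names and exit codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example: compare SPLUNK_OS_USER in splunk-launch.conf with the
# account that owns the Splunk install directory.
# Function names and exit codes are hypothetical, chosen for this example.

# Print the last uncommented SPLUNK_OS_USER value in the given file.
# Lines starting with '#' do not match, so commented-out settings are ignored.
launch_conf_user() {
    sed -n 's/^[[:space:]]*SPLUNK_OS_USER[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# Print the owner of a path as reported by ls (portable across GNU and BSD).
tree_owner() {
    ls -ld "$1" | awk '{print $3}'
}

# Exit codes: 0 = setting matches owner, 1 = mismatch,
#             2 = splunk-launch.conf not readable, 3 = setting absent.
check_splunk_user() {
    home=$1
    conf="$home/etc/splunk-launch.conf"
    if [ ! -r "$conf" ]; then
        echo "cannot read $conf"
        return 2
    fi
    cfg=$(launch_conf_user "$conf")
    owner=$(tree_owner "$home")
    if [ -z "$cfg" ]; then
        echo "SPLUNK_OS_USER is not set; $home is owned by $owner"
        return 3
    fi
    if [ "$cfg" != "$owner" ]; then
        echo "SPLUNK_OS_USER=$cfg but $home is owned by $owner"
        return 1
    fi
    echo "SPLUNK_OS_USER=$cfg matches the owner of $home"
    return 0
}

# Usage (path is an assumption): check_splunk_user "${SPLUNK_HOME:-/opt/splunk}"
```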