I'm looking to get the Unix App working on a Splunk 5.x cluster environment. Anybody do this yet? Suggestions on how to do it... Thanks! ... View more

Given our network architecture, we would like to do failover rather than load balancing. We would want a primary and a secondary indexer. Under normal conditions, all forwarders should sent data to the primary indexer. If the primary indexer goes down, data should then go to the secondary indexer. When the primary indexer comes back up, data should go to the primary again. Thanks! ... View more

Here is our props.conf: [aristajson] TIME_PREFIX = hosttime": " MAX_TIMESTAMP_LOOKAHEAD = 22 BREAK_ONLY_BEFORE = {{"hostname KV_MODE = json NO_BINARY_CHECK = 1 SHOULD_LINEMERGE = false TRUNCATE = 90000 pulldown_type = 1 TRANSFORMS-larry = aristahostname Here is our transforms.conf: I've tried it with and without the host in <> . I've also tried to indicate the space after the : with a \s [aristahostname] REGEX = "hostname": "( [a-zA-Z0-9-_]+)" FORMAT = host::$1 DEST_KEY = MetaData:Host Here is a snippet of our data that comes in via tcp. There is only one cr at the very end of the event: {{"hostname": "nyaristalab-2"}{"hosttime": "2012-09-19 18:58:58"}{"neighbors": {"Ethernet3": {"2": {"sysName": "nyaristalab-1", ..... } Here is what it kinda looks like in search. Each of the + are drill downable. So it is all good except for it not using what is in hostname as the host field. 1 » 9/25/12 10:25:59.000 PM {[-] hostname : "nyaristalab-2", hosttime : "2012-09-25 22:25:59", interfaces : {[+]}, neighbors : {[+]}, routing : {[+]} } Thanks for looking! ... View more