Activity Feed
- Got Karma for Re: Can't get started.... 06-05-2020 12:47 AM
- Got Karma for Re: Multi-site cluster configuration help with 2 cluster peers?. 06-05-2020 12:47 AM
- Got Karma for Re: Universal Forwarder not able to read all logs. 06-05-2020 12:47 AM
- Got Karma for Re: Am I breaking any best practices doing a chmod to grant a Splunk user access to Linux log files?. 06-05-2020 12:47 AM
- Got Karma for Re: Is there a centralized way to deploy configuration files?. 06-05-2020 12:47 AM
- Posted Re: Can I have a forwarder and indexer on the same machine just for experiment? on Getting Data In. 02-26-2019 11:24 AM
- Posted Re: Is there a centralized way to deploy configuration files? on Deployment Architecture. 09-19-2016 08:47 AM
- Posted Re: How to configure a new index via Splunk Web in an indexer clustering environment? on Deployment Architecture. 01-27-2016 10:15 PM
- Posted Re: Installing Enterprise Security app in a distributed environment on Installation. 12-30-2015 11:43 PM
- Posted Re: I disabled a transforms.conf stanza in Splunk Web, but why is the regex field extraction still effective? on Splunk Search. 11-15-2015 09:36 AM
- Posted Re: Linux Auditd: What is the best way to make /var/log/audit/audit.log accessible to a non-root Splunk forwarder? on All Apps and Add-ons. 10-05-2015 07:48 AM
- Posted Re: Is it possible to get performance data collected in SCOM into Splunk using the Splunk Add-on for Microsoft System Center Operations Manager? on All Apps and Add-ons. 07-06-2015 12:14 PM
02-26-2019 11:24 AM
You can install several Splunk instances in different directories on the same server.
For example, /opt/splunk1/ as indexer1 and /opt/splunk2/ as indexer2.
Use different port numbers for the web interface, replication, etc.
You can now start each Splunk instance separately.
I have used this to test a multi-indexer cluster environment on one server.
09-19-2016 08:47 AM
1 Karma
When you create an app named app1 and an app named app2, both with for example a props.conf, they will, after deployment to the FW, reside in:
~/etc/apps/app1/local/props.conf and
~/etc/apps/app2/local/props.conf
The working props.conf of the FW will be a merged running file of all the props.conf files on the system, including those in the app1 and app2 directories.
There is no need to place them in ~/etc/system/local.
01-27-2016 10:15 PM
You can create an app containing the needed indexes.conf and place it in the directory ../etc/master-apps/ on the master node.
An apply-cluster-bundle should distribute the indexes to all peer nodes.
12-30-2015 11:43 PM
Well.
I am using Splunk 6.2 and Cisco Security Suite version 3.0.3 build 100784.
A Universal Forwarder for sending the network logging data to the Forwarder
A Forwarder to receive the data
A Master/License node for my cluster
A Deployment node to deploy the configurations onto the UFW, FW, SH
Two Indexers (Cluster Peers)
One Search Head
My configuration files (All Apps) deployed by the Deployment server (except those for the cluster peers):
App 1. inputs for the Universal Forwarder to define which logs and their sourcetypes:
sourcetype = cisco:asa
sourcetype = cisco:esa
sourcetype = cisco:ios
sourcetype = cisco:wsa:squid
App 2. outputs for the Universal Forwarder to define the route to the forwarder:
[tcpout:to-fwdr-p]
server = 192.168.230.20:10300
[tcpout-server://192.168.230.20:10300]
useACK = true
App 3. inputs on the Forwarder to define the input from the Universal Forwarder:
[splunktcp://10300]
connection_host = ip
App 4. Outputs on the Forwarder to define the route to the Indexers:
# stanza header missing in the original post; the group name comes from the set-rt-p transform below (DEST_KEY = _TCP_ROUTING)
[tcpout:to-idxr-p]
server = 192.168.230.21:9991, 192.168.230.23:9992
[tcpout-server://192.168.230.21:9991]
useACK = true
[tcpout-server://192.168.230.23:9992]
useACK = true
App 4. Props on the Forwarder to define which route and which index file to use for particular hosts:
[host::d*cr01]
TRANSFORMS-netwcr = set-idx-netwerkswitches0000s, set-rt-p
App 4. Transforms on the Forwarder:
[set-idx-netwerkswitches0000s]
REGEX = .
FORMAT = netwerk-switches_0000-s
DEST_KEY = _MetaData:Index
[set-rt-p]
REGEX = .
FORMAT = to-idxr-p
DEST_KEY = _TCP_ROUTING
App 5. indexes for the Cluster Peers to deploy using the Master configuration bundle:
[netwerk-switches_0000-s]
homePath = $SPLUNK_DB/netwerk-switches_0000-s/db
coldPath = $SPLUNK_DB/netwerk-switches_0000-s/colddb
thawedPath = $SPLUNK_DB/netwerk-switches_0000-s/thaweddb
# Rotate Hot Buckets daily
maxHotSpanSecs = 86400
# Max size of Hot Bucket is 750 MB
maxDataSize = auto
# After 184 days (July + August, 4 months of 31 days), delete the buckets
# If no FrozenDir is given, /dev/null is used
frozenTimePeriodInSecs = 15897600
# Total size of Hot, Warm and Cold Buckets should never exceed 184 GB
# Based on maximum daily volume of 1 GB
maxTotalDataSizeMB = 184000
# Replication setting
repFactor = auto
Then I deploy the TA-cisco-ios onto the Cluster peers and onto the Search Head.
I deploy the TA-cisco-wsa, TA-cisco-esa, TA-cisco-asa, TA-cisco-ios onto the Search Head.
I deploy the SA-cisco-wsa, SA-cisco-esa, TA-cisco-asa onto the Search Head.
I deploy the dashboard apps Cisco Security Suite cisco-ios onto the Search Head.
I modify the configuration, because of course I do not have to deploy indexer files onto the Forwarder or onto the Search Head.
So finally your answer:
I deploy the dashboard app onto the Search Head only. 😉
Regards,
Frank Maasdam
11-15-2015 09:36 AM
You can check your eventual combined transforms.conf by executing the command
splunk cmd btool transforms list
Then you can check which transforms are active or not.
10-05-2015 07:48 AM
Or, to add another solution: you can add an ACL on that particular file.
07-06-2015 12:14 PM
It was the answer on your first question.
07-01-2015 01:51 PM
You can of course place your config files in a self-created app with any name, like configapp.
This is how I deploy my inputs, outputs, props, transforms, etc.
07-01-2015 12:29 PM
I know. You can use the directives in the xml file to configure the pollinterval, i.e. after how many seconds the scom_client.ps1 script pulls the events out of SCOM into Splunk.
07-01-2015 11:13 AM
http://operatingquadrant.com/2009/08/22/webmon-a-scom-management-pack-for-basic-web-site-monitoring-configured-with-a-single-xml-file-part-ii/
07-01-2015 09:33 AM
In the SCOM add-on xml configuration file 300
07-01-2015 07:46 AM
If it is a new index, don't forget to set the rights correctly in the settings security for the admin role. There you can set the index as one of the standard indexes to be able to search in.
05-20-2015 10:46 PM
Yes you can. I have a Master, Deployment, Forwarder, 2 indexers and a Search head instance. In total 6 instances running on 1 server.
11-03-2014 01:04 PM
So permission rights?
Files root:adm 640, right?
splunk member of adm group
Start Splunk with su -l splunk -c etc. in initfile
Tried 650 rights on dir and files?
11-03-2014 12:20 PM
Some ideas:
If you are unable to read the files, there must be some lines in the splunkd.log of the forwarder saying permission denied.
If not, the files are read.
Are you sure of the inputs syntax?
Do you have something in the output configuration?
Check the props and transforms.
Are they indexed in a different index and you have not given the rights to view this index?
Are they in the index and you are searching with an incorrect date or time?
11-03-2014 11:15 AM
4 Karma
I had more or less the same issues.
Logfiles owned by root:adm
Splunk running under user splunk
User splunk member of adm group
Login and su - splunk makes it possible to cat the logfiles
BUT
Splunkforwarder running under user splunk was not able to read and forward the logfiles
2 options:
1. Start the Splunkforwarder using su -l splunk -c
This is what I have done.
2. Setfacl on the logfiles to make USER splunk able to execute and read the files
I have done this in another situation.
11-03-2014 10:44 AM
1 Karma
Two possibilities here:
1. Make user splunk a member of the GID of your logfiles. Group adm? But be sure (regarding a bug) that you start your Splunk instance using su -u splunk -c
2. Or do a setfacl on the requested log files so that user splunk has the rights to execute and read the files.
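The two answers above describe one permission problem (log files root:adm 640, forwarder running as splunk) and two fixes: start the forwarder via su -l so the process actually carries the adm gid, or grant the splunk user a named-user ACL with setfacl. As an added example that is not part of the original posts, this Python script pulls the unreadable paths out of constructed splunkd.log lines and models the read check a non-root process gets, showing why an /etc/group entry alone can be insufficient and why an ACL is narrower than chmod o+r; the uid/gid values and the log wording are assumptions.

```python
import re
import stat

# Constructed sample of the lines a forwarder writes when a monitored file is
# unreadable; the wording approximates Splunk's message and is not verbatim.
SAMPLE_SPLUNKD_LOG = """\
11-03-2014 11:15:02.101 +0100 INFO  TailingProcessor - Adding watch on path: /var/log/auth.log.
11-03-2014 11:15:02.103 +0100 WARN  FileInputTracker - Insufficient permissions to read file='/var/log/auth.log' (hint: Permission denied).
11-03-2014 11:15:02.104 +0100 WARN  FileInputTracker - Insufficient permissions to read file='/var/log/audit/audit.log' (hint: Permission denied).
"""

DENIED_RE = re.compile(r"Insufficient permissions to read file='([^']+)'")

def denied_files(log_text):
    """Paths the forwarder reported as unreadable (check this before reaching for chmod)."""
    return [m.group(1) for m in map(DENIED_RE.search, log_text.splitlines()) if m]

def can_read(mode, owner_uid, owner_gid, proc_uid, proc_gids, acl_read_uids=()):
    """Simplified model of the kernel's read check for a regular file (no CAP_DAC_OVERRIDE).
    proc_gids are the groups the forwarder process actually carries: a user added to
    'adm' in /etc/group only gets that gid if the process was started through something
    that re-initialises groups, e.g. su -l splunk -c. acl_read_uids models users granted
    'r' with setfacl -m u:<user>:r; a named-user ACL entry is checked before group bits."""
    if proc_uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if proc_uid in acl_read_uids:
        return True
    if owner_gid in proc_gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def explain(mode, owner_uid, owner_gid, proc_uid, proc_gids, acl_read_uids=()):
    """One-line verdict for a denied file, following the two options in the answers."""
    if can_read(mode, owner_uid, owner_gid, proc_uid, proc_gids, acl_read_uids):
        return "readable"
    if mode & stat.S_IRGRP and owner_gid not in proc_gids:
        return "group bit set but process lacks gid %d: start via su -l or add an ACL" % owner_gid
    return "no group/other read bit: add a named-user ACL rather than chmod o+r"

if __name__ == "__main__":
    SPLUNK_UID, ADM_GID = 1001, 4   # constructed ids for the splunk user and adm group
    for path in denied_files(SAMPLE_SPLUNKD_LOG):
        print(path, "->", explain(0o640, 0, ADM_GID, SPLUNK_UID, {SPLUNK_UID}))
```

Run against a real forwarder, feed it the actual splunkd.log and the output of stat/getfacl and id -G for the splunk user instead of the constructed values.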
11-03-2014 07:53 AM
Please notice my remark on the GID bug.
10-30-2014 11:37 AM
You can find your SA in Splunk_CiscoSecuritySuite/appserver/addons
You have to copy the desired SA directory to $SPLUNK_HOME/etc/apps
This will enable the SA asa dashboard in the SecuritySuite dashboard.
10-30-2014 10:54 AM
Standard files from your app:
SA-cisco-asa/default/eventtypes.conf:search = (sourcetype="cisco:asa" OR sourcetype="cisco:pix" OR sourcetype="cisco:fwsm")
SA-cisco-asa/default/props.conf:[cisco:asa]
Splunk_CiscoSecuritySuite/lookups/cisco_device_info.csv:cisco:asa,cisco:asa,Firewall,network,Cisco,ASA,Adaptive Security Appliance
Splunk_TA_cisco-asa/default/eventgen.conf:sourcetype=cisco:asa
Splunk_TA_cisco-asa/default/eventtypes.conf:search = (sourcetype="cisco:asa" OR sourcetype="cisco:pix") message_id="4000*"
Splunk_TA_cisco-asa/default/props.conf:sourcetype = cisco:asa
Splunk_TA_cisco-asa/default/props.conf:[cisco:asa]
Splunk_TA_cisco-asa/default/transforms.conf:FORMAT = sourcetype::cisco:asa
Splunk_TA_cisco-asa/lookups/cisco_asa_ids_lookup.csv:cisco:asa,network
Our input files from our UFW:
WG-CINP010_il_netwerk_fwdsyslog/default/inputs.conf:sourcetype = cisco:asa
WG-CINP010_il_netwerk_fwdsyslog/default/inputs.conf:sourcetype = cisco:asa
10-30-2014 10:02 AM
Of course you can check within your dashboard the search that has been done and failed.
10-30-2014 10:01 AM
Another remark. Check your sourcetype! As far as I know it has been changed from cisco-asa ? to cisco:asa
10-30-2014 09:17 AM
You have to install the Suite, your TAs and SA on the search head.
You also have to install your SAs (just copy that part from your Suite app directory) as separate apps in $SPLUNK_HOME/etc/apps/