Ok… this question and the answers are a bit older, but maybe my post could help other Splunkers. You need up to two kinds of services: Splunk (with Splunk Web) as an SH Cluster Member and a Load Balancer (optional). "Optional" because you can also configure it so that User A has to use SHC Node 1, User B has to use SHC Node 2, and User C has to use SHC Node 3, or keep the other nodes as a kind of hot spare. …If you choose a Load Balancer (which makes sense outside of Dev or Test environments), it does not necessarily need to be an external one for a Search Head Cluster. A customer used a 3-node SH Cluster in production. On 2 nodes, an additional Apache instance was installed as an LB and configured for high availability (HA) by swapping the Virtual IP for the SH Cluster. I just finished the Splunk Cluster Administration Course. There they use just 3 virtual machines for a multisite cluster and SH cluster with deployer and manager node. Kind Regards SierraX ... View more

With this kind and quality of screenshot it's very hard to help. Take a look to Fields in settings and there especially for Field extractions and Field transformations ... View more

Hi, regex _raw is here the wrong command… regex - Splunk Documentation but rex seems wrong too rex - Splunk Documentation because it can't do a key value extraction in search. I found an odd way tho handle this: | spath | rename _raw AS temp date AS _raw | extract pairdelim="|" kvdelim="=" | rename _raw as date temp as _raw reference: extract - Splunk Documentation Is this what you are searching for? Kind Regards ... View more

I just checked our Searchheads for this issue: We had the same messages until we upgraded all Searchheads from 9.1.2 to 9.1.3. Kind Regards ... View more

If you want to use the Splunk internal openssl, you have to source setSplunkEnv first. To `source` something in linux you can use the command source or like in my example a . (dot) $: which openssl /bin/openssl $: . /opt/splunk/bin/setSplunkEnv Tab-completion of "splunk <verb> <object>" is available. $: which openssl ~/bin/openssl ... View more

I would handle it with an Orchestration Tool like: - Puppet - Chef - Ansible - CFEngine ... View more

Login is just possible when a LDAP/AD Group is maped to a Splunk role. e.g. In AD are two Groups: splunk_user splunk_admin On SH splunk_user is mapped to role user splunk_admin is mapped to role admin On Indexer/HFw etc splunk_admin is mapped to role admin On SH - Users can login... on the others not. ... View more

Hi, Sorry I can't reproduce the error with the provided informations. How do you install Splunk Enterprise? Because the official Packages shouldn't try to start splunkd with a "bad option". From source package the installation runes without any problem. Also when I remove the user-seed.conf part. Tested on vagrant with a Centos 8.2.  Here the Vagrantfile example… with shell provisioning.   # -*- mode: ruby -*- # vi: set ft=ruby : Vagrant.configure("2") do |config| config.vm.define "splunkserver" do |server| server.vm.box = "bento/centos-8.2" server.vm.box_check_update = false server.vm.network "private_network", ip: "192.168.130.182" server.vm.provision "shell", inline: <<-SHELL hostname "testsplunkserver" yum install wget -y useradd -m -d /opt/splunk splunk wget -O /opt/splunk/$(curl -s https://www.splunk.com/en_us/download/splunk-enterprise.html | grep -o "data-link[^ ]* " | grep "Linux" | sed "s\/data-link=\\"\/\/;s\/\\"\/\/" | sed "s\/.*\\/\/\/") $(curl -s https://www.splunk.com/en_us/download/splunk-enterprise.html | grep -o "data-link[^ ]* " | grep "Linux" | sed "s\/data-link=\\"\/\/;s\/\\"\/\/") echo "file=\\$\(ls /opt/splunk/\*.tgz\) mkdir \\$\{file%.tgz\} tar xvzf \\$file --strip-components 1 -C \\$\{file%.tgz\} ln -s \\$\{file%.tgz\} /opt/splunk/current echo \\"\[user_info\] USERNAME = admin PASSWORD = changeme\\" \>\> /opt/splunk/current/etc/system/local/user-seed.conf echo \\"SPLUNK_WEB_NAME=splunkweb SPLUNK_HOME=/opt/splunk/current SPLUNK_SERVER_NAME=Splunkd SPLUNK_OS_USER=splunk\\" \>\> /opt/splunk/current/etc/splunk-launch.conf /opt/splunk/current/bin/splunk start --accept-license --answer-yes --no-prompt rm -f \\$file" >> /opt/splunk/splunk_install.sh chown splunk:splunk /opt/splunk/splunk* chmod 766 /opt/splunk/splunk_install.sh sudo -u splunk /opt/splunk/splunk_install.sh echo "# .bash_profile # Get the aliases and functions if [ -f ~/.bashrc ]; then . ~/.bashrc fi # User specific environment and startup programs PATH=\\$PATH:\\$HOME/.local/bin:\\$HOME/bin:\\$HOME/current/bin export PATH" > /opt/splunk/.bash_profile /opt/splunk/current/bin/splunk enable boot-start -user splunk SHELL end end     Video of a vagrant up without user-seed.conf https://youtu.be/VO_r8JX4Su0 ... View more

Ok it's maybe a bit late … but for future searchers the other answers are to complicated, no help or wrong ``` index=main sourcetype="test2" | stats values(source) as sources by _raw | eval sources=if(mvcount(sources)>1,"match","no match") ``` Beware of linecounts>1 in the main search, this could create false "no match" ... View more

Sorry for the late response... when this is a 1to1 copy of the search, you forgot a = (equal) between wday and "Sun" ... View more

index=aw_dispenser sourcetype=EnrolledDevices UserName!="SYSTEM" | where NOT UserName=serialNumber| table UserName OutletID serialNumber Keys are always Case sensitive - Values are not Case sensitive by default, Field-names are Keys When you are starting to develop a search: Do first the search (without a where and table) to make sure you got Events Then add your where modifier and see you have not as many events like before Then add your table modifier and change from clever search mode to verbose search mode When Fields in a Table are empty , means in general the Field is empty (with a "" ) or does not exist (with a NULL)... you have to take a look to the events to figure out Without the events nobody here can say where your problems are. Especially when you are always change the case of keys in your descriptions of your problem. ... View more

A search at splunk can't compare values from one key to another. Not sure other BigData tools can do that directly at the search. Anyway... the search was written very quick and the eval can also used as automatic generated field when needed. When you have it in a auto generated field... you can also filter it in your Base search ... View more

{Base search} | eval eq=if(userid=snr, 1,2) | search eq=2 ... View more

Thanks for the link... didn't know that before forwarded to splunk to update the documentation. ... View more

Ok again... I'm not sure this is correct ... and I haven't the time to test it the next couple of days for free. To test: Build up a Test-Splunk Server in a Virtual Machine with a http-event collector and another Linux VM as sender. Send a few times events with this sourcetype from Linux VM to http-event collector to see it's running in... when this is working correct... write the 2-liner in a props.conf (e.g. in $SPLUNKHOME/search/local/props.conf) ... restart the server and look there are any error messages which are not there before... Send a few times events with this sourcetype again, and see the source type is still running in or not. When not check also the licensing, that the events are also not counted on your license. Time to check this way... I think 1 or 2 hours. ... View more

http://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Splunk-launchconf Thought that link are also parsed automatically ... Anyway... The 'Configuration file reference' in Admin section of docs is the first place to search for "what key-value pairs are available in this .conf file" ... View more

There is no proxy key-value pair in splunk-launch.conf And there are a few proxy key-value pairs in server.conf ... View more

At the moment I have not the time to build a similar setup to develop and test for Karma. Possible immediate solutions for you: - Learn how Splunk works and how to build an app. - Ask Splunk or Solarwind for support. - Hire a Splunk Consultant ... View more

Hi The position of the your subsearch seems wrong... when you are using a subsearch at this position, it's a filter for the "outer" search. To get results from the second search you should use a join. Also an eval with the subsearch could work. Kind Regards SierraX ... View more

it's to early for me in my country *stifle a yawn* ls -l /opt/splunk/current/etc/apps/Splunk_TA_nix/bin/common.sh -rwxr-xr-x 1 splunk splunk 3864 12. Nov 15:28 /opt/splunk/current/etc/apps/Splunk_TA_nix/bin/common.sh ls -l $(which uname) -rwxr-xr-x 1 root root 33048 16. Feb 2016 /bin/uname ... View more