×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
DerekB
Splunk Employee
Member since: ‎07-06-2012
‎04-30-2025
Community Statistics
Posts 62
Solutions 20
Karma Given 280
Karma Received 168
Member Since ‎07-06-2012
Activity Feed
Topics I've Started
View All

With the latest version of the Splunk App for Unix...

by Splunk Employee in All Apps and Add-ons
‎01-25-2017 11:10 AM
‎01-25-2017 11:10 AM
If I have thousands of unix hosts, will I run into a problem with the Unix app working correctly? Is there some kind of limit of number of hosts for this app to work successfully? ... View more

Re: Getting an "invalid certificate" error when us...

by Splunk Employee in All Apps and Add-ons
‎08-25-2016 02:43 PM
4 Karma
‎08-25-2016 02:43 PM
4 Karma
Double check your Account and/or Input names do not have any spaces in them. If they do, delete and recreate without spaces and you should be able to get this certificate to generate successfully. ... View more

Getting an "invalid certificate" error when using ...

by Splunk Employee in All Apps and Add-ons
‎08-25-2016 02:41 PM
‎08-25-2016 02:41 PM
I'm going through the process of setting up the Splunk Add-on for Microsoft Cloud Services and when I get to the certificate piece, I constantly get the "Auto-generated but invalid" message. I've tried both custom and auto generated and it's always this error. What can I do to fix this? ... View more

Re: How do I set permissions for 'View Results in ...

by Splunk Employee in Alerting
‎07-26-2016 04:20 PM
‎07-26-2016 04:20 PM
This is a known bug and fixed in 6.3.2. Try the latest release and see if that helps you. ... View more

Re: Why am I getting "The view you requested could...

by Splunk Employee in Alerting
‎07-26-2016 04:20 PM
‎07-26-2016 04:20 PM
This is a known bug SPL-108433 and fixed in 6.3.2. Try the latest version and see if that helps. ... View more

Re: Why is my scheduled alert not sending email?

by Splunk Employee in Alerting
‎01-26-2016 03:31 PM
‎01-26-2016 03:31 PM
Ubuntu was the OS. ... View more

Re: Why is my scheduled alert not sending email?

by Splunk Employee in Alerting
‎01-26-2016 03:06 PM
‎01-26-2016 03:06 PM
Check your TLS setting. In this case, it was found that the "TLS" delivery had been set for email settings. No credentials or target defined. Reset the TLS delivery to "none" and that restored e-mail flow from Search Head ... View more

Why is my scheduled alert not sending email?

by Splunk Employee in Alerting
‎01-26-2016 03:05 PM
‎01-26-2016 03:05 PM
I have a scheduled alert configured and I am not receiving any email from it. The search is valid and matches records. I have the proper permissions. Alert history shows 'successful' result and job inspection shows e-mail was sent. Where is my email? ... View more

Re: An update was made to the identities.csv and n...

by Splunk Employee in Getting Data In
‎09-15-2015 02:48 PM
‎09-15-2015 02:48 PM
Take a look at the python_modular_input.log file. This will give you clues as to what is happening. In this case, a field called _time was created and that is not allowed. I saw this error message: ERROR pid=7888 tid=identity file=lookup_modinput.py:streaming_merge_task:283 | status="Exception when reading input files" exc=Field names cannot start with an underscore: '_time' Once the field was corrected to not start with an underscore, things worked fine. ... View more

An update was made to the identities.csv and now I...

by Splunk Employee in Getting Data In
‎09-15-2015 02:47 PM
‎09-15-2015 02:47 PM
If I run: | inputlookup identities.csv xxxx results That shows a different count in the results than | datamodel("Identity_Management", "All_Identities") yyyy results What is going on? I thought I built my indentities.csv correctly. ... View more

Re: Splunk Cloud user invitation login

by Splunk Employee in Security
‎09-04-2015 09:27 AM
‎09-04-2015 09:27 AM
Just sent you an email from a support ticket to help get this fixed. ... View more

Re: Why am I seeing this error? Failed to find a v...

by Splunk Employee in All Apps and Add-ons
‎04-15-2015 11:03 AM
3 Karma
‎04-15-2015 11:03 AM
3 Karma
The problem here is because the multikv.conf file that is located in the Splunk_TA_aws does not exist on the indexer. In this case, it was only installed on the search head. To remove the error, either install the Splunk_TA_aws on the indexer or copy the multikv.conf file located in etc/apps/Splunk_TA_aws/default from the search head to the indexer and then restart the splunk service. ... View more

Why am I seeing this error? Failed to find a valid...

by Splunk Employee in All Apps and Add-ons
‎04-15-2015 11:01 AM
2 Karma
‎04-15-2015 11:01 AM
2 Karma
If I click through the Data Summary box and select sourcetype = cloudwatch, I receive the following error message from my indexers: Failed to find a valid configuration for multikv stanza = 'tsv_cloudwatch' ... View more

Re: Clicking on the "SQS queue name" field in the ...

by Splunk Employee in All Apps and Add-ons
‎02-26-2015 09:27 AM
3 Karma
‎02-26-2015 09:27 AM
3 Karma
This is acting like it's missing the ListQueues permission. Review the AWS permissions that are configured and make sure the following are setup: Required permission for the SQS subscribed to the S3 bucket that collects CloudTrail logs: ReceiveMessage, SendMessage, ListQueues, GetQueueUri Per this doc page: http://docs.splunk.com/Documentation/AddOns/latest/AWS/ConfigureAWSpermissions ... View more

Clicking on the "SQS queue name" field in the Splu...

by Splunk Employee in All Apps and Add-ons
‎02-26-2015 09:25 AM
‎02-26-2015 09:25 AM
I'm trying to configure Cloudtrail in the Splunk for AWS app. I fill in my fields and click on the SQS queue name drop down field and I get the following error: Failed to fetch data: In handler 'splunk_ta_aws_sqs_queue_names': Unexpected error "" from python handler: "'SSLError' object has no attribute 'status'". See splunkd.log for more details. Why? (This is a work in progress, no final answer yet.) ... View more

Re: Are there any plans to upgrade the ability of ...

by Splunk Employee in #Random
‎10-03-2014 10:13 AM
4 Karma
‎10-03-2014 10:13 AM
4 Karma
Working on it, but It's Tricky. ... View more

Re: When trying to start Splunk, I'm getting an "e...

by Splunk Employee in Getting Data In
‎09-10-2014 01:47 PM
6 Karma
‎09-10-2014 01:47 PM
6 Karma
The problem here is that splunk was configured with boot start enabled. On AIX, this will put a line in the /etc/inittab file which will then be run by startsrc. This seems fine except startsrc is run by root and if your Splunk install is configured to run as a different user, you can get a "permission denied" error. To fix this, remove the line in /etc/inittab that references Splunk and restart. If you do want Splunk to start at boot time, you could configure it with the "enable boot start" but just make sure to set the user Splunk will run as correctly. This doc page is a good reference. http://docs.splunk.com/Documentation/Splunk/6.1.3/admin/ConfigureSplunktostartatboottime ... View more

When trying to start Splunk, I'm getting an "execv...

by Splunk Employee in Getting Data In
‎09-10-2014 01:43 PM
1 Karma
‎09-10-2014 01:43 PM
1 Karma
Trying to start Splunk but getting an "execve: Permission denied " error This is Splunk 6.1.x and my OS is AIX. bin/splunk start --accept-license Checking prerequisites... WARNING: File size limit (ulimit -f) is set low (1073741312 bytes) Splunk may not work. You may want to run "ulimit -f unlimited" before starting splunk. Checking mgmt port [8089]: open Creating: /opt/splunkforwarder/var/lib/splunk Creating: /opt/splunkforwarder/var/run/splunk Creating: /opt/splunkforwarder/var/run/splunk/appserver/i18n Creating: /opt/splunkforwarder/var/run/splunk/appserver/modules/static/css Creating: /opt/splunkforwarder/var/run/splunk/upload Creating: /opt/splunkforwarder/var/spool/splunk Creating: /opt/splunkforwarder/var/spool/dirmoncache Creating: /opt/splunkforwarder/var/lib/splunk/authDb Creating: /opt/splunkforwarder/var/lib/splunk/hashDb New certs have been generated in '/opt/splunkforwarder/etc/auth'. Checking conf files for problems... Done All preliminary checks passed. Starting splunk server daemon (splunkd)... execve: Permission denied ... View more

How can I change the default hostname in Splunk?

by Splunk Employee in Getting Data In
‎09-09-2014 09:31 AM
6 Karma
‎09-09-2014 09:31 AM
6 Karma
I don't like the default hostname that shows up in Splunk. I would like to change it to the FQDN. How can I do this quickly after my first install of Splunk? ... View more

Re: How can I tell what version of python my Splun...

by Splunk Employee in Splunk Dev
‎06-09-2014 03:25 PM
3 Karma
‎06-09-2014 03:25 PM
3 Karma
Run this command from your splunk /bin directory: ./splunk cmd python -V You'll see output similar to this: Python 2.7.5 ... View more

How can I tell what version of python my Splunk in...

by Splunk Employee in Splunk Dev
‎06-09-2014 03:24 PM
1 Karma
‎06-09-2014 03:24 PM
1 Karma
I want to know what version of python my Splunk instance is running. How can I tell? ... View more

I upgraded to 6.1 and now Splunk is crashing while...

by Splunk Employee in Getting Data In
‎05-23-2014 05:07 PM
3 Karma
‎05-23-2014 05:07 PM
3 Karma
It's crashing on the maintailingthread while reading the disk_objects.log. This is on Windows and the crash looks like this: Crashing thread: MainTailingThread for WatchedTailFile-WatchedFileState: path="C:\Program Files\Splunk\var\log\introspection\disk_objects.log [build 206881] 2014-05-09 04:01:09 Access violation, cannot read at address [0x000079646F626F00] Exception address: [0x0000000140614B21] Crashing thread: MainTailingThread MxCsr: [0x0000000000001FA0] SegDs: [0x000000000000002B] SegEs: [0x000000000000002B] SegFs: [0x0000000000000053] SegGs: [0x000000000000002B] SegSs: [0x000000000000002B] SegCs: [0x0000000000000033] EFlags: [0x0000000000010206] Rsp: [0x000000001192D1D0] Rip: [0x0000000140614B21] ? Dr0: [0x0000000000000000] Dr1: [0x0000000000000000] Dr2: [0x0000000000000000] Dr3: [0x0000000000000000] Dr6: [0x0000000000000000] Dr7: [0x0000000000000000] Rax: [0x000079646F626F00] Rcx: [0x0000000022C11268] Rdx: [0x000000001192E368] Rbx: [0x000000001192E2C0] Rbp: [0x0000000000000000] Rsi: [0x000000001192E368] Rdi: [0x0000000000000000] R8: [0x000000001192E2C0] R9: [0x0000000000000000] R10: [0x000000004E584490] R11: [0x000000004E584990] R12: [0x000000001192E420] R13: [0x0000000000000500] R14: [0x0000000022C11268] R15: [0x0000000000000000] DebugControl: [0x0000000000000000] LastBranchToRip: [0x0000000000000000] LastBranchFromRip: [0x0000000000000000] LastExceptionToRip: [0x0000000000000000] LastExceptionFromRip: [0x0000000000000000] OS: Windows Arch: x86-64 ... View more

Re: Email Report format

by Splunk Employee in Alerting
‎05-22-2014 04:24 PM
2 Karma
‎05-22-2014 04:24 PM
2 Karma
Starting in Splunk 6.1, this ability is built into the product. Edit your search and look under the "Click to edit email action" link in the "Alert Actions" section. It's a simple check box you can uncheck. It's in the picture in step 4. http://docs.splunk.com/Documentation/Splunk/6.1.1/Alert/Setupalertactions ... View more

Re: Remove query from Emails

by Splunk Employee in Reporting
‎05-22-2014 04:23 PM
2 Karma
‎05-22-2014 04:23 PM
2 Karma
Starting in Splunk 6.1, this ability is built into the product. Edit your search and look under the "Click to edit email action" link in the "Alert Actions" section. It's a simple check box you can uncheck. It's in the picture in step 4. http://docs.splunk.com/Documentation/Splunk/6.1.1/Alert/Setupalertactions ... View more

Re: Remove Search query from the email Alert

by Splunk Employee in Alerting
‎05-22-2014 04:22 PM
3 Karma
‎05-22-2014 04:22 PM
3 Karma
Starting in Splunk 6.1, this ability is built into the product. Edit your search and look under the "Click to edit email action" link in the "Alert Actions" section. It's a simple check box you can uncheck. It's in the picture in step 4. http://docs.splunk.com/Documentation/Splunk/6.1.1/Alert/Setupalertactions ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎04-30-2025 10:45 AM
Karma from
Karma given to