I believe since the data does not come through raw, it is considered already "cooked" and no index-time extractions can be applied. We are missing a severity field as well as the timestamp being 4 hours off. This is using the Splunk HEC connector. We might have to default back to syslog! Thanks for the help!
I believe we are on an older version, working to get it updated now. Are you using a TA for the props / transforms or just built your extractions custom?
Ahh, yeah, I don't see the configuration page on BT. Unless you are referring to Tools-->Alerting-->Actions, but that doesn't have anything Splunk related other than the host value to send to.
Lguinn, I agree with you, but I also think it's worth noting that if there was any legacy data from before the cluster was built on any indexers currently (older data existing on any standalone Splunk indexers originally), then that data will not be available to the search heads when that particular indexer is down, unless the old data was copied to be replicated. Probably not something Daniel will have to worry about, but it's good to thoroughly understand that index clustering, when a cluster is first set up, only replicates new data coming into Splunk.
Have you made any customization to sendemail.py in the app you are in or in the search app? You can try this: stop Splunk, copy the sendemail.py from the default "Search" app and paste it into the app you are facing this issue with, then start it and see if that fixes it.
I also do not get the password prompt error. I just get the "Unable to run data collection. End Of File (EOF) in read_nonblocking(). Exception style platform" ERROR.
I am not trying to connect remotely. This is for local access. I get the following error when running this command as root.
python ossec_agent_status.py
Server: hostname, Error: Unable to run data collection. End Of File (EOF) in read_nonblocking(). Exception style platform.
version: 2.3 ($Revision: 399 $)
command: /usr/bin/sudo
args: ['/usr/bin/sudo', '/var/ossec/bin/agent_control', '-l']