When I create a timechart using dashboard studio, the visualization only partially loads.  Until I click to open the visualization in a new window, then it loads as expected. We are on Splunk 9.0.5 but I don't see any known issues about this. ... View more

Hello, Are data transfer costs built into the cost model for Splunk Archive?   Customer is concerned about surprises (in the form of a bill, or data caps) associated with freezing their data into the Splunk managed archive solution ... View more

How do we specify multiple output groups on a HEC token, like _TCP_ROUTING for monitor stanzas? ... View more

We are, unfortunately, having to change index names to match a naming convention.  I have a list of indexes that need to be "renamed" ... for routing to the new indexes, rather than track down all the configs which are managed with DS, chef, and other tools, I would like use props\transforms on the HWF's and IDX's to look at every event, and if it was destined for index foo, send it to index foo.   Here is what I have on a single Splunk instance, in system/local (for simplicity and testing the config): props:       [default] TRANSFORMS-foo_idx_rename= foo_idx_rename       transforms:       [foo_idx_rename] SOURCE_KEY = MetaData:Index REGEX = (foo) DEST_KEY = _MetaData:Index FORMAT = bar       I've tried: REGEX = foo REGEX = "foo" REGEX = "*foo*" REGEX = index::foo Nothing I've tried seems to work. Questions I have: What is the actual value that the regex needs to evaluate for the index metadata field? (ie-  index::foo or just foo) Are double quotes required in the regex?  Must there be ()'s? I've seen a couple examples that say they work, but when I copy them verbatim, they do not. ... View more

Just want to confirm this behavior for a scripted input: The script I want to call, actually runs perpetually... it calls an API, outputs the data, waits 120 seconds, calls the API again, wash rinse repeat. What I'm wondering... can I schedule this script, say every 5minutes, and will the scheduler go "script is still running... not starting again"  ... if for whatever reason it stopped, it will just start it again? Or will it just keep starting multiple instances of the script if it's still running?   ... View more

Scenario:  Two large organizations with two separate Splunk implementations.  Org A acquires Org B and in a consolidation effort they'd like to consolidate their search heads and search 2 indexer clusters. What are some approaches to this?  One caveat is both Org A and Org B have some overlapping index names (ie both have index=network). Is it possible to give a role a "default" cluster, so anytime OrgA user searches, they default to OrgA, BUT can be overridden by specifying splunk_server_group=OrgB or splunk_server_group=* ?   ... View more

In a StaticSelect module, the parameter to set the pre-selected value is: All But when I try to use that for a staticRadio module, I get an error when I try to save the XML. No matter what I try, I can't get a radio button to be selected by default. What's the paramter I'm missing? ... View more

I'm working on a POC with devs of a web application and we want to send personally identifiable information across our network into Splunk. The concept is 1, get the forwarder as close to the application as possible, 2, avoid writing to disk anywhere other than on the indexer (which is being written encrypted, but that's taken care of), and 3, use the forwarder to encrypt data in flight. I was thinking about setting up the forwarder listening on a network port, using iptables to restrict access, and have the app log out via network socket right into the forwarder. Any thoughts on this? I want to avoid writing to disk of possible, but also want to ensure we don't miss any events. I want some way to hand off events straight from the app to the forwarder, making sure the forwarder is actually running and taking events. ... View more

On Windows 8-based Splunk Forwarder- C:\Program Files\SplunkUniversalForwarder\etc\system\local\deploymentclient.conf [deployment-client] disabled = false [target-broker:deploymentServer] targetUri = 192.168.0.100:8089 On Linux-based deployment server- /opt/splunk/etc/system/local/serverclass.conf [global] [serverClass:testClass] whitelist.0 = * restartSplunkd = true [serverClass:testClass:app:testapp] I restart splunk and reload deployment configuration (./splunk reload deploy-server) but I still get: No deployment clients have contacted this server. I've verified that the win8 machine can connect to the deployment server on 8089, restarted both services, but nothing. Is there a command I can run on the forwarder to verify the deployment server it's trying to connect to? ... View more

I have a linux-based universal forwarder that gets multiple apps from the deployment server. I'd like to find out exactly what apps it's receiving. What command to I run on the forwarder to get a list? ... View more

When I try to upgrade to V5 from 4.3.3 in Windows, I get: "Splunk Installer was unable to launch Splunk's pre-flight checks Error code: 10" Anyone else getting this? ... View more