the issue is definitely your regex. This part is wrong: 192\.168.\1\.1 \1 doesn’t make sense there unless you previously captured something. You just want to match the literal IP. To drop all events containing 192.168.1.1, your transforms.conf should look like this: [null_1] REGEX = 192\.168\.1\.1 DEST_KEY = queue FORMAT = nullQueue That will drop any event that contains that IP anywhere in the line. If instead you want to drop all traffic with port 123, and assuming the port appears as a full field like in your example: ...,192.168.1.1,192.168.6.225,123,123,... You can match it like this: REGEX = ,123, That makes sure you’re matching the port field and not something random like part of another number. If you want to drop events that contain either that IP or port 123, you can combine them: REGEX = 192\.168\.1\.1|,123, That’s all you need.       ... View more

Thank you all for this thread!   I've been working on Splunk for close to 10 years and JUST ran into this today for the first time and thought I was losing my mind because I can't find any record of etc/system/default/deploymentclient.conf on any of my systems.     Thank you for confirming that I'm not the only one thinking this is really, really weird but seems "normal"   ... View more

Again, to avoid confusion of future readers and stress woodcook's point: One instance of Splunk can fulfill multiple roles! So to have one Splunk instance act i.e. as license master, cluster master and DMC you do not have to install 3 instances! Instead you configure the necessary stuff for the 3 roles on the same instance. There's some role Splunk tells you not to combine them (i.e. Cluster Master and Deplyoment). But generally this works like a charm while installing 3 instances on the same server is definitively a mess and 3 VMs would be unnecessary and lot of overhead (ressource- and managment-wise). ... View more

Hello there, I encountered the same issue, did you get to resolve it? ... View more

Even this is old case, I would like to add which the one can do with current versions. Just run this: | dbinspect index=* OR index=_* corruptonly=true | search state!=hot Select enough long time period to found all corrupted buckets. r. Ismo  ... View more

Hi nbayko, Setting replication factor depends on many factors. is yours a multi-site or are you running it as a single site cluster? how many sites involved in the cluster. What is your high-availability requirements? With a replication_factor=3 with 2 sites (origin:2, total:3) seems like working fine in many cases as it provides site level HA and this is just an example. Increasing replication factor also comes with the cost of storage. So you need to check and validate your requirements with the settings you have. For the detailed analysis on multi-site and how the replication_factor setting comes into an action, you can refer to the below link. http://docs.splunk.com/Documentation/Splunk/6.6.2/Indexer/Sitereplicationfactor ... View more

and if you have default access to any indexes and those are the ones show up in the data summary when you login. Hope that explains the last bit of your question. ... View more

There is no overlap between msta and mstb clusters. All the VM names are correct (as well as the names within the Splunk instance). I have built the clusters but not defined any indexes yet. The GUI in the cluster, msta, shows the correct indexer peers (idxa and idxc) and search head (splunka) The GUI in the cluster, mstb, shows the correct index peer (idxb) and two search heads (mstb and splunkb). If i was getting similar behavior in both clusters it would not cause concern. ... View more

The interesting thing is that btool check does not detect this collision. ... View more

I think that you meant to make this a reply to my comment on your answer above... ... View more

Adonio thanks fr your help, ¡¡ Mi index its OK 🙂 ... View more

Also event if you have not created field extraction you can try with the second search (change field name my_lookup_ip with one of your own in the lookup file) ... View more

If there is anybody still looking at finding an alternative for using commas in a csv lookup file, because they CAN'T use commas, because their fields contain commas, GOOD NEWS: You can use quotes as text delimiters and commas as field delimiters in the following fashion: "field1","field2" "example1, that contains commas","something" "example2","" "","example3" Splunk correctly extracts field value pairs! ... View more

Splunk won't change the values of the columns in the table as it indexes them, it will set the splunk field _time to the current_index_time. ... View more

Here is the rex you need if you only need the last part of the responseMessage: rex "<responseMessage>[^<]*?:(?P<fieldToBeExtracted_callMeWhatYouWant>[^<]+)<" That should extract everything from after the colon (:) on to the end of the field. ... View more

@raghu0463 plz upvote the comments are helpful 🙂 ... View more

rangineniarunkumar, Are you troubleshooting the migrated data to the new instance? or the new data flowing into the new instance? I would go through the instance and see what settings the old instance is running. splunkdata system/local etc/apps etc/deployment-apps (if it is all one single system does everything?) If this instance configurations managed from a deployment-server, then you can point the new instance to deployment-server and that will take care of some of the configurations. If this also a search head, then check all your dashboards etc. to see if any hard coded urls with your old hostname etc. ... View more

@chadmedeiros did you ever add the submit functionality ? This is awesome, I just want it to send the selected checkboxes to another table when i hit submit.. ... View more

Check the documentation for the "mode" setting in the inputs.conf, in the past changing to "online" mode helped a bit. Also check the no-resolve as this takes up the cycles, you don't want to resolve the objects. https://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Setup2 It also depends on the number of checkpoint managers/connections you are handling on one forwarder. When it gets to millions of events from 50 different connections on forwarder can really get overloaded and you might need to look into distributing the load. This is just one of the scenario I have seen, but the yours might be different. ... View more

There are two things to consider here. First, remember that "permissions flow from the search head". Allowing a "foreign" (not in your control) search head to peer with your index cluster gives the admin on that foreign search head full power and authority over all indexes, roles, and data access controls on your index cluster. So in your example, team XYZ allowing team ABC to search-peer would give the admins of team ABC's instance full access to any data ( or deleting data ) on XYZ's index cluster. Second, data model accelerations are specific to the search head they belong to. So, in this scenario, there will be two ES search heads running independent accelerations on XYZ's indexers. There will also be twice as many correlation searches running against that data. XYZ's indexers may need to scale up or out in order to deal with the added stress. ... View more

Looks like I only have limited events populated with the values and rest blanks. and I was moving fast between sort asc/desc. Tried to run more specific queries with the where condition and saw some values populated. Thanks everyone for your comments and quick replies. ... View more

As far as the documentation is concerned, the process for importing them are exactly the same, so I would assume that the lists could be the same. ... View more

Changing the interval is not going to solve this. Let's be extreme and say indexers check every ten seconds while forwarders check every ten days. There still will be a case where eventually one forwarder's ten day interval will be up just after you deployed changes, and it will restart faster than your indexers. To get around this, make changes to your indexer's server classes first. Reload deployment server, wait. Then make changes to forwarder server classes, reload, wait. Even better, use clustering and roll out indexer changes from the master before touching the deployment server and therefore the forwarders. ... View more

Hi Martin, Thanks for clarification. I do see those apps names in the URLs, but I still had a question, when I add inputs in the GUI, (I was changing the sourcetype, creating new sourcetype), I see the props.conf created under system/local and inputs.conf created under search (I was in search app). Wondering why props.conf created in global? Thanks for your response. ... View more