Yes, Wcolgate. ... View more

We tried the same for Win Server 16, and via GPO, but the services never came up, but when assigning local administrative privileges, the services executes. According to MSA (user needs to be part of local administrator group). We are currently struggling to make it up. ... View more

Please share the resolution or RCA? ... View more

Hi Ssievert, We do not have HF, where we can apply these configs. We have 500 devices and have 98% of them sending data from UF, so as per optimization, we did not go for HF. When applying the settings, UF is not able to process them. ... View more

But after lot trials, not able to forward data from indexers. ... View more

Sometimes the service is not reachable, so gives this error. You can use inbuilt user account or domain account. ... View more

Question: I have one thought, that, how do we come accross setting the values for max_fd= ? What are the rationals setting values or it's random, what feels good for us? Some people say, increase or double in sequential way, using default value, till it resolves. ... View more

It resolved our issue. ... View more

This is an issue of bucket corruption. Your bucket movement will also not happen and you will see, your disk utilization going very high. To resolve this issue, you need to, 1. delete the bucket creating issue (either with zero size, or did not complete properly) 2. check the bucket movement (observation, if approx retention - 90days (24hrs observation required)) 3. check all equivalent number of buckets based on your replication factor(very important) What causes this issue: 1. Properly not restarting or non-graceful shutdown of indexers. 2. network disruption such as huge flip flops (very rare, but one of possible reason). ... View more

Cause of this error: Cluster-bundle applied, but SH was busy, could not take up the update. Resolution: 1. restart the splunkd service on SH. 2. Rejoin the SH to the cluster ... View more

https://answers.splunk.com/answers/406009/why-is-splunk-crashing-whenever-i-try-to-start-the.html ... View more

Please look for Splunkd.log. Observation: 1. bucket replication or bucket duplication 2. Indexes execution issue (if cluster enviornment) Resolution 1. check carefully entire (try to find for "error", you may get duplicate buckets. 2. In case of indexes, you may not have your master cluster speaking, or bucket under other indexes may be creating this issue. Regards, Anand ... View more

you need to check you bucket status. check your splunkd.log. you will get the actual reason for it. ... View more

in case of non-root user, what should be the option? ... View more

blacklist5 = EventCode="4625" ComputerName="server-name" Message="\sAccount Name:\s_USER_NAME_\s" In windows events, there are lot many spaces, which we need to tackle. ... View more

blacklist5 = EventCode="4625" ComputerName="server-name" Message="\sAccount Name:\s_USER_NAME_\s" ... View more

Thank You for the idea. It does not read, because of additional spaces ... View more

There is no options yet, where Indexer to be used as Heavy Forwarder and forward data. I too had the same requirement, but it did not work. ... View more

@mhtedford: Please check one most important thing at your source, which is your inputs.conf, the very reason, the duplicacy may occur again and reaching to root is important. Two possibilities would have happened. Inputs.conf is added with this additional configuration made to read data 'ignoreEarlierThan=xdays' and, Splunkd service at the source would have been stopped or restarted with some reason/cause. Because of this pause of UF or HF, it will pick up data, as there is no method in Splunk yet to compare or verify, if the data is already indexed for so and so and so, matches or criterias. As action, 1. You can verify inputs.conf 2. delete this additional record[caution], but please [imp] take help from splunk administrator, even though you have privileges. Any mistake, may lead to corrupt bucket or create issue in index. Looking for your update, ... View more

did you precisely checked the peak time information. Manually checking for the results will really help. Devices work as they are made for and events generate, as we use them. We can work together to resolve this issue.. ... View more

Two ways to solve: option 1- Let the forwarder create multi-line. Use "transaction" keyword to group similar based on common field you prepare for. Option2- try using trail method for the log. Let rsync write to file.log, but use another crontab to send data to another file - rysnclistner.log. Now listen to this log file. Reason: 1. Changes the frequency of reading data for fowarder 2. You can use it in form of Queue and data purges as new entries keeps come. (FIFO) Hope any of the option can help. But most important, we also would like to see some sample _raw to be able to decide. Thank You ... View more

mvexpand 'field_name' works!! ... View more

it is additional step for authenticating your splunk indexers. For example- If it FALSE, setup an indexer, add and define common certificate and configure to forward the event, it will start ingesting. In this case, certificates, verify, whether it is forwarding events/logs to correct indexers only, but based on certificates You need to have two more configs need to be added in case, you want it to work, output.conf, (splunk forwarder - DS client) sslCommonNameToCheck= server.common.name.com.fqdn between server to server sslCommonNameList = splunk.servers.names.with.comma.for.all.making.communication, server1.com, server2.com Always configure these config in last, as any communication break, can be rolled back, as this would be only check. ... View more

*/5 * * * * will make it work. Its correct, but space is required to give. ... View more