hi @belka, Thanks for posting on Splunk Answers. I'm glad to see that you are using the Karma bounty feature! However, it won't work if you don't engage with the user trying to answer your question. Please approve the question below so the user can receive their Karma points. Or, if the solution didn't help you, please explain why so that they — or someone else — can. ... View more

Belka, how far have you made it with your project? We are going the same route at my location ... View more

I found that reference. We are working through it and trying to see if that will solve the issue. ... View more

When you have an app with a lookup in it properly working on your test search head, you would have to verify app/file permissions on all the files in the app, need to be owned by the account running splunk on all the search heads, if not running as root. Do you have the lookup table assigned to a sourcetype? One other thing to check would be the default.meta file that your lookup app contains. Make sure that you export everything in the app to system, so that it can be used on any search head by any splunk app. I've been bitten by permission issues like that plenty of times. ... View more

We certify and support ojdbc6.jar with Java 1.8. I suspect there is something else going on, perhaps related to permissions. You might be best off opening a support case. ... View more

Hello, Writing to say that the Splunk Mobile Access Server has been deprecated in favor of use of the Splunk Add-on for Mobile Access. You can read about the product here: http://docs.splunk.com/Documentation/MobileAddon In terms of VPN login, you can access the Splunk Mobile App via a VPN by following the steps listed in the "Log in using VPN" section of this link: http://docs.splunk.com/Documentation/MobileApp/2.3.0/Install/Login ... View more

I do this via the command line: splunk set deploy-poll <IP_address/hostname>:<management_port> splunk restart This call gets made by our config management, when we need to make a change. For a new install this cmd is part of the install script. ... View more

Check to see if your DCN has enough disk space in the $SPLUNK_HOME/ directory. The DCN vm ships with 5GB set, which is also the default minimum for the dispatcher to run. You can run a search or two, but then it runs out of space and you cannot search, that is, gather VMWare data at the DCN to forward to the VMWare App. You can increase the size of the $SPLUNK_HOME/ directory to fix it or configure the minimum disk space for the dispatcher to under 5 GB. The five GB limit makes it easier to ship the VM. A vm of say 10 GB storage would take up 10 GB and be harder to move around (5GB was hard enough). Try that and see if that helps solve the problem. ... View more

Just to add one more note, found this to also be an issue if "Enterprise Mode" is checked under Tools in IE. That is not an option available by default but some environments will enable it to enforce compatibility. Once unchecked, Splunk will not render correctly. Here is a link with more information about "Enterprise Mode":http://www.eightforums.com/tutorials/43972-ie11-enterprise-mode-enable-disable-users.html ... View more

You must take the courses directly from Splunk. The good news is that the courses all have a virtual classroom offering. You can find a virtual course in a time zone that fits your schedule, and sign up for that course. But you MUST take the courses from Splunk and you must pass each course. The Splunk courses are prerequisites to sitting for the Splunk certification exams. Each certification has its own set of courses that must be taken from Splunk. Currently there is no "self-study then take the exam" path to Splunk certification. I can recommend a very good book for learning Splunk. "Splunk Operational Intelligence Cookbook" offers many recipes for creating Splunk queries that will help you understand Splunk and help you along to becoming an expert. ... View more

Try this |inputlookup AD1.csv | fields hostname | join type=left hostname [|inputlookup DC1.csv | fields hostname | eval hasDC="Y"] | eval hasDC=coalesce(hasDC,"N") | chart count(eval(hasDC="Y")) as HasDC, count(eval(hasDC="N")) as NoDC ... View more

Perhaps this can be of help? Either stop forwarding the _internal events from the forwarders altogether with the forwardedindex setting in outputs.conf, or configure the logging levels for the various components through log.cfg; http://docs.splunk.com/Documentation/Splunk/latest/Admin/outputsconf http://docs.splunk.com/Documentation/Splunk/6.0.1/Troubleshooting/WhatSplunklogsaboutitself ... View more

The HF in front of the Firewall could index the data, let's say in index=intermediate. Then you could have scheduled searches, for example every five minutes, which would search the events from index=intermediate and write this search result without any processing locally on the HF to CSV files. You can use the outputcsv cmmand for that.The name of the csv file can be generated dynamically during search, so you could have individual csv file names for each output, e.g. containing the timestamp of the search, similar as you would have with rotating log files. Finally you will have a steadily growing number of csv files locally on your HF, which could be passed through the firewall to the indexer, for eaxmple using scp or rsync or whatever makes sense (note that I am not the Linux expert 🙂 ). Or if you don't want to have those files on the indexer, you could move them from HF to any other Linux behind the filrewall and use a Universal Forwader from here. On the indexer, you you proces those CSV files as a usual file input. I have currently no access to my Splunk, in case you need help with the dynamic CSV file names please get back, I am happy to help. ... View more

Thanks! I had forgotten about that command. ... View more

Glad to have found this fix, but patching Splunk's code (vs. maintaining config state) is not really maintainable for most users. A similar issue exists in data/ui/views/job_management.xml . Many enterprises have more than 250 users, and this seems like something that should be a configuration option. I'd also point out that you can workaround the hardcoded limit w/out modifying the code by entering the desired userid in the search input (not as clean) or manually modify the url, replacing &pwnr=- with &pwnr=targetuserid ... View more

As it turns out the parameter is fieldname, not field 🙂 http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/addtotals ... View more