wow. just. wow. took me a week to find this  ... View more

Thanks PeteAve! I'll try that and see what happens.....  ... View more

I'm also having a similar problem. The "user menu" for my Splunk UI is simply not there. With this being the case, I'm not able to change my preferences or simply logout. Any help would be greatly appreciated.  ... View more

This thread is almost a year old with an accepted solution.  For a better chance at helpful responses, please post a new question. ... View more

You can add the following to your search head to solve the issue. server.conf [introspection:distributed-indexes] disabled = false ... View more

Can anyone please help on this? ... View more

OK. I got a bit too far ahead of myself 🙂 The TZ setting is only applied if there is no timezone specified within the timestamp parsed from the event so in your case this setting - even though it is set - will not apply because you have your "IST" in your time string. Time is generally being parsed on the first "heavy" (based on a full installation, not the universal forwarder binary) component in event's path. So if you're sending your events straight from UF to indexers, the events are parsed on indexers (including timestamp recognition and parsing). If you're sending them from UF to HF(s) which are sending to indexers, parsing is done on HFs. And on those parsing components (in the first case - indexers, in second - on HFs) you need the TZ_ALIAS config. So if you deploy your config only to UFs, it won't work since UFs don't parse events. They just read/receive them (depending on the type of input) and forward them to indexers/HFs. ... View more

Are you seeing this with Linux systems? I had an issue like this with our Linux logs forwarding to our syslog server. Turned out being an extra space at the end of our syslog outgoing template. After the \n" someone had \n " ... View more

I would check the server name on the UF and search what you find in the Forwarder Management on the deployment server. It sounds like everything is working.   Forwarder management > click on your server class > search the server name found on UF To get it to show in the monitoring console: Monitoring console > settings > Forwarder Monitoring Setup > Rebuild Forwarder assets. Hope this helps. Matt ... View more

hi @aa0, good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated 😉 ... View more

@richgalloway that worked!  ... View more

Make sure your Splunk user has the proper permissions to read the certs. web.conf enableSplunkWebSSL = 1 privKeyPath = /opt/splunk/etc/auth/mycert.key serverCert = /opt/splunk/etc/auth/mycert.pem   Depending on the method you used, you must combine the server certificate, the private key, and the public certificate, in that order, into a single file. The combined file must be in privacy-enhanced mail (PEM) format. cat <server certificate file> <server private key file> <certificate authority certificate file> > <combined server certificate file> https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/HowtoprepareyoursignedcertificatesforSplunk  ... View more

Try this in the CLI, path to where splunk is installed on the master indexers: ./splunk apply cluster-bundle     ... View more

So its hard to help without seeing the data but you could try something like this. main search that pulls the two event ID in 24 hrs |stats values(EventID) as Group_ID by user EventID |eval removal=if(Group_ID=4756 AND Group_ID=4729, "Yes", "No") |search removal=Yes   Something like this should work.   Matt ... View more

Hi, So you can easily change this at search time with a regex. Try something like this: Your main search |rex field=_raw "src\=(?<src>\d+\.\d+\.\d+\.\d+)"     ... View more

How are you indexing the JSON data? Are you indexing the JSON fields individually at index time? What do your props and transforms look like? Check that your props.conf has INDEXED_EXTRACTIONS = json Note: If you set INDEXED_EXTRACTIONS=JSON, check that you have not also set KV_MODE = json for the same source type, which would extract the JSON fields twice, at index time and again at search time. I have had similar issues when I created a custom indexed field at index time and did not put it in the fields.conf. If you are indexing the fields at index time, you need to tell Splunk they need to be treated as indexed fields.   ... View more

Noticed one issue with your TIME_FORMAT. Looks like  your You have: TIME_FORMAT = %Y-%m-%d %H:%M:%S Should be: TIME_FORMAT = "%Y-%m-%d %H:%M:%S" For the parsing issue, I have seen issues like this when we had a sourcetype from a different app with the same sourcetype name. I would run the btool to double check that is not the issue. Another thing you could try is breaking on the gz at the end of the log. That is assuming that value is in every event LINE_BREAKER = .csv.gz ... View more

I'm guessing its a permission issue with your syslog-ng directory. I would check that your user running splunk has the proper permissions to ingest the logs. I would compare the permissions of the files that work to the syslog-ng files. ... View more

@guilmxmFYI ... View more