jaxjohnny2000, It has been not. Splunk only gave it lip service but have done nothing about it in the 5 years the problem was first brought up. In secure environments such as I work in now and in the past the "workarounds" proposed by others are not allowed. It is one reason why we have been looking to drop Splunk as our main tool on our 3 major networks. ... View more

There should be no pipe in front of your saved search inside the brackets. "| savedsearch PausedTime_SS index_name=one_index | append [ savedsearch PausedTime_SS index_name=other_index ]" ... View more

That may work. Will see if we can get that to work for us. Thanks to you and ontkanin! ... View more

If I am reading ontkanin's workaround correctly , the problem is moved off of Splunk and on to the LDAP server. Not in giving every Splunk user admin capability which is mmuch much worse but in giving all Splunk users capability to run an LDAP search. We only want certain Splunk users by role the ability to run an LDAP search. Working within a high security facility and network, we are limited to what a user can and cannot execute. We cannot give everyone on Splunk the capability, just those whose job requires it. The best solution is still to have Splunk team to give LDAP search capability as a role attribute with no other capability/attribute required to be given that gives more privileges than they should have. Ontkanin's solution is great if you do not have limitations as we do on what regular users can be given permissions to. ... View more

It has been just short of three years since glancaster first received an answer from Splunk that an alternative was being looked into so that a standard Splunk user would be able to run ldapsearch without being given VERY dangerous admin_all_objects capability. AS I write this out organization has just come up against this same problem recently and yet NO solution been given even after enhancement tickets have been opened over the past three years. Very disappointing. ... View more

Fair enough but as stated it was as a comment and not an answer. I only mentioned that was the only way I got mine to work. I should of been more clear that it was how I got mine to finally work and not present it like it was the first and only way to fix the issue. You are right to call me on that. The official answer from Splunk Support is to run the clean locks command. I ran the official solution a couple of years ago and it did not work (lock file went away but 1067 error did not). I did state that if OP was not comfortable dealing with Windows Registry (I am and there are many cases when hardening a system it is required) to not attempt. The issue I had was an upgrade to early version of 6.x and not latest. Outside of the one time 1067 showed up Our Splunk system on Windows has run flawlessly for the 3000+ systems we monitor. I am not saying that Windows is better than Linux....I always preferred Linux over windows. It is just some organizations dictate the OS (especially government) and the Splunk Administrators have no choice but to use Windows and cannot make the conversion to the more stable Linux OS. You are correct Windows does have its drawbacks but I have found out in my experience with Splunk Windows (six years now) that official Splunk solutions given may work for Splunk Linux but many times not for Windows. ... View more

A 1067 error more often than not means you will need to go in to Windows registry and delete all key values referencing Splunk.. I had similar problem upgrading an older Splunk Version to a newer one. If you get a 1067 error and removal and installation does not fix issue, then only recourse I found that worked was going into the Window Registry (do not attempt if you are unfamiliar with manipulating Window Registry!) and do what I stated above. Make sure you uninstall Splunk first so the number of keys and values to delete are lower in number. Once done reboot machine and then do a new fresh install of Splunk v6.5. You should be good to go then. (No guarantees!) ... View more

Telling someone to "Avoid using Windows" is not an answer. If you are going to make such statements, keep it in the comment section of the individual's question. There are a lot of organizations where it is dictated to the Splunk administrators what OS is to be used and is beyond their control. ... View more

krellinst , I had to do the exact process that employed back last year when I went from 5.0.3 to 6.1.3. The worst was having to do it for the 300 v5.0.3 forwarders we had installed. Seems upgrading from 5.x to 6.0 was good for most but if you went from 5.x to 6.1.0 or higher this issue would present itself. I wish I had come across this question earlier for I could of saved you a couple of weeks of headaches by given you the exact process you ended up employing. ... View more

clientname = $HOSTAME under the deployment-client stanza is all you need to do. Create an APP called something like mydeploymentclient. Create a local directory folder under the mydeploymentclient APP folder In local directory folder copy or create deploymentclient.conf into it. Edit deploymentclient.conf to insert this stanza. [deployment-client] clientname = $HOSTNAME Add APP directory folder to deployment-apps of your deployment server Use forwarder management UI and add APP to your server class Run command 'Reload deploy-server' afterwards and your changes will take place. afret2007 ... View more

This is old but in case someone else has your question then I may have the solution. Install it like you normally would. Create an app called something like mydeployment on you r Deployment Server Under the app folder, create a local directory folder. In that folder copy your deploymentclient.conf file into. Restart deployment server so it deploys out to all the servers in your server classes. ANY CHANGES MADE TO APP deploymentclient.conf WILL override the etc\system\local\deploymentclient.conf. I have done this myself to change the clientname on all my forwarders using clientname = $HOSTNAME under the deployment-client stanza. Apps will override etc\system\local configurations if the app configurations are in a local directory folder as well. App configurations will not override if they have been placed in a default directory folder. afret2007 ... View more

I need to modify my answer. Please replace $COMPUTERNAME with $HOSTNAME. To reiterate, I did this for windows. The environment variable that Splunk uses for windows is $HOSTNAME. I do not know if it is the same for Linux for we do not have any forwarders installed on Linux systems. afret2007 ... View more

Your question does not specify windows or Linux and sounds like you do not have a deployment server in place. Once you have setup and configured a Deployment Server you can create your deploymentclient.conf file and put this in it. This was done for windows. I was in the exact same predicament as you are now. [deployment-client] clientName = $COMPUTERNAME-whatever you want to have after your clientname [target-broker:deploymentServer] targetUri = yourDeploymentServerName:8089 Once created, push out the deploymentclient.conf file via MSI to all your forwarders you want updated (push different versions of the file depending on what you named the computer and what it is used for) to your \Program Files\SplunkUniversalForwarder\etc\system\local directory on your forwarders. Once the forwarder service has been restarted you will be able to see the forwarders via deployment server UI and will have the Client Names you wished to have depending on hostname and what they are used for. In future you then can make changes via app update process. I hope this helps. It is pretty straight forward this way. afret2007. ... View more

I have same issue except I have Splunk Version 6.3.0 loaded on windows. The workaround is for Linux users. Is there a workaround for windows I wonder. ... View more

khutchinson_splunk, I want you to know that I had been racking my brain on this for three days until I finally ran across this post. Even though nearly two years later and version 6.1.6, I hit the EXACT same problem after an error caused the rollback to fail except splunkweb and not splunkd service was causing the error (I believe vince2010091 was alluding to that fact). Splunkweb got deleted leaving only splunkd. Manually deleting the splunkd service via command line and rebooting allowed me to successfully upgrade to v6.1.6. ... View more