We just encountered the same problem after upgrading from Splunk 5 to Splunk 6.1. We overcame the issue by commenting out the [sslconfig] stanza in server.conf and restarting splunkd. This forces Splunk to generate a new SSL password and all checks passed on start up. ... View more

Hi, If an extract reload isn't working for you, try doing a debug refresh (see 3rd answer for reference). Cheers, Matt. ... View more

No, you can leave it as win32 ... View more

Hi thanks for your comments. It's just as I thought then.. I'll use your recommendations for your setup 🙂 ... View more

OK. If you have an automated way (we use blade logic), you can set up a job to remove the inputs.conf and outputs.conf files from your forwarders and add a deploymentclient.conf file with the details of your deployment server (see splunk docs), then trigger a restart. If you don't have an automated way to do this, you will have to do the same thing manually... 😞 ... View more

What operating system are your forwarders running on? Do you have an automated way of installing the forwarders? i.e. how did you install on 500 servers in the first place? ... View more

We FTP our Mainframe logs every 5 minutes to a text file on a heavy forwarder. The logs are forwarded on from there and load balanced across our indexers. ... View more

Thank you. I would be very grateful. ... View more

It works for me too. I had to remove the authorize.conf file that was already in system/local, but it worked in the end. ... View more

I did it by setting up hMail server and running a VBScript to pick up all the PDF attachments and save them to disk. I did raise an enhancement request with Splunk regarding this, but haven't heard anything. With Splunk 6 coming out in October, I hope they have added this feature! ... View more

End of October ... View more

You need to replace "yoursplunkserver" with your server address. If you are using a local version of splunk, replace "yoursplunkserver" with "localhost". So, http://localhost:8000/en-GB/debug/refresh ... View more

Hi Jrodriguez. You can reload any number of config files at index time using the debug refresh endpoint in Splunk. I use this all the time when I make changes to props.conf. You can view all of the endpoints by typing the following into your browser: http://yoursplunkserver:8000/en-GB/debug/refresh and to explicitly reload the transforms.conf file, use the following: http://yoursplunkserver:8000/en-GB/debug/refresh?entity=admin/transforms-lookup for new lookup file definitions that reside within transforms.conf http://yoursplunkserver:8000/en-GB/debug/refresh?entity=admin/transforms-extract for new field transforms/extractions that reside within transforms.conf Hope this helps! ... View more

Hi Chris, http://docs.splunk.com/Documentation/Splunk/5.0.4/AdvancedDev/3rdParty All can be found in the above link.. Thanks, Matt. ... View more

Hi Bruce, I'm currently having the same issues. I'm not sure what the issue is with our VM's either. Did you get anywhere with yours? ... View more

I would like to say... Thank you so much for this answer!!! I used the following search to work out the duplicates: index= | streamstats dc(info_search_time) as count by _time | where count!=1 | eval delete_id=_cd."|".index."|".splunk_server | stats count by delete_id | fields - count | outputcsv dupes.csv and the following search to delete them: index= | eval delete_id=_cd."|".index."|".splunk_server | search [|inputcsv dupes.csv | format "(" "(" "OR" ")" "OR" ")"] | delete ... View more

You can also use post process with this to optimize even further! ... View more

I'm not sure, but I think you need to add autoRun="True" to your Search module. So module name="Search" autoRun="True" ... View more

A couple of ways I have done this in the past. We are currently using the automated option and is working for us. We are able to produce daily, weekly and monthly reports in Excel format using templates. Manual Using the export option from the search bar (after the search has completed) or use a saved search where the CSV file is sent via e-mail. Dump the contents of the CSV file into the template you created and it will be mapped to display the data in the correct way. (Look up "excel link values") OR Automated Install a free mail server (hMail server). Point Splunk to send emails to the mail server. Attach a VBScript to the mail server to scan each email for a CSV attachment and save it. A VBScript is run on a CRON job to copy the CSV file to the Excel template (stored locally). The template you created will be mapped to display the data in the correct way. (Look up "excel link values") The file will be saved locally, but you could always configure it to be sent to an e-mail recipient. ... View more

From my understanding of your question, would it just be like this? sourcetype=data | chart sum(purchases), avg(purchases) by username ... View more