Hi, The btool command lists the configuration options as they are on the disk. Can you run the btool command with some switch to see the currently loaded configurations ? Thanks, Termcap ... View more

Hi, My design:   1. Search Head: splunk-sh 2. My search peers: splunk-idx1 and splunk-idx2 3. My forwarders: splunk-fw1 and splunk-fw2     My Data Flow:   splunk-fw1 -> sends data -> splunk-idx1 into index mail splunk-fw2 -> sends data -> splunk-idx2 into index mess IMP NOTE: index mail only exists on splunk-idx1 and index mess only exists on splunk-idx2     My Search on the search head:   index="mess"   When I run the above search I am expecting the search head to send the search to both the search peers, splunk-idx1 and splunk-idx2 but I find that Splunk, quiet intelligently, only sends the search to the search peer that has the index mess and does not send it to the other search peer. Is this by design ? Another question. Is it a valid architecture to not have the same indexes on all the search peers because I just want a single querying interface(search head) but at the same time I want to spread the data onto multiple indexers.   Thanks, Termcap ... View more

Hi, Considering that the deployment server, Search Heads, Universal Forwarder and Deployers are full Splunk Enterprise Installs, how does the licensing work ? I know that indexer licenses are based upon the data ingestion, so what are search head, Deployer, Deployment Server and Heavy Forwarder licenses based on ?  Thanks, Termcap ... View more

Hi, I have the following outputs.conf on my Splunk Heavy Forwarder:   defaultGroup = indx1 [tcpout:indx1] server=1.1.1.1:9997 [tcpout:indx2] server=2.2.2.2:9997   As expected, the heavy forwarder is forwarding all data to the indx1. Then I manually stopped the Indexer indx1 expecting that Splunk will start sending the data to indx2 as indx1 is not available, but this did not happen and all forwarding was blocked by the heavy forwarder waiting for indx1 to come back online. Logs below.   05-31-2021 18:14:45.039 +0000 WARN TcpOutputProc [16471 indexerPipe] - The TCP output processor has paused the data flow. Forwarding to host_dest=1.1.1.1 inside output group indx1 from host_src=splunk-hf has been blocked for blocked_seconds=480. This can stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data.   Is this the expected behavior ? Should the heavy forwarder not switch to indx2 once indx1 is down ?   Thanks, Termcap ... View more

Hi, While adding an HEC input on the Splunk heavy forwarder, Splunk does not provide the option to select the app. I am using Splunk version 8.1.3 and build 63079c59e632 Is this a bug in the web interface in version 8.1.3 or has the option been removed do to some reason. HEC input addition screenshot: Thanks, Termcap ... View more

Hi All, I have set up a continuous monitor of the /var/log directory and set the host to "vps" Now when I am searching the oslogs index, I'm expecting all the logs to have the host value to be set as "vps" but that is not the case, instead of having one host "vps" I have two hosts "vps" and "ip-172-31-17-23" which is the hostname of my machine.  There is no additional input for the oslogs index, this is the only one that I've set.     What explains this anomaly and how can this be rectified ? Thanks. ... View more

Hi,   I have the following CSV data that I've uploaded into Splunk   iso_code,continent,location,date,total_cases USA,North America,United States,2020-01-22,1.0 USA,North America,United States,2020-01-23,1.0 USA,North America,United States,2020-01-24,2.0 USA,North America,United States,2020-01-25,2.0     My props.conf is as below   [csv-c1] BREAK_ONLY_BEFORE_DATE = DATETIME_CONFIG = INDEXED_EXTRACTIONS = csv KV_MODE = none LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = true SHOULD_LINEMERGE = false TIMESTAMP_FIELDS = date TIME_FORMAT = %Y-%m-%d category = Structured description = Comma-separated value format. Set header and other settings in "Delimited Settings" disabled = false pulldown_type = true     Now, when I perform the search on this data the events are listed with the expected _time values But when I try to create a table with _time field, it appears as if Splunk treats the _time field as a string and not as a date object. Notice that the chronological order of the dates is lost as well as the HH:MM::SS part. Can someone please point out why Splunk is behaving this way ? Surprisingly if I index the same data with the current timestamp, everything works fine and _time does not lose its chronological order or its HH:MM:SS part its displayed using the table command   ... View more

If I want to buy a subscription for on premise Splunk Enterprise Security, what is the way to go about ? Some Questions: 1. Is Enterprise Security just an app that is to be installed on Splunk Enterprise or is it a separate Splunk bundle all together ? 2. If I install Splunk Enterprise Security on Splunk Enterprise, will it use the data ingestion license of Splunk Enterprise or will I have to buy a separate ingestion license for Enterprise Security ? 3. Does Splunk Enterprise Security care about the daily ingestion limit or its a function of the underlying Splunk Enterprise installation ? 4. Can I deploy Splunk Enterprise Security as follows: Install Splunk Enterprise and apply a daily ingestion license of xGB/day. Buy subscription for Splunk Enterprise Security, download the app and install it on my Splunk Enterprise install. In case I need to increase the ingestion limit, buy the upgraded license and install it on the Splunk Enterprise ? 5. Can anyone point out a ballpark figure for the price of Splunk Enterprise Security ?  Thanks, Termcap ... View more