I am aware there is an accepted answer that helped me, but the connection was not established with the message 'need further details.' However, I need to do some extra configuration to establish the connection. I followed accepted answer for jdbc driver(downloaded snowflake-jdbc-3.15.1.jar ) and to configure db_connection_types.conf ( don't copy and paste it from accpeted answer. see below db_connection_types.conf Followed below link to fix the issue: could not initialize class net.snowflake.client.jdbc.internal.apache.arrow.memory.util.MemoryUtil https://community.snowflake.com/s/article/JDBC-OutOfDirectMemoryError I added the first two options from the above solution (you can see below in case the above link is broken or removed) to the JVM Options in connection settings with a space delimiter. It didn't work. However, the connection got established with the third solution. (See db_connections.conf also to understand how that parameter is used.)   1.) Increase the maximum heap size, which in return will increase the maximum direct memory size. You will need to refer to the application's documentation for instructions on how to configure this value because it is application-specific. If you were starting the application using the java command then any of the following JVM arguments will set the maximum heap size to 1 GB: -Xmx1048576k -Xmx1024m -Xmx1g 2.) Explicitly increase the maximum direct memory size. E.g., the following JVM sets the value to 1 GB: -XX:MaxDirectMemorySize=1g 3.) If for any reason you do not have any control over the amount of memory you can allocate to your JVM (e.g., you are limited by the size of the container you're running in and it cannot be configured) then change the query result set from ARROW to JSON. You can pass this setting as a connection parameter using your JDBC driver: JDBC_QUERY_RESULT_FORMAT=JSON   Final db_connections.conf and db_connection_types.conf   local/db_connection_types.conf [snowflake] displayName = Snowflake serviceClass = com.splunk.dbx2.DefaultDBX2JDBC jdbcDriverClass = net.snowflake.client.jdbc.SnowflakeDriver jdbcUrlFormat = jdbc‌‌//:/?db= ui_default_catalog = $database$ port = 443 local/db_connections.conf [Snowflake_DB] connection_properties = {"JDBC_QUERY_RESULT_FORMAT":"JSON"} connection_type = snowflake customizedJdbcUrl = jdbc‌‌//.snowflakecomputing.com:443/?user=&db=snowflake&warehouse=&schema=public database = snowflake disabled = 0 host = .snowflakecomputing.com identity = SnowflakeUser jdbcUseSSL = false localTimezoneConversionEnabled = false port = 443 readonly = false timezone = Etc/UTC       ... View more

Thanks! If I could, I would give you 10 Karma for this solution. It makes the panel so much nicer ... View more

For a better and easy, you can use below SPL and replace your index name for any duplicates in Splunk. index=* | stats count by _raw, index, sourcetype, source, host | where count>1   ... View more

One thing to keep in mind is that for a Splunk Forwarder .../etc/system/local takes precedence over /etc/apps directory.  So a deploymentclient.conf residing in /etc/system/local will take precedence over deploymentclient.conf in /etc/apps directory.  It is not a best practice to make a deploymentclient.conf app available from Deployment Server for the forwarders to download since it will be downloaded to /etc/apps directory. ... View more

You must use search heads and/or heavy forwarders: http://docs.splunk.com/Documentation/DBX/3.0.3/DeployDBX/Distributeddeployment Forwarders can handle the load balancing without adding hardware: https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Forwarding/Setuploadbalancingd ... View more

This default app is configured for port 514 in the props.conf file in the add-on/default folder. To fix it, if you are new, just create a folder/directory called local in the add-on directory and add a new props.conf with the following information. A local props.conf with the stanzas below overrides the ones in default per the order of precedence in Splunk. Do not alter the default/props.conf file. Directory Path: $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/local/props.conf props.conf [source::tcp:5555] TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm [source::udp:5555] TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm ... View more

Hi Andrew, many greetings. We were colleagues and shared Splunk informations a lot. I have very similar problem as you have described. Did you solve your problem in the mean time? I wish you all the best. Michal Spisiak ... View more

Thanks, as commented below, tweaking the regex did seem to fix the issue but still not clear why the it happened. Because both regex rules do match the event. ... View more

Just like you said, use a deployment server. Create a server class, add an app with your input.conf and output.conf, and add servers to that class. ... View more

May I suggest you look at indexed_real-time: http://docs.splunk.com/Documentation/Splunk/6.5.0/Search/Aboutrealtimesearches The number of concurrent real-time searches can greatly affect indexing performance. To lessen the impact on the indexer, you can enable indexed real-time search. This runs the search like a historical search, but also continually updates it with new events as they appear on disk. To enable indexed real-time search as the default behavior for your real-time searches, edit the limits.conf stanza called realtime and set indexed_realtime_use_by_default = true. Indexed real-time search is used when up-to-the-second accuracy is not needed. The results returned by indexed real-time search will always lag behind a real-time search. You can control the number of seconds of lag with the indexed_realtime_disk_sync_delay = setting. By default, this delay is 60 seconds. ... View more

thanks sir this is also working. ... View more

You're right. I created it in custom app with App permission but used the command at search app. Thank you. ... View more

On my splunk-launch.conf there are the following entry, I have to add a new entry? # Version 6.5.0 # Modify the following line to suit the location of your Splunk install. # If unset, Splunk will use the parent of the directory containing the splunk # CLI executable. # # SPLUNK_HOME=C:\Program Files\Splunk # By default, Splunk stores its indexes under SPLUNK_HOME in the # var\lib\splunk subdirectory. This can be overridden # here: # # SPLUNK_DB=C:\wrangler-2.0\build-home\ivory\var\lib\splunk # Splunkd service name SPLUNK_SERVER_NAME=Splunkd # Splunkweb service name SPLUNK_WEB_NAME=splunkweb ... View more

Thanks dmaislin [Splunk] ... View more

This? http://docs.splunk.com/Documentation/AddOns/released/Juniper/Setup o enable the Splunk Add-on for Juniper to collect data from your Juniper devices, you need to configure the Juniper devices to produce syslog output with an output format of default or splunk and push it to the data collection node of your Splunk platform installation, usually a universal forwarder. For syslog configuration instructions, consult the Juniper Networks documentation: Juniper OS (juniper:junos:idp and juniper:junos:firewall source types): http://www.juniper.net/techpubs/en_US/junos15.1/topics/example/syslog-messages-configuring-qfx-series.html Juniper Netscreen: http://kb.juniper.net/InfoCenter/index?page=content&id=KB4759 Juniper SSLVPN: Please search the Juniper Networks documentation. Juniper NSM (juniper:nsm and juniper:nsm:idp source types): http://kb.juniper.net/InfoCenter/index?page=content&id=KB11810 Juniper SRX: http://kb.juniper.net/InfoCenter/index?page=content&id=KB16502 ... View more

doesn't the indexed_extractions do indexed time extraction, which I see in lots of documentation to avoid? ... View more

btool is your friend - https://docs.splunk.com/Documentation/Splunk/6.5.2/Troubleshooting/Usebtooltotroubleshootconfigurations IMO, it is the best way to validate what values are set to. ... View more

Yep, when I deleted the FIELD_NAMES and INDEXED_EXTRACTIONS lines and replaced it with an EXTRACT-Obfuscated regex line, the extracts work! If you can improve on my regexing for extra credit, please do! EXTRACT-Obfuscated = ^(?P<timeStamp>[^,]+),(?P<method>[^,]+),(?P<timing>[^,]+),(?P<transactionID>[^,]+),(?P<trackingNumber>[^,]+),(?P<transactionName>[^,]+),(?P<processID>[^,]+),(?P<threadID>[^,]+) ... View more

The data is just integers for each field 202,109,497,3455,223,227,884,334,964 (...level9) ... View more

But DATETIME_CONFIG=current will override the settings for timestamp configurations and will set all timestamps to the current time. I don't know your data so not sure if you need a custom DATETIME_CONFIG file. ... View more

Excellent! ... View more

thank you! ... View more

Thanks. Referred the same. Will try to implement incremental logic in UNIX shell script same as Python. Any document for shell script will help. ... View more

SEC can produce output by executing external programs (e.g., snmptrap(1) or mail(1)), by writing to files, by sending data to TCP and UDP based servers, by calling precompiled Perl subroutines, etc. You should be able to output and send data over syslog via TCP or UDP into Splunk. ... View more