I would try to forward the data to the main index to double check the communication between the forwarder and the peers. I would also go to the UI of every peer to Manager->Indexes and take a look if the index is visible there, enabled, and the configuration of it works fine. You might use this: | eventcount summarize=false index=* | dedup index | fields index to see if you index is seen by the search head. ... View more

The *nix app is designed to work on both Windows and Linux indexers. However it needs to communicate with *nix TA (Technology AddOn) which needs to be installed on the Linux machine you want to collect the data from. If the UDP Syslog data you want to collect is not specific for *nix app, but is your own -> you don't need to have the *nix app. ... View more

The key/value pairs haven't been extracted because Splunk extracts automatically only key/value pairs in form: key=value. ... View more

Do you know to which index this sourcetype belongs? Do you have rights to view the events of this index? What role are you using? ... View more

4 hosts, 2 clusters on 4 hosts, each cluster on 2 hosts. Each cluster: first host - cluster master + peer, second host - peer + search head. The forwarders switch the indexers every 60 seconds. My rep factor = 2, search factor = 2. I do not need to put all the hosts at once down, I can do that sequentially. I can easily put down the hosts with peer+search_head down, but I do not know how to put down the host with the cluster master so the cluster starts working properly after starting cluster master again. ... View more

Yes, the restart is described there, but unfortunately my case is not a restart. I need to stop the entire cluster (4 instances on 2 hosts), then the hosts are patched and restarted, and after that I need to start the whole cluster again. The patching might take few hours. ... View more

Yes, the restart is described there, but unfortunately my case is not a restart. I need to stop the entire cluster (4 instances on 2 hosts), then the hosts are patched and restarted, and after that I need to start the whole cluster again. The patching might take few hours. ... View more

If I understand properly, the excel file is your outcome, and what form has the input? To find first/last occurrence of something I would use streamstats with first()/last() function. ... View more

Could you provide some more data? Maybe some example log data to work on? ... View more

Are the fields also unavailable under the "View all X fields" link? ... View more

From the docs 🙂 http://docs.splunk.com/Documentation/Splunk/latest/Viz/Aboutthismanual ... View more

Thanks a lot for the detailes! ... View more

This may be helpuf: http://splunk-base.splunk.com/answers/6358/can-i-change-the-splunk-login-page On my login page these kind of messages never appear since I bloked the conectivity to splunk. ... View more

I think you should be looking at the config files at etc/apps/SplunkUniversalForwarder/local folder. If you have an universal forwarder installed, thats where you should put your config. In the inputs.conf you tell the forwarder which files to monitor. In the outputs.conf you should configure where the data should be sent (your destination (indexer)). Also you should also enable receiving the data on the indexer side (add the [splunktcp://:9997] to the $SPLUNK_HOME/etc/system/local/input.conf). You should also create an index for the data. ... View more

Have you also defined outputs.conf for each config? ... View more

Could you paste maybe some extracts from config files (inputs/output.conf?) and tell more about your architecture? Is it only forwarder-indexer or do you have a deployment server installed, too? My good way to test the installation is to configure passing forwarders own splunkd.log to the indexer - if I see the data than I know that the basic functionality works fine. If you would like to troubleshoot you should also take a look at the splunkd.log in your var/log/splunk directory. ... View more

Hi Konrad! Pozdrowienia z Polski 🙂 To map the groups to roles go to: Manager->Access Controls->Authentication method->Configure Splunk to use LDAP and map groups->In the Actions section of your LDAP strategy you'll see "Map groups". Select the right group and the role you want to match with it. Hope it helps 🙂 asia ... View more

take a look at: http://docs.splunk.com/Documentation/Splunk/5.0.2/Data/WhatSplunkcanmonitor http://docs.splunk.com/Documentation/Splunk/5.0.2/Data/Setupcustominputs http://docs.splunk.com/Documentation/Splunk/5.0.2/Tutorial/Aboutgettingdatain ... View more

Hi, I would be great if you could give some more details. To get data from database you would probably need splunk DB Connect app. What info do you need from websites? execl file can also be an input for splunk just like any other log file (for that you need splunk forwarder). After you will have all the data you need I would recommend to make a dashboard and schedule generating it as a pdf to get reports. More details would be nice 🙂 ... View more