I'm installing the VMware app to monitor a rather large environment (1000+ esxi hosts, 10+ vCenters) and I'm not having a lot of luck finding rules for scaling. I can only presume that a single search head/scheduler is not going to handle the load gracefully, but I'm not sure what the best practices are for using multiple SH's and how that affects the end user, whether the scheduler can handle the load, or if it can be broken into pieces, etc. ... View more

I've extracted a field called QR from a sourcetype, and it's working perfectly, but is returning numerical data, and I need specific words for a Enterprise Security dashboard to work. When I type the following eval command into the search bar it works perfectly, but when I place it in props.conf it doesn't execute correctly (new field is not created): sourcetype = MSAD:NT6:DNS | eval message_type = if(QR==0, "RESPONSE", "QUERY") I'm wondering if I'm running into an order of precedence issue, where my EVAL is kicking off before a QR field is even created. I have the following in my transforms and props files. transforms.conf [MSAD:NT6:DNS] [dns_qr_extraction] REGEX = (QR)\s+(\d) FORMAT = $1::$2 props.conf [MSAD:NT6:DNS] REPORT-dns_qr_extraction = dns_qr_extraction EVAL message_type = if(QR==0, "RESPONSE", QR==1, "QUERY", "UNKNOWN") ... View more

Most, but not all of the field extractions, lookups, and aliases created in the TA-DNSServer-NT6 app are viewable when looking through the Search and Reporting application, but not when searching through the Enterprise Security application. The TA-DNSServer-NT6 sharing is set to Global (everyone-read,admin-write) Unsure why only a handful of Lookups generated fields are viewable through ES, but everything is viewable through Search&Reporting. ... View more

I create an alternate identities csv file in *Nix by copying ./SA-IdentityManagement/lookups/identities.csv to ./SA-IdentityManagement/<company>_identities.csv, and then populate it with a few records. I go to settings-lookups-lookup table and ensure the permissions are app=global, everyone=read, admin=write Then settings-lookups-lookup definitions and create a new entry and set the same permissions as above Then in Enterprise Security; configuration-Identity Management and create a new Identity. This lookup is never merged with the existing identities.csv file despite having completely different record data. More telling is that from Identity Management when I click on the lookup://<filename> instead of opening a screen showing the records I get a broken URL link, and an error stating "An error occurred while reading the page template. Has anyone else encountered this issue? I'm presuming it's a permissions issue somewhere but I can't track it down. ... View more