Hi @inventsekar! I'm using a UF on the client, where I'd like to get rid of the journald log lines. So, if I understand you correctly: I need to send all journald log data to the HF/indexer, and there use transforms to drop the lines? Thanks for your help!
Best regards, Johan
Hi, I'm ingesting journald log data and would like to exclude all rows with "apparmor=ALLOW". To me, the journald-filter parameter would do the trick if I can invert the selection, i.e. "grep -v". Is this possible, or is there another way to do this without adding everything else to the journald-filter parameter? I'm using UF and Enterprise 9.4.1.
TIA, Johan Nilsson
Hi, I have issues with Splunk Enterprise 9.4.2 not expanding $_index_name from etc/system/local/indexes.conf. My default section:

[default]
...
coldToFrozenDir = $SPLUNK_DB/$_index_name/frozendb
...

This should be fine if I read the docs for indexes.conf. The config file is read, especially since it creates $SPLUNK_DB/'$_index_name'/frozendb, i.e. without expanding the variable. $SPLUNK_DB is still expanded correctly. Googling turned up the answer in "Splunk data retention - Splunk Community", but the resolution there is to manually expand it and put $SPLUNK_DB/"indexname"/frozen under each stanza, and I'm not that keen on doing that.
TIA, Johan
Thanks. Could you elaborate? My understanding is that [httpout] will tunnel S2S over HTTP to a HEC on the server. This makes one-way communication possible, since the diode accepts the HTTP session and closes it with a "200 OK" reply.
Thanks, that's what I've found as well. I did tunnel the data through an nginx reverse proxy, and that forwarded the data as "complete" and not "chunked". The problem is that this will change the design of the network and will require a new approval. So any workaround that doesn't require design changes would be great.
//Johan
Hi, We're setting up a Splunk Enterprise instance in an air-gapped environment. In addition to this, the server is situated behind a diode, making all traffic one-way. I've gotten the Splunk Universal Forwarders to send logs over HTTP to the HEC, but the diode doesn't support chunked HTTP encoding. It isn't possible to turn off HTTP 1.1 support in the diode. On the server there's the option "forceHttp10", but since the client and server don't negotiate the HTTP version it has no effect. Is there an option in the UF to turn off HTTP 1.1 or chunking for httpout?
TIA, Johan