Little late on this, but yes, I just tried this with a kvstore and it fails under 9.1.4.  If I export a subset of my kvstore data to a CSV, it's fine.   No mv fields in my kvstore data, either. ... View more

What do you mean by the Indexer tier? Where would that be located in the file structure on a Windows syslog server? ... View more

I realise this post is 6 years old, but it still helped me. Just to add something that might be useful: When it asks for the Splunk username, this isn't a Linux user account, it's an application user account on the Deployment Server. It's confusing because many other Splunk commands can be run by Linux user accounts, but it seems not the 'deploy-server reload' command. $ /opt/splunk/bin/splunk reload deploy-server Your session is invalid. Please login. Splunk username: admin Also, you can append '-class [serverclass name] onto the end of the command and only changes made to the corresponding deployment apps will get reloaded, so this is perhaps a safer option if you're nervous about reloading everything. ... View more

I realize this is an old thread but rather than starting a new one for the exact same issue I want to use this to show some history, it is 2023 now and we are on version 9.0.0 on a Windows platform and are still getting this same exact error I have opened a technical support case with Splunk and hope to provide you with updates, troubleshooting tips and hopefully a proper solution for this issue  Note: in my case I found the "missing" buckets on the Index Cluster Master UI under Settings \ Index clustering \  Bucket Status \ Fix Up Tasks section     ... View more

Hi @kristian_kolb, If I create this in a specific app called e.g twistlock_parsing to remove events coming from host 127.0.0.1 only within a specific index e.g azure_twistlock - will this drop all events across all indexes containing that ip? I only want that IP address dropped in index azure_twistlock. I have already tried the solution from this page: https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-host-hosts-is-sending-logs-to-Splunk-via-TCP/m-p/289283 and it didn't work ... View more

This command will check both init-d and systemd on unix. Without the sudo should work on windows. sudo ./splunk display boot-start   ... View more

Hello, I have same kind of issue in the environment.. could you please elaborate in detail on how to identify which logs are useful and which can be omitted from using the splunk license. We have created a custom index that ingests the auditd logs from all the splunk enterprise instances only which includes all HFs, SHs, and Indexer components.   We had disabled the inputs as a workaround as it was breaching our license capacity.   Regards ... View more

Hi,    How to do the same thing on Linux servers ... View more

I need the same.  I've filled out the contact form a couple of times but have had no contact back.   ... View more

What solution found in this case? Was issue sorted out because I am also facing the same kind of issue. ... View more

I know this is a really old post, but this is exactly what I think I need to do.  I am too much of a noob to follow this.  Are you still out there? Specifically, I want to search for Windows Security 4776 sucess events, deduplicate the list based on the value in the "Logon Account:  UserX" string within the events message field.  SO I think I need to extract the "Logon Event: UserX" sting so the filed is Logon Account: and the Dedup is applied to the value of that field     ... View more

9 years down the line.. is this still the case? deduplication on a multi-value field is only done in search time? ... View more

https://docs.splunk.com/Documentation/Splunk/8.2.2/Knowledge/Usesummaryindexing Does summary indexing count against your license? Summary indexing data volume is not counted against your license, even if you have multiple summary indexes. All summarized data has a special default source type. Events summarized in a summary events index have a source type of stash. Metric data points summarized in a summary metrics index have a source type of mcollect_stash. If you use commands like collect or mcollect to change these source types to anything other than stash (for events) or mcollect_stash (for metric data points), you will incur license usage charges for those events or metric data points. ... View more

This worked for me: [host::(10.3.4.2|10.12.3.4|IP3|IP4|and_so_on)] ... View more

Would you please show. How I can perform incremental Splunk Ent backups on Daily or weekly basis for small recoveries? Is there an app or process to do regular backups for a distributed environments? Thank u ... View more

The above eval statement does not correctly convert 0 to 0.0.0.0 and null values. Try this: Note: replace ip with the field name you would like to convert.   | eval o1=floor(ip/16777216) | eval o2=floor((ip-o1*16777216)/65536) | eval o3=floor((ip-(o1*16777216+o2*65536))/256)| eval o4=ip-(o1*16777216+o2*65536+o3*256) | eval ipv4=tostring(o1)+"."+tostring(o2)+"."+tostring(o3)+"."+tostring(o4) | eval ipv4=if(ipv4="Null.Null.Null.Null","",ipv4)     ... View more

For the restor.sh, change splunkExePath to splunkBinPath everywhere you see it mentioned. ... View more

Is there a way to rename the NULL to display something else?   ... View more

You can use ignoreOlderThan = 5d at Universal Forwarder to restrict indexing of logs older than 5 days. ... View more

What if Embed isn't in the Edit Pull down?  Edit Description, Edit Permissions...is. ... View more

You need to specify both the beginning and ending characters if you're going to extract the values from _raw. If you are looking at a specific field like 'AccountName' and you only want account names that end with $, then you can use wildcards in your search, like: YourSearch AccountName=*$ ... View more

You need to verify your user has the correct role associated with it. Here is a list of roles: http://docs.splunk.com/Documentation/Splunk/6.5.0/Security/Rolesandcapabilities ... View more

I am not sure you need to escape the ' within the square brackets, so this should work too: [^']+ ... View more

You can extract the fields so that they show up in Interesting Fields, and use those fields directly in searches, but you cannot change how they display in the UI with config changes without using SEDCMD. ... View more

sorry for the long delay. this worked after we added the pass4SymmKey attribute ... View more