@ITWhispererI tried this too, it's not working (picture attached). Any other suggestions, please? ... View more

Hi @kumar493  I am facing the similar issue with splunk boot start implementation. Could you please let me know what changes you made in init script.   Thanks in advance ... View more

Okay @richgalloway . Thank you. ... View more

1.  See https://docs.splunk.com/Documentation/Splunk/8.1.2/Installation/AboutupgradingREADTHISFIRST , https://docs.splunk.com/Documentation/Splunk/8.1.2/Installation/UpgradeyourdistributedSplunkEnterpriseenvironment and https://docs.splunk.com/Documentation/Splunk/8.1.2/Indexer/Searchablerollingupgrade 2.  See https://docs.splunk.com/Documentation/Splunk/8.1.2/DistSearch/UpgradeaSHC 3.  See https://docs.splunk.com/Documentation/Splunk/8.1.2/Installation/AboutupgradingREADTHISFIRST and https://docs.splunk.com/Documentation/Splunk/8.1.2/Installation/HowtoupgradeSplunk 4. See #3. 5.  I usually don't bother with backups since the upgrade procedure is nearly flawless.  If you prefer to bac up first then use your preferred backup method to copy $SPLUNK_HOME, excluding $SPLUNK_DB. 6.  Don't upgrade to version 8 without first installing and running the Splunk Upgrade Readiness app.  Read the Release Notes for relevant changes.  Read and follow the installation instructions. 7.  See Perform a rolling upgrade 8.  The most common issue is it just works.  Other issues arise with Splunk 8 because the use failed to upgrade their apps to a version compatible with Splunk 8. ... View more

You probably don't want all 5,000 entries on a single syslog server.  Use more than one to spread the load and risk. Writing 5,000 stanzas isn't difficult, it's just tedious and time-consuming.  Consider creating a script to do it for you. Depending on how you name the directories, it could be possible to use patterns to reduce the number of stanzas needed. ... View more

@gcusello  thank you so much. I got some info from the links. ... View more

Yes, there are a couple of ways. The core problem here is very simple, so maybe mentioning it again will bring to mind other ways to fix this.  The problem is, that zip files get read and ingested *in their entirety* every time they get read and ingested.  That's why you have duplicated data.  Because the 30 rows in that zip file now, when the device saves a new copy with another 5 rows in it, those 35 rows ALL get read again and ingested.  Because it's a zip file, and that's how it works. So, you need a solution that makes this zip-file-append-behavior not be an issue.  What's right for your environment, or easiest, isn't anything for me to tell you.  But here are options. 1) You could unzip the file via some other method (batch file/script), into another folder and have Splunk monitor that other unzipped file in that other folder.  Then a standard monitor input will work on that new location/file, because Splunk can generally handle this.  Though you might have to play with crcsalt and other similar settings a bit. 2) Or maybe you could try the batch/sinkhole input again, only this time use an absolute path.  Then the batch/sinkhole input will delete it each time and there will be no re-reading of the old contents of the file because they won't be there (as far as I know the path requirements between monitor:: and batch:: inputs are identical and you literally shouldn't need to change anything except "monitor" to "batch" and add the move_policy=sinkhole to it, but if it's complaining about absolute paths, well, change it to absolute pathing then.) 3) Reconfigure the sending/saving device to not zip the file it's saving and instead leave it plaintext.  If you can do this, then a standard monitor input will probably work on the non-zipped file because monitor inputs are really smart about appended data on "regular" files. 4) Reconfigure the sending/saving device to not append to an existing file when it builds a zip file.   Then a standard monitor input will work, because it won't be an appended-to file, but instead "new from empty". I'm sure there are probably other solutions too. If you continue to have problems out of the batch/sinkhole input, please post your input stanza here so we can take a look at it - it's probably some other typo not letting you do this.   In any case, do let us know what ended up working! -Rich   ... View more

| makeresults | eval _raw="<?xml version=XXX> <measCollecFile XXX> <fileHeader XXX> <measCollec XXX/> </fileHeader> <measData> <measInfo measInfoId=\"statsitics\"> <job jobId=\"AAA\"/> <measType p=\"1\">cpu</measType> <measType p=\"2\">cpu_avg</measType> <measType p=\"3\">cpu_peak</measType> <measType p=\"4\">cpu_min</measType> <measValue measObjLdn=\"Management 1\"> <r p=\"1\">5</r> <r p=\"2\">5</r> <r p=\"3\">6</r> <r p=\"4\">2</r> </measValue> <measValue measObjLdn=\"Management 2\"> <r p=\"1\">6</r> <r p=\"2\">6</r> <r p=\"3\">6</r> <r p=\"4\">2</r> </measValue> <measValue measObjLdn=\"Management 3\"> <r p=\"1\">4</r> <r p=\"2\">4</r> <r p=\"3\">6</r> <r p=\"4\">2</r> </measValue> <measValue measObjLdn=\"Management 4\"> <r p=\"1\">3</r> <r p=\"2\">3</r> <r p=\"3\">6</r> <r p=\"4\">2</r> </measValue> </measInfo> </measData> <fileFooter> <measCollec XXX/> </fileFooter> </measCollecFile>" | multikv noheader=t | streamstats count(eval(match(_raw,"meas[IV]"))) as session | stats list(_raw) as _raw by session | sort session | where match(mvindex(_raw,0),"\<\w") | rex ">(?<values>.*)<" | rex "\"(?<name>.*)\"" | eval name=mvindex(name,0) | transpose header_field=name | where column="values" | eval _counter=mvrange(0,mvcount(statsitics)) | fields - column | stats list(*) as * by _counter | foreach * [ eval <<FIELD>> = mvindex('<<FIELD>>' , _counter) ] I can't make vertical. ... View more

I not able to find, can you post the URL? ... View more

| makeresults | eval temp="Time: 21:30 Total: 60 Running: 05 mt100 pool1 /root/user/bin/process1.sh mt100 pool12 /root/user/bin/process21.deb mt201 pool2 /root/user/bin/process321.sh mt301 pool3 /root/user/bin/process432.deb mt301 pool312 /root/user/bin/process52.sh" | makemv delim=" " temp | mvexpand temp | rename temp as _raw | erex processname examples="/root/user/binprocess1.sh,/root/user/bin/process21.deb" Also please. ... View more