cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
plymalebl
Engager
Member since: ‎01-16-2020
‎12-02-2022
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 2
Member Since ‎01-16-2020
Activity Feed
View All

Re: Cisco eStreamer eNcore issues

by in All Apps and Add-ons
‎12-02-2022 06:32 AM
‎12-02-2022 06:32 AM
I know this is an old thread, but just ran into this in my own instance running Splunk 8.2.8 and Cisco eStreamer eNcore for Splunk (3.7.4). The problem is that in the encore.conf file it is using a different file path than what is in the splencore.sh for datapath. That is why the clean-up script isn't working properly. "uri": "relfile:///../../data/encore.{0}.log" } } ], The file location is different than what is in the default.conf and is causing it to save data in the full path of $SPLUNK_HOME/etc/apps/TA-eStreamer/data rather than the clean hardcoded path in the app of /opt/splunk/etc/apps/TA-eStreamer/bin/encore/data Hopefully this will help someone else get their system cleaning data properly. Either adjust the value in encore.conf or adjust the clean path in splencore.sh to the appropriate location. ... View more

Universal Forwarder not reading user-seed.conf (ve...

by in Getting Data In
‎05-18-2020 10:28 AM
‎05-18-2020 10:28 AM
I have read other articles but haven't found an answer. I recently pushed the universal forwarder to Windows clients to upgrade from 6.5.1 to 7.2.6 and did not set the user password. The forwarder is functioning, but on start throws the error for "No user configured". I created a user-seed.conf using the instructions with a hashed password and pushed it from the Windows SCCM with a restart after placing the file into system local as described in the user-seed.conf.spec page. However, the forwarder does not seem to be reading it on restart since I am still seeing the same error. Has anyone else found a reason for this? We have checked file permissions and don't see a problem. The forwarder is running as a local system service and is seen as a local administrator for the user. The local admin has permissions to the user-seed.conf file. ... View more

FIPS and Splunk Compatibility

by in Splunk Search
‎01-16-2020 06:18 AM
2 Karma
‎01-16-2020 06:18 AM
2 Karma
I have inherited a Splunk Enterprise and FIPS is on for about half of the environment. My experience has always been negative with FIPS compliance so I am interested in disabling it. Preliminary checks show it is on for my search heads and LM, but not for the Indexer Cluster, CM or DS. I am also reasonably certain it is not on for most if not all of my forwarders. I had to disable it on a heavy forwarder to get some applications working which is a known and documented issue. The application of note was e-streamer which is most likely due to the firepower also not being FIPS enabled. I know Splunk documentation says you can only enable Splunk in FIPS mode from install, but there is nothing about disabling FIPS mode. Any insight, experience or advice would be appreciated. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎12-02-2022 12:09 PM
Karma from
View All