cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
plymalebl
Explorer
Member since: ‎01-16-2020
‎05-02-2024
Community Statistics
Posts 5
Solutions 0
Karma Given 0
Karma Received 3
Member Since ‎01-16-2020
Activity Feed
View All

Re: Splunk Host Migration [Linux]

by in Splunk Enterprise
‎05-02-2024 04:52 AM
‎05-02-2024 04:52 AM
Essentially if the only change is OS it should be fairly easy to migrate. Ensure the new systems have the same IP or Hostnames depending on whether you use names or IPs in the configs. Ensure the splunk user and group are created on the new servers, follow instructions for installing by tar file. Stop the current servers, tar up the /opt/splunk folder and any data store folder. Then untar them onto the new boxes.  ... View more

Re: Why is Historical license usage page showing b...

by in Splunk Enterprise
‎09-06-2023 07:46 AM
1 Karma
‎09-06-2023 07:46 AM
1 Karma
I had this same issue after upgrading to Splunk 9.1.0.2 and found there was a missing choice value under the All Pools option inside of the view $SPLUNK_HOME$/etc/apps/splunk_monitoring_console/default/data/ui/views/license_usage_historic.xml    You will need to go in and manually update the xml at CLI or with the text editor of your choice. Adjust the choice value for the input from the blank value to the asterisk wildcard as shown below.     <input type="dropdown" searchWhenChanged="true" token="pool"> <label>Pool</label> <showClearButton>false</showClearButton> <fieldForLabel>name</fieldForLabel> <fieldForValue>value</fieldForValue> <search> <query> | rest splunk_server=$splunk_server$ /services/licenser/pools | rename title AS pool | search [rest splunk_server=$splunk_server$ /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | eval name=pool | eval value="pool=\"". pool . "\"" | table name value </query> </search> <choice value="*">All Pools</choice> <default>All Pools</default> <change> <condition value=" "> <set token="size_search">dmc_licensing_stack_size_srch</set> <set token="sz_clause">stacksz</set> </condition> <condition value="*"> <set token="size_search">dmc_licensing_pool_size_srch</set> <set token="sz_clause">poolsz</set> </condition> </change> </input>     ... View more

Re: Cisco eStreamer eNcore issues

by in All Apps and Add-ons
‎12-02-2022 06:32 AM
‎12-02-2022 06:32 AM
I know this is an old thread, but just ran into this in my own instance running Splunk 8.2.8 and Cisco eStreamer eNcore for Splunk (3.7.4). The problem is that in the encore.conf file it is using a different file path than what is in the splencore.sh for datapath. That is why the clean-up script isn't working properly. "uri": "relfile:///../../data/encore.{0}.log" } } ], The file location is different than what is in the default.conf and is causing it to save data in the full path of $SPLUNK_HOME/etc/apps/TA-eStreamer/data rather than the clean hardcoded path in the app of /opt/splunk/etc/apps/TA-eStreamer/bin/encore/data Hopefully this will help someone else get their system cleaning data properly. Either adjust the value in encore.conf or adjust the clean path in splencore.sh to the appropriate location. ... View more

Universal Forwarder not reading user-seed.conf (ve...

by in Getting Data In
‎05-18-2020 10:28 AM
‎05-18-2020 10:28 AM
I have read other articles but haven't found an answer. I recently pushed the universal forwarder to Windows clients to upgrade from 6.5.1 to 7.2.6 and did not set the user password. The forwarder is functioning, but on start throws the error for "No user configured". I created a user-seed.conf using the instructions with a hashed password and pushed it from the Windows SCCM with a restart after placing the file into system local as described in the user-seed.conf.spec page. However, the forwarder does not seem to be reading it on restart since I am still seeing the same error. Has anyone else found a reason for this? We have checked file permissions and don't see a problem. The forwarder is running as a local system service and is seen as a local administrator for the user. The local admin has permissions to the user-seed.conf file. ... View more

FIPS and Splunk Compatibility

by in Splunk Search
‎01-16-2020 06:18 AM
2 Karma
‎01-16-2020 06:18 AM
2 Karma
I have inherited a Splunk Enterprise and FIPS is on for about half of the environment. My experience has always been negative with FIPS compliance so I am interested in disabling it. Preliminary checks show it is on for my search heads and LM, but not for the Indexer Cluster, CM or DS. I am also reasonably certain it is not on for most if not all of my forwarders. I had to disable it on a heavy forwarder to get some applications working which is a known and documented issue. The application of note was e-streamer which is most likely due to the firepower also not being FIPS enabled. I know Splunk documentation says you can only enable Splunk in FIPS mode from install, but there is nothing about disabling FIPS mode. Any insight, experience or advice would be appreciated. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎05-02-2024 08:13 AM
Karma from
View All