am having same problem running splunk WEB on my second and third indexers as i wanted to go and configure their listening ports however, the first indexer is connecting to the web without any problems. I didn't experience this yesterday   ... View more

This App seems to be really useful - https://splunkbase.splunk.com/app/5482/. The App auto-updates the MaxMind database without going into the backend. It also allows you to run a search command on Splunk search to manually download and update latest database.  ... View more

You should do it on both (SH and indexers) otherwise you are going to have discrepancies. Iplocation is a streaming command and depending on your search it can either be applied at the indexers level or at the SH level. ... View more

Thanks Cedric. It makes sense. I just wanted to confirm my understanding before putting forward the solution design ... View more

I got rid of the HTML Tags using 4SED statements to get rid of all the HTML tags & formatting: rex field=SOLUTION mode=sed "s/&q u o t //g" ->(without spaces) rex field=SOLUTION mode=sed "s/<[^>]*>//g rex field=SOLUTION mode=sed "s/- - & g t//g --> (without spaces) rex field=SOLUTION mode=sed "s/& g t//g --> (without spaces) ... View more

Excellent. That was it. I disabled the sucker for this sourcetype (DATETIME_CONFIG = NONE) and is all good now Thanks man! ... View more

i had the same problem, couldnt connect to indexer in windows for universal forwarder installation ( 5.0.4) please check the files in: path "\SplunkUniversalForwarder\ etc\ system\ local " replace the config files under with those from: path \SplunkUniversalForwarder\ etc\ apps\ Windows\ local restart splunkforwarder: splunk restart it should get connected in splunk host i can see the forwarder has been connected and it has send logs. i had activated some advanced audit features. ... View more

I will also add to this thread - I've been having a similar issue for quite some time now, and it's getting worse as time goes by. I'm on Splunk 6.2 ... View more

well, your provided example is a simple 'if else' script and I still think it is the best and easiest way to check for the files you want and not for any rolled ones. feel free to supply your solution 🙂 ... View more

Above solution doesn't work for me (Splunk 5.0.4) but I found a way to accomplish this very nicely by changing just one file instead of two Edit ../etc/apps/search/bin/sendemail.py and comment out lines #189-213 as shown below. (you'll need to change the file permissions from read-only first) No need to restart Splunk, the change will be picked up at the next Alert The "inline" alerts will show only the search results without any additional text. The PDF or CSV alerts are not impacted by this change sendemail.py section.....line 189 # else: # intro += "Saved search results.\n\n" # if settings != None: # user = settings.get("user", None) # if user: # intro += "User: \'" + escape(user, plainText) + "\'\n" # if ssName: # intro += "Name: \'" + escape(ssName, plainText) + "\'\n" # query = getarg(argvals, "ssquery", None) # if query: # intro += "Query Terms: \'" + escape(query, plainText) + "\'\n" # ssLink = getarg(argvals, "sslink", None) # if ssLink and not plainText: # ssLink = "<a href=\"" + ssLink + "\">" + ssLink + "</a>" # if ssLink: # intro += "Link to results: " + ssLink + "\n"; # ssSummary = getarg(argvals, "sssummary", None) # if ssSummary: # intro += "Alert was triggered because of: \'" + escape(ssSummary, plainText) + "\'\n" ... View more

index=_internal sourcetype=splunkd_ui_access | stats count by clientip , user , _time | lookup dnslookup clientip | timechart distinct_count(clienthost) by clienthost span=1d limit=100 This command worked very well ... View more