Activity Feed
- Karma Re: Connect Splunk DB Connect to MariaDB with SSL and cert for ShaneNewmanRH. 10-29-2024 06:21 AM
- Got Karma for Re: How to change the width of two dashboard panels in the first row from 50% 50% to 75% 25% in Simple XML for Splunk 6.2?. 02-23-2024 05:07 AM
- Got Karma for Re: Splunk external lookup script within app not running. 02-21-2024 11:38 AM
- Got Karma for Re: apply shcluster-bundle returning insufficient permission to access this resource. 01-11-2023 09:30 AM
- Karma Event_breaker vs Line_breaker ? for daniel333. 10-13-2022 01:49 AM
- Got Karma for Re: How to delete data / index (reset start from scratch). 09-27-2022 01:31 PM
- Posted Re: Why do Custom Alert Actions values of Yes or No in a selection take different values? on Alerting. 10-11-2021 04:58 AM
- Karma Re: Where should I check for python.log error messages about generating pdf of scheduled reports? for ronogle. 09-15-2021 02:32 AM
- Karma Re: How to include an app name as a part of the search query? for martin_mueller. 07-07-2020 01:43 PM
- Karma The add-on for Symantec Endpoint Protection (https://splunkbase.splunk.com/app/2772/) is not extracting the fields by default. version 3.0.0 for dkolekar_splunk. 06-05-2020 12:51 AM
- Karma Re: The add-on for Symantec Endpoint Protection (https://splunkbase.splunk.com/app/2772/) is not extracting the fields by default. version 3.0.0 for dkolekar_splunk. 06-05-2020 12:51 AM
- Karma Fork of Splunk Add-on for Check Point OPSEC LEA for Splunk ES for simonsigre. 06-05-2020 12:50 AM
- Karma Re: Create Oracle Connection: Cannot load connection class because of underlying exception: com.mysql.cj.exceptions.WrongArgumentException: Malformed database URL, failed to parse the main URL sections. for earlhelms. 06-05-2020 12:50 AM
- Karma DBConnect: OSError: [Errno 2] No such file or directory validate java command: /usr/java/latest/bin/java. for Branden. 06-05-2020 12:50 AM
- Karma Re: DBConnect: OSError: [Errno 2] No such file or directory validate java command: /usr/java/latest/bin/java. for teunlaan. 06-05-2020 12:50 AM
- Got Karma for Re: Local processing of forwarded events on heavy forwarder issues. 06-05-2020 12:50 AM
- Karma Re: How do I reload a configuration file that does not require a restart? for yannK. 06-05-2020 12:49 AM
- Karma Create field extractions without the capability admin_all_objects for cesarb. 06-05-2020 12:49 AM
- Karma How to recalculate earliest and latest in view? for schose. 06-05-2020 12:49 AM
- Karma Re: How to recalculate earliest and latest in view? for niketn. 06-05-2020 12:49 AM
Topics I've Started
10-11-2021
04:58 AM
Hi, I came across this old question via google search on alert on splunk-control-group topic. As there is not much information in docs and answers, it might be still relevant. Did you specify action.hipchat.param.color in apps/README/alert_actions.conf.spec file as <boolean>? If so, you can change it to <string> and see if it makes a difference? Best regards
05-25-2020
04:06 AM
According to our documentation, AIX is not supported.
Has this changed in Version 8.x ?
Until 7.3.5 the documentation is listing the supported versions. Beginning with 8.0.0 it refers to the Supported Operating Systems, which includes AIX as supported for Universal Forwarder:
http://docs.splunk.com/Documentation/Splunk/8.0.0/Installation/Systemrequirements#Supported_Operating_Systems
04-08-2020
11:27 AM
I had the same problem in Splunk 7.3.4.2 and DB-Connect 3.2.0
I tried to make a new Oracle-DB-Connection and got a mySQL error message. When I removed the mySQL driver from DB-Connect I got the correct error message from the Oracle jdbc driver.
As suggested by earlhelms it seems to be a bug in the mySQL jdbc driver, so I updated this driver from version 8.0.11 to 8.0.19 and this seems to solve the issue.
04-08-2020
11:25 AM
I had the same problem in Splunk 7.3.4.2 and DB-Connect 3.2.0
I tried to make a new Oracle-DB-Connection and got a mySQL error message. When I removed the mySQL driver from DB-Connect I got the correct error message from the Oracle jdbc driver.
As suggested here it seems to be a bug in the mySQL jdbc driver, so I updated this driver from version 8.0.11 to 8.0.19 and this seems to solve the issue.
03-10-2020
10:46 AM
Yes, the SplunkBase site is showing compatibility to CIM Version 4.x
https://splunkbase.splunk.com/app/1915
02-24-2020
05:43 AM
I think the best idea is to file a case at Splunk support to receive the most current beta version of props/transforms. Or to wait for version 3.0.1 of the Add-On.
Best regards
12-10-2019
07:04 AM
Hi, I have the same problem with rotated logfiles.
I'm using Universal Forwarder in version 6.4.5 to monitor a log file and its rotated versions. There was a network outage and the UF was not able to send its data for some time. In the meantime the logs were rotated and zipped. The files it never began to read were read fine after the network problem was resolved - even the zipped ones. But the file it was reading at the beginning of the outage was only unzipped and then commented with "already read, so skipped".
When I manually unpacked the file and put it in place the UF started reading where it stopped because of the outage. So I think UF is skipping the check of the seekCRC at seekAddress as mentioned here:
https://docs.splunk.com/Documentation/Splunk/6.4.5/Data/HowLogFileRotationIsHandled
Does anyone know, if this is resolved in any Version?
08-21-2019
02:12 AM
I opened a case and it's confirmed that the ER has not been implemented so far. Our need is now added to ER SPL-175134, but no big hope for having this implemented soon.
08-19-2019
05:53 AM
Hi, do you have any information if this Enhancement Request was implemented?
01-31-2019
02:23 AM
I had problems using the [default] stanza, too. You can try this:
You can also define global settings outside of any stanza, at the top of the file.
01-31-2019
02:21 AM
1 Karma
This is not affecting transforms, just line-merging or timestamp recognition etc. (parsing and aggregation queue)
See: https://wiki.splunk.com/Community:HowIndexingWorks
If you want to "re-parse" Events you can try the setting in inputs.conf like suggested here:
https://answers.splunk.com/answering/275684/view.html
01-31-2019
01:32 AM
Have you tried setting the _SYSLOG_ROUTING via props/transforms as suggested here:
https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad
Can you please give a config example of your props/transforms which is not working as expected?
For those who come to this page looking for an answer how to avoid giving a user the admin_all_objects capability, if you only want the user to do a "splunk apply shcluster-bundle"...
We opened a case for this (1165853) and there is a solution:
You can build a custom role for this.
Step 1: Define a new capability and assign it to a role - via authorize.conf
```ini
[capability::deployer_capability]

[role_deployer]
deployer_capability = enabled
```
Step 2: Assign the capability to the correct REST endpoint, which is used by this CLI command - via restmap.conf
```ini
[apps-deploy:apps-deploy]
capability.post=deployer_capability
```
This is working pretty fine for us and we can now have a technical user doing a "splunk apply shcluster-bundle" without having a technical user with admin privileges.
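As an added example (not from the post above and not Splunk's own tooling), a small Python check that parses the two stanzas from the post and verifies the least-privilege chain end to end: the endpoint requires a capability, that capability is declared, the role enables it, and the role does not quietly keep admin_all_objects. The conf text and the role/endpoint names are the ones from the post; the function names are my own.

```python
import configparser

# Constructed sample stanzas, copied from the post's authorize.conf and restmap.conf
AUTHORIZE_CONF = """
[capability::deployer_capability]

[role_deployer]
deployer_capability = enabled
"""

RESTMAP_CONF = """
[apps-deploy:apps-deploy]
capability.post = deployer_capability
"""


def parse_conf(text):
    """Splunk .conf files are INI-like: case-sensitive keys, stanzas may be empty."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True, strict=False)
    cp.optionxform = str  # keep key case, e.g. "capability.post"
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def check_least_privilege_role(authorize_text, restmap_text, role, endpoint, method="post"):
    """Return a list of findings; an empty list means the capability chain is intact."""
    auth = parse_conf(authorize_text)
    rest = parse_conf(restmap_text)
    findings = []
    cap = rest.get(endpoint, {}).get(f"capability.{method}")
    if not cap:
        # No capability on the endpoint: any authenticated user can call it
        findings.append(f"{endpoint} has no capability.{method}")
        return findings
    if f"capability::{cap}" not in auth:
        findings.append(f"{cap} is referenced in restmap.conf but never declared in authorize.conf")
    role_stanza = auth.get(f"role_{role}", {})
    if role_stanza.get(cap) != "enabled":
        findings.append(f"role_{role} does not enable {cap}")
    # The point of the post: the role must not fall back on admin_all_objects
    if role_stanza.get("admin_all_objects") == "enabled":
        findings.append(f"role_{role} still has admin_all_objects enabled")
    return findings


if __name__ == "__main__":
    for finding in check_least_privilege_role(AUTHORIZE_CONF, RESTMAP_CONF, "deployer", "apps-deploy:apps-deploy"):
        print("FINDING:", finding)
```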
11-13-2018
09:03 AM
1 Karma
We opened a case for this (1165853) and there is a solution:
You can build a custom role to not need a user to have the admin_all_objects capability.
Step 1: Define a new capability and assign it to a role - via authorize.conf
```ini
[capability::deployer_capability]

[role_deployer]
deployer_capability = enabled
```
Step 2: Assign the capability to the correct REST endpoint, which is used by this CLI command - via restmap.conf
```ini
[apps-deploy:apps-deploy]
capability.post=deployer_capability
```
This is working pretty fine for us and we can now have a technical user doing a "splunk apply shcluster-bundle" without having a technical user with admin privileges.
11-13-2018
08:50 AM
We opened a case for this problem (1175734). There is a quite simple workaround for this (if you know about it):
Just add the following code to etc/system/local/restmap.conf:
```ini
[eai:conf-transforms]
capability.write=allow_access_to_all
```
But the problem is also filed as a bug: SPL-162527
06-26-2018
04:21 AM
Helped for me - nice solution. Should be accepted answer 😉
Thank you very much.
03-12-2018
05:46 AM
1 Karma
I think you want to sort the order of the fields in a table based on which savedsearch the events are from. For this you need to search for a specific saved_search. Then you have a lookup with a 1:1 connection between savedsearch and format. If this is true, try the following:
```spl
index=summary search_name="your_saved_search"
| table
    [ | inputlookup formatting.csv
      | search search_name="your_saved_search"
      | fields format
      | rename format as search ]
```
The background for this is that a field named "search" from a subsearch is interpreted as SPL in the base search.
10-29-2017
01:55 PM
Did you try the TERM() keyword? The magic behind it is described in this session for example: Indexed Tokens and you
I was able to greatly improve searches for single IP addresses with TERM(). It's working even better when the logs you are searching in do not have quotes (") around the value of dest_ip and have field=value in the _raw data. Because you can then do something like TERM(dest_ip=192.168.1.1).
You can even use the inputlookup @masonmorales suggested, when you know how to format the output of a subsearch:
```spl
index=network sourcetype=fgt_traffic [|inputlookup match_address
    | eval search="TERM(".match_address.") OR "
    | stats values(search) as search
    | nomv search
    | eval search="(".rtrim(search, " OR ").")"]
```
Edit: Insert " OR " between terms.
10-25-2017
02:42 AM
Already answered here: https://answers.splunk.com/answering/11189/view.html
If there are multiple timestamps, you can use a custom DATETIME_CONFIG instead of specifying TIME_FORMAT and TIME_PREFIX.
05-17-2017
01:59 AM
Thanks. Can you keep us informed about the bug status here or should I open a case?
Your workaround is a good idea, but it's not working for us. If I switch the log level to ERROR, I will not receive correct warnings anymore.
We need the warnings to see if someone forgets the line-breaking marker "\" if a search or any other value is using multiple lines. In the worst case we have a saved search which is missing some lines because of a missing "\", which might result in a security event not being recognized...
05-15-2017
03:16 AM
Is there any news on this?
I have the same errors since updating from 6.4.4 to 6.5.3
03-23-2017
01:14 AM
Looks like the same problem here: https://answers.splunk.com/answering/492028/view.html
Splunk states that the message can be ignored and they are still working on a fix.
A workaround might be to disable Boot-Start of the Forwarder.
03-23-2017
01:09 AM
Any news here? We have the same error with AIX and Splunk Universal Forwarder 6.4.5
03-21-2017
09:09 AM
I downvoted this post because it is not respecting the fact that _TCP_Routing = * is set by Splunk's default on Universal Forwarders, as stated already in the question.