Great, thanks Bob!! ... View more

Thanks Greg - that did the trick. Not sure why I didn't think of just using the future custom time. ... View more

Unfortunately these commands don't really give me what I'm looking for. What I keyed off of in 4.1 was the list of violations with the dates on them. Looks like I may need to change things around a bit. Thanks! ... View more

I'm glad that it works now ... View more

Thanks for the reply Simeon. I figured out the problem. Somehow my inputs.conf file got poplulated with a bunch of things that shouldn't have been in there, and missing what should have been in there. Once I got that fixed, the licensing information was OK. ... View more

I would turn off JS minification. I've seen bugs around that feature that resulted in the same symptom back in 4.1.x and I think in 4.2.X, so it's worth a shot. In $SPLUNK_HOME/etc/system/local/web.conf, in the [settings] stanza, put minify_js = False if you have no etc/system/local/web.conf, then create it, and have its contents be: [settings] minify_js = False ... View more

Awesome - that worked. Wasn't able to find that anywhere so thank you!! ... View more

Looks like the upgrade to 4.1.4 may have just uncovered incorrect licensing in prior versions. Before the upgrade from 4.1.3 to 4.1.4 we had 6 violations in the last 30 days, but no issues with using search - not messages about exceeding our license, except for the logged violations. After the upgrade, we got the licensing error and search was disabled. After rolling back to 4.1.3, the error went away. ... View more

Sorry took so long to answer, first time I've been back out here since. You can confirm you see the log data by just executing the lea-loggrabber.sh executable. If its working correctly, you'll see the log data on the screen until it catches up to the current date/time. We're actually trying to figure one out right now in which the communication link seems to be fine, but when we execute that command, it just gives the prompt back - no log data seen. Strange because with 4 of our Checkpoint connections, they worked fine using "18184" in the putkey command. This one that's not working needed "fw" for it to work. The other way to confirm its working is to just search in the gui for a device that you know exists in the checkpoint, not to mention it will have "opsec" as the sourcetype. If you do a "snoop host (ip of checkpoint)" at the splunkbox cli, you should also see communication every x seconds (however you configured your inputs.conf file). Also, you can use the '-debug' option for the lea-loggrabber.sh and see if communication is working. ... View more

New command is splunk list licenses ... View more