As an addition to this thread, one of my customers pointed out that they applied their renewal license and  received the same "FROM_THE_FUTURE" status. The cause of this is that the "create date" field, which is in epoch form and the actual start date of the renewal, is in the future. This should clear once the create/start date arrives, but it may require a restart of Splunk. ... View more

Hi! What has worked for me, especially when I would run into permission issues early in my splunking career, is to follow the steps listed above, but then add the following touches (assuming splunk is the user you want to use): sudo $SPLUNK_HOME/bin/splunk stop (no need to have splunkd cling to files/process that retain the previous ownership) sudo su splunk sudo chown -R splunk:splunk /opt/splunk(or where ever splunk is installed) sudo $SPLUNK_HOME/bin/splunk start Let splunk run through it's initialization process and BAM! Splunk is running as the new user, all of the ownership should be changed recursively throughout the file structure, and you've removed the need to reindex data or run chown multiple times. Hopefully this works with the same magical flair for you as it has for me. But you have shout "Bam!" with an exaggerated motion or else you break the magic. 🙂 happy splunking, my friend. ... View more

Thanks aholzer. That's exactly how I thought it would work, but wanted confirmation. ... View more

hello there, per this webiste: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4740 this is an example of EventCode 4740 A user account was locked out: Subject: Security ID: SYSTEM Account Name: WIN-R9H529RIO4Y$ Account Domain: WORKGROUP Logon ID: 0x3e7 Account That Was Locked Out: Security ID: WIN-R9H529RIO4Y\John Account Name: John Additional Information: Caller Computer Name: WIN-R9H529RIO4Y it does not contain a message. therefore, message field as no value hope it clears it a little ... View more

I guess these configurations should be in heavy forwarder not on indexer. In case of universal forwarders it should be in indexers. ... View more

That explains it. Thanks. ... View more

Thanks. I will try re-installing. ... View more

But that is most of the dashboards right? I set the ontap index to be searched and can search it just fine. I see the info about each filer and when I go into filer view I see the number of CPUs, memory and aggregates but below that where the dashboards are I do not get results. The only dashboard that works is the one that shows the total storage space. ... View more

The radio button does nothing more than change this web.conf setting... so there must have been an overruling web.conf somewhere, such as etc/ystem/local. ... View more

This issue was caused by the linux servers not having the correct time configured on them. Basically the servers thought it was 2013 when it was actually 2014. This caused the enterprise license not to activate because licenses are valid from date issued, which was 2014. ... View more

This issue was caused by the linux servers not having the correct time configured on them. Basically the servers thought it was 2013 when it was actually 2014. This caused the enteprise license not to activate because licenses are valid from date issued, which was 2014. ... View more

FOLLOWED THE SAME PROCEDURE BUT ITS NOT WORKING, LOCALHOST:8000 PAGE DISPLAYS - PAGE NOT FOUND . ... View more

Agree with @soutamo , yum remove is always better practice, if available on your distro. ... View more

The Architect Certification Lab is a "class", so just register for it! Once registered, it will send you a confirmation email that says the class is 4 hours long - which is not quite true. You will have a proctor/instructor online for the first 4 hours to answer questions, but you have 24 hours to complete the exam. (So don't make any afternoon appointments.) ... View more

Nope, it cannot. You could use external scheduling mechanisms like cron to have the forwarder stop or start at certain times, but the forwarder itself has no functionality like this. ... View more

Thanks mcronkrite. I'll install the TA_Windows and see if it makes a difference. ... View more

Thanks again. I'll give it a try. ... View more

To solve this: Modify file- C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf All types of logs you don't want as a source should be edited to: "disable = 1" The above file path is for a default install of Universal Forwarder on Windows2008R2. ... View more

Permission problem then. Glad you got it working. ... View more

Hello Bill, That explains, with your current level of authentication the installer will not be able to find the server that is why the error. if you have any service account which has access to both the server, try installing the splunk forwarder and then configure the inputs in WMI.conf later. Thanks ... View more

Feel free to accept the answer... 🙂 ... View more

Yer welcome, but be warned. Trying to monitor logon logoff transactions with Anything is fraught with peril because Windows often times loses the logoff part. Perhaps with the 6.1 Splunk you can create a knowledge object that associates a system shutdown with a logoff, but I've not tried it. ... View more