@splunktrainingu, Please check splunk-launch.conf for SPLUNK_OS_USER then su to this user and start the Splunk service like below; (assuming SPLUNK_OS_USER is splunk) sudo su splunk - /opt/splunk/bin splunk start   If this reply helps you upvote is appreciated. ... View more

Installation might have been done in root & service is running under splunk user which could have created the splunk file. Changing it to splunk user will not have any impact if service is running under splunk. chown splunk:splunk /opt/splunkforwarder ... View more

Hi @splunktrainingu, network inputs are the inputs from syslog in TCP or UDP protocol that you can find in [Settings -- data Inputs -- TCP/UDP]. Anyway, I understood that you already have logs in files, so you don't need Network Data Inputs. You don't have any extracted field for the format of your logs and because you don't have a Technical Add-On (specialized Apps to parse logs)At first see in splunk baseline (apps.splunk.com) if there's a TA already done. If not, you have to create your parser extracting the fields you need. to do this you can use regexes and/or the spath command e.g. running this search: your_search | rex "[^\{]*(?<_raw>.*)" | spath | rex field="session.saml.last.attr.friendlyName.eduPersonAffiliation" "^\|\s+(?<member>[^\|]*)\|\s(?<staff>[^\|]*)\|\s(?<employee>[^\|]*)\|\s(?<alum>[^\|]*)\|\s(?<faculty>[^\|]*)\|" Ciao. Giuseppe ... View more

I'm talking about ANY inputs.conf file. It doesn't make much difference. You can use $SPLUNK_HOME/etc/system/local/inputs.conf if you prefer, but I prefer to put my custom configs in an app I create, like $SPLUNK_HOME/etc/apps/my_inputs/local/inputs.conf. It's not possible to make an index point to the location of the syslog. You must define an input that reads from the syslog file(s) and writes to an index. ... View more

Real-time alerting is only useful when you have real-time responses to those alerts.  Otherwise, schedule them for every 5 or 10 minutes.  That's still often enough to catch problems early without tying up a CPU like a real-time search does. ... View more

As richgalloway stated: "Splunk's PDF generator has its quirks. Consider putting the results inline instead of as an attachment (or both)." he recommended using the inline result ... View more

Silly me, so under forwarder management you have to go to the apps tab and check the splunkd restart box and this fixed the the problem. ... View more

I was able to find that there was an application called Splunk TA (splunkuniversalforwarder/etc/apps) which resided on that machine simply deleted it because I know I do not have this on my fresh install of Splunk so it won't be pushed out again also checked my deployment server and made sure it is none existent there. ... View more

Permissions make sure splunk owns opt/splunk. ... View more

Check this out. https://www.splunk.com/en_us/blog/tips-and-tricks/controlling-4662-messages-in-the-windows-security-event-log.html I think this is along the line of what you are looking for. You need to use regex to create the filter. (Edit: Formatting) ... View more