I want to add the dispatch.ttl=1800 to a few reports which otherwise keep the search artifacts for 2p time.
1. Is there a way to set this value from the GUI while creating a report or once the report is created? Or is changing the config on the deployer and pushing it to all SHs the only option?
The alert.results csv file has __mv_field name for every field added in the search. Is there a way to stop these fields from being added in the file? Or is there a way to remove them using Python?
Hello,
Try using the below in transforms.conf.
[mytransform]
REGEX = \s+(\w+)='(.*?)'
FORMAT = $1::$2
MV_ADD = true
REPEAT_MATCH = true
Use the correct name in props.conf (mytransform), e.g.
[]
REPORT-fieldextr = mytransform
Do you get any warning/error when you restart the Splunk Enterprise instance?
Ideally, once the restart is complete it should give a message like: The Splunk web interface is at https://hostname:8000
Also, verify if the user running Splunk has read permission to outputs.conf (the user should have access to all the conf files, in short to /opt/splunkforwarder).
1. The Splunk universal forwarder does not have a web UI.
2. Where is your outputs.conf file located? Please run ./splunk btool --debug outputs list and paste the response here.