cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
kltest
Explorer
Member since: ‎08-26-2014
‎06-05-2020
Community Statistics
Posts 6
Solutions 0
Karma Given 1
Karma Received 2
Member Since ‎08-26-2014
Activity Feed
View All

Re: Override hostname to FQDN in etc/system/local/...

by in Getting Data In
‎10-08-2016 12:21 PM
‎10-08-2016 12:21 PM
Thanks rjthibod, but I know that if I change the inputs.conf on each forwarder that it fixes the issue. If I have to do this manually it's going to take a long time to login to each and every server to make the change. How can I accomplish this from the Splunk server without making changes directly on the forwarder? ... View more

Override hostname to FQDN in etc/system/local/inpu...

by in Getting Data In
‎10-08-2016 09:04 AM
2 Karma
‎10-08-2016 09:04 AM
2 Karma
Hello, I need to set Windows forwarders to use the FQDN as the hostname across all inputs, as I have duplicate hostnames in my environment. I've tried changing everything in a Splunk deployment app, but the only thing that seems to work is if I manually correct the entry in C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf from hostname to FQDN. From: [default] host = svr-vCenter To: [default] host = svr-vCenter.domain.local The changes that I've made in the deployment app have meant that the splunkd.log reports the name correctly: 10-08-2016 16:46:59.063 +0100 INFO ServerConfig - Host name option is "fullyqualifiedname". 10-08-2016 16:46:59.063 +0100 INFO ServerConfig - My hostname is "svr-vCenter.domain.local". But anything sent to the Splunk indexer shows up as the shortname and the FQDN gets ignored unless I change the file above. Is there any way I can automatically set this during install or afterwards in Splunk other than manually changing the contents of the file? What am I missing as this is driving me nuts! Thanks, Andy ... View more

Re: How can I run this query more efficiently with...

by in Splunk Search
‎08-24-2016 08:35 AM
‎08-24-2016 08:35 AM
Wow that's amazing!!!! So much quicker and I get all the info I needed. Thanks very much, our OpsTeam will salute you! 🙂 ... View more

How can I run this query more efficiently without ...

by in Splunk Search
‎08-24-2016 05:48 AM
‎08-24-2016 05:48 AM
Hello, I'm running the following query to combine data from two different sources and to create a table for our AppAssure monitoring: host="AppAssure1" source="WinEventLog:AppAssureMonitoring" EventCode=350| fields ServerName AgentStatus Version LatestSnapshot IsPaused LatestSnapshotStatus RepositoryName| dedup ServerName | rename RepositoryName AS LocalRepositoryName | join type=outer ServerName [search host="AppAssure2" source="WinEventLog:AppAssureMonitoring" EventCode=150 |fields ServerName ReplicatedStatus ReplicatedTimeStamp | dedup ServerName] | join type=outer ServerName [search host="AppAssure1" source="WinEventLog:AppAssureMonitoring" EventCode=250 |fields ServerName ExportedTimeStamp ExportedStatus | dedup ServerName| rename ExportedTimeStamp AS LocalExportedTimeStamp|rename ExportedStatus AS LocalExportedStatus ] | join type=outer ServerName [search host="AppAssure2" source="WinEventLog:AppAssureMonitoring" EventCode=250 |fields ServerName ExportedTimeStamp ExportedStatus | dedup ServerName | rename ExportedTimeStamp AS ReplicaExportedTimeStamp| rename ExportedStatus AS ReplicaExportedStatus] I'm aware that it's horribly inefficient, but can't see a way to get the same result without using the join command as I also need to rename the fields as I go etc. I have to run this query on multiple tables on the same dashboard and as you can imagine it takes quite a while to load. Can anyone clever point me in the right direction of where to go from here? Thanks, Andy ... View more

Re: Will IMAP Mailbox work for Splunk 6.2?

by in All Apps and Add-ons
‎01-14-2015 02:32 AM
‎01-14-2015 02:32 AM
Thanks Adauria, I managed to get it installed via this method but it wouldn't work. Eventually, I found that I needed to add the following line at the end of Splunk\etc\apps\IMAPmailbox\default\restmap.conf: handleractions=create,edit,list,remove,enable,disable,_reload I then deleted the generated imap.conf file and copied the one from default, edited it and put my server details in, edited inputs.conf to enable the section for Windows and added the complete Splunk path in and it worked fine. 🙂 ... View more

Will IMAP Mailbox work for Splunk 6.2?

by in All Apps and Add-ons
‎01-11-2015 02:28 PM
‎01-11-2015 02:28 PM
Hello, I can't see how to install IMAP Mailbox in 6.2, presumably because it hasn't been marked as compatible with this version. Any chance I can force install it somehow..? Thanks, Andy ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM
Karma from
View All
Karma given to
View All