Unfortunately the password field is not actually checked during test connectivity. We had a bad password that we didn't realize, because the test connectivity always came back as passed.  I'm running into an issue where we can successfully create an issue, but when we run get ticket or update ticket we get a generic error message that the issue doesn't exist or the permissions are not correct. Is there something different that needs to be done for get/update ticket?  ... View more

Here is another solution I came across https://community.splunk.com/t5/Splunk-Search/Field-results-as-table-column-headings/m-p/66771 that might work. It's using the chart command.      ... View more

Not sure what happened. I moved the "old" app to /disabled_apps, installed 2.2.2 from scratch and configured just like the old one was and everything is working just fine now. Now I just need to make sure that the log cleaning configuration is in place ... View more

I am having this problem. My $SPLUNK_HOME/etc/apps/eStreamer/log/ directory had filled up and stopped Splunk from functioning. I cleared out the log directory and restarted splunk, but now eStreamer is not functioning at all. There are no logs and no new data in Splunk. The client is reporting that it is running just fine. I also upgraded to 2.2.2 with no change. We are running version 5.4.1 of Defense Center. It was working fine before the log directory filled up. ... View more

Hi, where do you have the components? On the cluster master I have $SPLUNK_HOME/etc/master-apps /SplunkforPaloAltoNetworks /TA-paloalto On the SyslogNG server I have $SPLUNK_HOME/etc/apps /SplunkforPaloAltoNetworks /TA-paloalto The mistake I made originally was on the cluster master I put all my apps in $SPLUNK_HOME/etc/master-apps/_cluster/ Only local should go in _cluster ... View more

Hi Brian, The answer solves the case of using a Heavy Forwarder as the means of ultimately getting the data into Splunk, however this hasn't solved the issue of a UF on a Syslog-NG server that sends the data onto the indexers. I am still confused why the sourcetyping works correctly when the app is installed in SPLUNK_HOME/etc/apps on the indexer, but it DOES NOT WORK when the app is in the SPLUNK_HOME/etc/slave-apps/_cluster directory on a clustered indexer. ... View more

My configurations/apps are deployed via $splunk_home/etc/master-apps/ The PA app/transforms that change the sourcetype are NOT working when they reside in the $splunk_home/etc/slave-apps directory, they only seem to work when in the $splunk_home/etc/apps directory ... View more

The app in both /etc/apps and /etc/slave-apps have the same OS level permissions and the same Splunk app permissions as listed below Application-level permissions [] access = read : [ * ], write : [ admin, power ] EVENT TYPES [eventtypes] export = system PROPS [props] export = system TRANSFORMS [transforms] export = system [lookups] export = system OTHER [savedsearches] export = none [commands] export = system ... View more

As a test, I copied the app from .../etc/slave-app/_cluster to /etc/apps on one of the clustered indexers and rebooted the box. The sourcetyping is now correct for indexer02, but incorrect on indexer01 and indexer03 There appears to be something unique with the clustered indexer setup ... View more

The sourcetype is set to pan_log . The following is the inputs.conf stanza for my syslog-ng server Push PaloAlto Syslog to Splunk: [monitor:///var/log/syslog-ng/paloalto] disabled = false index = pan_logs sourcetype = pan_log no_appending_timestamp=true host_segment = 5 The architecture is now: - PA sends syslog to syslog-ng server with UF - UF forwards to indexer cluster load balancing between three indexers - Each indexer has the app in the $SPLUNK_HOME/etc/slave-apps/_cluster directory - The search head has the app in $SPLUNK_HOME/etc/apps Our 2nd site with just PA --> UF --> Standalone indexer <-- Search Head parses the logs just fine with the correct sourcetypes. Our primary site did have a stand alone indexer and it worked. When we changed to the indexer cluster is when the parsing/sourcetyping stopped working. ... View more

Thank you both. However, I am still not getting the correct sourcetypes. I have my PAs sending their syslogs to a Syslog-NG server with a UF. The UF's inputs.conf sets the index to pan_logs and the sourcetype to pan_log. Both the Search Heads and the Indexers have the app installed. The standalone (non-clustered) Indexer is reassigning the correct sourcetypes (pan_traffic, pan_config, etc), however the indexers in the cluster are not. I only see the original set pan_log. Is there a different required config for a clustered instance? ... View more

David, Did this resolve your issue? Thanks, Robert ... View more