Glad to know that it worked. ... View more

Can you try moving the app which basically resides in cluster master to some other directory and then push the bundle(which basically will push the app without TA-nix) and see if the app is still in etc/apps on the slaves. ... View more

This link might help you.. https://docs.splunk.com/Documentation/Splunk/8.0.3/Indexer/Updatepeerconfigurations#Settings_that_you_should_not_distribute_through_the_configuration_bundle ... View more

Hi @spaniard047 , Where have you installed the addon? The addon should be on search head, indexer and forwarder. ... View more

Hi dyude @dmenon , You can try this, rex field=username "(?P<username>[^\.]+)" ... View more

This might help you! https://docs.splunk.com/Documentation/Splunk/8.0.2/Forwarding/Routeandfilterdatad ... View more

Hi @satoishi , これを試してもらえますか ポート8089が開いているかどうかを確認します。 ユニバーサルフォワーダーから8089にtelnetで接続できます 次のコマンドを実行して、展開サーバーが正しく設定されているかどうかを確認することもできます ./splunk show deploy-poll Linux用 .\splunk show deploy-poll Windows用 展開サーバーを指しているかどうかを確認します これが役立つかどうか教えてください ... View more

Glad it worked for you 🙂 ... View more

Hi dyude @jonsantos , Can u try this, On the deployment server create an inputs.conf file in the local diretory of winevt app( $SPLUNK_HOME/etc/deployment-apps/winevt/local/inputs.conf) and then try pushing the file. [WinEventLog://Security] disabled = 0 whitelist1 = EventCode=4625 An inputs.conf should get created in local directory of winevt app in the forwarder(C:\Program Files\SplunkUniversalForwarder\etc\apps\winevt\local\inputs.conf ). Check the permission of the inputs.conf file in forwarder. Search the logs with the given index name(if any). Let me know if this helps ... View more

Hi dyude @sandeepmakkena , You can try this , index=your index |rex field=gauge "ProcessorResponse\.Country\[(?P<Country>.+)\]Processor\[(?P<Processor>.+)\]PaymentType\[(?P<PaymentType>.+)\]\s(?P<reason>\w+)" ... View more

dyude @geoffmx , Can you try this, props.conf [msad:nt6:dns] TRANSFORMS-set= domain1,domain2 transforms.conf [domain1] REGEX = query\=subdom\.domain01\.com DEST_KEY = queue FORMAT = nullQueue [domain2] REGEX = query\=domain02\.com DEST_KEY = queue FORMAT = nullQueue Llet me know if it works for you! ... View more

hi dyude @dhirendra761 , its inputs.conf and outputs.conf, you can check the spelling. if it's proper then you can give this a shot... outputs.conf [tcpout:Group1] server=server1:9997 [tcpout:Group2] server=server2:9997 inputs.conf [WinHostMon://Service] _TCP_ROUTING = Group1 [monitor://D:\SATS\SecureLog\*\Logs_Status\*] _TCP_ROUTING = Group2 ... View more

Hi dyude @charlesukah, You can refer this blue print.. https://www.splunk.com/pdfs/training/Splunk-Test-Blueprint-Admin-v.1.1.pdf ... View more

@raphabaroudi, Did u check the connectivity between those forwarders and the Splunk instance? ... View more

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Route_inputs_to_specific_indexers_based_on_the_data_input ... View more

In the link it says it can be done through uf ... i thought that could be a workaround! But thanks for clarifying it 🙂 ... View more

Hi @koshyk dyude, This link might help you! https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad ... View more

Hi @t_kubota , サンプルイベントをいくつか教えていただけますか？ ... View more