Hi All, Do we need an indexer restart in non clustered search peers for these changes? Is reloading not enough?  https://docs.splunk.com/Documentation/Splunk/8.2.0/Indexer/Determinerestart   in particular "coldPath.maxDataSizeMB" and "Enabling or disabling an index that contains data" I don't think Splunk throws any errors or blocks subsequent indexes.conf changes when this happens. I need to check the logs, when any change is made in coldPath.maxDataSizeMB. But I am sure when disabling an index, the things go smooth without a restart. Why do we need a restart then?   Thanks!   ... View more

which props.conf setting does splunk use to extract interesting fields from _raw field. I am trying to use collect command to get _raw data from one index into another. However, it does not extract interesting fields. If I give sourcetype=splunkd. It extracts interesting fields. I understand using a different sourcetype other than stash will take license usage. So, I should be able to create a custom field extraction for the stash source file paths without taking any license. I did a ./splunk btool props list splunkd and this is what it shows.   [splunkd] ADD_EXTRA_TIME_FIELDS = True ANNOTATE_PUNCT = True AUTO_KV_JSON = true BREAK_ONLY_BEFORE = BREAK_ONLY_BEFORE_DATE = True CHARSET = UTF-8 DATETIME_CONFIG = /etc/datetime.xml DEPTH_LIMIT = 1000 DETERMINE_TIMESTAMP_DATE_WITH_SYSTEM_TIME = false EXTRACT-fields = (?i)^(?:[^ ]* ){2}(?:[+\-]\d+ )?(?P<log_level>[^ ]*)\s+(?P<component>[^ ]+) - (?P<event_message>.+) HEADER_MODE = LB_CHUNK_BREAKER_TRUNCATE = 2000000 LEARN_MODEL = true LEARN_SOURCETYPE = true LINE_BREAKER_LOOKBEHIND = 100 MATCH_LIMIT = 100000 MAX_DAYS_AGO = 2000 MAX_DAYS_HENCE = 2 MAX_DIFF_SECS_AGO = 3600 MAX_DIFF_SECS_HENCE = 604800 MAX_EVENTS = 256 MAX_TIMESTAMP_LOOKAHEAD = 40 MUST_BREAK_AFTER = MUST_NOT_BREAK_AFTER = MUST_NOT_BREAK_BEFORE = SEGMENTATION = indexing SEGMENTATION-all = full SEGMENTATION-inner = inner SEGMENTATION-outer = outer SEGMENTATION-raw = none SEGMENTATION-standard = standard SHOULD_LINEMERGE = false TIME_FORMAT = %m-%d-%Y %H:%M:%S.%l %z TRANSFORMS = TRUNCATE = 20000 detect_trailing_nulls = false maxDist = 100 priority = sourcetype = termFrequencyWeightedDist = false   for default stanza, it shows :   [default] ADD_EXTRA_TIME_FIELDS = True ANNOTATE_PUNCT = True AUTO_KV_JSON = true BREAK_ONLY_BEFORE = BREAK_ONLY_BEFORE_DATE = True CHARSET = UTF-8 DATETIME_CONFIG = /etc/datetime.xml DEPTH_LIMIT = 1000 DETERMINE_TIMESTAMP_DATE_WITH_SYSTEM_TIME = false HEADER_MODE = LB_CHUNK_BREAKER_TRUNCATE = 2000000 LEARN_MODEL = true LEARN_SOURCETYPE = true LINE_BREAKER_LOOKBEHIND = 100 MATCH_LIMIT = 100000 MAX_DAYS_AGO = 2000 MAX_DAYS_HENCE = 2 MAX_DIFF_SECS_AGO = 3600 MAX_DIFF_SECS_HENCE = 604800 MAX_EVENTS = 256 MAX_TIMESTAMP_LOOKAHEAD = 128 MUST_BREAK_AFTER = MUST_NOT_BREAK_AFTER = MUST_NOT_BREAK_BEFORE = SEGMENTATION = indexing SEGMENTATION-all = full SEGMENTATION-inner = inner SEGMENTATION-outer = outer SEGMENTATION-raw = none SEGMENTATION-standard = standard SHOULD_LINEMERGE = True TRANSFORMS = TRUNCATE = 10000 detect_trailing_nulls = false maxDist = 100 priority = sourcetype = termFrequencyWeightedDist = false   I verified the data and it is not in json format. So, AUTO_KV_JSON would not apply to it. The only thing I could find in transforms and props.conf which separate fields based upon "=" is   [ad-kv] CAN_OPTIMIZE = True CLEAN_KEYS = True DEFAULT_VALUE = DEPTH_LIMIT = 1000 DEST_KEY = FORMAT = KEEP_EMPTY_VALS = False LOOKAHEAD = 4096 MATCH_LIMIT = 100000 MV_ADD = true REGEX = (?<_KEY_1>[\w-]+)=(?<_VAL_1>[^\r\n]*) SOURCE_KEY = _raw WRITE_META = False   which is being called by    [ActiveDirectory] SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+---splunk-admon-end-of-event---\r\n[\r\n]*) EXTRACT-GUID = (?i)(?!=\w)(?:objectguid|guid)\s*=\s*(?<guid_lookup>[\w\-]+) EXTRACT-SID = objectSid\s*=\s*(?<sid_lookup>\S+) REPORT-MESSAGE = ad-kv # some schema AD events may be very long MAX_EVENTS = 10000 TRUNCATE = 100000     ... View more

Hi,  I have a few questions for  splunk-enterprise-certified-architect exam. I could not find any phone number or email address I can send to splunk directly. If someone has a contact, can you please share? I did my Splunk Enterprise Certified Admin few months ago. I am planning to sit for splunk-enterprise-certified-architect exam. https://www.splunk.com/en_us/training/certification-track/splunk-enterprise-certified-architect/overview.html It says:   All candidates who wish to access the exam must be Splunk Enterprise Certified Admin and complete the Architecting Splunk Enterprise Deployments, Troubleshooting Splunk Enterprise, Cluster Administration, and Splunk Enterprise Deployment Practical Lab courses. Are these trainings compulsory? Can I not sit in the exam if I do want to do these or pay for these? https://www.splunk.com/en_us/training/courses/troubleshooting-splunk-enterprise.html https://www.splunk.com/en_us/training/courses/splunk-enterprise-cluster-administration.html https://www.splunk.com/en_us/training/courses/architecting-splunk-enterprise-deployments.html https://www.splunk.com/en_us/training/courses/splunk-architect-certification-lab.html Are these trainings or an exam? As in will these be one sided teaching by the instructor or will I be given a pass/fail thing, if I am unable to do it successfully?    In particular: https://www.splunk.com/en_us/training/courses/splunk-architect-certification-lab.html The wording seems to indicate it will be an exam? This 24-hour practical lab exercise is designed to take you through the tasks of a complete mock deployment. Each participant is given access to a specified number of Linux servers and a set of requirements. Participants then perform a mock deployment according to requirements which adhere to Splunk Deployment Methodology and best-practices. The trainings are in multiple time zones, can I register for any time zone, say "EMEA UK Time - Virtual" even though I am in US West. What is the difference between the two? Will the UK one be given by someone in UK. If I am unable to do the training after paying for it, as in I am not well, can I postpone it? I think it said somewhere I have 30 days to complete the training. Not sure if any one else has thought about it , these are very expensive. 1000-1500$ for each one.   Thanks     ... View more

What does is the logic behind below stanzas under   splunk/etc/apps/customappname/metadata/local.meta [app/ui] version=7.3.7 modtime=epoch time   [app/launcher] version=7.3.7 modtime=epoch time   What is it referring to ? and I suppose these settings are app local only and will not be exported globally since there is no  export=system here?   Thanks ... View more

We have a set of non clustered indexers. around 20. There is a duplicate entry of an index definition in indexes.conf. So, splunk is identifying the latest entry and implementing it. If I delete the entry which is not active, what impact will it have? Secondly, how is disc space allocated to indexes on indexer? For example, if disc space allocated to index is 80% full, and I decrease the disc space by 50%, or  FrozenTimePeriodinSecs is increased or decreased, is the current indexed data deleted 100%, and new space is allocated or are the new policies, applied to the already existing data and the data which should not be available as per the new Policy(i.e. FrozenTimePeriodinSecs and/OR homePath.maxDataSizeMB and/or coldPath.maxDataSizeMB values) rolled off? We are not archiving any data. So, after cold it is being deleted.     ... View more

Hi, Why am I getting below error? Validating connection with URL [jdbc:sqlserver://xx.xx.xx.xx:1433;databaseName=ABC;selectMethod=cursor] failed: java.sql.SQLException:,Cannot create PoolableConnectionFactory (The TCP/IP connection to the host xx.xx.xx.xx, port 1433 has failed. Error: "connect timed out. Verify the connection properties. Make sure that an instance of SQL Server is running on the host and accepting TCP/IP connections at the port. Make sure that TCP connections to the port are not blocked by a firewall.".) ... View more

Hi Splunkers, I am working on installing Splunk DB Connect in our Program and we have many users with the admin role that we do not want to have the dbx_user role. I want to create a single user with the dbx_user role and use it for any dbconnect configuration tasks. I don't want any other user including admin(role) to have the dbx_user role inherited. Is that possible? Appreciate early response.. Thanks ... View more

Hi, Can I request, if someone can help me with below: I have installed splunk free download initial 30 days on Centos 6.5 server edition. When I start spunk with root user from init.d somehow the variables from splunk-launch.conf are not getting set. I had to manually put spunk_home in bashrc and it is not an issue. For indexes.conf file I copied default copy from default to local. and it uses spunk_db and other environmental variables. I can set them all as well in bashrc, but that would make it more error prone because I will have to review each and every file where it is used. I was wondering why the launch config is not being used when I try starting spunk. Thanks !! ... View more