We have heavy forwarder that accept logs over HEC.  inputs.conf  [http://dd-log-token1] index= ddlogs1 token = XXXXX XXX XXX XXX [http://dd-log-token2] index= ddlogs2 token = XXXXX XXX XXX XXX [http://dd-log-token3] index= ddlogs3 token = XXXXX XXX XXX XXX ________________________________ I want to forward only below inputs to 2 different splunk Instances - 1- splunkCloud (hosted by Splunk) 2-SplunkOnPrem  [http://dd-log-token2] index= ddlogs2 token = XXXXX XXX XXX XXX   ________________________________ This is my inputs.conf looks like  inputs.conf  [http://dd-log-token1] index= ddlogs1 token = XXXXX XXX XXX XXX [http://dd-log-token2] index= ddlogs2 token = XXXXX XXX XXX XXX outputgroup = splunkonprem, splunkcloud [http://dd-log-token3] index= ddlogs3 token = XXXXX XXX XXX XXX _____________ outputs.conf  [tcpout] defaultgroup = splunkonprem,splunkcloud  forceTimebasedAutoLB = true  [tcpout: splunkonprem] server= zyx.com:9997, abc.com:9997 [tcpout: splunkonprem] server= mmm.com:9997, bbb.com:9997 But these settings are only sending logs to Onprem indexers not to SplunkCloud indexers. Please suggest if any idea whats wrong with my configuration. ... View more

Hello, I am working on a project to get logs from Vcenter and ESXi host to Splunk . question 1 ) Is Vcenter app for splunk is license based ?or is it a free app ? question 2 ) Can I install Vcenter app on my Splunk Heavy Forwarder and make it act as DNC ( as per documentation, we need to have DNC server, if we pulling logs using API ) question 3 ) what is the best process and to fwd logs from Vcenter and ESXi server to splunk ? Thanks in advance. ... View more

Hello, For the past couple of weeks, we’ve seen events from the past being recently indexed. I assume that these few of the boxes were just powered up, and because of the forwarding infrastructure, that these are “current” events? what can be done to keep the past in the past? Thanks. ... View more

Hello, I have installed Cisco TA 2.1.6 on HFW and trying to get logs from CISCO IPS devices. I have configured the settings under inputs.conf : [script://$SPLUNK_HOME/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py ] sourcetype = cisco_ips_syslog source = SDEE disabled = false interval = 1 I don't see any logs under - sensor_ip.run I execute this as per troubleshooting docs- index="_internal" sourcetype="sdee_connection" ERROR | rex "Connecting to sensor - (?[^:]+)" | rex "[Errno\s+(?[^]]+)" | stats count values(EN) as error_number by sensor error_number= 110 when I run - index="_internal" sourcetype="sdee_connection" on Mar 5 21:37:35 2018 - ERROR - Connecting to sensor - X.XX.XXX.X: Traceback (most recent call last): File "/data/splunk/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py", line 103, in run sdee.open() File "/data/splunk/etc/apps/Splunk_TA_cisco-ips/bin/pysdee/pySDEE.py", line 191, in open self._request(params) File "/data/splunk/etc/apps/Splunk_TA_cisco-ips/bin/pysdee/pySDEE.py", line 167, in _request data = urllib2.urlopen(req) File "/data/splunk/lib/python2.7/urllib2.py", line 154, in urlopen return opener.open(url, data, timeout) File "/data/splunk/lib/python2.7/urllib2.py", line 429, in open response = self._open(req, data) File "/data/splunk/lib/python2.7/urllib2.py", line 447, in _open '_open', req) File "/data/splunk/lib/python2.7/urllib2.py", line 407, in _call_chain result = func(*args) File "/data/splunk/lib/python2.7/urllib2.py", line 1241, in https_open context=self._context) File "/data/splunk/lib/python2.7/urllib2.py", line 1198, in do_open raise URLError(err) URLError: Also tried - wget https://X.X.X.X/cgi-bin/sdee-server/ --2018-03-05 21:06:17-- https://X.X.X.X/cgi-bin/sdee-server/ Connecting to X.X.X.X:443... failed: Connection timed out. Retrying. Please suggest ... View more

Hi, we had a user who is no more with our company and we had deleted his account from splunk long back. Now I still see that I keep getting report from his ID. I tried to look for that report and could find it. Any idea how can I find this report and stopped it? Thanks. ... View more

Hi, I am trying to replace the existing TA which is Symantec Syslog TA with the Splunk supported Symantec TA 2.3.0 ver. Please advice how I can get this done in a proper way. Because some of the fields extraction regex is different when compare from Symantec Syslog TA vs Symantec TA. Thanks. ... View more

Hello, I am using Splunk Managed cloud service ( SH and Indexers are in Cloud) I have 2 Heavy forwarder in my environment ( on premises ) I am trying to install and configure CISCO IPS logs in Spunk and have few questions: Step 1) IPS and Splunk are pingable with no firewall between them. Do I also need to check for any specific also ports to opened ? Step 2) I have installed CISCO IPS add on to my heavy forwarder. Do I also need to install the add-on on Indexers and SH as well ? Setp 3) Do we also have any app for supporting this Add-on ? ( Although, I have Enterprise Security installed already ) Step 4) If I have more than 1 IPS devices, how I am going to configure them ? Please advice. ... View more

Hello, I have a resultant data like this: Server Name Status Location Owner Email Id A-Z1 Missing. Spain. AAA AAA@domain.com A-Z2 Active Japan BBB BBB@domain.com A-Z3 Missing Japan CCC. CCC@domain.com I want to send email to individual owners with servers details, who's status is shown "MISSING" ... View more

We are trying to configure Splunk SAML onelogin. After we did all the configuration, when i am trying to open Splunk though onelogin page it gives me a message : Https://. Saml/acs because the server where this page is located ints responding ... View more

Hi, I am configuring Splunk access control with SAML onelogin and I have uploaded the onelogin IdP meta data file to splunk. After configuration splunk app is redirecting to onelogin login page, but I am getting error message below : Verification of SAML assertion using the IDP's certificate provided failed. Error: Failed to verify signature with cert :/dnbusr1/raomu/splunk/etc/auth/idpCerts/idpCert.pem; Please suggest . ... View more

Hi, We are using Splunk managed cloud services and I am trying to send an alert using Search Processing Language. Schedule alerts work fine, but when I am trying to send an alert using SPL it never works. Here is my query : | eval emailDistributionTO = if (Contact = "MACK","mack@XXX.com") | eval emailDistributionCC = "SEOUL@XXX.com" | eval AlertName="Domain Controllers Missing " | eval SeverityLevelMsg="[*INFO*]" | table Domain_Controllers Status SeverityLevelMsg Location Contact AlertName emailDistributionTO emailDistributionCC ... View more

Hi, We recently have deployed Palo Alto App in our environment and noticed performance is degraded. I went to see all the searched running under Job -> activity and see most of the jobs are executed under System-user and all are related to Palo Alto that too span of every 2 min. Spunk Environment details : Spunk Managed cloud service 24 Indexers 2 SH not in cluster mode Any suggestion why so many jobs are running for Palo Alto ? ... View more

Hello, We are using Spunk Managed cloud service. I want to know if we have any mechanics to monitor the performance of my cloud environment? Like - ( Although I am aware of monitoring console ) 1) metrics of search head 2) metrics of indexers Do we have any documentation or recommendation as how we can work on capacity planning. currently we have 100 users using Spunk we have 24 indexers 2 SH not in cluster but we usually see performance degradation sometimes, let us know how we can work on scaling ? ... View more

We want to enable SSO in Splunk using Onelogin. I have gone through the steps in splunk documents, but not really sure, if we disable the local accounts on Splunk, how login is going to work ? or we don't delete the local accounts then how we can restrict the users not login to splunk using local account ? ... View more