Thank you!  This was the solution! 👍 | stats latest   ... View more

Thanks J.! I will follow your advice and try to modify the filename and have crcSalt in place! Regards Robert ... View more

| spath path="data{@text}" output=sales | rex field=sales max_match=0 "\n\s+(?<cartype>[^;]+);(?<quantity>\d+);(?<price>[^;,]+);" Just add a comma to the exclusion list for the price. ... View more

Hi RobertRi, from experience I see that the problem you are trying to solve is just a subset of the troubles that you face. Again, depending on where you come from, a lot of things have changed and IMHO there is only one efficient way to find out if your dashboards still work or not. Aside from that, looking for the tag is a way to identify your views that use the deprecated xml. Oliver ... View more

The dbconnect app adds 2 roles which you need to assign appropriately: dbconnect_admin and dbconnect_user : https://docs.splunk.com/Documentation/DBX/latest/DeployDBX/Configuresecurityandaccesscontrols ... View more

Thank you! ... View more

Is SAML the better choice for authentication? It depends. Does your environment already run ADFS or some other product that can talk SAML? If you're already leveraging SAML in your institution then you can take advantage of true SSO. If not then just authenticate using LDAP. A SAML Identity Provider is not a trivial thing to get up and running. Of course, I'm assuming that your splunk instance is on-premise or, if it's splunk cloud, then your security policy allows ldap connections from outside your domain. SAML is definitely something to look into (in the future) as it's inherently more secure. ... View more

Hi! The query is embedded in a form search and via a time token, the user has the Chance to define the time ... View more

This skipped saved searches behavior is very painful. One thing you can do is to look at the scheduling of these saved searches and try to space them out. If 30 of them are scheduled at the top of the hour and nothing else in the next couple of minutes, go and distribute them evenly. It's interesting because it goes to the area of distributed administration - power users don't have a view into the over-all scheduling and naturally they would keep their alerts at clean intervals. We, the admins, need to go and separate them. The product should help us more in this regard and potentially offer the power users "open reliable" spots... ... View more

As @FrankVI also said, your problem is most likely based on broken timestamp recognition. Do you read that file locally, or is it send to you via syslog? ... View more

You're right, my mistake, that wouldn't work... ... View more

I am also now seeing this behavior after upgrading our forwarders to 6.5.0. I noticed in the splunkd.log that watchedfile appears to be digging deeper into our directory. We do have recursive enabled but I don't have an input at all for followTail = false/true. This was not an issue before but we are now seeing some delay in ingestion during the times that watchedfile is kicking off. ... View more

Not that I can find, but I suggested that this be done by adding a comment on the release notes page. ... View more

Thanks,that works! Regards Robert ... View more

Ok thanks that helps Regards Rob ... View more

for best performance, you want to set SHOULD_LINEMERGE = false, which disables all rules other than LINE_BREAKER. but generally indexing performance is not a problem and so a clearer rule may be better. ... View more

Did you say you are running on a 2-core machine? Indexer+SH? If so, I am not at all surprised that you see skipped searches. Indexing on a single indexer can consume up 5-6 cores alone, which leaves no headroom for searches to execute. The fact that your search gets skipped means that the previous run has not completed when the next one is scheduled. In other words: Your search scheduled to run every five minutes sometimes takes more than five minutes to run, very likely because your system is completely starved for (compute) resources. You are running on a completely underpowered system, even without doing any searches. If you have any option of increasing your core count, that is your best bet for sure, no matter how little data you may be indexing. Your problem may be compounded by having suboptimal disk storage underneath, but without more details about your environment, it's hard to provide guidance. The bottom line is that any Splunk indexer running with less than 8 cores is likely to expose these symptoms with any amount of search workload; depending on data ingest volume sooner or later. You need more horsepower. 🙂 ... View more

That's great that you got it working, but there's really no need to rewrite the search like that - format is called implicitly at the end of a subsearch anyway, and table is possibly worse performance-wise than fields . ... View more

Nice to see the answer, exactly solved my question! ... View more

Thanks a lot buddy. This solved my problem. 🙂 ... View more

you gave me the necessary hint, thanks ... View more

Thank you jonuwz for your detailed explainaition. I'm not firm with syslog but I will give it a try and check how this works. I know the ras1log tool, this was my prefered tool to troubleshoot. ... View more

Thanks, that was it ... View more

I just got done setting this up, so I'll post my full SSL setup. It might be a little more than needed, but this is the first Google result I saw for multiple Splunk SSL searches. So, use as much or as little as you like, and lets hope it helps some other poor schlub like myself. 🙂 This was done on a Red Hat system. Since linux considers ports under 1024 sacred, you need to use a higher port when running as a non-root user. Otherwise, you have to run Splunk as root, which is a NO NO. In order to fix that, I used iptables and redirected from 8443 to 443. So, some commands are Red Hat specific, but usually it's pretty easy to Google the distro specific method. Setup Splunk to run using SSL with Apache redirects 1) Transfer your cert and private key files to ${SPLUNK_HOME}/etc/auth/splunkweb/. They have to be in PEM format. Make note of the file names for the next step. 2) Edit /opt/splunk/etc/system/local/web.conf replace any lines with the ones below: [settings] enableSplunkWebSSL = 1 httpport = 8443 privKeyPath = etc/auth/splunkweb/${splunkPrivateKeyFile} caCertPath = etc/auth/splunkweb/${splunkCertificateFile} Obviously, you can use whatever SSL port you want. Don't forget to substitute the key and cert filenames too. Finally, that's not a typo, the paths are relative to ${SPLUNK_HOME}. 3) Use IP tables to redirect port 8443 to 443 I think the method to permanently save your iptables lines differs for other distros. So, do some googling if you're not using Red Hat. iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443 /sbin/service iptables save 4) Setup an Apache redirect for common ports This might be overkill, but I started my two Splunk servers on the default port (8000). So, having a bunch of people thinking Splunk is down, or having to help them update bookmarks sounded like a drag. So, since an Apache redirect is so easy, I just took anyone going to port 8000 and shot them over to port 443. I also included port 80 just because I could. If you have something running on port 80, just remove that VirtualHost. Make a new conf file in your apache dir, I called mine: /etc/httpd/conf.d/splunkRedirect.conf Put this in that file: NameVirtualHost *:80 <VirtualHost *:80> ServerName splunk.integral7.com RewriteEngine On RewriteCond %{SERVER_PORT} ^80$ RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L] </VirtualHost> Listen 8000 NameVirtualHost *:8000 <VirtualHost *:8000> ServerName splunk.integral7.com RewriteEngine On RewriteCond %{SERVER_PORT} ^8000$ RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L] </VirtualHost> 5) Restart Splunk, then Apache The order is important here, you need Splunk to let go of port 8000 so Apache can grab it for the redirect. service splunk restart service httpd restart And, you're done! Since the redirect is done using mod_rewrite, any bookmarked pages should work the same, but use HTTPS instead of HTTP. ... View more