Please use a command line like this - msiexec /i splunkforwarder-6.2.1-245427-x64-release.msi AGREETOLICENSE=Yes /quiet
The /quiet is to suppress the GUI. You have to specify the msi in the command line which was missing in your invocation.
When we talk about automatic lookups, we're referencing the capability described here - http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/Usefieldlookupstoaddinformationtoyourevents#Edit_existing_automatic_lookups_or_configure_a_new_lookup_to_run_automatically
This automatic lookup capability is not supported by KV store.
Regarding the question around the "restricting lookups to running on the search head tier" - This is intended to call out the fact that any KV store lookup will need to occur on a search head; i.e., all SPL commands in a search string occurring after a KV store lookup will need to be run on the search head.
Please take a look at the documentation here - http://dev.splunk.com/view/SP-CAAAEY7; specifically the table that discusses pros / cons of KV store vs. CSV lookups.
No, this is not a supported scenario. You would have to craft the saved search so that you're doing the necessary filtering within the saved search.
This is a known issue - http://docs.splunk.com/Documentation/Splunk/6.0/ReleaseNotes/KnownIssues#Windows-specific_issues
It has since been fixed in UF 6.0.4+ and UF 6.1.x. You can upgrade to these versions, which have the fix. Alternatively, if you cannot upgrade, you can modify your props.conf file to also look for this lowercase sourcetype.
Please capture traces and email them to devinfo@splunk.com so that we can investigate further.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Splunk ODBC Driver\Driver
Set LogLevel to 5 and LogPath to a valid directory such as "c:" (without quotes) and then run the repro.
Hi,
Please do the following -
1. Open 32-bit ODBC administrator panel.
2. Click the System DSN tab; select the Splunk DSN and click configure.
3. What does your Server URL setting have? It should be set like this - https:// : ; e.g., https://10.225.196.112:8089
4. Make sure that the mgmt port on your Splunk search head is not being blocked by your firewall.
Yes, you need to enable DNS debug logging. See http://technet.microsoft.com/en-us/library/cc759581(v=ws.10).aspx for details on how to do this.
Hi - Can you be more specific about which dashboard you're encountering this error with; is it the User logon failures? Please paste the URL if possible.
Also, what version of the AD app are you running?
OK, got it.
Yes, you should do the following -
1. Download and deploy the Windows Add-on - http://apps.splunk.com/app/742/ - to the relevant machine from which you want to collect the data.
2. Copy the contents of stanzas for "WinEventLog://" from $SPLUNK_HOME\etc\apps\splunk_ta_windows\default to $SPLUNK_HOME\etc\apps\splunk_ta_windows\local and set disabled=0 on them.
3. Restart Splunk.
Are you looking at the CAS performance dashboard at the IMAP and POP3 panel? Can you paste in the URL for the dashboard which is causing a problem for you?
Hi Asohahn,
When do you get this error - "Driver's SQLAllocHandle on SQL_HANDLE_ENV failed."? Please provide the steps that you're doing in Excel.
If you're looking for data to populate the Application Installs and Application crashes dashboards - then you need to make sure you're collecting data for the Windows event log Application channel.
Hope that helps.
A couple of things to check -
1. Does this user role have access to the new indices that you've set up?
2. Have you modified eventtypes.conf stanzas to include the relevant indices? For example -
[windows_performance]
search = index=perfmon (sourcetype="powershell" OR sourcetype="Perfmon:" OR sourcetype="WMI:Perfmon")
3. You can specify more than one index to target in the searches.
The performance monitoring dashboard not showing any data might be linked to the fact that lookups needed for the dashboard to function properly did not get created in time.
Could you send the contents of the following files currently-
$SPLUNK_HOME\etc\apps\windows\local\inputs.conf
$SPLUNK_HOME\etc\apps\windows\default\inputs.conf