appreciate it, but... Have you actually used this? I can't get it to work (it's in beta now, zero reviews or ratings). Even it's own demos and samples throw errors. Running on RHEL8, 9.2.2. ... View more

(how do I give negative Karma?)   ... View more

FYI, converting to Dashboard Studio fixes the diagrams, but truncates the tables. yay. ... View more

Same here, for as long as I can remember (don't ask me the versions) -- but still currently an issue with 9.2.2. Funny thing is, I have about 9 graphs, and three work OK. Tried all kinds of tactics like: putting the graphs on on it's own line, putting all together, changing the order, trying landscape v.s. letter, changing the paper type, "plain text", "HTML & plain text".... ... View more

Great, wonder if it's been re-introduced. We're on 9.2.2 and still getting flooded... (edited) My bad, I thought they meant on the Heavy Forwarders -- our clients (UF) are still prior to 9.2.2. ... View more

Holy Cow! Per that document, I tried enabling: mc_auto_config = enabled ...and it removed all my indexers from the cluster. Good times. I think I'll just learn to live without those volume dashboards, wouldn't be the first time I had to ignore missing functionality. Pro tip:  don't bother taking the advanced troubleshooting class at Splunk.conf -- didn't prepare me for anything useful... ... View more

ah, gotcha. Yes, it's configured, setup is correct, server roles are set, and I use it often for various things -- I can see data in pretty much every other dashboard, and even in the "Index Detail: Deployment" -- it *does* show some volume information, as does "Indexes and Volumes: Deployment". In "opening in search" pretty much any panel in the monitoring console, I can see the query and the macro or rest it uses. But in these volume detail pages, they all are "undefined". The info reporting on the individual indexes is correct -- I use it to trim and set limits on various indexes. I do see in the "Volume Detail: Instance" -- I each indexer populated in the dropdown, but the Volume (token) is empty. To recap:  all my dashboards in Monitoring Console on my Management server have data except for:  VolumeDetail: Instance and VolumeDetail: Deployment. Honestly, if it's NOT configured correctly (the management server/console), then I'm not sure what to fix. I know this doesn't always mean a Good Thing, but I have been using Splunk since v3.x.   ... View more

I'm not following you... It's a cluster of indexers (4) and a single Management node. ...and I'm failing to see how setting the volume size affects the missing queries in the management dashboard. But to answer the questions: of course I did. I have multiple volumes per best practices. ... View more

This is nuts. Go figure. I ended up fixing this my removing the "Deployment Server" role from the system, saving it, then adding it back, restarting the service, bam! Fixed. I'd rather be lucky than good... ... View more

FWIW, happening here as well, with 9.2.0.1. Checked all The Things mentioned in that doc everyone keeps referencing, including those stanzas mentioned numerous times here. Another symptom of mine is that the ForwarderManager (deployer) doesn't appear in my monitored servers in the SplunkManager (aka Master). ... View more

additional: It appears the forwarder manager is servicing clients, but they are not being reflected in the GUI or at the commandline: [root@splunkdeployer ~]# /opt/splunk/bin/splunk list deploy-clients Splunk username: admin Password: Login successful, running command... No deployment clients have contacted this server. Go figure... More Googling... ... View more

Darn. Nope. All those conditions check out OK in my environment. New indexes are where they should be, it's a stand-alone deployment manager, etc.. ... View more

No, I haven't, thanks!  Missed this in the release notes... Will let you know how it works out. ... View more

did you ever get resolution on this? My deployment server stopped servicing clients -- start throwing this error. No firewall or selinux issues as suggested below... ... View more

Holy Cow, great stuff -- thanks! why, oh why, could Splunk not have had something like this...? ... View more

wow, definitely a case of "your mileage may differ"... this is just a small sample of these alerts here, and on the ones triggered by Splunk, they still seem to function OK: ADPClientService.exe, version: 4.1.38.0, time stamp: 0x62c69205 AUEPMaster.exe, version: 1910.24.6.725, time stamp: 0x5d39726f AdAutoUpdateSDK.dll, version: 0.0.0.0, time stamp: 0x61dc3463 AdskAccessServiceHost.exe, version: 1.27.0.4, time stamp: 0x61dc35ae AdskUpdateCheck.exe, version: 1.27.0.4, time stamp: 0x61dc3558 CcmProfiler.dll_unloaded, version: 5.0.9106.1000, time stamp: 0x642d9f3d FMEngine.dll, version: 19.2.2.234, time stamp: 0x60451558 KERNEL32.DLL, version: 10.0.17763.4720, time stamp: 0xa2ec4df3 KERNELBASE.dll, version: 10.0.19041.3393, time stamp: 0x6b4de7c9 OUTLOOK.EXE, version: 16.0.10402.20023, time stamp: 0x64ef06a7 smartscreenps.dll, version: 10.0.19041.3031, time stamp: 0x92650ce8 PDFMEngine.dll, version: 23.6.20320.0, time stamp: 0x64f8d26b RPCRT4.dll, version: 10.0.17763.4644, time stamp: 0x565f63ab RtkAudUService64.exe, version: 1.0.0.176, time stamp: 0x5c6f93ad VCRUNTIME140.dll, version: 14.16.27033.0, time stamp: 0x5d30eadf biwinrt.dll, version: 10.0.17763.2989, time stamp: 0x790cc0bc splunk-winevtlog.exe, version: 2304.1280.25713.15594, time stamp: 0x64713ec1 ... View more

I think this is all a "non issue" as it relates to Splunk.... read on:  if you search for this error as posted by the OP, you will see faults generated by Splunk. To illustrate, use this ugly query (don't do this at home, this for demonstration purposes only): index=*wineventlog "faulting" "*splunk*" HOWEVER, take off the "*splunk*" from this, and you'll see that hundreds of other apps are doing this too. I'm calling this a Windows issue, not a Splunk issue. 🙄   FWIW:  version 9.1.1. ... View more

100% -- this is causing all kinds of FUBAR in our organization. I get a half-dozen sales oriented announcements from Splunk -- but they couldn't be bothered to warn us about something that breaks all the forwarders? ... View more

Good point. I'm afraid if that works, it's still not a fix as we can't run processes with elevated privs... I'll still see about testing it though. ... View more

wow, almost two years and now answer? I'm getting this too, on about 383 different UF clients (out of about a1,000). I'm using the latest 9.0.4.0... ... View more

Thanks! That's it, for some reason that was commented out. # SPLUNK_HOME=C:\Program Files\SplunkUniversalForwarder ... View more