... "src_hostname"? The reason I ask, is that I can not seem to find it, and it is generating "odd" results in a search someone set up for us an age ago. Thanks, Matt ... View more

Hi there, I was just looking through our splunkd logs, and I notice multiple errors for the following: <dateTime> ERROR SearchOperator:copyresults - You must provide a search id. I couldn't really find much on splunkbase, so I turned up the logging for the copyresults command, and I can now see the following as an example: INFO SearchOperator:copyresults - mapped lookup name=system_uptime_tracker to fn=C:\Program Files\Splunk\etc\apps/SA-EndpointProtection/lookups/system_uptime_tracker.csv INFO SearchOperator:copyresults - copy results.csv.gz to C:\Program Files\Splunk\etc\apps\SA-EndpointProtection\lookups\system_uptime_tracker.csv, success=1 INFO ExecProcessor - Ran script: python "C:\Program Files\Splunk\etc\apps\SA-ThreatIntelligence\bin\notable_owners.py", took 2168.4 milliseconds to run, 0 bytes read ERROR SearchOperator:copyresults - You must provide a search id. ERROR SearchOperator:copyresults - You must provide a search id. Does anyone have any thoughts on this? I am seeing the events for other apps as well. Thanks in advance, SplunkFu ... View more

Hi there, We are currently looking at the using clustering to introduce redundancy/HA into the deployment. I have a few questions which I may have missed in the documentation... Is there a minimum number of peer nodes that can be used in a cluster? - we are looking at 2 nodes, are there any major restrictions to this setup? In the documentation it states that a reference server should suffice for the master node, however as it is not performing any indexing/searching does it require that much in specification? Any issues with using clustering with the ES App? Are there any issues in having a search head searching between clustered and non-clustered indexers/nodes? Finally, I didn't see any notes on how to calculate storage requirements for clustering. Any thoughts? Thanks in advance, and I look forward to your help 🙂 Best regards... ... View more

Hi there, We are just looking at using Netflow for our Cisco ASA's rather than using syslog (networks request). However, we are experiencing issues with the "NetFlow for Splunk powered by NetFlow Integrator" App... We can see traffic for UDP/9995 being received by the hosting server. However we are not seeing any data in Splunk. There are no errors in any of the app log files, or in Splunk log files This is a standard installation of the app (i.e. standard install/config, accepted license) on a single server. Is there any points that we can look into? Thanks in advance. ... View more

Hi there, I was looking at the videos for the "Splunk App for VMware", and in it, it says to expect between 600MB and 1024MB per host per day... To clarify is this per ESX/i host, or is this per virtual machine host? For example, does it mean: 600MB - 1024MB x 10 ESX hosts = 6000MB - 10240MB/day OR 600MB - 1024MB x 100 VM hosts = 60,000MB - 102,400MB/day (values are just random) Thanks. ... View more

Hi there, We are just doing some internal capacity predictions on our deployment, and was wondering if there were any guidelines with the estimating the VMware ESX/i syslog volumes? - Yes I know this is ambiguous, but I was checking whether someone has seen any trends in their environment. Additionally what value have people seen in the syslog, i.e. what are they getting out of the logs. We are also looking at the Splunk VMware app, but it may be a bit over our license expectations, based on the guidelines provided. Thanks. ... View more