Well , I logged in as an admin , and it does has access to _internal index as I am able to search the data when I give index=_internal ... ... View more

thank you for the response.. so do I need to click on each object and then edit the role permission or is there a way I can edit the permission for all the objects at a single go (like if I wanted to edit and give power role for all the 50 + objects) ... View more

hi, .though I edited the access permissions of the app to "power " however when I looked into the permission of the objects in the app they still donot have power user read/write... do I need to explicitly check the option in the objects as well ? ... View more

also the app "SplunkAppForXenDesktop" is actually disabled from Splunk UI, any possibility if that could lead to the above error when we are restarting the splunk d process? pls share your thoughts. ... View more

Indeed , it does start after we ignore these errors, but I thought as the Splunk d processs set to "automatic" it should start by itself. ... View more

Hi jensonthottian , did you find any other capability apart from "indexes_edit " that one would require to create/edit index? ... View more

Hi ddrillic , any thoughts to resolve the issue on windows, in this scenario when "splunk display boot-start" command is giving you the correct output .. ... View more

Hi, even we are facing the same issue but the output is fine when I run the command as shown below, can you please tell me by your exp what could be the cause for this. also we did setup the splunkd service startup type to be automatic. E:\Program Files\Splunk\bin>splunk display boot-start Windows services installed. Windows services are configured to run at boot. ... View more

Hi miguelayala, even we are having the exact same issue.. any luck with the solution that you can share with us .. ... View more

Ok thank you. ... View more

Thanks a bunch Chris, so all that I have to do now is to download the latest version of Splunk add on for Service now and install in our Splunk environment to have it integrated with the Helsinki version of Snow, to have the snow event flow into Splunk. Pls correct me if am wrong anywhere.. ... View more

Ok thank you. ... View more

@ surekhasplunk : Is the issue resolved ? if so , can you share with us the solution... ... View more

Hi somesoni2, in your statement "Assuming your threshold time period for not reporting is 1 hour/3600 secs. Run below search for a period longer then 1 hr and setup alert when there are records retured" did you mean " setup alert when there are records "NOT "returned ? ... View more

@ jkat54 : It would not let me download the app.. can you please check... ... View more

Hi Surekha , this is how we fixed the issue : "we had to edit "change_request.sys_updated_on" in the location "%SplunkHome%\var\lib\splunk\modinputs" and change the date to the one from where we were missing the Change data through search query i.e from 08/25/2016, as it was holding the future date i.e 2017-09-03, files were not getting indexed. The issue was caused when SNOW team had installed a plugin that generated bogus Change tickets with future time stamps... Also you can see the ta_snow logs for any other errors and let us know if this does not work. ... View more

@somesoni2 :thanks much for the answer. I should have put the question in the right way ..my bad ! Basically I wanted to check if critical "indexes" but not "indexer" are receiving the data or not.. Does the above answer's apply for indexes as well? ... View more

you might want to check in ta_snow.logs to find more info .. ... View more