Copy the splunk.secret file from $SPLUNK_HOME/etc/auth/ on your cluster master node and place it in the same location on your Monitoring Console node.
Once copied, start your instance.
Take the hashed Pass4SymmKey value from the existing cluster master.
Create a Splunk app ci1_unhash_app with an passwords.conf file containing a credential stanza with your reclaimed Pass4SymmKey.
Add the following to $SPLUNK_HOME/etc/apps/ci1_unhash_app/local/passwords.conf, for example:
[credential::test:]
password = $pass4symmkeyvalue
Use the following command to retrieve your credentials.
$SPLUNK_HOME/bin/splunk _internal call /storage/passwords/test
You can now use that value to join your new Monitoring console node to your cluster.
The command above may not work in it's current form. Make sure you check your app permissions or adjust the command to match the namespace of your app.
Once successfully joined to the cluster with a fully configure monitoring console, make sure that you delete the ci1_unhash_app.
Configure the Monitoring Console
... View more
The d{1,3} is used to denote that there might be min of 1 digit and max of 3 digits , when it comes to IP's we know the range can be from 0 to 255. So best practise is to use " d{1,3}.\d{1,3}.\d{1,3}.\d{1,3} ". In your case error might be with the fieldname.,
... View more