Hello, I have a setup similar to the example shown in this page, we noticed that the firewalls showing systematic tcp session breakdown/rebuild.    So it looks like the the default setting of autoLBFrequency=30 is in use. Further it looks like in the newer versions of the Splunk UF which we are on have deprecated the disabling LB functionality. Can I set this setting to 86400 or something like that so that it doesn't break and recreate connections all the time?  Are there any pitfalls with this approach?  Are there any other hacks that will allow me to disable LB which makes no sense if a group has just 1 IDX in it? https://docs.splunk.com/Documentation/Forwarder/8.2.3/Forwarder/Configureforwardingwithoutputs.conf [tcpout] defaultGroup=indexer1,indexer2 [tcpout:indexer1] server=10.1.1.197:9997 [tcpout:indexer2] server=10.1.1.200:9997   ... View more

Hello, I am playing around with enabling TLS in the chatter between the UF and the IDX and all is working well.  I am curious as to how much compression do I achieve when I enable TLS, I tried searching for it but I am not finding any clear answer ... View more

I just added a metrics index and have populated it with a bunch of metrics.  I am able to slice & dice the data with no issues in the Search app, but I am unable to get the index to show up in the Analytics work space.  The only thing that shows up is the _metrics index.  I have poured through the documentation and I am at a total loss here. Any pointers are appreciated. Thanks! ... View more

I have a csv file that I am monitoring with the props.conf for the sourcetype associated with this file with the parameter CHECK_METHOD = modtime set. This works well, but I occasionally have a scenario where I need to get the fishbucket to "forget" the file being monitored.  I tried the usual procedure using btprobe and reset $SPLUNK_HOME/bin/splunk cmd btprobe -d $SPLUNK_DB/var/lib/splunk/fishbucket/splunk_private_db/ --file < full path of somefile.csv> --reset btprobe says it is unable to find the file.  I further went down this rabbit hole and tried to find the hash of the file in question, but once again no luck. $SPLUNK_HOME/bin/splunk cmd btprobe --compute-crc < full path of somefile.csv> Using logging configuration at /opt/splunkforwarder/etc/log-cmdline.cfg. crc=0x5db5b08c29b4b08d decimal=6752497332353544333 I used the crc and tried to grep for it $SPLUNK_HOME/bin/splunk cmd btprobe -d $SPLUNK_DB/var/lib/splunk/fishbucket/splunk_private_db/ -k ALL | egrep 0x5db5b08c29b4b08d $SPLUNK_HOME/bin/splunk cmd btprobe --compute-crc < full path of somefile.csv> -salt < full path of somefile.csv> Using logging configuration at /opt/splunkforwarder/etc/log-cmdline.cfg. crc=0xa5cb29c8fe9d6ace decimal=11946688379772299982 I used the crc and tried to grep for it $SPLUNK_HOME/bin/splunk cmd btprobe -d $SPLUNK_DB/var/lib/splunk/fishbucket/splunk_private_db/ -k ALL | egrep 0xa5cb29c8fe9d6ace I tried this too, I *know* the splunkforwarder is monitoring the file,  as btools & inputslist and monitor etc are all showing the file, what am I missing?  Any help is greatly appreciated.  I am really stumped here. ... View more

Hello, I have an universal forwarder configured to watch a file using the inputs.conf(crcSalt=<SOURCE>).  This works perfect, but I need to test sending the same file over and over again by prodding the local fishbucket instance to "forget" the file being monitored. Unfortunately when I run the btprobe command, I get file not found. btprobe -d /opt/splunk/var/lib/splunk/fishbucket/splunk_private_db --file /path/to/somefile --reset I did a btool list input status, and the correct file shows up. I then did a compute crc with the salt set to "/path/to/somefile" and used that in the btprobe command earlier and still doesn't work. btprobe --compute-crc /path/to/somefile --salt "/path/to/somefile" I used the results of the above command and did this and still found nothing. splunk cmd btprobe -d $SPLUNK_DB/fishbucket/splunk_private_db -k ALL | egrep 0x34a86c35e2c71990 Can somebody point me in the right direction to get around this issue?   ... View more

Hello, I have syslog events that come with the _time either in  seconds(epoch 1620685037) OR time in microseconds from epoch(16206722176.001440).  Can a props.conf handle either of these formats and set the time stamp appropriately?  I realize there is going to be some performance impact on timestamps going all the way to micro, but the searches are not too bad and the data set if not tremendous. How should the props.conf look like? g ... View more

I am new to Splunk. The cluster command gives me results that I am looking for and some. I would like to filter the results of this command with a list of regular expression patterns that I have stored in a KV store, but I am having a tough time getting the answers that I am looking for. When I run the map command below it looks like the $payload$ ends up with the value rather than the field name. The app_critical_warning KV store has a list of regexp patterns with one of the column names being regexp_pattern. Here's the search that I have come up with: index="someindex" msgtype::warning | cluster t=0.9 showcount=true field=payload | table cluster_count payload | map [|inputlookup app_critical_warning | regex $payload$=regexp_pattern ] maxsearches=10 Does anybody have any suggestions on how to go about this task? I can compose the search with all the regex patterns, but I would like to maintain it in a KV store for logistic reasons. Thank you! ... View more