i'm not familiar w/PFsense & the log format it emits but it sounds like the fields are not being recognized/parsed correctly by Splunk.
In the absence of a TA that might supply the needed sourcetype definition, you may have to define one.
typically, in a case like this, i try to run the script by hand w/the effective UID of the same user that owns the splunkd process. If the script(s) are having problems running as non-root (or otherwise), there should be some indication in STDOUT, if not, then splunkd.log should contain some info.
version upgrade, though license upgrade is always an option. If you're not using the latest version then i recommend upgrading the version. i sympathize w/you but i assure you it does work "out of the gate".
really only looking for "ERROR" log entries, not "INFO". Also note that the search: "index=_internal ERROR" is a directive to show all "ERROR" events from the _internal index.
What about that upgrade option?
ugh, well there's no "grep" in windows but i'm pretty sure $SPLUNK_HOME/var/log/splunk is still there. i'm not much of a windows user but i think the explorer has some "find in file" functionality. Also, if you're not running the latest version of SL then i'd recommend upgrading.
Assuming your cron scripts/actions can get the files off the hosting system & on to a system that splunk has access to, you could configure a local dir input on the splunk server (or forwarder, etc) & associate the desired metadata to any data that's indexed from that source. The cron actions could then just put the data there.
Not sure about being able to deploy a script via REST to a cloud instance but the webhook alert action might work for you:
http://docs.splunk.com/Documentation/Splunk/latest/Alert/Webhooks
any chance of this being a time-zone issue? Perhaps check to see whether the splunk account profile you're using has a different timezone setting than the firewall system.
This is a simple configuration where a forwarder on S2, where the db resides, queries the db via a scripted input & forwards the data to the indexer on S1.
As rbittner says above:
You have to convert your SL instance to an Enterprise instance. Installing SE on top of SL will work. The SE trial license will trump the SL license. Once you have your instance running as SE point it to the master license server.
sorry, i'm unclear on the issue.
Where is MySQL installed? on S1 or S2?
Do you need data that's inside MySQL (stored in tables, etc) or data that's on the filesystem?