I have several VM servers from an image. The host names have been changed but somewhere the old host name is populating the messages file. when I monitor the messages file on all the hosts they all have the same host name for that source OCT 13 08:02:29 OLDHOST fprintd ** Message: No device in use, exit Splunk sees this log as process fprintd coming from source "/var/log/messages" from host "OLDHOST" I have set the server.conf and the inputs.conf to the new host name but it is still pulling from the log file. Any help would be great ... View more

I am using TFTI agent with a splunk script to get user authentication. I use the "usermapping.py" file to map the user requesting access through the TFTI client to the role the user is assigned to have. I am using the "passwd" file to map the user to the display name. I have changed the pamscripted.py file to look for the passwd file in ~/etc/system/local and to get the user info like this. def getUsers( infoIn 😞 # just going to use /etc/passwd here but you may use any method you wish. FILE = open("/opt/splunk/etc/system/local/passwd" ,"r") fileLines = FILE.readlines() All is working fine and only authenticated users that are in the usermapping.py file are granted access and are restricted to there role. Here is my problem. Only the first 50 users show up in the Splunk Web as scripted users and only the first 50 users can see their saved reports/alerts/dashboards. The users can save the work and call it with the link but they can not select it or see it in the Splunk Web. Any help would be great We started using scripted authentication in 4.1 and are now at 6.5 I don't know when this limitation was introduced. Any ideas help would be greatly appreciated. ... View more

I have a search that will show me the top 3 processes like this host=foo sourcetype=top | timechart span=1m sum(pctCPU) BY COMMAND limit=3 useother=f I want to add the total line to the top three to combine them into one total CPU line. I tried this but it did not work host=foo sourcetype=top | timechart span=1m sum(pctCPU) BY COMMAND limit=3 useother=f | streamstats sum(pctCPU) as TOTAL Any help would be appreciated ... View more

Somehow all users on my staging server are restricted to some kind of search term. When I do this each on any other search head it works as expected index=_internal host="license-master" source=*license_usage.log type="Usage" idx=foo when I execute this on the staging system i can only get info about the "os" index and the "sos" index. No other index is showing. There are a few other really strange things about limited search capabilities on the staging system. How too I look for search restrictions that would affect all users, even admin. Thanks for your help ... View more

I have my frozen time set like this frozenTimePeriodInSecs = 47304000 (1.5 years) yet when I do this search | metadata index=foo type=hosts | stats max(lastTime) as lastTime, min(firstTime) as firstTime | convert ctime(*Time) my "firstTime" is more than two years from my "lastTime" lastTime firstTime 02/06/2017 07:10:40 01/16/2015 09:18:53 this is more than 2 years of data. How can I force retention time pruning or find out why pruning it not running correctly? ... View more

I have a Red-hat Enterprise Virtualization Hosts that I would like to put the Splunk Universal Forwarder on to collect logs. Is there any reason that I should not do this? ... View more

I installed the Splunk TA for Solaris 11 in my UF (Universal Forwarder) and left the default collection from the inputs.conf The stanza: [script://./bin/ldoms.sh] disabled=0 index = ia interval=600 source=solaris:ldoms sourcetype=solaris:ldoms is default but no data is being collected. When I run the ldoms.sh as root, it outputs the expected results. I do not see any errors in the splunkd.log file associated with the script. Any help in troubleshooting this issue would be great ... View more