Deployment Architecture

Discussions

Thread Info

Does Universal Forwarder connection Loss cause data loss ?

Hello, I need help on understanding something. If I have a folder being monitored by a universal forwarder and ...

by Super Champion in

spath truncation

We have a log format which contains a JSON payload. When we attempt to parse using spath, anything after a certain ch...

by Explorer in

"ERROR ClusteringMgr - VerifyMultisiteConfig failed" when trying to join cluster

I have a cluster master up and running, and was able to add a single search head. Now, when I login to splunkweb on t...

by New Member in

Why are my thawing frozen buckets not restoring as expected?

Running Splunk v.7.0.2 in a distributed environment with 3 clustered indexers. Trying to restore frozen data to my st...

by Path Finder in

Issues with rolling restart (index cluster) & idea to add additional index peers

We have in index cluster: two node index clustertwo sites (one index peer in each site) We are seeing an issue ...

by Path Finder in

('Cannot connect to proxy.', error('Tunnel connection failed: 503 Service Unavailable',))

Hi, I am getting various errors while trying to upload data into splunk enterprise. I have tried uninstalling and re...

by New Member in

Multi-site cluster , wrong Restrictive retention caused data delete. Anyway to stop splunk from deleting rest of teh data.

Issue: Cluster Master with multi-site, by mistake wrong retention file was replicated and for the entire indexer in s...

by Communicator in

Wrong retention caused buckets to freeze in cluster- Need to restore frozen data

What happen is we were changining index cold volume..The change the size of warm db and force bucket to roll to cold ...

by Communicator in

Why are our logs being truncated to 10,000 characters?

I have set... [default] TRUNCATE = 20000 ...in $SPLUNK_HOME/etc/system/local/props.conf for our search heads ...

by Explorer in

Does replication happen on hot buckets?

The replication subject is a major one in the Splunk 7.1 Cluster Administration class. However, the instructor wasn't...

by Ultra Champion in

Accessing the Cluster Master situated on a private network using a windows machine

Hello, I am currently using Splunk sitting on a machine connected to public network. What I want to do, is, ope...

by Path Finder in

I deleted the trusted.pem in /splunk/etc/auth/ directory. Is there a way i can recover it?

by Explorer in

Is there an option to automate "restart Splunkd" on the Deployment server?

Hi, I am required to restart Splunk service on deployment clients at mid night everyday . Selecting "Restart Sp...

by Explorer in

how to manually control app config reload of specific deployment client

Hello, I have several critical UF/HF that providing equivalent service in a load-balanced topology. I would like t...

by Communicator in

File not indexing

Hi Team, I have an issue when i try to index one file (this one in picture) My input file is like this ...

by Explorer in

How do i configure a Splunk cold data path for separate indexers(peers) in an indexer cluster?

I currently have 4 indexers. I have a new mount drive that I am trying to send Splunk cold data to. [volume:cold] ...

by New Member in

SHC Deployer not showing up in the Monitoring Console overview

Hi guys, I've just set up a new SHC with the label shcluster1. Each search head and the deployer have this label....

by Communicator in

"Restart Splunk for your changes to take effect"

From the documentation (Getting Data In, v6.2.1): Restart Splunk for your changes to take effect Changes to con...

by Builder in

How do you reduce an index size that's taking a lot of space?

How do I reduce an index size in a way so that I can delete older data from the index to make the size of the index c...

by Builder in

What is the effect of annotate_punct on indexing time?

The architecting Splunk 7.1 Enterprise Deployments class empathizes that setting annotate_punct = false in props.conf...

by Ultra Champion in

Feature Request: register License Slave at License Master with token

With scaling infrastructure and the requirement to bind machines to a pool instead of using catch-all (slaves = *) we...

by Explorer in

Audit event generator: Now skipping indexing of internal audit events, because the downstream queue is not accepting data. Will keep dropping events until data flow resumes

I see warning message in splunk master node. "Audit event generator: Now skipping indexing of internal audit event...

by Engager in

Over 50 buckets went from hot to warm. How do I manage when they roll?

Have never had this error before, but today we had an alert that 100 buckets were created and it appears to be a lot ...

by New Member in

What will happen to our index cluster if we add another 5 Index Servers to the existing cluster?

Hi Guys, Maybe a bit of a challenging question, but how "intelligent" is the Splunk clusters really? Say you ha...

by Explorer in

servicesNS/undefined when using a domain for search head

We have notice the following behaviour when using a domain to hit a search head If we hit the search head directly...

by Engager in

Get Updates on the Splunk Community!

Deployment Architecture

Discussions

Does Universal Forwarder connection Loss cause data loss ?

spath truncation

"ERROR ClusteringMgr - VerifyMultisiteConfig failed" when trying to join cluster

Why are my thawing frozen buckets not restoring as expected?

Issues with rolling restart (index cluster) & idea to add additional index peers

('Cannot connect to proxy.', error('Tunnel connection failed: 503 Service Unavailable',))

Multi-site cluster , wrong Restrictive retention caused data delete. Anyway to stop splunk from deleting rest of teh data.

Wrong retention caused buckets to freeze in cluster- Need to restore frozen data

Why are our logs being truncated to 10,000 characters?

Does replication happen on hot buckets?

Accessing the Cluster Master situated on a private network using a windows machine

I deleted the trusted.pem in /splunk/etc/auth/ directory. Is there a way i can recover it?

Is there an option to automate "restart Splunkd" on the Deployment server?

how to manually control app config reload of specific deployment client

File not indexing

How do i configure a Splunk cold data path for separate indexers(peers) in an indexer cluster?

SHC Deployer not showing up in the Monitoring Console overview

"Restart Splunk for your changes to take effect"

How do you reduce an index size that's taking a lot of space?

What is the effect of annotate_punct on indexing time?

Feature Request: register License Slave at License Master with token

Audit event generator: Now skipping indexing of internal audit events, because the downstream queue is not accepting data. Will keep dropping events until data flow resumes

Over 50 buckets went from hot to warm. How do I manage when they roll?

What will happen to our index cluster if we add another 5 Index Servers to the existing cluster?

servicesNS/undefined when using a domain for search head

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

October Community Champions: A Shoutout to Our Contributors!

Splunk Attack Range v4 Local Ubuntu

Active Directory Deployment Failure in Splunk Atta...

State of SIR in ServiceNow not capturing

Offline Logging and oberservability - on permises

v0.116.0 upgrade for EKS cluster gives webhook err...

Deployment Architecture

Are you a member of the Splunk Community?

Discussions