Deployment Architecture

Thread Info

Do I need to have autoLB on the search head?

I am getting the message Forwarding to indexer group default-autolb-group blocked for 100 seconds I am runn...

by Contributor in

How can I run a local search on my deployment server and make the results accessible for search?

Hello, I have a query that needs to run locally on the deployment server, but I want the results accessible on my ...

by Path Finder in

"Got Done key for an unknown bucket without getting any data"

I have a MultiSite indexing cluster, and a single Peer int site 2 is repeatedly reporting: ERROR TcpInputProc - ev...

by Ultra Champion in

Does a replication factor of three make sense?

Our eight indexers are under enormous stress and I wonder whether the replication factor of three makes any sense. Si...

by Ultra Champion in

How do I add a new node to a multisite indexer cluster?

Hello All i'm trying to find the way to to add new member to indexer cluster. do i need to follow same step that i...

by Path Finder in

Splunk TA Sharepoint error messages

This is a distributed deployment with a search head cluster and index cluster. The Splunk_TA_Microsoft_Sharepoint add...

by Path Finder in

Is there a REST API to create a deployment app on a deployment server?

Hi, Are there REST APIs to: 1. Create a deployment app on a deployment server 2. Create some conf files in that a...

by Path Finder in

Changing deployment server IP

Hi to all, I had a deployment server (server A), an indexer/search head (server B) and some monitored servers. I cop...

by Explorer in

Can the indexer cluster master itself decide to be a search head?

Hello Team, I am very curious to know the answer of this question. I have an index clustering setup consisting ...

by Explorer in

Audit - Tampering of Log Files by Unix Admin Possible?

I understand that 'Splunk Log Files/Index events' can be deleted (made non-searchable) with the 'can_delete' operator...

by New Member in

Linux logging on Splunk

I want to know industry standard for Linux system logging for security purpose. What files needs to be logged and how...

by New Member in

Splunk Apps that are installed on a deployment client running a universal forwarder (From Distributed SH)

As per somesoni2 answer in https://answers.splunk.com/answers/426786/is-there-a-way-to-get-a-list-of-splunk-apps-that...

by Super Champion in

Migrating ITSI from shared search head to dedicated search head?

I'm looking to migrate ITSI 2.4 (IT Service Intelligence), which is on a shared, clustered set of search heads (SH)'s...

by Splunk Employee in

How can I resolve this error I get from adding a new search head to my indexer clustering environment?

After I added a new search head to my indexer cluster environment, I started getting "Error = 'Couldn't deserialize, ...

by Splunk Employee in

Index Cluster Scaling

Is there a limit for the number of nodes in an indexer cluster, above wich we will see a performance degradation? Wit...

by Contributor in

How to block a server from pushing data to our Splunk server

We have a couple of unknown servers that push data to our Splunk serverI am not able to access these servers and not ...

by Path Finder in

How to dynamically change the span parameter in bucket without using drop down options.

I have a search like this: index=* source=*|....| bucket Time span=(1d/1h/5m)...| if I select last one month from...

by New Member in

Splunk log filtering via Splunk Heavy forwarder

Hello, I have the the logs coming from our IPS coming in below format: Connection logs: Aug 10 08:54:44 HOST SF...

by Explorer in

Scripted input not indexing fully

Hi Team, I have deployed a scripted input on the Cluster Master which will gives us the last accessed, modified ti...

by Path Finder in

Why does a peer in an indexer cluster not have the "cluster_label" label?

I have a clustered environment with many indexers, but for some reason one of the indexers are not playing nice with ...

by Engager in

How do I change the owner of a saved search or view in a search head cluster environment?

I need to change the owner of a search or dashboard view. Using the deployer merges changes from local.meta back to d...

by Splunk Employee in

How do I determine the appropriate timeout value for distributed search

I see timeouts with distributed search and currently have receiveTimeout set to 300. What metric(s) can I use to dete...

by Splunk Employee in

Bucket number exceeds maxHotBuckets value

Hi, In my splunk configurtation I have defined the maxHotBuckets to default value, so 3. When I monitor my indexer...

by New Member in

Adding users via REST API on search head cluster

Is it possible to add users via the Splunk REST API in a SH cluster? I thought that I had tested this but now when I ...

by Builder in

How can I get the shc status from the deployer

Hi, We have a SHC setup in our private cloud. So, picture servers going in/out/down/up... without the Splunk admin...

by Champion in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Deployment Architecture

Discussions

Do I need to have autoLB on the search head?

How can I run a local search on my deployment server and make the results accessible for search?

"Got Done key for an unknown bucket without getting any data"

Does a replication factor of three make sense?

How do I add a new node to a multisite indexer cluster?

Splunk TA Sharepoint error messages

Is there a REST API to create a deployment app on a deployment server?

Changing deployment server IP

Can the indexer cluster master itself decide to be a search head?

Audit - Tampering of Log Files by Unix Admin Possible?

Linux logging on Splunk

Splunk Apps that are installed on a deployment client running a universal forwarder (From Distributed SH)

Migrating ITSI from shared search head to dedicated search head?

How can I resolve this error I get from adding a new search head to my indexer clustering environment?

Index Cluster Scaling

How to block a server from pushing data to our Splunk server

How to dynamically change the span parameter in bucket without using drop down options.

Splunk log filtering via Splunk Heavy forwarder

Scripted input not indexing fully

Why does a peer in an indexer cluster not have the "cluster_label" label?

How do I change the owner of a saved search or view in a search head cluster environment?

How do I determine the appropriate timeout value for distributed search

Bucket number exceeds maxHotBuckets value

Adding users via REST API on search head cluster

How can I get the shc status from the deployer

Announcing the Expansion of the Splunk Academic Alliance Program

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

Offline Logging and oberservability - on permises

v0.116.0 upgrade for EKS cluster gives webhook err...

Does a props/transforms.conf Visio stencil exist?

My servers class Agent allways in Pending status

splunk_internal_telemetry:53 - Failed to send tele...