Deployment Architecture

Thread Info

How to troubleshoot error "idx=... Throttling indexer, too many tsidx files in bucket=..." on my distributed management console?

Hi, I noticed this popping up on my Distributed Management Console the other day: throttled - idx=ngccc_app_log...

by Champion in

Load on indexers high, am I able to add more indexers to help?

hi all, I have 3 indexers with 26 CPU/ indexer they are crying out loud due to load. I may not be able to incr...

by Path Finder in

How to know what buckets are frozen due to size?

I got an alert that some of the indexes buckets have been frozen due to size. How to get the bucket details. I mean t...

by Builder in

What are the recommended steps to unsubscribe the forwarder at the management & deploymentserver?

Hi community,a few month ago I have overtaken our Splunk cluster from a colleague who quit his job.Now I have the sit...

by Explorer in

How to move frozen buckets back to warm?

We have changed how we do things, intending to move to smartcache shortly. We have a lot of frozen data we wo...

by Loves-to-Learn in

How do I integrate IBM Guardium with Splunk?

From an IP send logs to syslog server via tcp/udp 1503 and Universal forwarder install on this serverNeed to send lo...

by Explorer in

Why is my UF not connecting to HF and DS?

My UF configured with deployment server 8089 and with HF 9997 both are not connecting troubleshoot steps performed...

by Loves-to-Learn Everything in

If we add additional indexer to existing clustered indexers, how will we spread primary and replication buckets?

Hello guys, if we add new indexer to existing cluster of 3 indexers with RF=3 and SF=3, how will be spread primary...

by Motivator in

Help with error reload class

Hello colleaguesWhen running the command (/opt/splunk/bin/splunk reload deploy-server -class Class_Name -debug) Th...

by Communicator in

Why am I getting "Socket error communicating with splunkd" when I try to reload my deployment server to push out new configurations?

Socket error communicating with splunkd (error=The read operation timed out), path = /services/deployment/server/conf...

by Communicator in

Unable to delete search results

We are using 8.2.3 with SHC and multisite indexer clustering. We have some mismatch on key business data and we nee...

by Splunk Employee in

How the red flag, "the percentage of small buckets", works?

Hello everyone I have been trying to understand how this alert works because for my point of view doesn't make sense....

by Path Finder in

Help with Windows dormant enable search

Hi All, I want to create a use case where the account is inactive for 60 days and it got enable after 60 days.. ...

by Path Finder in

How to upgrade a single Search Head to a Search Head Cluster?

Hello, please I would like to know if the best approach to "move" a single Search Head to a Search Head Cluster i...

by Path Finder in

Does it make sense to have a DR indexer be part of cluster?

I inherited a splunk mesh of search-heads, deployment server, index cluster, etc. I am trying to figure out all this ...

by Path Finder in

If I have a Splunk DS version 9.0.1, what is the oldest version of Splunk UF that I can control, please?

Dear All, I have about 100 Splunk UFs at 7.0.1, 7.3.5, 8.1.5, 8.2.5 and 9.0.0.1 and they are NOT being managed by a...

by Contributor in

Can we configure input.conf define port with multiple sourcetype?

Can we configure input.conf define port with multiple sourcetype? For ex. [tcp://6134]index = topsourcetype = m...

by New Member in

The search job terminated unexpectedly in dashboard

I am getting "The search job terminated unexpectedly" in the dashboard. In search, the index is working fine. ...

by Loves-to-Learn in

Why is the latest version of the Forwarder Compatibility document still v 8.2.5, when we are on 9.0.1?

Dear All/Splunk Documentation Team, I am trying to get to read the Compatibility between forwarders and Splunk Ente...

by Contributor in

How do I run diagnostic tools without root access?

Hello, I have splunk starting up with systemd, and running as user splunk. I went to run the performance tasks...

by Path Finder in

Add non-clustered indexer and standalone search head to existing cluster

Hello,we had standalone search head and indexer in a pre-production environment then I created new clustered environm...

by Motivator in

Why am I getting this error when Migrating from windows to linux?

So i am in the process of migrating a distributed setup with 1 search head, 1 deployment/license server and 1 index s...

by Communicator in

What I can do to get the config in a Windows recognizable format?

I have a distributed environment with a search head (with deployment server) and indexer. I SSH into the search he...

by Observer in

User profile web UI option "Restart background jobs when the Splunk software is restarted" what does it actually do?

This option exists under each users profile. This seems to imply that if a user submits a long running (ie. 2 ...

by Motivator in

How can I find out what the deployment errors are?

I see the following - How can I find out what the deployment errors are? The interface also warns about s...

by Ultra Champion in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Deployment Architecture

Discussions

How to troubleshoot error "idx=... Throttling indexer, too many tsidx files in bucket=..." on my distributed management console?

Load on indexers high, am I able to add more indexers to help?

How to know what buckets are frozen due to size?

What are the recommended steps to unsubscribe the forwarder at the management & deploymentserver?

How to move frozen buckets back to warm?

How do I integrate IBM Guardium with Splunk?

Why is my UF not connecting to HF and DS?

If we add additional indexer to existing clustered indexers, how will we spread primary and replication buckets?

Help with error reload class

Why am I getting "Socket error communicating with splunkd" when I try to reload my deployment server to push out new configurations?

Unable to delete search results

How the red flag, "the percentage of small buckets", works?

Help with Windows dormant enable search

How to upgrade a single Search Head to a Search Head Cluster?

Does it make sense to have a DR indexer be part of cluster?

If I have a Splunk DS version 9.0.1, what is the oldest version of Splunk UF that I can control, please?

Can we configure input.conf define port with multiple sourcetype?

The search job terminated unexpectedly in dashboard

Why is the latest version of the Forwarder Compatibility document still v 8.2.5, when we are on 9.0.1?

How do I run diagnostic tools without root access?

Add non-clustered indexer and standalone search head to existing cluster

Why am I getting this error when Migrating from windows to linux?

What I can do to get the config in a Windows recognizable format?

User profile web UI option "Restart background jobs when the Splunk software is restarted" what does it actually do?

How can I find out what the deployment errors are?

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

Splunk Community Badges!

What You Read The Most: Splunk Lantern’s Most Popular Articles!

SC4S with Keepalived

Offline Logging and oberservability - on permises

v0.116.0 upgrade for EKS cluster gives webhook err...

Does a props/transforms.conf Visio stencil exist?

My servers class Agent allways in Pending status

Deployment Architecture

Are you a member of the Splunk Community?

Discussions