Knowledge Management

Ask a Question

Discussions

Thread Info

Permissions for accelerated datamodels?

Hi there. There is one thing that's not obvious for me. I understand that if I create a non-accelerated datamodel...

by SplunkTrust in

mmdb update

Can I get an assistance on the command to update mmdb in my environment for a particular state.

by New Member in

What is replicated across Search Heads without CLI?

I have recently created a field extraction on one search head that I have assigned all apps and users to read and wri...

by Path Finder in

Shared datamodels and CPU usage on indexers

Following https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Sharedatamodelsummaries I set up sharing acce...

by SplunkTrust in

Editing macro is giving a 404 error

When I tried to edit a macro in Settings\all Settings it is giving a 404 It seems the generated URL usees ...

by Explorer in

Splunk Add on Builder - data input deletion

I created an input_type (data input type) to collect data from external REST API using Splunk Add-on Builder app. Ho...

by Path Finder in

Why use data models instead of just having reports ?

Could someone please explain what are the scenarios where having a data-model would be important rather than using Re...

by Explorer in

How to change the ACCELERATE Data Model saved searches out of quotas?

We installed splunk_app_aws with default setting. The next day ALL the savedsearches were on the Skipped Search repor...

by Explorer in

Error in 'lookup' command: Must specify one or more lookup fields.

I have a lookup table with CVE listed which I dont want to be in our report so we have made the lookup table and addi...

by Loves-to-Learn Lots in

Search-macro that takes variable number of arguments

(Keywords: varargs macros, dynamically built K=V fields, passing variable number of search-result’s fields’ values to...

by Explorer in

Splunk Extract Command to process single or double quotes

Hello Gurus! I am sure some people may have run in to this. I am using extract command to parse fields from multi...

by Splunk Employee in

Setting props.conf on the search head or cluster master

Hi, I want to know what is the difference between setting props.conf on the search head instead or on the cluster ...

by Builder in

Splunk Cloud - Impossible Travel Alerts

Hello there, In Cloud Splunk is there a way however an alert could be created for example: attacker logs in from Lo...

by New Member in

Summary indexing impact on license volume

Will using summary indexes impact my total indexing volume and my license?

by Splunk Employee in

TIME_FORMET in props.conf

My csv source data file contains below timestamp . how can we convert the timestamp into TIME_FORMET representation i...

by Path Finder in

What is the role of calculationID at datamodel json file?

Hi All, As the title says, what is the role of calculationID at datamodel json file? I had to create many datam...

by Path Finder in

Regex extraction with dashes

Hi folks, It's been a while since i posted here, but it looks like I'm stuck a bit (again!) I'm trying to exclud...

by Path Finder in

How to Take certification

I've got a question about the courses and certification. Is there a certification for each course from the Fund...

by Engager in

Why is the "Enable summary indexing" option no longer available in 6.6.0?

I currently have several scheduled jobs which generate summarized data which gets inserted into the summary index. Th...

by Splunk Employee in

Limiting power user role to have write access in production

Hi Team, I have a situation, where I want my team to have power user access in production (for creating ko) but wit...

by Engager in

Cisco ice parse fields problem

Hello!We have index with cisco events and now we need to parse some fields such as device_mac and device_name. But we...

by Explorer in

search lookup errors

Hello, when i search from index=alfa_cisco_ice and see the errors: AutoLookupDriver - Could not load lookup='LOOKUP...

by Explorer in

List index from a datamodel

Hi, can someone one help me with an SPL so that I can list the indexes of a datamodel. datamodel name - authe...

by Explorer in

Can you help me with the following KV Store error: "Detected unclean shutdown - /home/dbindex/kvstore/mongo/mongod.lock is not empty"

Hi, I have several errors related to KV Store as: -Failed to start KV Store process. See mongod.log and splunkd...

by Explorer in

How to delete a correlation search

Hi Splunkers. I'm looking for a way to delete a correlation search that has been created with the wrong name (as ES...

by Path Finder in

Get Updates on the Splunk Community!

Knowledge Management

Discussions

Permissions for accelerated datamodels?

mmdb update

What is replicated across Search Heads without CLI?

Shared datamodels and CPU usage on indexers

Editing macro is giving a 404 error

Splunk Add on Builder - data input deletion

Why use data models instead of just having reports ?

How to change the ACCELERATE Data Model saved searches out of quotas?

Error in 'lookup' command: Must specify one or more lookup fields.

Search-macro that takes variable number of arguments

Splunk Extract Command to process single or double quotes

Setting props.conf on the search head or cluster master

Splunk Cloud - Impossible Travel Alerts

Summary indexing impact on license volume

TIME_FORMET in props.conf

What is the role of calculationID at datamodel json file?

Regex extraction with dashes

How to Take certification

Why is the "Enable summary indexing" option no longer available in 6.6.0?

Limiting power user role to have write access in production

Cisco ice parse fields problem

search lookup errors

List index from a datamodel

Can you help me with the following KV Store error: "Detected unclean shutdown - /home/dbindex/kvstore/mongo/mongod.lock is not empty"

How to delete a correlation search

.conf25 Community Recap

Splunk App Developers | .conf25 Recap & What’s Next

Congratulations to the 2025-2026 SplunkTrust!

New Splunk TcpOutput persistent queue

Solutions: "Splunk could not get the description f...

Restore Datasets in a Data Model from an App

After upgrade to 9.1.x and above overall increased...

Routing events on UF for sourcetypes with INDEXED_...

Knowledge Management

Are you a member of the Splunk Community?

Discussions