Knowledge Management

Discussions

Thread Info

How do I maintain quality of the summary index?

You can you backfill to fill in missing pieces, but what happens when splunk or syslog run behind and events run part...

by Explorer in

GET Workflow Action - define different URI based on host value?

I am trying to configure a GET workflow action that decodes a session Id. The problem is that you have to pass the co...

by New Member in

Debugging summary indexes

Hi, I use summary indexing alot in my custom app. Recently I created a second app and added a summary index. The s...

by Path Finder in

Remove Old Summary Index

Hi - does anyone know how to remove old summary index data? I have a few summary indexes saved in the system that was...

by Path Finder in

Summary Index search problems

My scheduled search: [Summary Logins Per Second] action.summary_index = 1 action.summary_index._name = lgn-stats c...

by Influencer in

n00b question - splunk server is only host with indexing volume according to lic report

Why does the Splunk server show up as the only host indexing? We're running 3.x and our free lic is shot because it l...

by New Member in

How do I resolve a share library libpcre.so reference after an upgrade on Ubuntu Lucid 64bit

I recently update my Ubuntu 64bit system and splunk refuses to start. sudo apt-get dist-upgrade uname -a *Linux...

by Communicator in

Summary index results are limited

I’m building a report that finds the number of unique users in our activity log each day: sourcetype="accountTrans...

by Explorer in

errors while using unix tags in the search app

If i do a search within the unix app such as this: tag="access" i get plenty of results. If i perform the same search...

by Splunk Employee in

Tags not showing in this search....

Hi I have a search which is returning the tags in the display, the tags work as I report on these tags in all of our ...

by Path Finder in

Was the "edit_tags" capability removed?

Anyone know if edi_tags was removed? I'm seeing the following warning message in the logs: AuthorizationManag...

by Super Champion in

Why do my summary index events have maxtime="5m"?

Since upgrading to splunk 4.1, all of my summary indexing saved searches now include following term stuck on the end ...

by Super Champion in

Can I use n field values as field names for summary indexing?

I am running a script that, simply put, inserts a record into Splunk for each person that is using space on our stora...

by New Member in

limits on "action.summary.index" vs piping to "collect"

I've found that if I have a summarizing search using "stats" and I schedule it via the UI and use the "enable summary...

by Splunk Employee in

Single summary index match not visible with search_name?

I've got a summary index query which currently matches only one (1) event in my existing data. I've run the fill_summ...

by Path Finder in

Using summary index by default in app?

I'm writing an app that I know will index loads of data and then do some calculations on changes from day to day. To ...

by Splunk Employee in

Why are only 10,000 events making it into the summary index?

I'm having an issue with my summary index. I have a search which results in 48000+ events. I saved the search and ena...

by Splunk Employee in

Cannot automatically migrate pre 4.1 tags.conf: Clarification or Suggestion where to begin?

I just updated my indexer to 4.1 this morning and found the following in the migration log: Cannot automatica...

by SplunkTrust in

Tuning max searches on a summary indexing instance - how?

I have an instance that I've set up to only run summary searches. Essentially, its a search head but no users connect...

by Champion in

"The specified search is too large." Can somebody help me figure out what "too large" is?

A query to count tag=pci entries by eventtype (and happens to be part of the application): tag=pci | stats count b...

by Engager in

historical data on a new installation

I just installed splunk and indexed a log file with data that is from earlier this year, The summary dashboard shows ...

by Splunk Employee in

Get Updates on the Splunk Community!

Knowledge Management

Discussions

How do I maintain quality of the summary index?

GET Workflow Action - define different URI based on host value?

Debugging summary indexes

Remove Old Summary Index

Summary Index search problems

n00b question - splunk server is only host with indexing volume according to lic report

How do I resolve a share library libpcre.so reference after an upgrade on Ubuntu Lucid 64bit

Summary index results are limited

errors while using unix tags in the search app

Tags not showing in this search....

Was the "edit_tags" capability removed?

Why do my summary index events have maxtime="5m"?

Can I use n field values as field names for summary indexing?

limits on "action.summary.index" vs piping to "collect"

Single summary index match not visible with search_name?

Using summary index by default in app?

Why are only 10,000 events making it into the summary index?

Cannot automatically migrate pre 4.1 tags.conf: Clarification or Suggestion where to begin?

Tuning max searches on a summary indexing instance - how?

"The specified search is too large." Can somebody help me figure out what "too large" is?

historical data on a new installation

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

October Community Champions: A Shoutout to Our Contributors!

New Splunk TcpOutput persistent queue

Solutions: "Splunk could not get the description f...

Restore Datasets in a Data Model from an App

After upgrade to 9.1.x and above overall increased...

Routing events on UF for sourcetypes with INDEXED_...

Knowledge Management

Are you a member of the Splunk Community?

Discussions