Knowledge Management

Thread Info

what is the difference between "summary index" and alert action "Log Event"?

I think both of these function can output alert's result to index. Then, is the difference only these? 1. "summary...

by Builder in

extract date from filename in Splunk with customized datetime.xml?

hey All i want to extract date from filename the file name is as following : filename xxx9935_20190223.txt datetime....

by Explorer in

Return only some key from KvStore through API.

Hi Splunkers, In order to update, delete or create entries in KvStore only when it's necessary, i'm looking to get...

by New Member in

Do we need TTL in war room situations?

We reach situations in which Splunk is being used heavily in war rooms by many people and there all the quotas work a...

by Ultra Champion in

how to use rex function different different pattern of data

In my scenario data filename having different different of pattern : Sample filename data : File_Name | Client_nam...

by Engager in

Local KV store replication issues.

Hi, I am seeing some KV store replication errors on some of the search heads in the cluster. We wish to remove tha...

by Builder in

[Smartstore]After migration to smart store Splunk Index Cluster Issues - bucket fixup pending for more than 48 hours

During the Migration from to SmartStore following issues were faced. Issue 1: Many of the Bucket were stuck up in ...

by Splunk Employee in

Is it ok to convert the existing journals after changing the journalcompression setting?

I recently changed journalcompression from the default gzip to zstd. That is working fine. I'd like to go ahead and c...

by New Member in

Advice on using eventtype, macro, tags or something else for easy user reference

Hi, We have Apache logs in a variety of indexes from a variety of hosts which represent a variety of different env...

by Builder in

How to disable default data models?

Hey guys, Can someone please tell me how to disable default data models in splunk? Any help would be greatly appre...

by New Member in

Help to disable default Data Models

Hey Guys, Can someone please tell me how to disable default data models in splunk. Any help would be greatly appre...

by New Member in

Oldest 50 Tickest that are OPEN

I am having hard times to query the Splunk. The data in splunk is a list of tickets and their updates over time i.e: ...

by Explorer in

What is the best way to keep learning Splunk even if you are not working on it day in day out?

Recently my project has changed which is totally different than what i have been doing (Splunking). But since i love ...

by Contributor in

How come my macro data isn't refreshing in new searches?

I have a macro that I created and have since added additional data to it. However, when I search the new data does no...

by Explorer in

Where configure reciever port?

Hello splunker, we have a cluster with 1 master and 2 indexer My question is where configure reciever port for for...

by Path Finder in

How can we search the data which we moved in to summary index?

Hello Team, Recently i have created one report to send the data from _introspection index to summary index using c...

by Path Finder in

Can I convert an indexer cluster into a single indexer without losing any data?

current Splunk architecture: a standalone search head + an indexer cluster (contains three indexers)+ a cluster ma...

by Contributor in

Clustered Indexers not shown within the DMC despite adding the Master Node as search peer in DMC

As per the documentation for adding search peers in DMC which states Do not add clustered indexers, but be sure to ad...

by Motivator in

Column names with Oracle and DB Connect

I have a DB Connect input: SELECT EVENT_ID, EVENT_TYPE, ... FROM table WHERE EVENT_ID > ? ORDER BY EVENT_ID ASC. The...

by Explorer in

What is the default order for tag usage?

I am trying to understand the order for tag usage in a search. I have a user with a saved search in their user con...

by Engager in

How to extract events from multiline event using multikv ?

Hi, I am trying to extract events from a multiline event using multikv. I need to split each event Starting fr...

by New Member in

help required on lookup

Hi, I used the below to lookup for a query from a lookup file/table and execute it. Lookup file - search_queries.c...

by New Member in

Importing history for summary index

Hello, we migrated another app from our application suite to Splunk and I have built dashboard which is making mai...

by Explorer in

[SmartStore]Trigger that would cause a cluster to resync from remote storage

what are the triggers that would cause a cluster to resync from remote storage -> local disk? ie… if i have some dang...

by Splunk Employee in

Conditional SPL

How do you build a query that takes two different SPL paths based on a condition within the data? Example: Write the ...

by Splunk Employee in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Knowledge Management

Discussions

what is the difference between "summary index" and alert action "Log Event"?

extract date from filename in Splunk with customized datetime.xml?

Return only some key from KvStore through API.

Do we need TTL in war room situations?

how to use rex function different different pattern of data

Local KV store replication issues.

[Smartstore]After migration to smart store Splunk Index Cluster Issues - bucket fixup pending for more than 48 hours

Is it ok to convert the existing journals after changing the journalcompression setting?

Advice on using eventtype, macro, tags or something else for easy user reference

How to disable default data models?

Help to disable default Data Models

Oldest 50 Tickest that are OPEN

What is the best way to keep learning Splunk even if you are not working on it day in day out?

How come my macro data isn't refreshing in new searches?

Where configure reciever port?

How can we search the data which we moved in to summary index?

Can I convert an indexer cluster into a single indexer without losing any data?

Clustered Indexers not shown within the DMC despite adding the Master Node as search peer in DMC

Column names with Oracle and DB Connect

What is the default order for tag usage?

How to extract events from multiline event using multikv ?

help required on lookup

Importing history for summary index

[SmartStore]Trigger that would cause a cluster to resync from remote storage

Conditional SPL

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform

New Splunk TcpOutput persistent queue

Forwarders blocking / Splunk Cloud Dead Letter Qu...

Solutions: "Splunk could not get the description f...

Restore Datasets in a Data Model from an App

After upgrade to 9.1.x and above overall increased...