Knowledge Management

Discussions

Thread Info

What is the best practice for installing and managing apps in a distributed environment?

We have Splunk installation in a distributed environment with search head clustering and indexer clustering enabled a...

by Contributor in

Question about fixing data in a summary search

We have a summary search that runs every hour. I have read about the fill_summary_index.py What i want to know is...

by SplunkTrust in

In order to retain a small subset of events for a longer retention period, is it possible to have events copied to two indexes at index time?

I have a need to retain a small subset of events in an index for a longer retention period. I have all the Windows Ev...

by New Member in

Exceptions count different when compared to creating event types

Hi I am a new to splunk and need help with a query: index=abc exception | rex ".?(?(?:\w+.)+\w*?Exception)."| stat...

by New Member in

How do I recover the data from the backed up kvstore folders/files and append it to the already accumulating data in my several KV Stores?

I was able to use the following "Answers" post to get my three member SHC KV Store up and running again: https://a...

by Path Finder in

Is Splunk good for storing audit logs?

We have SAAS solution and we want to store system's audit logs to Splunk, an example is we provide WebHooks to our cu...

by New Member in

Clarification on indexer retention

The documentation on this topic is not clear, so I am hoping someone can answer this for me. I need to keep data for ...

by Contributor in

Possible to create search macro using Arguments for a user list?

I have a search that references 80 users in username field: index=abc EventID=4625 (username=abc OR username=def O...

by Influencer in

I have a saved search scheduled to write to a summary index. How do I clear the summary index each time before the saved search is run again?

I have a saved search cron-scheduled to run every hour. This will write to a summary index each time. I want to clear...

by Path Finder in

Confused with the usage of si-commands

I'm trying to dig deeper into summary indexing, but at this point I feel a bit confused. What I did so far is: - crea...

by Communicator in

What is the use for these bundle directories?

Hello, I am working with a full distributed architecture: Deployement server, multi-site index cluster, search hea...

by Contributor in

How can i filter columns based on other column value

Hi, I have a created a table with columns A and B, we are using KV store to get the threshold config data and KV S...

by Path Finder in

Difference between eventgen and SA-eventgen?

I am familier with the eventgen but does eventgen app and sa-eventgen are same or does they different? I'm just curio...

by Builder in

Calculated field not showing up

I created a calculated field in one sourcetype and cloned it to another sourcetype. However the other one is not show...

by Explorer in

SPLUNK doesn't pick same content with different file name.

Hello, I want to monitor multiple files which contain same content but different file name. For example: count...

by Builder in

Splunk Calculated fields

Hi, I may be looking in the wrong place, but I am not able to find out information on how to use a few calculated ...

by Path Finder in

How to write to kvstore with java sdk?

We are trying to inject JSON directly into our KV Store instance while using a defined _key inside the JSON object. ...

by Explorer in

Splunk Cumulative Raw Data Size vs Index Disk Usage

Hi, Can someone clarify the difference between the cumulative raw data size found in the cluster settings on a spl...

by Engager in

Spunk forwarder scalability

I'm considering usage of splunk-forwarder to integrate a system that generates many small files that contain log mess...

by Engager in

How do I close 'My Investigations' after I am done with notable events?

I can see where we can create 'New Investigations', track or manage current investigations, delete or edit or remove ...

by Explorer in

Why can't you use a wildcard when searching for tags (tag=*)?

I've always known that you can't search tag=* but I never knew why. Maybe the old-time splunkers can elighten me?

by Splunk Employee in

Double backslash in a field value becomes single backslash in accelerated data model. How to retain the original field data with two backslashes?

One of our fields stores the name of a Windows UNC path, e.g.: \\server\share (two backslashes followed by ser...

by Builder in

Why indexing removes carriage return characters (0x0d)?

Example data in a file which should become a multi line event: 111111 222222 Both lines end with CR+LF (0x0d+0x0a)...

by Explorer in

How can I use the result table's value of the timechart

My search: |timechart span=1s sum(bit) by dst Result table: _time,1.1.1.1,2.2.2.2,3.3.3.3 090000,300,300,300...

by New Member in

How to update events with new key/value pairs on a per event basis?

Hi Splunkers, I was wondering if someone could shed some insight on whether this is even possible with Splunk, if ...

by Path Finder in

Get Updates on the Splunk Community!

Knowledge Management

Discussions

What is the best practice for installing and managing apps in a distributed environment?

Question about fixing data in a summary search

In order to retain a small subset of events for a longer retention period, is it possible to have events copied to two indexes at index time?

Exceptions count different when compared to creating event types

How do I recover the data from the backed up kvstore folders/files and append it to the already accumulating data in my several KV Stores?

Is Splunk good for storing audit logs?

Clarification on indexer retention

Possible to create search macro using Arguments for a user list?

I have a saved search scheduled to write to a summary index. How do I clear the summary index each time before the saved search is run again?

Confused with the usage of si-commands

What is the use for these bundle directories?

How can i filter columns based on other column value

Difference between eventgen and SA-eventgen?

Calculated field not showing up

SPLUNK doesn't pick same content with different file name.

Splunk Calculated fields

How to write to kvstore with java sdk?

Splunk Cumulative Raw Data Size vs Index Disk Usage

Spunk forwarder scalability

How do I close 'My Investigations' after I am done with notable events?

Why can't you use a wildcard when searching for tags (tag=*)?

Double backslash in a field value becomes single backslash in accelerated data model. How to retain the original field data with two backslashes?

Why indexing removes carriage return characters (0x0d)?

How can I use the result table's value of the timechart

How to update events with new key/value pairs on a per event basis?

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

New Splunk TcpOutput persistent queue

Solutions: "Splunk could not get the description f...

Restore Datasets in a Data Model from an App

After upgrade to 9.1.x and above overall increased...

Routing events on UF for sourcetypes with INDEXED_...

Knowledge Management

Are you a member of the Splunk Community?

Discussions