Knowledge Management

Discussions

Thread Info

Definitive way to determine whether or not a machine is communicating with Splunk whether Windows or Unix?

Does anyone know how to generally quantify within a report or otherwise whether or not a system with an OS of any typ...

by Path Finder in

Scaling kv store performance

I am encountering an issue with the kvstore (6.4.1/6.4.2) where i am hitting a relative performance limit with update...

by Motivator in

props.conf field extraction

Hi, i try to extract a field in props.conf on search head/indexer. Data comes from UF. props.conf [mysyslog] EXTRA...

by Path Finder in

How to collect Slack logs

Hi, I created an app with an inputs.conf file to collect syslog data (udp 514) from a particular host and send it to...

by Engager in

What is your best practice for search slicing by host environment/role?

Hey there! I did not find an optimal solution for myself yet. But I guess many of you have similar use cases, so m...

by Explorer in

Is it possible to connect directly to MongoDB?

I want to maintain a lot of data in my KV Store, but in order to do so I have to keep it clean; but aging out old dat...

by Path Finder in

Disable kvstore replication to indexers

According to this post kvstores get replicated to indexers. Is there a way to disable or specifically control this...

by Motivator in

Unable to save summary search because summary index is missing

Our summary index is not recognized in UI when attempt to save a scheduled search to write to it. These indexes are j...

by Champion in

Can someone help me better understand a few things about kvstore?

As a Splunk beginner, I want to understand few things about kvstore. Could anyone explain me in brief? Is kvstore ...

by Communicator in

How to disable or hide an old field name when selecting "Add Auto-Extracted Field" for a data model?

Hi All, We have created a data model with root object. In our data, we have the fields in our CSV which have "spac...

by Builder in

How does creating a data model affect storage and memory?

I am asking this question as I dig thru the documentation. Currently I don't have a lot of reserve disk storage or...

by Contributor in

Can anyone help me distinguish the fields user and src_user in CIM model Account Management (Change Analysis)?

As stated in the title, I'm looking for someone tell the differences between the field user and src_user in the CIM M...

by Engager in

How long is data stored and refreshed in Splunk Cloud?

I am working on a project in Splunk Cloud and one of the questions I wanted to iron out was how data is stored and re...

by New Member in

What causes this scheduler failure? "Error in 'summaryindex' command: Permission denied to index 'summary'."?

06-08-2016 21:11:02.773 -0400 ERROR SavedSplunker - savedsearch_id="UserX;search;ss_index_delay_times", message="Erro...

by Influencer in

After creating a workflow action, why don't I see any options for workflow once I search for some logs?

Team, Work flow action is not working in Splunk. I have created a workflow based on the documentation, but I didn'...

by New Member in

How do I get an existing index to freshly re-index the same data input directory

Hi, I accidentally truncated my index by dropping the index limit by 3 orders of magnitude. Instead of years of da...

by Engager in

Summary indexing not working

Hi, I have a job set up to create a summary index off the license data for longer term storage. The job ran, but m...

by Champion in

Can the scrub command be used to scrub only the driver license field from results?

I need to pass log data to another applications, but because of security concerns, I need to scrub only the driver li...

by Path Finder in

Backfill automated bash script timeout: Is there a best practice on how much data can be backfilled per thread/search?

I have created a bash script to assist with automation of backfilling missing data and to avoid overloading the serve...

by Explorer in

Issue with writing to an index

I have this convoluted dbquery for sccm and I've boiled it down to a time and a value in a table. The end of the s...

by Builder in

Eventtypes' numbers limits

Good Morning all, Anybody knows if exists a limit regarding the amount of eventtype I could set into splunk? I alr...

by Path Finder in

Summary Index Backfiller fill_summary_index.py broken? "No scheduled times for your time range"

Hi Fellow Splunkers, After having upgraded to 6.4.1 yesterday, I had a go with fill_summary_index.py again, and no...

by Path Finder in

Is it possible to modify an indexed event?

Is it possible to modify an indexed event? My company is using Splunk for detecting suspicious activities. One of the...

by New Member in

/apps/splunk/var/lib/splunk/kvstore/mongo - Why is this used?

Hi, I have came across this path /apps/splunk/var/lib/splunk/kvstore/mongo. I tried to understand why this is used...

by Path Finder in

Is it possible to use one field alias for multiple fields?

Hi, is it possible to use one field alias for multiple fields? For example I want to use field aliases to renam...

by Motivator in

Get Updates on the Splunk Community!

Knowledge Management

Discussions

Definitive way to determine whether or not a machine is communicating with Splunk whether Windows or Unix?

Scaling kv store performance

props.conf field extraction

How to collect Slack logs

What is your best practice for search slicing by host environment/role?

Is it possible to connect directly to MongoDB?

Disable kvstore replication to indexers

Unable to save summary search because summary index is missing

Can someone help me better understand a few things about kvstore?

How to disable or hide an old field name when selecting "Add Auto-Extracted Field" for a data model?

How does creating a data model affect storage and memory?

Can anyone help me distinguish the fields user and src_user in CIM model Account Management (Change Analysis)?

How long is data stored and refreshed in Splunk Cloud?

What causes this scheduler failure? "Error in 'summaryindex' command: Permission denied to index 'summary'."?

After creating a workflow action, why don't I see any options for workflow once I search for some logs?

How do I get an existing index to freshly re-index the same data input directory

Summary indexing not working

Can the scrub command be used to scrub only the driver license field from results?

Backfill automated bash script timeout: Is there a best practice on how much data can be backfilled per thread/search?

Issue with writing to an index

Eventtypes' numbers limits

Summary Index Backfiller fill_summary_index.py broken? "No scheduled times for your time range"

Is it possible to modify an indexed event?

/apps/splunk/var/lib/splunk/kvstore/mongo - Why is this used?

Is it possible to use one field alias for multiple fields?

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

New Splunk TcpOutput persistent queue

Solutions: "Splunk could not get the description f...

Restore Datasets in a Data Model from an App

After upgrade to 9.1.x and above overall increased...

Routing events on UF for sourcetypes with INDEXED_...

Knowledge Management

Are you a member of the Splunk Community?

Discussions

Can’t make it to .conf25? Join us online!