Monitoring Splunk

Thread Info

indexer cluster to SH cluster replication issue.

we have a SH cluster with 3 SH which is collecting data with indexer cluster having 3 indexers. Now the problem is da...

by Explorer in

How to run a script only on one search head in a SH cluster, preferably the captain?

i have a script that is currently executing on all search heads. Is there a way to execute on only the current capta...

by Explorer in

splunk

Hello Everyone this is how iam getting error massage , while forwarding data from universal forwarder to indexer , ...

by Loves-to-Learn in

No activity in Splunkd Threads on indexer

Hi, Looking at the activity of the Splunkd threads on the indexers, I've seen in the monitoring console that someti...

by Explorer in

Search Head GUI

Search Head GUI is not working. Found error in the splunk.d logs, not sure if it pertains to why gui is down. Anyone ...

by Explorer in

I recently installed the Universal forwarder in the local Machine, but I cannot see the windows logs sent to the indexes

01-09-2025 17:01:37.725 -0500 WARN TcpOutputProc [4940 parsing] - The TCP output processor has paused the data flow....

by Loves-to-Learn in

How can I fix the issue related to More than 70% of forwarding destinations have failed

01-09-2025 17:30:30.169 -0500 INFO PeriodicHealthReporter - feature="TCPOutAutoLB-0" color=red indicator="s2s_connec...

by Loves-to-Learn in

Distributed Search Configuration - sendRcvTimeout

Hi all, Do any of you all run into issues where the bundle replication keeps timing out and splunkd.log references ...

by Communicator in

Discarding Certain Events

Hello All! I am trying to discard a certain event before the Indexers Ingest it using keyword envoy. Below is an ...

by Observer in

Trying to understand compression - given % compression of X volume data, how much on disk is required?

I'm trying to understand the compression numbers provided by Splunk. Given a compression of, say, 40%, on a volume of...

by Champion in

Is timestamp extraction of milliseconds wrong?

FYI, it's possible if you have HF => third party s2s => indexer.

by Splunk Employee in

Cisco equipement in Splunk

Hello Splunkers  Have any of you worked with log files of Cisco equipment: - AP 9130 - WiFi Controller...

by Explorer in

The current production environment has encountered incomplete data returned by using the query map function.

1.Problem description The current production environment has encountered incomplete data returned by using the quer...

by Path Finder in

Use of persistent queue in UF

In which situation the persistent queue would be used in UF, only if indexer is slow in writing or is down for a lon...

by Communicator in

Detect sourcetype no reporting correct

Splunkersi thought i had an search to detect and alert when a sourcetype don't sent logs, but i found out that i may ...

by Path Finder in

Remove duplicate URLs from search result

Trying to get success and failure status count using below query but its not filtering out the duplicate URLs, Can so...

by Explorer in

warning msg with the msg "See search.log for more details." (should be searches.log)

Dear Splunk Dev team, One more simple typo issue: Splunk fresh install 9.4.0 (last week's version 9.3.2 also ha...

by SplunkTrust in

Alert

Hello, I just wanted to know more detailed information so I opened the case. About Alert settings. I set Thres...

by New Member in

How do we detect fluctuations in data ingestion?

We fail again and again these days when we have major spikes in ingestion, primarily with HEC. What would be a good a...

by Motivator in

During updating Splunk OTEL we are getting an error

Hello, We attempted to upgrade Splunk OTEL on the cluster using the helm3 upgrade command, but encountered the foll...

by Engager in

broken links on splunk web pages

Dear Splunkers... As i was checking about the fishbuckets at the splexicon https://docs.splunk.com/Splexicon:Fis...

by SplunkTrust in

Info from index=_internal does not match CMC ingest volume

Hello, dear Splunk Community. I am trying to extract the ingest volume from our client's search head, but I noticed...

by Engager in

Indexer saturation

[UPDATE] Hello everyone, and thanks in advance for your help. I'm very new to this subject so if anything is unclea...

by Path Finder in

Can I give commands to the agent?

hi index=idx_myindex source="/var/log/mylog.log" host="myhost-*" "memoryError" I know that if I give the conditio...

by Engager in

How splunk calls coldToFrozen.py script automatically

How splunk calls coldToFrozen.py script automatically once the script is setup in /opt/splunk/bin and indexes.conf fi...

by Engager in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Monitoring Splunk

Discussions

indexer cluster to SH cluster replication issue.

How to run a script only on one search head in a SH cluster, preferably the captain?

splunk

No activity in Splunkd Threads on indexer

Search Head GUI

I recently installed the Universal forwarder in the local Machine, but I cannot see the windows logs sent to the indexes

How can I fix the issue related to More than 70% of forwarding destinations have failed

Distributed Search Configuration - sendRcvTimeout

Discarding Certain Events

Trying to understand compression - given % compression of X volume data, how much on disk is required?

Is timestamp extraction of milliseconds wrong?

Cisco equipement in Splunk

The current production environment has encountered incomplete data returned by using the query map function.

Use of persistent queue in UF

Detect sourcetype no reporting correct

Remove duplicate URLs from search result

warning msg with the msg "See search.log for more details." (should be searches.log)

Alert

How do we detect fluctuations in data ingestion?

During updating Splunk OTEL we are getting an error

broken links on splunk web pages

Info from index=_internal does not match CMC ingest volume

Indexer saturation

Can I give commands to the agent?

How splunk calls coldToFrozen.py script automatically

Exciting News: The AppDynamics Community Joins Splunk!

The All New Performance Insights for Splunk

Good Sourcetype Naming

MSSP reporting

Splunk UBA

Talos Cisco IoCs Splunk ES

Problems with SA-Hydra

How to pause and resume the Splunk RUM agent

Monitoring Splunk

Are you a member of the Splunk Community?

Discussions