All Posts

Hi, as others already said, you can do it. BUT first you should think about whether this is really needed or not, or whether there is a better way to do it. How much data do you have on this old server? Is it better to migrate that data to a new indexer cluster node and then migrate that node into the indexer cluster? Also, do you really need a SHC as you have only a two-node indexer cluster? Usually a SHC creates more complexity than just using one bigger SH. Of course your use case could need it, but then it also needs a bigger indexer cluster and probably that should be a multisite cluster instead of a standard cluster. I propose that you contact some local Splunk Partner or PS service and plan your environment based on your real use case and needs. r. Ismo

Will the Searchbase App (https://splunkbase.splunk.com/app/7188) ever be made available for general download?

Here is Splunk's own Search Tutorial, https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial, which contains some example data sets. It's easiest to use it. Of course you could use your own datasets, but then you must understand how to get data into Splunk: https://docs.splunk.com/Documentation/Splunk/latest/Data/WhatSplunkcanmonitor. r. Ismo

Hello everyone, looking for a little guidance on our Splunk deployment for a system. Currently, we have a few different sites that span across the US with universal forwarders deployed to all of the systems and reporting back to one main Splunk instance individually. I'd like to see about splitting the Splunk system up into two separate parts to improve integrity and reduce latency, but have never dealt with deploying a heavy forwarder in an instance like this. My thought is to have all of the western universal forwarders sending their events to a dedicated western heavy forwarder, have all of the eastern universal forwarders send their data to the eastern heavy forwarder, and have both of the heavy forwarders send their data to our main Splunk instance. (Crude Visio below.) Any guidance is greatly appreciated!

You should create a support/bug report with Splunk support. Maybe they see this the same way and add this to the fix list?

Just some quick points:
- Fields are specific to the index they are a part of; they may not exist across indexes (though this is less problematic if your data is properly normalized).
- Have you done the queries to interrogate the data, as it exists, in your environment and identified which indexes and fields you want exist as needed (cf. PickleRick's comment about use case)?

Some other, hopefully relevant, thoughts (which, from my experience, are sometimes useful in providing food for thought and context, especially for greener admins like me).

To add to the other relevant responses, and more generally in working with Splunk (and this does depend on whether you are a user or an admin, and even here this may mean different things depending on your organization) and trying to craft queries about data in your environment, it matters how you are configuring the ingestion (including, depending, the related architecture, like if there is a syslog server, or some TA needed), setting up the indexes, configuring what counts as a source (a hint that there is a ton of customizability to Splunk), and setting a schema for hostnames, either auto-extracted during ingestion or otherwise configured in a CONF or using a lookup. Because there is a fairly large degree of customizability and arbitrariness in configurations (which may simply more reflect your environment (and its architecture), what your business wants/needs, etc.), what is being ingested, how it is labeled (are you specifying this, setting a schema, or just letting a TA or Splunk figure it out), and whether there are standards for anything (internal to your organization or company policy etc.), it can sometimes be hard to give specific advice without you spelling out all of the particulars.

In your case, some better sense of what is indexed and tagged and what fields are available, per index (since the fields exist inside of the index, per source, rather than necessarily being standard, which is helped by following CIM normalization best practices), will help you enormously in taking care of tasks like this. The larger idea here is to be kind to your future self and to others who have to interact with and admin your Splunk environment: follow best practices that make these tasks easier.

REFs:
- https://docs.splunk.com/Documentation/CIM/5.3.2/User/UsetheCIMtonormalizedataatsearchtime
- https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Getstartedwithgettingdatain
- https://docs.splunk.com/Documentation/SplunkCloud/9.2.2403/Data/Aboutindexedfieldextraction
- https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-use-splunk-to-create-a-CMDB-like-table-of-asset-info/m-p/657338
- https://splunkbase.splunk.com/

Have you checked this: https://docs.splunk.com/Documentation/Splunk/9.3.0/DashStudio/inputs ?

I am also looking for a solution that supports parquet format.

It is an Outlook question whether you can enable it to send email using your credentials from Splunk or any other external service. As far as I remember, you can't just use user/password to authenticate to Outlook's SMTP, and Splunk doesn't support (at least not using the built-in sendemail.py) alternative modes of authentication.

Are you sure that Splunk is running on your host? You could just check it with the "splunk status" command on the command line.

Hi all! I would like to create a no_msg_wait_time column here. This is my existing Splunk search query:

index=index source="D:\\Temp\\logs\\Logpath\\examplelog.log"
| rex field=_raw "^(?<date>\d{4}-\d{2}-\d{2})\s+(?<timestamp>\d{2}:\d{2}:\d{2},\d{3})"
| rex field=_raw "Done Bulk saving messages, Count=(?<count>\d+), used (?<db_bulk_write_time>\d+) ms"
| where isnotnull(count)
| eval event_time=strptime(date . " " . timestamp, "%Y-%m-%d %H:%M:%S,%3N")
| sort 0 event_time
| streamstats current=f last(event_time) as prev_event_time
| eval processing_time=if(isnull(prev_event_time), 0, event_time - prev_event_time)
| fields date, timestamp, processing_time, count, db_bulk_write_time
| eval processing_time = processing_time * 1000
| table date, timestamp, processing_time, count, db_bulk_write_time, _raw

Below is an example of the log lines. I would like to create a no_msg_wait_time column with the following results: it would count how many "No message to handle (noMessageHandleCounter=*), retry in 1000 ms" lines there are between each "Done Bulk saving messages". So if there are 4 in between, then no_msg_wait_time will be 4000ms; if there are none (zero) in between, then no_msg_wait_time will be 0ms.

So using my current example here:

2024-08-07 21:13:07,710 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:07,710 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=4), retry in 1000 ms
2024-08-07 21:13:08,742 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:08,742 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=5), retry in 1000 ms
2024-08-07 21:13:09,757 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:09,757 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=6), retry in 1000 ms
2024-08-07 21:13:10,773 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:10,773 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=7), retry in 1000 ms
2024-08-07 21:13:11,007 [15] INFO DistributorCommon.WMQClient [(null)] - Message Read from Queue, Message Length:4504
2024-08-07 21:13:11,132 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=1), retry in 10 ms.
2024-08-07 21:13:11,257 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=2), retry in 10 ms.
2024-08-07 21:13:11,382 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=3), retry in 10 ms.
2024-08-07 21:13:11,507 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=4), retry in 10 ms.
2024-08-07 21:13:11,632 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=5), retry in 10 ms.
2024-08-07 21:13:11,757 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=6), retry in 10 ms.
2024-08-07 21:13:11,882 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=7), retry in 10 ms.
2024-08-07 21:13:11,882 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 1
2024-08-07 21:13:11,882 [39] INFO DistributorCommon.WMQClient [(null)] - Processing messages, Count=1
2024-08-07 21:13:11,882 [39] INFO DistributorCommon.WMQClient [(null)] - Done Processing messages, Count=1, IsBufferedEvent=True
2024-08-07 21:13:11,882 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Bulk saving messages, Count=1
2024-08-07 21:13:12,007 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 113 ms
2024-08-07 21:13:12,007 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=8), retry in 10 ms.
2024-08-07 21:13:12,054 [39] INFO DistributorCommon.WMQClient [(null)] - Saved messages to DB, Q Manager to Commit (Remove messages from Queue)
2024-08-07 21:13:12,132 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=9), retry in 10 ms.
2024-08-07 21:13:12,179 [39] INFO DistributorCommon.WMQClient [(null)] - Clear Write Buffer
2024-08-07 21:13:12,257 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:12,398 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:12,528 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:12,778 [33] INFO DistributorCommon.WMQClient [(null)] - Message Read from Queue, Message Length:4668
2024-08-07 21:13:12,809 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 1
2024-08-07 21:13:12,809 [39] INFO DistributorCommon.WMQClient [(null)] - Processing messages, Count=1
2024-08-07 21:13:12,809 [39] INFO DistributorCommon.WMQClient [(null)] - Done Processing messages, Count=1, IsBufferedEvent=True
2024-08-07 21:13:12,809 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Bulk saving messages, Count=1
2024-08-07 21:13:12,825 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 24 ms
2024-08-07 21:13:12,841 [39] INFO DistributorCommon.WMQClient [(null)] - Saved messages to DB, Q Manager to Commit (Remove messages from Queue)
2024-08-07 21:13:12,934 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=1), retry in 10 ms.
2024-08-07 21:13:12,966 [39] INFO DistributorCommon.WMQClient [(null)] - Clear Write Buffer
2024-08-07 21:13:13,059 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=2), retry in 10 ms.
2024-08-07 21:13:13,059 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:13,184 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=3), retry in 10 ms.
2024-08-07 21:13:13,200 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:13,325 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=4), retry in 10 ms.
2024-08-07 21:13:13,341 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:13,466 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=5), retry in 10 ms.
2024-08-07 21:13:13,466 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:13,466 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=4), retry in 1000 ms
2024-08-07 21:13:13,591 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=6), retry in 10 ms.
2024-08-07 21:13:13,716 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=7), retry in 10 ms.
2024-08-07 21:13:13,841 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=8), retry in 10 ms.
2024-08-07 21:13:13,966 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=9), retry in 10 ms.
2024-08-07 21:13:14,481 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:14,481 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=5), retry in 1000 ms
2024-08-07 21:13:15,497 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:15,497 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=6), retry in 1000 ms
2024-08-07 21:13:15,731 [20] INFO DistributorCommon.WMQClient [(null)] - Message Read from Queue, Message Length:7648
2024-08-07 21:13:15,856 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=1), retry in 10 ms.
2024-08-07 21:13:15,981 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=2), retry in 10 ms.
2024-08-07 21:13:16,106 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=3), retry in 10 ms.
2024-08-07 21:13:16,231 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=4), retry in 10 ms.
2024-08-07 21:13:16,356 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=5), retry in 10 ms.
2024-08-07 21:13:16,481 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=6), retry in 10 ms.
2024-08-07 21:13:16,606 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=7), retry in 10 ms.
2024-08-07 21:13:16,606 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 1
2024-08-07 21:13:16,606 [39] INFO DistributorCommon.WMQClient [(null)] - Processing messages, Count=1
2024-08-07 21:13:16,606 [39] INFO DistributorCommon.WMQClient [(null)] - Done Processing messages, Count=1, IsBufferedEvent=True
2024-08-07 21:13:16,606 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Bulk saving messages, Count=1
2024-08-07 21:13:16,622 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 11 ms
2024-08-07 21:13:16,637 [39] INFO DistributorCommon.WMQClient [(null)] - Saved messages to DB, Q Manager to Commit (Remove messages from Queue)
2024-08-07 21:13:16,731 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=8), retry in 10 ms.
2024-08-07 21:13:16,762 [39] INFO DistributorCommon.WMQClient [(null)] - Clear Write Buffer
2024-08-07 21:13:16,856 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=9), retry in 10 ms.
2024-08-07 21:13:16,856 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:16,997 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:17,137 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:17,278 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:17,278 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=4), retry in 1000 ms
2024-08-07 21:13:18,294 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:18,294 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=5), retry in 1000 ms
2024-08-07 21:13:19,309 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:19,309 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=6), retry in 1000 ms
2024-08-07 21:13:19,544 [28] INFO DistributorCommon.WMQClient [(null)] - Message Read from Queue, Message Length:13568
2024-08-07 21:13:19,669 [28] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=1), retry in 10 ms.
2024-08-07 21:13:19,794 [28] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=2), retry in 10 ms.
2024-08-07 21:13:19,919 [28] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=3), retry in 10 ms.
2024-08-07 21:13:20,044 [28] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=4), retry in 10 ms.
2024-08-07 21:13:20,169 [28] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=5), retry in 10 ms.
2024-08-07 21:13:20,294 [28] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=6), retry in 10 ms.
2024-08-07 21:13:20,419 [28] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=7), retry in 10 ms.
2024-08-07 21:13:20,419 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 1
2024-08-07 21:13:20,419 [39] INFO DistributorCommon.WMQClient [(null)] - Processing messages, Count=1
2024-08-07 21:13:20,419 [39] INFO DistributorCommon.WMQClient [(null)] - Done Processing messages, Count=1, IsBufferedEvent=True
2024-08-07 21:13:20,419 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Bulk saving messages, Count=1
2024-08-07 21:13:20,434 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 12 ms

And my current results are as follows (I manually added the expected no_msg_wait_time):

| date | timestamp | processing_time | count | db_bulk_write_time | no_msg_wait_time | _raw |
|---|---|---|---|---|---|---|
| 2024-08-07 | 21:13:07,070 | 0.00 ms | 1 | 13.00 ms | this one should be zero as I don't have a log line before it to calculate from (assume this is the start of the log) | 2024-08-07 21:13:07,070 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 13 ms |
| 2024-08-07 | 21:13:12,007 | 4,937.00 ms | 1 | 113.00 ms | 4000ms (as there are 4 "no message to handle, ... 1000ms") | 2024-08-07 21:13:12,007 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 113 ms |
| 2024-08-07 | 21:13:12,825 | 818.00 ms | 1 | 24.00 ms | 3000ms | 2024-08-07 21:13:12,825 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 24 ms |
| 2024-08-07 | 21:13:16,622 | 3,797.00 ms | 1 | 11.00 ms | 10,000ms | 2024-08-07 21:13:16,622 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 11 ms |
| 2024-08-07 | 21:13:20,434 | 3,812.00 ms | 1 | 12.00 ms | and so on and so forth | 2024-08-07 21:13:20,434 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 12 ms |

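The counting rule the post asks for (events sorted by time, a running count of "No message to handle" lines that resets at every "Done Bulk saving" line, reported as count × 1000 ms beside the existing processing_time and db_bulk_write_time columns) is small enough to show end to end outside Splunk. The following is an added reference implementation in Python, not code from the poster or from Splunk; the sample lines are a constructed, trimmed subset modelled on the log format quoted above, and the function names are this example's own. It goes slightly beyond the post in one respect: it sums the "retry in N ms" value from each matched line rather than hard-coding 1000, which gives the same result as count × 1000 for this log but stays correct if the retry interval ever changes.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the log format quoted in the post.
# A hand-made subset for illustration, not the poster's actual file.
SAMPLE_LOG = """\
2024-08-07 21:13:07,070 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 13 ms
2024-08-07 21:13:07,710 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:07,710 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=4), retry in 1000 ms
2024-08-07 21:13:08,742 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=5), retry in 1000 ms
2024-08-07 21:13:09,757 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=6), retry in 1000 ms
2024-08-07 21:13:10,773 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=7), retry in 1000 ms
2024-08-07 21:13:11,132 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=1), retry in 10 ms.
2024-08-07 21:13:12,007 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 113 ms
2024-08-07 21:13:12,825 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 24 ms
2024-08-07 21:13:13,466 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=4), retry in 1000 ms
2024-08-07 21:13:14,481 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=5), retry in 1000 ms
2024-08-07 21:13:15,497 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=6), retry in 1000 ms
2024-08-07 21:13:16,622 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 11 ms
"""

# Same timestamp shape the post's first rex extracts: "2024-08-07 21:13:07,710".
TS_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2},\d{3})")
# The boundary event the post groups on (same pattern as its second rex).
DONE_RE = re.compile(r"Done Bulk saving messages, Count=(?P<count>\d+), used (?P<db_ms>\d+) ms")
# The idle-retry event to count. Deliberately does NOT match the similar
# "No msg in the queue (NoMessageCounter=N), retry in 10 ms." lines.
NO_MSG_RE = re.compile(
    r"No message to handle \(noMessageHandleCounter=\d+\), retry in (?P<retry_ms>\d+) ms"
)


def parse_ts(line):
    """Return the event time of a log line, or None if it has no leading timestamp."""
    m = TS_RE.match(line)
    if not m:
        return None
    # %f accepts the 3-digit millisecond field after the comma.
    return datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S,%f")


def bulk_save_rows(log_text):
    """One row per 'Done Bulk saving' event, carrying the idle wait accumulated
    since the previous one. Mirrors the post's sort + streamstats and adds the
    no_msg_wait_time column."""
    events = []
    for line in log_text.splitlines():
        ts = parse_ts(line)
        if ts is not None:
            events.append((ts, line))
    events.sort(key=lambda e: e[0])  # stable sort keeps file order for equal timestamps

    rows = []
    prev_done_ts = None
    no_msg_count = 0
    no_msg_wait_ms = 0
    for ts, line in events:
        nm = NO_MSG_RE.search(line)
        if nm:
            no_msg_count += 1
            no_msg_wait_ms += int(nm["retry_ms"])  # 1000 ms per line in this log
            continue
        d = DONE_RE.search(line)
        if not d:
            continue  # any other line type is ignored
        if prev_done_ts is None:
            # First bulk save: no earlier boundary to measure from, so both
            # processing_time and no_msg_wait_time are reported as 0, as the post asks.
            processing_ms, wait_ms, wait_count = 0, 0, 0
        else:
            processing_ms = (ts - prev_done_ts) // timedelta(milliseconds=1)
            wait_ms, wait_count = no_msg_wait_ms, no_msg_count
        rows.append({
            "timestamp": ts.strftime("%Y-%m-%d %H:%M:%S,") + f"{ts.microsecond // 1000:03d}",
            "processing_time_ms": processing_ms,
            "count": int(d["count"]),
            "db_bulk_write_time_ms": int(d["db_ms"]),
            "no_msg_count": wait_count,
            "no_msg_wait_time_ms": wait_ms,
        })
        # Reset the window at every boundary event.
        prev_done_ts = ts
        no_msg_count = 0
        no_msg_wait_ms = 0
    return rows


if __name__ == "__main__":
    for row in bulk_save_rows(SAMPLE_LOG):
        print(row)
```

On the constructed sample this yields wait times of 0, 4000, 0 and 3000 ms for the four bulk-save events, with processing_time values of 0, 4937, 818 and 3797 ms, matching the post's existing columns for the same timestamps. The two things worth carrying back into a search are visible in the loop: the counter must only match the 1000 ms "No message to handle" lines and not the 10 ms "No msg in the queue" lines from the reader threads, and it must be accumulated over all events before filtering down to the "Done Bulk saving" rows, since the post's `where isnotnull(count)` discards the lines to be counted. In SPL the accumulate-and-reset step is the kind of thing streamstats with its reset_after option is for, applied before the filter rather than after it.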
Did Splunk support do it, or someone else? @richgalloway is correct, you should never uninstall the previous version (unless there is some compatibility issue or something else) before an update. Sometimes you should go through several UF versions and not install directly over many versions. There could be some stuff, e.g. for the fishbucket etc., which the UF must do to convert those from the old version to the new one. If/when you uninstall the previous version it also means that you will reindex all events from that host, as it no longer has any information about what it has previously indexed! With big nodes this could be even terabytes of duplicate events! r. Ismo

I am encountering an issue with sending emails from Splunk. After some investigation, I discovered that my Outlook email address is not authorized to send emails as splunk@splunkubuntu.

Details:
- I have configured Splunk to use my Outlook email address for sending alert notifications.
- The SMTP server settings in Splunk are correctly configured to use my Outlook credentials.
- However, when an alert is triggered, the emails are not sent. The error message indicates that my Outlook email address is not authorized to send emails as splunk@splunkubuntu.

Steps Taken:
- Verified the SMTP server settings in Splunk (Settings -> Server settings -> Email settings).
- Tested sending emails directly from Outlook, which works fine.
- Checked the Splunk logs (splunkd.log) for any related errors and found the authorization issue.

Questions:
- How can I configure my Outlook email address to be authorized to send emails from Splunk?
- Are there specific settings or permissions needed within Outlook or Splunk to resolve this issue?
- Has anyone faced a similar issue and found a solution?

Thank you in advance for your assistance!

There are some limits on how many fields and how many characters events can have for automatic index-time extraction to work. I cannot recall the length, but those are not as big as someone might expect. Probably those were defined in limits.conf or some other conf file. If I recall right you can also find some discussions on Answers about this issue? Also this .conf presentation can help you with unindexed fields: https://conf.splunk.com/files/2023/slides/PLA1258C.pdf r. Ismo

Good morning! I am receiving the error "Could not load lookup=LOOKUP-reply_code" on multiple boxes. Any similar situations? Thanks in advance for any feedback.

Hi, it depends on whether those fields are defined in your raw data or not. If they are there then you could try what they have presented in this .conf talk. There are some other presentations on how to use TERM and PREFIX in your searches. https://conf.splunk.com/files/2023/slides/PLA1258C.pdf Another option is to create a Datamodel and use it. But whether it is a reasonable solution or not depends on your real use case. r. Ismo

I actually don't have the list of devices to create a lookup file. I am taking the reporting list of devices from Splunk for a compliance report.

We pull change, incident and security incident tickets from ServiceNow into Splunk using the add-on app for ServiceNow. Since we have upgraded the ServiceNow add-on app to 7.8.0, we are unable to pull security incidents. The other data sets related to changes, incidents etc. are coming through. We see the below error:

2024-08-06 19:22:13,103 ERROR pid=663322 tid=MainThread _data:274 | Failure occurred while getting records for the input: securityincident from the table: sn_si_incident of the servicenow host: xxxx The reason for failure= {'message': 'Insufficient rights to query records', 'detail': 'Field(s) present in the query do not have permission to be read'}. Contact Splunk administrator for further information.

Has anyone had this issue?

Hi, you can use a virtual server as a CM. Just allocate enough CPU + Mem for it. There are still some parts of the Splunk CM code which have single-thread restrictions. For that reason it's more important to have a fast enough CPU and also enough memory to run it. Also you should take care that you don't allocate too many resources to the VM vs. what you have in your real virtualization host. Also over-allocating mem or CPU is not good for Splunk. Also all your indexers must (should) be identical, otherwise there will be some issues later or you will not use all of their resources. When you take the indexer cluster into use you can also take indexer discovery into use. This handles which indexers the UFs send events to. I propose that you look at least at the next docs:
https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Aboutclusters
https://lantern.splunk.com/Splunk_Success_Framework/Platform_Management/Indexing_and_search_architecture
https://docs.splunk.com/Documentation/SVA/current/Architectures/About
Personally I prefer Linux over Windows for Splunk, especially when you have more than one Splunk server. Also if you have any doubt that you need to scale this over two sites then you could/should create a multisite cluster in one site. This will make it easier to expand to another site if/when you need that kind of HA / disaster recovery capabilities. r. Ismo

Hi @haleyh44, yes, you can use a VM as Cluster Manager. You should give it the minimal CPU and RAM requirements, and it's preferable if you could give them; if you haven't, you could also try with less configuration (8 CPUs and 8 GB RAM). Old data cannot be replicated between Indexers, even if you have a cluster, only new data. If you want to have two copies of the old data, you must manually copy them to both Indexers, in a different, not replicated index. For new data, remember that you have to add to each stanza of your indexes.conf the option repFactor = auto, otherwise indexes aren't replicated. You must update all your Forwarders to send data in autoLoadBalancing to all your Indexers; you could also configure indexers_discovery (https://docs.splunk.com/Documentation/Splunk/9.3.0/Indexer/indexerdiscovery). Ciao. Giuseppe
