Is the search slow to return just the last 60 minutes of data, and does the performance degrade linearly as you increase the time interval? How many events do you get per 24h period? Are you just doing a raw event search for 7 days to demonstrate the problem, or is this part of your use case? Take a look at the job properties phase_0 property to see what your expanded search is. You can look at the monitoring console to see what the Splunk server metrics are looking like - perhaps there is a memory issue - take a look at the resource usage dashboards.
According to this chart, a single indexer should be enough for the volume of data. A lot depends on the number of searches being run, however, something Splunk's chart tries to capture in the "number of users" figures. If you have fewer than 24 users, but still do a lot of searching, then it may be worthwhile to add an indexer or two. Once the data is re-balanced among the indexers, each will perform a fraction of the work and the search should complete in a fraction of the current time. Also, consider adding a sourcetype specifier to the base search as that can help improve performance.
You can try sourcetype rename https://docs.splunk.com/Documentation/Splunk/latest/Data/Renamesourcetypes  
I've been using a free version of Splunk Cloud, creating dashboards over the past couple of days - it's been great. Last night when I tried to login using my password I got this message: "For security reasons, your account has been locked out. Please try again later or contact your system administrator." As far as I know, I am the administrator. I cannot find a way to change settings through the splunk.com account I used to login.
You could duplicate the field extractions (and more) applying to sourcetype xyz, then change them to apply to that new sourcetype of xyz:iis:prod.
Out of curiosity - why do you want to split those events into separate indexes? Different retention periods? Access differences?
DDSS is a form of storage for your Cloud instance. It's an equivalent of moving your frozen buckets to S3 storage. If you want to store your data for a longer period you might simply set up a separate storage unit for frozen buckets and archive them away. Be aware though that such data needs to be thawed to be usable again.
Right. That was !=, not =. You're mostly interested in index=_internal component=AutoLoadBalancedConnectionStrategy host=<your_forwarder>
I have two weeks off, so I'll continue troubleshooting after that. In my opinion there is not any interesting stuff in the _internal log. You can see it on the screenshot. I used the cluster command to reduce the log number. There is component != metric in the SPL.
Yes but keep in mind that this will not affect events that are currently in the one big index. New incoming events will be routed to other indexes if they match the corresponding transform regex. Every transform in props.conf will be tried against the logs that match the stanza. This means that if a regex in a transform matches the event, then the index value of the event will be overwritten. If multiple regexes in the transforms match an event, then that event will be overwritten multiple times and will retain the value of the last transform whose regex matched. Therefore you should make the regexes strict so that logs that should go to newIndex do not accidentally go into newIndex1.
Hello, I have one big index with lots of files, and I want to reroute logs from there to different indexes. The reroute will be by a regex which is looking for the domain name in the logs. For each domain I will create a separate stanza in transforms.conf, for example:

[setIdx-index1]
REGEX = ^(?!.*{ "workflow_id": .*, "workflow_type": .*, "workflow_name": .*, "jira_ticket": .*, "actor": .*, "deployment_status": .*, "start_time": .*, "end_time": .*, ("app_name"|"additional_data"): .* }).*$
FORMAT = new_index
DEST_KEY = _MetaData:Index
LOOKAHEAD = 40000

My question is about props.conf: how should I configure it if I have more than one index?

[index1]
TRANSFORMS-setIdx = setIdx-index1
TRANSFORMS-setIdx2 = newIndex
TRANSFORMS-setIdx3 = newIndex1
TRANSFORMS-setIdx4 = newIndex2

Should it work?
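The answer above describes the routing semantics that matter here: every transform listed for the stanza is tried against each event, a matching regex overwrites the index, and when several regexes match the last one wins. The following script is an added example, not part of this thread and not Splunk's code; it models that behaviour in plain Python over a few constructed JSON-style events so you can see why loose regexes misroute. The evaluation order is assumed to be the order the transforms are listed, and the domains, index names and regexes are made up for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class Transform:
    """One transforms.conf stanza reduced to what routing needs (hypothetical names)."""
    name: str        # stanza name, e.g. setIdx-com
    regex: str       # REGEX
    dest_index: str  # FORMAT, written to _MetaData:Index

def route_event(raw, transforms, default_index="bigindex"):
    """Try every transform in list order; the last matching regex sets the index.
    Returns (final index, names of all transforms that matched)."""
    index = default_index
    matched = []
    for t in transforms:
        if re.search(t.regex, raw):
            index = t.dest_index   # each match overwrites the previous value
            matched.append(t.name)
    return index, matched

def route_all(events, transforms):
    return [route_event(e, transforms) for e in events]

def multi_matched(events, transforms):
    """Events hit by more than one transform: the ones whose destination depends
    only on ordering, which is what a reviewer of the config should flag."""
    return [e for e in events if len(route_event(e, transforms)[1]) > 1]

# Constructed sample events; the third one mentions both domains in one line.
SAMPLE_EVENTS = [
    '{"domain": "app.example.com", "msg": "login ok"}',
    '{"domain": "app.example.org", "msg": "login ok"}',
    '{"domain": "app.example.com", "msg": "redirect to https://app.example.org/home"}',
    '{"domain": "other.test", "msg": "heartbeat"}',
]

# Loose: any occurrence of the domain anywhere in the event counts.
LOOSE_TRANSFORMS = [
    Transform("setIdx-com", r"example\.com", "newIndex"),
    Transform("setIdx-org", r"example\.org", "newIndex1"),
]

# Strict: anchored on the domain field at the start of the event.
STRICT_TRANSFORMS = [
    Transform("setIdx-com", r'^\{"domain": "app\.example\.com"', "newIndex"),
    Transform("setIdx-org", r'^\{"domain": "app\.example\.org"', "newIndex1"),
]

if __name__ == "__main__":
    for label, transforms in (("loose", LOOSE_TRANSFORMS), ("strict", STRICT_TRANSFORMS)):
        print(f"--- {label} regexes ---")
        for event, (index, hits) in zip(SAMPLE_EVENTS, route_all(SAMPLE_EVENTS, transforms)):
            print(f"{index:10} matched={hits}  {event}")
        print("ambiguous:", len(multi_matched(SAMPLE_EVENTS, transforms)))
```

With the loose regexes the third event matches both stanzas and lands in newIndex1 purely because that transform is listed last; with the anchored regexes it matches only setIdx-com and no event is claimed by more than one transform. Running multi_matched over a sample of real events before deploying the props.conf is a cheap way to catch this kind of overlap.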
That means that your installation has not completed successfully. If you try to run the installer again, does it start a clean installation or does it offer to repair/uninstall? Do you have a service which should be starting the Splunk process in your system? Do your event logs say anything reasonable about the installation process? There might also be a log file from the installation in the %temp% directory (it should be called MSIsomething.log). You can also try to install Splunk again, this time explicitly requesting to create an installation log.
https://learn.microsoft.com/en-gb/windows/win32/msi/command-line-options?redirectedfrom=MSDN
https://docs.splunk.com/Documentation/Splunk/9.2.2/Installation/InstallonWindowsviathecommandline
Hello Splunk Community, for compliance reasons I need to figure out an efficient way to archive notable events that are generated from the correlation searches in Enterprise Security. My first thought is to create an index for these notable events and configure dynamic data self storage. Is this a good solution and feasible in Splunk Enterprise? I would appreciate any support here and thank you in advance!
Hello All, I have tried installing the .NET agent 24x version on my Windows machine and used the .NET agent configuration wizard to create a tier for the default web site under the IIS pool, and restarted the IIS/Coordinator service. I could see that in the SaaS controller only the machine agent is reporting, but I don't find the app agent in up status and the tier is not visible. Note: I tried re-installing and restarting the services multiple times but it did not make any difference, and I enabled debug as well, but in the logs I don't find any error, only the messages of metric registration, which is successful. Any suggestions would be helpful. Thanks in advance.
No I do not. I have a folder under my user tab named .splunk and it was downloaded around the same time I initially installed the trial Splunk Enterprise. In this .splunk folder there is nothing as well.
1. And you have the add-on installed on the HF?
2. Have you configured your F5 to properly export the data? (AFAIR there's a section in the docs describing the required configuration which needs to be performed on the F5's side.)
You can write your own scripted or modular input calling the REST API and returning the downloaded results. Or write a script calling the API by curl or similar way and write results to a file. Then you'd ingest the file contents.
There is indeed no link to docs of any kind provided with the app on Splunkbase. Judging by the description though (I haven't downloaded the app myself), it's meant to run a scheduled search which will get the CIM-compliant data from one or more datamodels and then upload it to Trend Micro's environment for further processing.
If you installed the windows version of Splunk with the default settings it should have installed itself into C:\Program Files\Splunk directory. Do you have this directory?
I apologize. Yes, the system I'm talking about is Windows. I installed the trial version of Splunk Enterprise software onto my laptop. When the installation wizard popped up I left everything as default settings and let the installation complete. What I was trying to do is open the bin, etc, and lib folders to follow along with a Udemy class I was taking to see the /default and /local folders.