All Posts


Hi, I'm searching for a way to modify my app/dashboard to be able to modify the entries of a table (such as delete/duplicate/copy/multiselect rows). Any suggestions? Maybe I have to look at the scripts from the lookup editor app? I really don't know where to start. I know how to write in Python but I haven't created a script yet. Thanks
Hi all, thanks for the quick replies. They help with troubleshooting, but the issue ended up being a firewall that isn't documented and that I wasn't informed was part of the route whilst trying to originally diagnose the issue.
Hi @TestUser, I think, as @gcusello has stated here, there isn't such a tool or capability within Splunk currently that would allow this, but it's possibly something that with enough information could be built into an app. It would rely on a couple of key bits of information though, such as what the use cases for the dashboard are (e.g. what is it you want to visualise, and for whom etc.) and also if the data is in a predictable (or ideally CIM compliant) format, e.g. can you reference fields reliably knowing their content (type) and names etc. It might help if you could share a little more about what you are trying to achieve.
Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing.
Thanks, I really do appreciate it!
Thanks for the feedback, I really do appreciate it!
Thanks, I appreciate it!
You already have a case open and ongoing with Splunk Support, so what are you expecting that we can offer you, especially as you didn't tell us this?
When you say that it's a problem at Splunk's end, do you mean with Splunk's relay server or within your own cloud environment? Splunk Cloud sends emails to a local relay before being sent out of Splunk's infrastructure. Even if your alerts fired successfully, it may not show errors sending the emails in your Splunk _internal logs because the failure happens between Splunkd (your actual Splunk process) and an external dependency. As I said, Splunk Support should be able to access their relay logs and validate where the issue is coming from, but either way, it is not possible for you to directly monitor for failures against the remote SMTP service. You might see some errors if your instance is unable to reach the local relay, but that is also not guaranteed. I wasn't able to find any Splunk apps which monitor the local SMTP connection directly.
Hi @Raghavsri, increasing memory on HF2 may provide temporary relief but does not address the root cause. Excessive pipeline queue size (2500MB) can cause splunkd to consume large amounts of memory, especially if data flow is uneven or downstream components are slow. You also risk losing larger volumes of data if Splunk or the system crashes, because all the data in the queues will be lost. Queues should really be used as a buffer, not to expand throughput. I would suggest:
- Reduce the pipeline queue size to a more conservative value (e.g., 512MB–1024MB) and monitor performance.
- Investigate and resolve downstream bottlenecks (indexer or HF2 output) to prevent the backpressure.
- Ensure that outputs.conf and syslog forwarding are optimized for throughput and reliability.
- Consider load balancing or adding additional HFs to distribute the load; this should spread the load on the output and allow the HF to send out the data without back pressure.
As @gcusello mentioned, inefficient parsing could contribute to this issue. Are you able to share more about what is happening with the parsing? Any examples of your props/transforms? Ultimately, a large pipeline queue can mask underlying issues and lead to memory exhaustion. Memory upgrades alone will not prevent future hangs if the pipeline is oversized or downstream issues persist.
Hi @zksvc, I'm on 1.22.19. If you're on 2+ there might be a conflict with the pnp nodeLinker (which I think is default), so if you're on 2.x you could try creating a .yarnrc.yml file in the project root with:
    nodeLinker: node-modules
Out of interest, does this work?
    yarn lerna run build
Sorry, I made a typo, but it still doesn't work.
Hi @livehybrid, thanks for your reply. When I try to type "yarn run setup" I got an error like this. What yarn version do you use, btw?
Can anyone reply, please?
Hi @TestUser, jokingly, I would say with a magic wand! In reality, at the moment there is no tool that allows this, even if, with the help of some Artificial Intelligence tools, we are getting closer. In any case, at the moment, to my knowledge, there are no tools of this type. Also, because the new data must be identified and parsed, and then you have to identify the filtering requirements and what you want to get as output, I would say that at the moment it is not possible. Some help could come from the Splunk Security Essentials app (https://splunkbase.splunk.com/app/3435), which provides a tool for identifying data flows and presents them with some dashboards, but in any case there is always a manual component of identifying and implementing the requirements. Ciao. Giuseppe
Hi @zksvc, I believe you were meant to run "yarn run setup" (missing the "run") at this point. You might need to run "yarn install" first. This page is a great first-run tutorial on using @splunk/create too: https://splunkui.splunk.com/Toolkits/SUIT/ComponentTutorial
Hi @Shakeer_Spl, as I said, there isn't a version of Splunk Full Stack; there are two versions of Splunk on premise:
- Splunk Enterprise
- Splunk Universal Forwarder
The full stack is only Splunk Enterprise. For both products there are many versions (the last released is 9.4.3) and you can find them at https://www.splunk.com/en_us/download/splunk-enterprise.html . Let us know if we can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking. Giuseppe. P.S.: Karma Points are appreciated by all the contributors.
Hi @Raghavsri, I had a similar issue in a past project. Check the parsing rules; maybe there are some unoptimized regexes that require too much memory, especially regexes that start with ".*". Ciao. Giuseppe
Hello, I know for sure that it's Splunk's end because Splunk told us that they had an issue with sending emails. I'm getting the logs after running your example.
9.2.2 is the current version. So the queue fill-up and memory consumption in HF2 may be due to outgoing traffic? It won't be caused by the large incoming data routed from HF1. Yes, we plan to add one more HF in the HF2 layer as LB, but it will take some time. But we need to fix the current ongoing issue.
@Raghavsri What's the version of Splunk you are running? Also, to start with, check a few options:
- Review logs: Look for errors, warnings, or abnormal behavior in splunkd.log.
- Check destination health: Ensure that SyslogNG and the second indexer cluster are healthy and accepting data efficiently. Also, if HF2 is not able to forward data fast enough (due to network, destination, or performance issues), the queue fills up, consuming memory.
- Memory upgrade: Increasing memory on HF2 may help if the issue is due to legitimate high data volume and not a leak or misconfiguration. However, if the problem is a memory leak/bandwidth issue, increasing memory will only delay the inevitable crash.
- Load balancing: Consider load balancing across multiple HFs if possible, to distribute the data load.
- Monitor memory usage: Set up alerts for high memory usage to detect issues early.
Regards, Prewin. Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks!