All Posts

We want to migrate cluster indexer data from the default location (/opt/splunk/var/lib/splunk) to custom locations for warm/hot and cold. Example: /opt/warm_hot and /opt/cold. How can we achieve this goal? Thank you
There is always a chance of missing the event in some circumstances. For example, if there is a huge lag due to some network outage or something similar and you get your events indexed with several hours' delay, you won't find them when you're searching for recent events. But you can minimise the risk. The typical approach is to search every - let's say 15 minutes - over a "slightly delayed" window. For example - you search from 16 minutes ago to 1 minute ago. Or 17-2, depending on your typical ingestion latency.
If I understand you correctly, you are exporting the results of a search, then importing it in another Splunk instance as new data? This would definitely alter the fields. The exporting of search results is not intended as a method to move data unchanged from one Splunk instance to another. Are you trying to import BOTS data or to package indexed data in a manner similar to the BOTS data?
Would anything along the lines of this thread be helpful to achieve this? https://community.splunk.com/t5/Splunk-Search/How-to-convert-rows-to-columns/m-p/398009
@gcusello @PickleRick Thank you for the reply. We are sending data from the application console to Splunk through syslog, and they have defined it to send only error logs from their console. So if I schedule it to run at a 15-minute frequency with a 15-minute time range, will there be any chance of missing events that should be triggered? Our intention is to get an alert whenever there is a new event, and it shouldn't repeat the same event in the alert.
I have one Splunk instance where I ran a search and exported the data in a csv file, xml file, and a raw file. The data contained is mostly Windows event logs, "process command line", "creator process", etc. I am trying to import this data into another Splunk instance. When the data is imported, I noticed some fields are missing, like "process command line". I tried each file type and had no success. I also reviewed the data in the fields, and all of the fields and values are present. Essentially, I am trying to import data similar to Splunk BOTS (GitHub - splunk/botsv3: Splunk Boss of the SOC version 3 dataset).
Personal project
Why emulate ARM when Splunk doesn't support it?
@richgalloway I am running Lima VM with Rosetta. Is there a way to emulate amd64? Maybe there is a certain flag I can use?
Splunk Enterprise is not available for ARM processors.  FWIW, I run the standard Linux version of Splunk on my M2 Mac.
Hello @splunky_diamond, As stated by 2 folks, resource consumption depends on multiple factors. If you are planning to enable ~15 use cases in ES for learning purpose with all-in-one test environment, 32 GB RAM, 32 vCPU, and 200 GB hard disk should be enough. Base configuration for ES is as below -  https://docs.splunk.com/Documentation/ES/7.3.1/Install/DeploymentPlanning
Better to raise a Splunk Support case for better troubleshooting.
Hello @dc18, have you checked https://docs.splunk.com/Documentation/AddOns/released/AWS/CloudWatch and searched for EC2 on the page?
Hi, I am trying to run Splunk using Kubernetes on my M3 Mac. When executing the command (as described here: https://github.com/splunk/splunk-operator/blob/main/docs/README.md#installing-the-splunk-operator):

    cat <<EOF | kubectl apply -n splunk-operator -f -
    apiVersion: enterprise.splunk.com/v4
    kind: Standalone
    metadata:
      name: s1
      finalizers:
      - enterprise.splunk.com/delete-pvc
    EOF

I am getting the error:

    Failed to pull image "splunk/splunk:9.1.3": no matching manifest for linux/arm64/v8 in the manifest list entries

What do I need to do?
I have some configurations in a local app.conf and I would like to read them programmatically before streaming events. How do I do it using Python? Thanks!
I forgot to mention what apps I'm using... so sorry... I tried the universal forwarder apps and will try to figure it out. Thanks for the advice.
I'd simply say don't go down this path. sendemail.py is quite well written but a bit confusing for a non-experienced pythoneer. So you'll put a lot of effort for just one use-case. Additionally you'll get stuck with something you'll have to maintain yourself (what if there are updates to the main sendemail.py? What if there are security fixes? Will you backport those?).  
Splunk on its own is "just" a data analytics platform. But if you want to analyze data you first gotta have it. Splunk can ingest data from a plethora of different sources (and has some own add-ons that can capture metrics from the servers) but we have no way of knowing what kind of data you have in your installation. And BTW it's not a good practice to send events to the main index. If this is your first ever lab Splunk installation it can be understandable but in production it definitely shouldn't happen. You would want your indexes configured so that you can manage your data reasonably.
We cannot tell what data is being stored in your "main" index. You'd have to describe what type of data it is, before asking the meaning of the field values. It would be helpful to have names of apps and reporting services, and then hopefully someone in the community will have experience with it.
Hi guys, I want to ask about some of the values in the "main" tables. Actually, I'm trying to figure out the CPU and memory of one server, so I tried the SPL below:

    index="main" host="MyServer"
    | fields _time, host, source, sourcetype, collection, counter, instance, linecount, object, Value

-- here is the question --

So in this case, where do the values' raw data come from on the server? I tried to match my server's CPU and memory against Process Explorer, but I'm not sure... because the wave is shaking so fast. Can you give me any other advice on how I can solve this question? Thanks