@Lien The 500 MB/day indexing limit in the Splunk Enterprise Trial license is a fixed constraint and cannot be removed or reset through reinstallation.

Trial License Limitations
The 500 MB/day limit is strictly enforced. If you exceed the limit for more than 5 days in a 30-day period, Splunk will disable search functionality until the license is reset or upgraded.
More About Free License: https://docs.splunk.com/Documentation/Splunk/latest/Admin/MoreaboutSplunkFree?

Dev/Test
Splunk customers can now acquire personalized Dev/Test Licenses for internal, non-production use. Each license is limited to 50 GB/day and a six-month term. The program enables individual users within your organization to experiment with new data sources, as well as encourage others in the organization to try the Splunk platform in a frictionless manner.
https://community.splunk.com/t5/Installation/How-can-I-get-a-Splunk-Dev-Test-license/m-p/207898
https://www.splunk.com/en_us/resources/personalized-dev-test-licenses/faq.html?locale=en_us
https://community.splunk.com/t5/Installation/Why-doesn-t-the-new-50gb-Dev-License-support-being-a-remote/m-p/208917

Production
For large-scale testing needs, you can reach out to Splunk Sales to request a customized trial license with higher indexing limits or extended duration. This is particularly useful for evaluating Splunk in scenarios that mirror your production environment.
https://docs.splunk.com/Documentation/Splunk/latest/Admin/TypesofSplunklicenses

NOTE: Developer License: Splunk offers a Developer License that allows indexing up to 10 GB per day. This license is intended for app development and testing purposes. You can request this license through the Splunk Developer Program.
Doing a performance/stress test using an Enterprise Trial license. I wonder if there is a way to get rid of the 500MB/day limit. If not, what would be a good practice for doing the test with a larger limit? Can a new installation of Splunk reset the limit?
Hello AppDynamics Support,

We are experiencing a persistent issue integrating the PHP Agent on a Red Hat 9.5 server running PHP 8.3. Below are the technical details and steps we've already taken.

Technical Information
PHP Agent version: 24.11.0.1340
PHP version: 8.3
OS: Red Hat Enterprise Linux 9.5
Apache MPM: event
Controller: xxx:443
HTTP Proxy: xxx:3128

Problem Description
The agent initializes properly and correctly detects all necessary settings (controller host, account name, node, etc.). However, the following error is always present in the logs:
[config.ConfigChannel] could not send config request
This prevents the agent from registering or communicating with the controller.

Troubleshooting Steps Already Taken
controller-info.xml file is valid and in place
DNS resolution of the controller is working
HTTPS connection via proxy tested and successful
SSL certificate is valid
Ports (443) are open and reachable via proxy
Apache/PHP-FPM restarted cleanly
+1 on @isoutamo 's question. The underlying problem is what's important. Because sometimes you can simply use a subsearch to render it to a set of search conditions but sometimes it isn't enough and really the only reliable way to dynamically construct and run a search is the map command. Creating the whole search with a subsearch (especially if you wanted to return a multi-staged SPL or a search starting with a command other than search) generally doesn't work.
I am confused. You say that you only want to suppress alert when count is 1. If count is greater than 1 or if count is 0, you want to send alert. In your screenshot, you get count 0 - so the alert is valid. No?
Upon further investigation, it seems the _time field needs to be present for Splunk to show the results. Code like this works:

    def stream(self, events):
        yield {"myfield": "fff", "_time": "1748073052.114"}
You can do something along these lines in a SimpleXML dashboard by creating a search which generates the query you want to run and save the result to a token, and then have another panel which uses that token as its search query.
Interestingly I did consider this as I posted it and decided not to do := based on the examples of setting _time from Rich’s examples at https://github.com/silkyrich/ingest_eval_examples/blob/master/default/transforms.conf which only use = (but oddly only on _time fields), I wonder why this is the case? I might check but I thought it wasn’t possible to set a multi value field for _time (and _raw) using ingest eval?
Usually the process is to start looking from right to left and find the first blocked / full queue. Then look at the next processor on the right-hand side. Usually the issue is there.
@gcusello I tried this. Is it supposed to return the lookup table? And it still alerted.

Only for discussing: what do you want to check?

So the goal here is to check: if there is more than 1 event, alert; if there is 0 event, alert.

Issue currently facing: currently the search is looking at 0 events, so by default it will always alert because there are 0 events.

What I am trying to test is the mute taking effect. In the lookup table I've added today's date to see if it will take effect, and it looks like I am still being alerted. Looking for answers to fix the alert to MUTE on the dates I've included in the lookup table.
Hi, I'm trying to rewrite a given query and then execute it. I need to do some complex lookups which can't be done with a regular macro, so I thought about having a Python command that will fetch the query and reconstruct it. The issue I'm having is how to execute the new query. I've tried with the SDK but the run time is much higher + the results return to the statistics page. I've tried to inject the query into a field and then use map but it also wasn't successful. Any idea that works? Maybe something I didn't try, or if you know that one of those methods should work. Thanks.