All Posts

Hi Splunkers, Just an update on the original post, if you are finding this thread. So after back and forth with support, a few things were fixed: First, in 9.1.1 they fixed that the owner was forcefully changed to "splunkfwd" from "splunk" during an upgrade. But that version gave 1000+ warnings about the user splunk being absent. Then in 9.1.2 the warnings were fixed on a fresh install, but they came back when upgrading. Everything should now be fixed in 9.2.0 and later. On top of that, they have implemented that if the user "splunk" exists upon installation, "splunk" will be the owner and not "splunkfwd". So that said, your automation scripts need to ensure that the "splunk" user exists prior to installation and then everything should be as it used to be. So it is still a change to all the automation out there, but a small one I believe. Now tell me again why this stunt was necessary, since the "splunk" user will be present if Splunk Enterprise is already installed.... EDIT: A few packages have been released since this post was created. I want to correct some of my misunderstandings. I still believe this is a huge mistake, but now the warnings are gone and what will happen during installation and upgrade is a bit more clear: RPM Installation: The forwarder will use splunkfwd as the owner, no matter what. You can chown the installation folder and change splunk-launch.conf to revert to splunk as the owner. But you have to do it in your script after the rpm installation. RPM Update: The forwarder will retain splunk as the owner if the previous forwarder installation was owned by splunk.
Hi, Can you help?
Hi Rick, My apologies for that. I was not aware of this. We are actually rushing on this issue because it's on priority in our PROD environment. I don't know how to tag people; earlier I posted without tagging. I won't repeat this again. Regards, Siva
Not every bug gets added there, as each release will have hundreds of issues. I will get this added to https://docs.splunk.com/Documentation/Splunk/9.1.3/ReleaseNotes/Fixedissues You can reach out to support and get official confirmation about the fixed version.
Thanks, but I looked at both links below and see no mention of it...should I be looking somewhere else? https://docs.splunk.com/Documentation/Splunk/9.2.0/ReleaseNotes/Knownissues https://docs.splunk.com/Documentation/Splunk/9.1.3/ReleaseNotes/KnownIssues 
@PickleRick I restarted the Splunk standalone server where I put the files.
1. You posted the same question twice already. 2. Calling out specific people to help you is simply rude. 3. It's a case for support.
We got the email alert notifications running in Splunk and the configuration is the same across all of the alerts, but only some of them actually send an email. We have a separate page where we can see all of the alerts, but we don't see all of them come across our emails. All of the alerts are configured the same way as seen below: I'm not understanding why the email notifications only work for certain alerts when we can see all of the alerts on our dashboard and they're all configured the same.
OK. 1. I assume you restarted the UF after doing all those config changes. 2. Do you get any other data from this forwarder?
Trying to uninstall an old version of the Splunk forwarder, but the msi isn't on the machine. When attempting to uninstall, it asks to be pointed to the msi and then fails due to it not being present. I looked at the older versions on the website and it only goes to 7. Any ideas as to what I can do?
My cluster has one issue with data durability, everything else seems fine. All Indexers are online and running, even the healthchecks return a somewhat good result. What I noticed is one peer has 920 buckets and the other has 919 buckets, is that the issue? What should I do?
Here is a run anywhere example. One of the columns is defined as _hidden so that it won't be displayed in the table. _fields are considered to be internal fields and there is an option to hide them. The second panel displays the value of the token while clicking on each row.

{
  "visualizations": {
    "viz_oIMuXymL": {
      "type": "splunk.table",
      "dataSources": { "primary": "ds_yjf97sDt" },
      "options": { "showInternalFields": false },
      "eventHandlers": [
        {
          "type": "drilldown.setToken",
          "options": {
            "tokens": [
              { "token": "HiddenValue", "key": "row._hidden.value" }
            ]
          }
        }
      ],
      "title": ""
    },
    "viz_gyqHTdIv": {
      "type": "splunk.markdown",
      "options": {
        "markdown": "**Value of Clicked row : $HiddenValue$**",
        "backgroundColor": "#ffffff",
        "fontFamily": "Times New Roman",
        "fontSize": "extraLarge"
      }
    }
  },
  "dataSources": {
    "ds_yjf97sDt": {
      "type": "ds.search",
      "options": {
        "query": "| makeresults count=5\n| streamstats count\n| eval value=\"Value\".count\n| eval _hidden=\"Hidden\".count\n| fields - count",
        "queryParameters": { "earliest": "-24h@h", "latest": "now" }
      },
      "name": "Search_1"
    }
  },
  "defaults": {
    "dataSources": {
      "ds.search": {
        "options": {
          "queryParameters": {
            "latest": "$global_time.latest$",
            "earliest": "$global_time.earliest$"
          }
        }
      }
    }
  },
  "inputs": {},
  "layout": {
    "type": "grid",
    "options": { "width": 1440, "height": 960 },
    "structure": [
      { "item": "viz_oIMuXymL", "type": "block", "position": { "x": 0, "y": 0, "w": 1440, "h": 400 } },
      { "item": "viz_gyqHTdIv", "type": "block", "position": { "x": 0, "y": 400, "w": 1440, "h": 400 } }
    ],
    "globalInputs": []
  },
  "description": "",
  "title": "drilldown_studio"
}
It's not added to release notes. But addressed by 9.1.3 (released) and 9.21 (not yet released).
I would recommend an in-place upgrade to version 9 and then copy Splunk to the new server. In general, one should not copy an entire built-in app (like search) between instances.  Transfer only the local folder.
It's logged as a bug and fixed for 9.1.3/9.2.1 
Hi Team, We are facing a discrepancy with Splunk License total usage vs index-wise usage. Could you please help us on this? Our actual Splunk stack is 50GB. 1. Index-wise License Usage: for an individual index, 1 index is showing 65.46GB; for the same day, the total usage we are getting is 55.42GB, as shown in the screenshots below. 2. Total License Usage: This is the overall License usage for Feb 15. Kindly assist us with a License Usage query based on index-wise usage; it should match the total License Usage. Please also indicate any changes that need to be made at the server or configuration level. @gcusello @isoutamo @PickleRick Regards, Siva.
It is true one cannot change the labels.  That means we have to choose between having week numbers in numerical rather than calendar order or having year-week numbers in calendar order.
I have been building KV Store lookups with the lookup editor and I have noticed that when I add a line in the UI, when I leave it and come back to it, it duplicates the line multiple times and I have to go back and delete the duplicates.  This seems to happen whether I am copying and pasting or just simply adding a line by hand.  Has anyone else seen this issue or am I doing something wrong?  To add a line I right-click on the row and select add a new line above.  Once I finish the data input I leave the line to commit it.  I go to my dashboard that is displaying the store, refresh and note that there are multiple copies of the line I just added. This does not happen with CSV file lookups, just the KV Stores. Thoughts?  More info?
It would be great if this is logged as an actual bug, or at least a known issue. Some of us have several 1000s of UFs, spread across multiple environments, and updating the log-local.cfg just isn't feasible.
Hi guys, I am trying to set up code in JavaScript which will refresh the page after the JavaScript runs, because now my dashboard loads, but the JavaScript runs first and the visualizations depend on the JavaScript, and then the coloring, for example, doesn't change. When I tried to set the refresh under the query to 5 seconds, it was reloaded and all visualizations were loaded, but I would like to do it a better way and I am sure it is possible with JavaScript. I am very basic with JavaScript, so I was searching here, but nothing worked, because mainly it was set up so that the JavaScript reloads the page after some button click, but I would like to have it happen automatically. Thank you for any ideas. v.