Thanks for your answer, I will try this in a test environment
If your two new SHCs have the same content then you can theoretically use one deployer to manage them both, but I think that you want to keep the content of those SHCs different? I haven't tried this, but maybe this works if you can separate those nodes physically at the network level? Do this at your own risk! I'm expecting that this is not a supported way to do it! Split those members into two groups and keep the deployer in the bigger group, where the majority of nodes is. This group should automatically recover from the loss of the other members. If not, do the normal stuff for removing members, sync SHC & kvstore. For the second group you must replicate the current deployer to it. In the docs there are instructions on how to replace/recover a deployer. Then you probably need to do a manual captain election to get the other SHC up and running. I'm not sure if you can change those deployers to new names or not. If not, then you will probably get some issues later on! I think the better way is just to create an additional SHC and deployer and then migrate the needed apps and users from the old one to this new one. This is the official and supported way. Anyhow, you must do an offline backup of the kvstore and nodes before starting the migration, and definitely you should try it in a test environment first!
@kiran_panchavat Thanks for your answer, we want to split a big shcluster, not a multisite cluster.
@liangliang Migration from a standalone search head to a SHC: here is the document that discusses how to migrate from a standalone search head to a Search Head Cluster: https://docs.splunk.com/Documentation/Splunk/latest/DistSearch/Migratefromstandalonesearchheads
@mpk_24 You're welcome. If this resolves your issue, please consider accepting the solution, as it may be helpful for others as well.
@kiran_panchavat Thank you so much for your insights and the assistance extended. 
@PickleRick Thank you so much for your valuable insights. 
@liangliang  You can deploy search head cluster members across multiple physical sites. You can also integrate cluster members into a multisite indexer cluster. However, search head clusters do not have site awareness. https://docs.splunk.com/Documentation/Splunk/9.4.0/DistSearch/DeploymultisiteSHC  https://community.splunk.com/t5/Deployment-Architecture/How-multisite-SH-clusters-work/m-p/594465 
@liangliang Thank you so much for your response. This works. Appreciate it very much.
You can try this: (?P<number>\d+)$ The $ will match the end of the line.
Now we have a big shcluster for many department users, and for some reason we must split off a department for independent use. We considered creating a new cluster directly, but we have too many things to migrate. We plan to network-isolate the existing cluster nodes, then configure the isolated part as another cloned cluster, and finally delete the unnecessary apps on both clusters. Is this feasible?
Hey @Splunkers, looking for valuable insights for this use case. I want to extract the numbers at the end of the log (highlighted in bold). Please help. Sample log: 74.133.120.000 - LASTHOP:142.136.168.1 - [19/May/2025:23:30:12 +0000] "GET /content/*/residential.existingCustomerProfileLoader.json HTTP/1.1" 200 143 "/cp/activate-apps?cmp=dotcom_sms_selectapps_111324" "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Mobile Safari/537.36" 384622
If you search for only that first single event in that time range (index=abc,source=xxx.trc GetDbfRecordFromCache) and do nothing else, but then look at the _raw event in the display, are the characters encoded in the data or are they <>? If you then open the event with the little arrow and select Show Source, what does the raw event data look like? Is it encoded or not?
@lcguilfoil Your event search does not have a time range associated with it, so it will be running an all-time search, and so when you click the drilldown the search is still running and will not respond to the drilldown.

<earliest>$global_time.earliest$</earliest>
<latest>$global_time.latest$</latest>

Add the time range to your event search.
9 years later, same problem, you saved me. Thanks. /var/log/secure and /var/log/messages were both being monitored, and both had the same log line at the beginning.
Bringing this back to life (maybe). Splunk UBA comes with an instance of Splunk. We install the UF on all our nix machines to monitor them (performance and security). Well, this install conflicts with what UBA installs when setting up UBA (8089). So how do we overcome this, or how do we use the UBA-installed Splunk instance to connect to the deployment server and have the configuration we push to all the other servers go on this one as well?
Please install the above app into your SH and then add this script part into your dashboard's first line! After that you don't need to guess what you have in which token. It just shows all defined tokens with their values to you! Currently I always use it when I have some token other than the time picker and one or two others. It really helps you!
Hi, I apologize for the confusion. I updated the code to be complete. Thank you!
This doesn't appear in the "full dashboard code" you posted in a previous response. Please clarify which code is in which dashboard.
Hello! Here it is:

<form version="1.1" theme="dark">
  <label>Hayabusa Overview</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="global_time" searchWhenChanged="true">
      <label>Global Time Range</label>
      <default>
        <earliest>0</earliest>
        <latest></latest>
      </default>
    </input>
    <input type="dropdown" token="case_token" searchWhenChanged="true">
      <label>Case Selector</label>
      <prefix>index=case_</prefix>
      <suffix>*</suffix>
      <fieldForLabel>case</fieldForLabel>
      <fieldForValue>case</fieldForValue>
      <search>
        <query>| tstats count where index=case_* by index | rex field=index "\_(?&lt;case&gt;.*?)\_" | dedup case | table case</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
    </input>
    <input type="multiselect" token="host_token" searchWhenChanged="true">
      <label>Host</label>
      <choice value="*">All Hosts</choice>
      <fieldForLabel>Host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search>
        <query>| tstats count where $case_token$ sourcetype=hayabusa by host | table host</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <initialValue>*</initialValue>
      <delimiter>, </delimiter>
      <prefix>host IN (</prefix>
      <suffix>)</suffix>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Top Informational Alerts</title>
        <search>
          <query>| tstats count where $case_token$ sourcetype=hayabusa $host_token$ Level=info by RuleTitle | sort -count</query>
          <earliest>$global_time.earliest$</earliest>
          <latest>$global_time.latest$</latest>
        </search>
        <option name="drilldown">cell</option>
        <format type="color" field="count">
          <colorPalette type="list">[#65778A,#65778A,#65778A,#65778A,#65778A]</colorPalette>
          <scale type="threshold">0,30,70,100</scale>
        </format>
        <drilldown>
          <set token="form.rule_token">$click.value$</set>
        </drilldown>
      </table>
    </panel>
    <panel>
      <table>
        <title>Top Hosts By Hits</title>
        <search>
          <query>| tstats count where $case_token$ sourcetype=hayabusa by host | sort -count</query>
          <earliest>$global_time.earliest$</earliest>
          <latest>$global_time.latest$</latest>
        </search>
        <option name="drilldown">cell</option>
        <format type="color" field="count">
          <colorPalette type="minMidMax" maxColor="#FFFFFF" minColor="#FFFFFF"></colorPalette>
          <scale type="minMidMax"></scale>
        </format>
        <drilldown>
          <set token="form.host_token">$click.value$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Hayabusa Hits Overview</title>
      <input type="multiselect" token="level_token" searchWhenChanged="true">
        <label>Level</label>
        <choice value="*">All Levels</choice>
        <choice value="info">Info</choice>
        <choice value="low">Low</choice>
        <choice value="med">Medium</choice>
        <choice value="high">High</choice>
        <choice value="crit">Critical</choice>
        <default>*</default>
        <initialValue>*</initialValue>
        <prefix>Level IN (</prefix>
        <suffix>)</suffix>
        <valuePrefix>"</valuePrefix>
        <valueSuffix>"</valueSuffix>
        <delimiter>, </delimiter>
      </input>
      <input type="multiselect" token="rule_token" searchWhenChanged="true">
        <label>Rule</label>
        <choice value="*">All Rules</choice>
        <default>*</default>
        <initialValue>*</initialValue>
        <fieldForLabel>RuleTitle</fieldForLabel>
        <fieldForValue>RuleTitle</fieldForValue>
        <search>
          <query>| tstats count where $case_token$ $host_token$ sourcetype=hayabusa $level_token$ by RuleTitle | table RuleTitle</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <prefix>RuleTitle IN (</prefix>
        <suffix>)</suffix>
        <delimiter>,</delimiter>
        <valuePrefix>"</valuePrefix>
        <valueSuffix>"</valueSuffix>
      </input>
      <input type="text" token="search_token" searchWhenChanged="true">
        <label>Search</label>
        <default>*</default>
        <initialValue>*</initialValue>
      </input>
      <input type="text" token="exclude_token" searchWhenChanged="true">
        <label>Search (to Exclude)</label>
        <default>Default Value to Exclude</default>
        <initialValue>Default Value to Exclude</initialValue>
      </input>
      <input type="multiselect" token="channel_token" searchWhenChanged="true">
        <label>Channel</label>
        <fieldForLabel>Channel</fieldForLabel>
        <fieldForValue>Channel</fieldForValue>
        <search>
          <query>| tstats count where $case_token$ sourcetype=hayabusa by Channel</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <delimiter> </delimiter>
        <choice value="*">All Channels</choice>
        <default>*</default>
        <initialValue>*</initialValue>
      </input>
      <html>
        <p>For <strong>Search</strong> and <strong>Search to Exclude</strong>, delimit with a comma. For example: <strong>term,search phrase</strong></p>
      </html>
      <event>
        <title>$channel_token$</title>
        <search>
          <!-- SPL field names are case-sensitive: the fields command must use RuleTitle, matching the <fields> list below -->
          <query>$case_token$ sourcetype=hayabusa $host_token$ $level_token$ $rule_token$ | fields Timestamp, host, Computer, Level, Channel, RecordID, EventID, RuleTitle, Details</query>
        </search>
        <fields>Timestamp, host, Computer, Level, Channel, RecordID, EventID, RuleTitle, Details, _time</fields>
        <option name="count">50</option>
        <option name="refresh.display">progressbar</option>
        <option name="table.drilldown">all</option>
        <option name="table.sortDirect">asc</option>
        <option name="table.wrap">1</option>
        <option name="type">table</option>
        <drilldown>
          <set token="form.channel_token">$click.value$</set>
        </drilldown>
      </event>
    </panel>
  </row>
</form>
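As an added example (not code from this thread or from Splunk), a small Python check for the problem raised against this dashboard: a panel search with no <earliest>/<latest> runs as an all-time search and never gets to answer its drilldown. It scans a constructed dashboard fragment for such searches and can insert the $global_time$ range; the set of panel tags it inspects and the skipping of base-search references are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not the dashboard above): the table search has a range, the event search does not.
SAMPLE_DASHBOARD = """<form version="1.1">
  <row>
    <panel>
      <table>
        <search>
          <query>| tstats count where index=case_* by host</query>
          <earliest>$global_time.earliest$</earliest>
          <latest>$global_time.latest$</latest>
        </search>
      </table>
    </panel>
    <panel>
      <event>
        <search><query>index=case_demo sourcetype=hayabusa</query></search>
      </event>
    </panel>
  </row>
</form>"""

# Simple XML panel visualizations whose own <search> should carry a time range (assumed list).
PANEL_TAGS = ("table", "event", "chart", "single", "map", "viz")

def _panel_searches(root):
    """Yield (tag, search) for each panel search; a search with base="..." inherits its base's range."""
    for tag in PANEL_TAGS:
        for panel in root.iter(tag):
            for search in panel.findall("search"):
                if search.get("base") is None:
                    yield tag, search

def searches_without_time_range(xml_text):
    """Return (panel_tag, query) for each panel search lacking <earliest> or <latest>.
    Searches under <input> are ignored: they often use earliest=0 on purpose."""
    root = ET.fromstring(xml_text)
    return [(tag, (s.findtext("query") or "").strip())
            for tag, s in _panel_searches(root)
            if s.find("earliest") is None or s.find("latest") is None]

def add_time_range(xml_text, earliest="$global_time.earliest$", latest="$global_time.latest$"):
    """Return the dashboard XML with the given range added to every panel search that lacks one."""
    root = ET.fromstring(xml_text)
    for _, s in _panel_searches(root):
        if s.find("earliest") is None:
            ET.SubElement(s, "earliest").text = earliest
        if s.find("latest") is None:
            ET.SubElement(s, "latest").text = latest
    return ET.tostring(root, encoding="unicode")
```

Run it over a saved dashboard file to list the panels that will search all time before you wire up their drilldowns.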