Hi, we have two indexes which are stuck in a fixup task. Our environment consists of some indexing peers which are attached to SmartStore. This morning there is a warning that SF and RF are not met. Two indexes are in this degraded state. Checking the bucket status, there are two buckets from two different indexes which don't get fixed. Those buckets are mentioned in the search factor fix, replication factor fix and generation. The last has the notice "No possible primaries". Searching on the indexer which is mentioned in the bucket info, it says: DatabaseDirectoryManager [838121 TcpChannelThread] - unable to check if cache_id="bid|aaaaaa~183~839799B0-6EAF-436C-B12A-2CDC010C1319|" is stable with CacheManager as it is not present in CacheManager and ERROR ClusterSlaveBucketHandler [838121 TcpChannelThread] - Failed to trigger replication (err='Cannot replicate remote storage enabled warm bucket, bid=aaaaaa~183~839799B0-6EAF-436C-B12A-2CDC010C1319 until it's uploaded'. What can be wrong, and what to do about it? Thanks in advance. Splunk Enterprise v9.0.5, on-premise SmartStore.
I have a lookup file like below. The query should send mails to each person with that respective row information, and if the mail1 column is empty, then the query should consider the mail2 column value to send mails, and if the mail2 column is empty, the query should consider the mail3 column value to send mail, and if mail1 and mail2 are empty then the query should consider the mail3 column value to send mail.

Emp occupation location firstmail secondarymail thirdmail
abc aaa hhh aa@mail.com gg@mail.com
def ghjk gggg bb@mail.com ff@mail.com
ghi lmo iiii hh@mail.com
jkl pre jjj dd@mail.com
mno swq kkk aa@mail.com ii@mail.com

For example, aa@mail.com should receive a mail like below in tabular format:

Emp occupation location firstmail secondarymail thirdmail
abc aaa hhh aa@mail.com gg@mail.com
mno swq kkk aa@mail.com ii@mail.com

So likewise the query should read the complete table and send mails to persons individually, containing that specific row information in tabular format. Please help me with the query and let me know in case of any clarification on the requirement.
Hello fellow Splunkthusiasts! TL;DR: Is there any way to connect one indexer cluster to two distinct license servers? Our company has two different licenses: one acquired directly by the company (we possess the license file), the other was acquired by a corporate group to which our company belongs; it is provided to us through the group's license server (it is actually some larger license split into several pools, one of them being available to us). The obvious solution is to have one IDXC for each license with SHs searching both clusters. However, both licenses together are approximately 100GB/day, therefore building two independent indexer clusters feels like a waste of resources. What is the best way to approach this?
Hi,
After migrating to version 9.1.2 we have to rewrite some classic dashboards in Dashboard Studio. Is there a way to send the colored lines to the back or send the circles to the front? It simply won't work to put any figure on top of lines; the lines will always be on top. I tried to insert some HTML customization but still nothing:
(<row>
<panel>
<html>
<style>
div[data-id*="_CIRCLE"]{
z-index: 100;
}
</style>
</html>
</panel>
</row>)
Any help would be much appreciated.
You don't need to specify field=_raw as this is the default field. Anyway, you just need to follow your extraction with a space. | rex "status is\s(?<status>[^\s]+)\s"
Hi everyone, I need an alternative for the transaction command, because it's taking too much time to load the dashboard. This is my actual data:

Botid count
1528 1
1228 1
1015 1
1558 1
12 1
1698 1
1589.15 1
1589 1

I am looking for an output like below:

BotId count
1528,1228,1015,1558 1
12,1698,1589.2,1589 2

Thanks in advance.
Something like this: ,\s(\d\d\.\d\d\.\d\d\s\w+\s\d+\w+\d\d)\s Or would you like to do it in props.conf to set the _time field? TIME_FORMAT = %z, %T %a %d%b%y Try it out here: https://strftime.net/
So I want to extract the last word as a field on each search result, but want to grab only those that fulfil the following conditions: 1) the last word before a space 2) exclude those with a period "." right after the last word. Sample events: the current status is START system goes on … the current status is STOP please do ….. the current status is PENDING. And my rex will extract the word from "status is " and the word right after, but if that word has a period right after, I don't want to extract it. I have only been able to retrieve everything using the following, but not able to exclude those with a period right after: rex field=_raw "status is\s(?<status>[^\s]+)"
Hello Team, I need help in extracting the following date and time from the log. Sample log: -0900, 04.25.01 THU 22FEB24 nDD62320I I need the 04.25.01 THU 22FEB24 part; could someone please help in extracting this using rex? Any help is much appreciated.
Currently, I am switching to a higher version of the Lookup Editor app, but I am having "issues" as described below. Ver 3.3.3 Ver 4.0.2 Cells have values (low, medium, high, ...) that do not change the background color or text. I checked the console.log output (Ver 4.0.2) and got some logs. Can anyone give me some advice? Thank you.
May I know whether there is any search query with which I can find "Indexers in license violations", or whether there is any information I can get regarding this directly from Splunk?
Hi @rbakeredfi , the first thing is to manage all the Forwarders (Universal and Heavy) using a Deployment Server, so you're sure to have the correct configurations on all machines. Then I prefer to directly send UF logs to the Indexers. It's also possible to use HFs as concentrators if you want to reduce the connections between networks. For syslogs, I hint to use two UFs or two HFs as receivers, using a Load Balancer to balance traffic and manage failover. On these servers use rsyslog or syslog-ng to receive syslogs and then read these logs from the files. About the logs from the HFs, you can install on these machines the appropriate add-ons and use them to monitor these machines. Ciao. Giuseppe
No. I'm not suggesting to use the free license. It has too many limitations for most production uses. I'm just pointing out that even the Free license is relatively "big" compared to the "sublicenses" the OP wants. Of course simply attaching multiple environments to a single license master will work, but without splitting the license into separate licensing stacks it will result in a "shared license", which means that if one node for some reason should exhaust the license, it would violate the license for all nodes.
Hi @jovnice , I hint to add index=wineventlog because it gives you better performance than the following solution! Anyway, if you don't want this solution, you could add the wineventlog index to the default search path (in [Settings > Roles > <your_role> > Indexes]). Ciao. Giuseppe