All Posts

Assuming you've verified 12 indexers can handle both the indexing and search loads, then you just need to remove 12 indexers.
1. Remove 12 indexers from outputs.conf on all instances. Ideally, you have this in an app so you can make the change once and push it to where it is needed (SHs, forwarders, DS, MC, CM, LM). If you've implemented Indexer Discovery then you can skip this step.
2. Put the 12 indexers into manual detention. This will keep them from accepting new data or replicated buckets.
   splunk edit cluster-config -auth <username>:<password> -manual_detention on
3. Run this command on each indexer being removed.
   splunk offline --enforce-counts
   Wait for the indexer to stop before proceeding to the next.
Used this to drop the comments related fields. Longstanding tickets had more than 10,000 characters and would cause false negatives and/or crash browsers.
Yes, that is what I am trying to do, and I obviously have the host. Is there a way to extract this out of the event to add to the alert?
Jan 4 13:07:57 HOST 1 2024-01-04T13:07:57.085-05:00 somenumber-somename-ks-srx rpd 2188 JTASK_SIGNAL_INFO [junos@2636.1.1.1.2.133 message-name="INFO Signal Info: Signal Number = " signal-number="1" name=" Consumed Count = " data-1="3"]
Thanks for all the help
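The event quoted above is a BSD-style relay prefix followed by an RFC 5424 message whose Junos fields live in the STRUCTURED-DATA element. The parser below, an added example rather than code from the thread, shows how those fields can be pulled out of such a line; the sample event is constructed from the one quoted in the post.

```python
import re

# Sample event, constructed from the one quoted in the post above (not a live log)
SAMPLE_EVENT = (
    'Jan 4 13:07:57 HOST 1 2024-01-04T13:07:57.085-05:00 somenumber-somename-ks-srx '
    'rpd 2188 JTASK_SIGNAL_INFO [junos@2636.1.1.1.2.133 message-name="INFO Signal Info: '
    'Signal Number = " signal-number="1" name=" Consumed Count = " data-1="3"]'
)

# BSD-style relay prefix, then the RFC 5424 header: VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID
_HEADER = re.compile(
    r'^(?P<relay_ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<relay_host>\S+) '
    r'(?P<version>\d) (?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) '
    r'(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$'
)
# One SD-PARAM; the value may contain the RFC 5424 escapes \" \] and \\
_PARAM = re.compile(r' (?P<name>[^= \]]+)="(?P<value>(?:[^"\\]|\\.)*)"')

def _unescape(value):
    return re.sub(r'\\([\\"\]])', r'\1', value)

def parse_structured_data(rest):
    """Split '[sd-id p="v" ...]... MSG' into ({sd_id: {param: value}}, msg)."""
    if rest.startswith('-'):  # NILVALUE: the event carries no structured data
        return {}, rest[1:].strip()
    elements, pos = {}, 0
    while pos < len(rest) and rest[pos] == '[':
        end = pos + 1
        while end < len(rest) and rest[end] not in ' ]':
            end += 1
        sd_id, params, pos = rest[pos + 1:end], {}, end
        while (m := _PARAM.match(rest, pos)):
            params[m.group('name')] = _unescape(m.group('value'))
            pos = m.end()
        if pos >= len(rest) or rest[pos] != ']':
            raise ValueError(f'unterminated SD-ELEMENT {sd_id!r} at offset {pos}')
        elements[sd_id] = params
        pos += 1
    return elements, rest[pos:].strip()

def parse_event(line):
    """Return the header fields plus the structured data of one relayed Junos event."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError('not a relayed RFC 5424 event')
    fields = m.groupdict()
    fields['sd'], fields['msg'] = parse_structured_data(fields.pop('rest'))
    return fields
```

Calling parse_event(SAMPLE_EVENT)['sd']['junos@2636.1.1.1.2.133'] yields the four Junos parameters, with signal-number and data-1 available as plain strings for the alert.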
Yes, it can handle it. Data volume has been reduced, so there is no point in keeping 24 indexers.
This seems to be working; can you please explain how it worked? @ITWhisperer
Why do you want to reduce the number of indexers?  What problem are you trying to solve?  Can 12 indexers handle the workload currently done by 24 indexers?
Hi Team, I need to decrease the number of indexers used to half. In my current configuration the site replication factor is 5 in total with origin:3, and the site search factor is defined as 3 in total with origin:2. My total number of indexers is 24 and I want to decrease the count of indexers to 12. I want to have the complete process of reducing the indexer cluster size so that the buckets which have site information will not be impacted.
I tried the syntax below, but it's matching the entire line and I want only the "ID" value:
/(?<ID>\w+)_ETC_RFG
Yes. But.
1. As this is a metadata search for hosts only, you'd have to search across all your indexes - you have no indication of which index that event is in.
2. It'd be a very ugly and resource-intensive search spawning a possibly huge number of subsearches. It's a good way to overstress your Splunk environment. That's why the map command is considered a risky command and not enabled for ordinary users by default.
But in general I think you're trying to solve a completely different problem here. The issue of finding hosts which stopped reporting was tackled many times already and there are even specific apps for this - like TrackMe - https://splunkbase.splunk.com/app/4621
OK. How old is your DBConnect app version (what version is it)?
Would there be a way to search for the first host not reporting and see the most recent event and create an alert on that, and do it for the second and the third and so forth?
https://docs.splunk.com/Documentation/Splunk/9.2.0/Admin/TypesofSplunklicenses#Other_types_of_licenses
[...]
Free license
The Free license allows a completely free Splunk Enterprise instance with limited functionality and license usage. The following important points apply to the Free license:
- The Free license gives access to a limited set of Splunk Enterprise features.
- The Free license is for a standalone, single-instance installation of Splunk Enterprise only.
- The Free license cannot be stacked with other licenses.
- The Free license does not expire.
- The Free license allows you to index 500 MB of data per day. If you exceed that you will receive a license warning.
- The Free license prevents searching if there are a number of license warnings. To learn about license warnings and violation, see What happens during a license violation?
For a list of features that are disabled in Splunk Free, see About Splunk Free.
[...]
So while it doesn't impose any limits on commercial vs. non-commercial use, the features that are disabled make it very challenging for production use of any kind. While in some scenarios you could probably get away without scheduled searches, the lack of ability to create users would probably disqualify the free license in all my use cases.
Not in this search. Remember that at each pipe you get only the results from subsequent commands. So if the metadata command gives you just some, well, metadata, you're not having any events. You'd need to either run a very wide search and do stats latest(_raw) by host, which is not a very good idea, or use this one as part of a subsearch to generate time-limiting conditions, or pass this through the map command. None of those solutions is very pretty.
Same problem here! Have you found a solution to fix this problem? 
regex101.com is a good site for testing regex
How to extract alphanumeric and numeric values from a line? Both are dynamic values:
<Alphanumeric>_ETC_RFG: play this message: announcement/<numeric>
I created an alert from the search below, and it emails a PDF. Is there a way to add the most recent event from each of the hosts in this search and add it to the email?
metadata type=hosts | where recentTime < now() - 10800 | eval lastSeen = strftime(recentTime, "%F %T") | fields + host lastSeen
SC4S was running in a docker container through Podman. Mystery solved! Splunk Setup - Splunk Connect for Syslog
IANAL, but the word "can" conveys ability rather than requirement. IOW, you have the option to convert to a perpetual free license, but it is not mandatory. When you download Splunk, it will include the full license agreement, which, by my reading, has no restrictions on production use (provided "production" does not include reselling or other prohibited use as listed in the license). I should also mention that the free license does not permit access to Splunk Support. Also, after the trial period the free license allows for standalone instances only - no separate search heads and indexers, for instance.
Hi @LearningGuy, the following XML worked for me:
<dashboard version="1.1" theme="light">
  <label>Test</label>
  <row>
    <panel id="DisplayPanel">
      <single id="datestyle">
        <search>
          <query>| makeresults | addinfo | eval text = "How to align this text to left?" | table text </query>
        </search>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
      </single>
    </panel>
    <panel depends="$alwaysHideCSS$">
      <title>Single value</title>
      <html>
        <style>
          #DisplayPanel {
            width: 40% !important;
            font-size: 16px !important;
            text-align: left !important;
            float: left;
          }
        </style>
      </html>
    </panel>
  </row>
</dashboard>