Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
02-12-2024
12:15 PM
Hi there! How are you doing? Our FIM tool is detecting modifications to the /etc/passwd file by the splunkfwd user found on some of our critical Linux servers for our operation with Splunk Universa...
See more...
Hi there! How are you doing? Our FIM tool is detecting modifications to the /etc/passwd file by the splunkfwd user found on some of our critical Linux servers for our operation with Splunk Universal Forwarder installed. Do you know if this behavior is correct? Shouldn't it be modifying /opt/splunkforwarder/etc/passwd? Thank you very much! Regards, Juanma PS: when echoing $SPLUNK_HOME it appears to be blank in other users, but the tools is sending logs correctly to SplunkCloud
Labels
- Labels:
-
Linux
-
universal forwarder
02-12-2024
12:11 PM
1 Karma
thank you - this would work as well: we are now going the old data fall out of dashboard and be updated with data from the new DUO site. You can have data ingested from multiple DUO APIs in the da...
See more...
thank you - this would work as well: we are now going the old data fall out of dashboard and be updated with data from the new DUO site. You can have data ingested from multiple DUO APIs in the dashboard concurrently, so we have visibility from both sites on the same dashboard, but consolidated. Appreciated!
02-12-2024
11:46 AM
Great solution - I like how it also takes out need for subsearch Thank you!!
02-12-2024
11:31 AM
Great way to sanity check - didn't think of this til you mentioned it. Ty!!
02-12-2024
10:58 AM
hi @richgalloway ¿Do I have to change the name app or folder name or both?
02-12-2024
10:56 AM
1 Karma
Assuming you've verified 12 indexers can handle both the indexing and search loads, then you just need to remove 12 indexers. 1. Remove 12 indexers from outputs.conf on all instances. Ideally, you...
See more...
Assuming you've verified 12 indexers can handle both the indexing and search loads, then you just need to remove 12 indexers. 1. Remove 12 indexers from outputs.conf on all instances. Ideally, you have this in an app so you can make the change once an push it to where it is needed (SHs, forwarders, DS, MC, CM, LM). If you've implemented Indexer Discover then you can skip this step. 2. Put the 12 indexers into manual detention. This will keep them from accepting new data or replicated buckets. splunk edit cluster-config -auth <username>:<password> -manual_detention on 3. Run this command on each indexer being removed. splunk offline --enforce-counts Wait for the indexer to stop before proceeding to the next.
02-12-2024
10:44 AM
Used this to drop the comments related fields. Longstanding tickets had more than 10,000 characters and would cause false negatives and/or crash browsers.
02-12-2024
10:42 AM
Yes, that is what I am trying to do, and I obviously have the host, is there a way to extract this out of the event to add to the alert? Jan 4 13:07:57 HOST 1 2024-01-04T13:07:57.085-05:00 somenu...
See more...
Yes, that is what I am trying to do, and I obviously have the host, is there a way to extract this out of the event to add to the alert? Jan 4 13:07:57 HOST 1 2024-01-04T13:07:57.085-05:00 somenumber-somename-ks-srx rpd 2188 JTASK_SIGNAL_INFO [junos@2636.1.1.1.2.133 message-name="INFO Signal Info: Signal Number = " signal-number="1" name=" Consumed Count = " data-1="3"] Thanks for all the help
02-12-2024
10:40 AM
Yes, it can handle.. Data volume reduced, so there is no point of keeping 24 indexers.
02-12-2024
10:38 AM
this seems like working, can you please explain how did it work? @ITWhisperer
02-12-2024
10:38 AM
Why do you want to reduce the number of indexers? What problem are you trying to solve? Can 12 indexers handle the workload currently done by 24 indexers?
02-12-2024
10:34 AM
Hi Team, I need to decrease the number of indexers used to half, in my current configurations we have site replication factor is 5 in total with origin:3 and site searchfactor is defined as 3 in tot...
See more...
Hi Team, I need to decrease the number of indexers used to half, in my current configurations we have site replication factor is 5 in total with origin:3 and site searchfactor is defined as 3 in total and origin:2. My total number of indexers is 24 and I want to decrease the count of indexers to 12. I want to have the complete process of reducing the indexer cluster size so that the buckets which have site information will not be impacted.
Labels
02-12-2024
10:31 AM
I tried below syntax but it's matching entire line but I want only "ID" value /(?<ID>\w+)_ETC_RFG
02-12-2024
10:10 AM
Yes. But. 1. As this is a metadata search for hosts only, you'd have to search across all your indexes - you have no indication of which index that event is in. 2. It'd be a very ugly and resource ...
See more...
Yes. But. 1. As this is a metadata search for hosts only, you'd have to search across all your indexes - you have no indication of which index that event is in. 2. It'd be a very ugly and resource intensive search spawning possibly huge number of subsearches. It's a good way to overstress your Splunk environment. That's why the map command is considered a risky command and not enabled for ordinary users by default. But in general I think you're trying to solve a completely different problem here. The issue of finding hosts which stopped reporting was tackled many times already and there are even specific apps for this - like TrackMe - https://splunkbase.splunk.com/app/4621
02-12-2024
10:04 AM
OK. How old is your DBConnect app version (what version is it)?
02-12-2024
10:02 AM
Would there be a way to to search for the first host not reporting and see the most recent event and create an alert on that, and do it for the second and the third and so forth?
02-12-2024
09:53 AM
1 Karma
https://docs.splunk.com/Documentation/Splunk/9.2.0/Admin/TypesofSplunklicenses#Other_types_of_licenses [...] Free license The Free license allows a completely free Splunk Enterprise instance with ...
See more...
https://docs.splunk.com/Documentation/Splunk/9.2.0/Admin/TypesofSplunklicenses#Other_types_of_licenses [...] Free license The Free license allows a completely free Splunk Enterprise instance with limited functionality and license usage. The following important points apply to the Free license: The Free license gives access to a limited set of Splunk Enterprise features. The Free license is for a standalone, single-instance installation of Splunk Enterprise only. The Free license cannot be stacked with other licenses. The Free license does not expire. The Free license allows you to index 500 MB of data per day. If you exceed that you will receive a license warning. The Free license prevents searching if there are a number of license warnings. To learn about license warnings and violation, see What happens during a license violation? For a list of features that are disabled in Splunk Free, see About Splunk Free. [...] So while it doesn't impose any limits on commercial vs. non-commercial use, the features that are disabled make it very challenging for production use of any kind. While in some scenarios you could probably get away without scheduled searches, the lack of ability to create users would probably disqualify the free license in all my use cases.
02-12-2024
09:48 AM
1 Karma
Not in this search. Remember that at each pipe you get only the results from subsequent commands. So if the metadata command gives you just some, well, metadata, you're not having any events. You'd...
See more...
Not in this search. Remember that at each pipe you get only the results from subsequent commands. So if the metadata command gives you just some, well, metadata, you're not having any events. You'd need to either run a very wide search and do stats latest(_raw) by host, which is not a very good idea or either use this one as part of a subsearch to generate time limiting conditions or pass this through map command. Both solutions aren't very pretty.
02-12-2024
09:27 AM
Same problem here! Have you found a solution to fix this problem?
