Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
02-09-2024
01:35 PM
Hi team, I am working with Splunk Cloud "Classic" experience, and I installed one official app with different configurations. In my case, my focus is with props.conf in the stanza "sourcetype" wh...
See more...
Hi team, I am working with Splunk Cloud "Classic" experience, and I installed one official app with different configurations. In my case, my focus is with props.conf in the stanza "sourcetype" where this props.conf creates a field called "action". I need to change this field "action" without modifying the official app, so, I created a new custom app with new props and stanza sourcetype with field "action" adding other characteristics. After that, splunk cloud continues applying the old configuration from the official app and it didn't take the new attributes. Note: I am using default folder in each apps for locate the props file because Splunk Cloud doesn't allow using local folder Someone know, how can I do that? priority precedence fields by sourcetype
- Tags:
- cloud
Labels
- Labels:
-
using Splunk Cloud
02-09-2024
01:25 PM
Internally, both the introspection generator and the tools used by the add-ons may use the same operating system interfaces to collect performance metrics; however, two observers running concurrently...
See more...
Internally, both the introspection generator and the tools used by the add-ons may use the same operating system interfaces to collect performance metrics; however, two observers running concurrently on the same host will return different values for the same metric. This is the nature of statistical sampling.
02-09-2024
01:17 PM
1 Karma
Hi @inventsekar, Note that I use \\ to escape backslashes in Splunk strings, but Splunk isn't strict about escape characters in regular expressions. You may see examples with and without C-style esc...
See more...
Hi @inventsekar, Note that I use \\ to escape backslashes in Splunk strings, but Splunk isn't strict about escape characters in regular expressions. You may see examples with and without C-style escape sequence. The actual expression is: (?<char>(?=\S)\X) (?=...) is a positive lookahead group, and \S matches any non-whitespace character. The expression (?=\S) means "match the next character if it isn't a whitespace character." The expression (?=\S)\X matches any Unicode character, \X, that isn't a whitespace character. You may prefer this expression to match any Unicode character that is also a word character, \w, which would exclude European-style punctuation: (?<char>(?=\w)\X) Splunk supports Perl-compatible Regular Expressions (PCRE). Note that Splunk uses the PCR2 library internally but does not support PCRE2 functionality.
02-09-2024
12:54 PM
Still working in 2024, thanks so much!!
02-09-2024
12:48 PM
Hello @phanikumarcs , For a Classic Dashboard, click on "Edit > Source" and add the following after the </search> tag and inside <chart> tag: <option name="charting.axisLabelsX.majorLabelVisibil...
See more...
Hello @phanikumarcs , For a Classic Dashboard, click on "Edit > Source" and add the following after the </search> tag and inside <chart> tag: <option name="charting.axisLabelsX.majorLabelVisibility">hide</option> This configuration will hide the labels from the X axis. Thanks.
02-09-2024
12:39 PM
Hello @Alan_Chan , Could you please share the configuration of the inputs.conf file for the WinHostMon://Service input? Please make sure that the disabled=0 is configured for this input and also th...
See more...
Hello @Alan_Chan , Could you please share the configuration of the inputs.conf file for the WinHostMon://Service input? Please make sure that the disabled=0 is configured for this input and also that a restart in the splunk service was done after the changes on the inputs.conf file. Also, it is recommended to execute a btool command to make sure that this configuration is with the correct precedence: splunk btool inputs list --debug Thanks.
02-09-2024
12:10 PM
Hi @tscroggins may i know how this works please. (?<char>(?=\\S)\\X) the \\X, google told me, it will match for a unicode character. nice. but may i know if you are aware of this from Perl or P...
See more...
Hi @tscroggins may i know how this works please. (?<char>(?=\\S)\\X) the \\X, google told me, it will match for a unicode character. nice. but may i know if you are aware of this from Perl or Python rex or somewhere else and may i know what the "?=\\S" does please.
02-09-2024
11:53 AM
Hello @WumboJumbo675 , If there are no errors in the connection between UFs > HFs > Splunk Cloud, there are no syntax errors, the index is created and the precedente of the inputs is correct I belie...
See more...
Hello @WumboJumbo675 , If there are no errors in the connection between UFs > HFs > Splunk Cloud, there are no syntax errors, the index is created and the precedente of the inputs is correct I believe that a reboot is a good option. Thanks.
02-09-2024
11:49 AM
Hello @kenbaugher , The ulimit -d configuration will only present the current ulimit configuration. Please use the following Splunk doc to apply the ulimits configuration: https://docs.splunk.com...
See more...
Hello @kenbaugher , The ulimit -d configuration will only present the current ulimit configuration. Please use the following Splunk doc to apply the ulimits configuration: https://docs.splunk.com/Documentation/Splunk/9.2.0/Troubleshooting/ulimitErrors#Set_limits_using_.2Fetc.2Fsecurity.2Flimits.conf Thanks.
02-09-2024
11:38 AM
We just installed the forwarder on one of our VIOS systems to ensure we could get this working, however each time we try to start it up we see the below in our splunkd.log 02-09-2024 13:28:54.797...
See more...
We just installed the forwarder on one of our VIOS systems to ensure we could get this working, however each time we try to start it up we see the below in our splunkd.log 02-09-2024 13:28:54.797 -0600 WARN ulimit [80544161 MainThread] - A system resource limit on this machine is below the minimum recommended value: system_resource = Data segment size (ulimit -d); current_limit = 134217728; recommended_minimum_value = 536870912. Change the operating system resource limits to meet the minimum recommended values for Splunk Enterprise. 02-09-2024 13:28:54.797 -0600 INFO ulimit [80544161 MainThread] - Limit: data file size: unlimited 02-09-2024 13:28:55.258 -0600 WARN Thread [86376799 HTTPDispatch] - HTTPDispatch: about to throw a ThreadException: pthread_create: Not enough space; 43 threads active. Trying to create batchreader0 We issued the ulimit -d command to update this to unlimited, however still seeing the issue.
Labels
- Labels:
-
Linux
-
universal forwarder
02-09-2024
10:58 AM
Thanks for the response! When I search logs for the heavy forwarder, I see the below TCP error message - WARN AutoLoadBalancedConnectionStrategy [7892 TcpOutEloop] - Current dest host connection 44...
See more...
Thanks for the response! When I search logs for the heavy forwarder, I see the below TCP error message - WARN AutoLoadBalancedConnectionStrategy [7892 TcpOutEloop] - Current dest host connection 44.218.224.52:9997 There are no connection errors within the slunkd.logs on the DCs Confirmed no syntax errors and the inputs lists output is correct Confirmed there is an index for 'wineventlog' as that is where the application/system/DNS logs are flowing. Now that I think about it, I made the permission changes for the Splunk service account to be able to access logs on the DCs, but never rebooted them. I am wondering if a reboot is required to apply the changes... To bad I cannot reboot any of the DCs until there scheduled reboot date.
02-09-2024
10:48 AM
1 Karma
The answer is depending on your SC environment, how much data, which kind of it is etc. I think that you should found some local company / person which can help you.
02-09-2024
10:45 AM
Hi You need to remember that changes in HF will effect only to new events and it also need restart of HF before those take effect. Is this HF 1st full splunk instance on path to SC? Have you try to ...
See more...
Hi You need to remember that changes in HF will effect only to new events and it also need restart of HF before those take effect. Is this HF 1st full splunk instance on path to SC? Have you try to set KV_MODE to none on SC to check if it helps with those old events. r. Ismo
02-09-2024
10:33 AM
Thank you Isoutamo for your feedback can you please expand on your answer
02-09-2024
10:11 AM
After you have change password on GUI have you changed it also into docker config / force it from env when you are starting docker?
02-09-2024
10:00 AM
Hi you could look my old post https://community.splunk.com/t5/Getting-Data-In/How-to-apply-source-file-date-using-INGEST-as-Time/m-p/596865. You need to do small modifications to it. Select corr...
See more...
Hi you could look my old post https://community.splunk.com/t5/Getting-Data-In/How-to-apply-source-file-date-using-INGEST-as-Time/m-p/596865. You need to do small modifications to it. Select correct format into 1st replace part to get year to hour part from source. Replace tostring part with take your minutes to sub second from _raw e.g. substring/replace modify format string to match your combined year to sub second format You could test this like I have done on above post. If needed, don’t hesitate to ask more help. Remember that INGEST_EVAL must be an one command only. r. Ismo
02-09-2024
09:42 AM
1 Karma
Hi I don’t think that there are any official instructions for this. I believe that you could easily setup a distributed splunk environment in on prem and switch your log collections towards it. Al...
See more...
Hi I don’t think that there are any official instructions for this. I believe that you could easily setup a distributed splunk environment in on prem and switch your log collections towards it. Also if you have created your KOs into git or other version control system then just install those into new environment. To getting old data from SC will be tricky. Probably it’s best situation if you could leave it there and set e.g. federated search to use it? If not then there is no official way to get those buckets/data back into on prem. r. Ismo
02-09-2024
09:35 AM
@ITWhisperer for this 3) edit your dashboard panel and change the x-axis title to none I have found the solution to this issue. I applied the following SPL code to the existing SPL, and the visual...
See more...
@ITWhisperer for this 3) edit your dashboard panel and change the x-axis title to none I have found the solution to this issue. I applied the following SPL code to the existing SPL, and the visualization updated automatically to reflect the changes. |timechart span=1d count |eval Date=strftime(_time, "%m/%d") |table Date, count @ITWhisperer thanks for your time...
02-09-2024
09:32 AM
Hi I am planning to migrate Splunk Cloud to On-Premises Platform. Looking for road map and potential challenges . Any one?
