Hi @twanie, as @bowesmana said, it isn't possible because Splunk isn't a database: in the index you have, day by day, all the events, and it's not possible to delete or replace them; in this way you also have the history of your data. If you want a table that you can replace every day, you could save the results of your query in a lookup that you recreate every day. Ciao. Giuseppe
Hi @ericg57, I agree with you: I don't remember that it's possible to change the monitoring interval, but why do you want this? It's better to have the new events as soon as possible, and they are read in near real time. The solution with a script is possible, but it does the same job as the monitor command, so why? Ciao. Giuseppe
The message appeared for forwarders (search head cluster) upgraded to 9.1.2 with these settings:
forceTimebasedAutoLB = false
useACK = true
autoLBFrequency = 30
Upgrading doesn't change the behavior on full Enterprise Splunk, but this seems to work on Universal Forwarder.
Hello, why does Splunk drilldown open two tabs instead of one? Here's my setting: Image => Drilldown settings => On click link to custom URL => put URL. When I clicked it, it opened two tabs. I found an old post, but nobody answered. Please help. Thanks. https://community.splunk.com/t5/Dashboards-Visualizations/Why-is-Splunk-drilldown-setting-opening-two-tabs-instead-of-one/m-p/602444
@ITWhisperer @gcusello In Hadoop ResourceManager, after "Operation=Submit Application Request", the ResourceManager will "Allocate New ApplicationID". I would like to see how much time difference there is between the 2 subsearches in the Splunk query.
Hello @jamesbanday, the message "is not a known identity" is related to the Identities that are configured in Splunk Enterprise Security; probably this user is not configured in the Identities lookup. To configure Assets & Identities in Splunk Enterprise Security, use the following doc: https://docs.splunk.com/Documentation/ES/7.3.0/Admin/Addassetandidentitydata. Also, you could check in Splunk whether this identity exists using the identities macro:
| `identities`
| search identity=<NAME_IDENTITY>
Thanks.
On that same link, they have given a good search explanation. May I know if you read it? May I know what confusion you have after reading that? Thanks.
Hello @MattH665, I believe that you are looking for the setting:
hostname = <your_hostname>
in alert_actions.conf - https://docs.splunk.com/Documentation/Splunk/latest/Admin/Alertactionsconf#GLOBAL_SETTINGS
Examples: http://splunkserver:8000, https://splunkserver.example.com:443
Remember to restart your instance after the changes. Thanks.
Hello @WumboJumbo675,
1 - Confirm in Splunk Cloud if the internal logs from the Heavy Forwarder are being indexed (I believe yes, since you said some logs are correct). If yes, the issue is in the UF > HF communication.
index=_internal host=<host_name_heavy_forwarder>
2 - Confirm if the communication between UFs and HFs is working correctly. Look for ERROR messages or tcpout error messages on the UFs in:
$SPLUNK_HOME/var/log/splunk/splunkd.log
3 - Execute a btool check to confirm that there are no syntax errors in the .conf files on the UFs:
splunk btool check
4 - Check the precedence of the inputs.conf files using btool to confirm that the inputs are being read:
splunk btool inputs list --debug
5 - Confirm if there is a "wineventlog" index created in Splunk Cloud.
Let me know if this helps. Thanks.