Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
02-09-2024
02:04 AM
Hi Some comments even this is a old post. DMC/MC (if you have configured forwarders there) shows all nodes which have sent any _internal log events to indexers were MC will look those periodically ...
See more...
Hi Some comments even this is a old post. DMC/MC (if you have configured forwarders there) shows all nodes which have sent any _internal log events to indexers were MC will look those periodically and create a lookup file for them. Basically this means that until those events are in _internal log you will see those in MC forwarder dashboard. I think that DS's forwarder management use REST request from clients (DC) to keep book what DCs are active. Actually this means that until DC make a poll DS didn't know it. This same will happen always after you 1) reboot splunk and/or you reload deploy-config after changes. The "missing time" will depends on how often your clients are polling DS. Default is 1min phoneHomeIntervalInSecs = <decimal>
* How frequently, in seconds, this deployment client should
check for new content.
* Fractional seconds are allowed.
* Default: 60. Depending on your environment you could/should increase this to e.g. 5min. Another thing. You should never use system/local to store any configuration (there are some exceptions). Especially for DC configurations should be under own app. That way you can manage those via DS instead of managing those locally. r. Ismo
02-09-2024
01:47 AM
If you see what every i am trying its getting two same values
02-09-2024
01:38 AM
Hello Splunk Community I am currenlty testing Splunk universal forwarder to replace Logstash which use a lot a memory. I installed the latest UF 9.2.0.1 (and tried several other version: 9.1.1, 8...
See more...
Hello Splunk Community I am currenlty testing Splunk universal forwarder to replace Logstash which use a lot a memory. I installed the latest UF 9.2.0.1 (and tried several other version: 9.1.1, 8.2.9) and everything is working fine, except that my container where splunk uf is running seems to memory leak: Even when I do not add any configuration to splunk uf the memory of the container is increasing. my docker image uses a FROM image that I use in many other other container without any leak so I have no doubt splunk uf is at fault here So I wonder if anyone using splunk uf is experiencing the same issue ? or if there is an ongoing ticket tracking this memory leak? The memory leak is not huge but my container is supposed to run 24/7 so I cannot afford any leak. Thanks for your feedback.
Labels
- Labels:
-
splunk-assist
-
using Splunk Enterprise
02-09-2024
01:25 AM
From this pannel i am going to remove the every lable under bars ex: "Mon Jar 15" to "Jar 15", i am not getting i checked in UI settings and Source code aswell, but nothing showingup. One thing ...
See more...
From this pannel i am going to remove the every lable under bars ex: "Mon Jar 15" to "Jar 15", i am not getting i checked in UI settings and Source code aswell, but nothing showingup. One thing is it possible to this requirment from dashboard
Labels
- Labels:
-
dashboard
02-09-2024
01:09 AM
| streamstats count
| where PageNo != count
02-09-2024
01:01 AM
Hi I want to create a search to find all the events for which last row exists but there is atleast 1 row missing. Example is attached below : Splunk Query : `macro_events_prod_gch_comms_esa` ...
See more...
Hi I want to create a search to find all the events for which last row exists but there is atleast 1 row missing. Example is attached below : Splunk Query : `macro_events_prod_gch_comms_esa` gch_messageType="Seev.047*" host="p*" gch_status="*" NOT"BCS" | table BO_PageNumber,BO_LastPage,gch_status |rename BO_PageNumber as PageNo , BO_LastPage as LastPage , gch_status as Status | sort by PageNo Requirement is find all the events for which LastPage as True exists and there is atleast 1 row missing with PageNo less than the PageNo of row with LastPage as True.
Labels
- Labels:
-
stats
02-09-2024
12:58 AM
Hello @inventsekar , Thanks for replying ! Here is the info : Splunk Enterprise Version : 8.2.4 Delay : around 10min Kind regards
02-09-2024
12:46 AM
1 Karma
Please share the source code of your dashboard in a code block </>
02-09-2024
12:45 AM
Please share some sample anonymised events in code blocks </> to prevent reformatting and the lose of important data.
02-09-2024
12:36 AM
Hi @twanie , as @bowesmana said, it isn't possible because Splunk isn't a database: in the index you have day by day all the events, and it's not possible to delete or replace them, in this way you ...
See more...
Hi @twanie , as @bowesmana said, it isn't possible because Splunk isn't a database: in the index you have day by day all the events, and it's not possible to delete or replace them, in this way you have also the history of your data. If you want a table that you can replace every day, you could save the results of your query in a lookup that you recreate every day. Ciao. Giuseppe
02-09-2024
12:33 AM
1 Karma
Hi @ericg57, I agree with you: I don't remember that it's possible to change the monitoring interval but why do you want this? It's better to have the new events as soon as possible, and they are r...
See more...
Hi @ericg57, I agree with you: I don't remember that it's possible to change the monitoring interval but why do you want this? It's better to have the new events as soon as possible, and they are read in near real time. The solution with a script is possible but it makes the same job of the monitor command, so why? Ciao. Giuseppe
02-09-2024
12:28 AM
Hi @bmanikya , check the regexes. if you share some samples of your logs we could help you. Ciao. Giuseppe
02-09-2024
12:27 AM
1 Karma
hi @LearningGuy , could you better describe your issue? eventually attaching some screenshot, because I don't understand this behavior. Ciao. Giuseppe
02-08-2024
11:50 PM
The message appeared for forwarders (search head cluster) upgraded in 9.1.2 settings: forceTimebasedAutoLB = false useACK = true autoLBFrequency = 30 Upgrading don't change the behavior on full...
See more...
The message appeared for forwarders (search head cluster) upgraded in 9.1.2 settings: forceTimebasedAutoLB = false useACK = true autoLBFrequency = 30 Upgrading don't change the behavior on full enterprise splunk But this seems to work on Universal Forwarder
02-08-2024
10:55 PM
Hi @scelikok it works, sorry for the delay. Today I checked it. Best regards AchimK
02-08-2024
10:36 PM
How can I create Investigations in Splunk ES using REST APIs and not using Splunk WEB UI.
Labels
- Labels:
-
development
02-08-2024
08:41 PM
What was the solution?
02-08-2024
08:17 PM
Hello, Why does Splunk drilldown open two tabs instead of one? Here's my setting: Image => Drilldown settings => On click link to custom URL => put URL When I clicked it opened two tabs If f...
See more...
Hello, Why does Splunk drilldown open two tabs instead of one? Here's my setting: Image => Drilldown settings => On click link to custom URL => put URL When I clicked it opened two tabs If found old post, but nobody answered. Please help. Thanks https://community.splunk.com/t5/Dashboards-Visualizations/Why-is-Splunk-drilldown-setting-opening-two-tabs-instead-of-one/m-p/602444
Labels
- Labels:
-
Dashboard Studio
-
drilldown
02-08-2024
08:14 PM
Did you ever figure this out? I had the same issue. Thanks
02-08-2024
07:07 PM
@gcusello Results are empty for App1 and App2.
