msiexec /i "splunkforwarder-9.1.2-xxx-x64-release.msi" AGREETOLICENSE=Yes /quiet - add the complete location of the msi and of deploymentclient.conf in the script.
[+\-0-9#$%^!._?@] character class
Thank you @jkat54 for sharing your inputs. Strangely, it's just that expression that leads to such an issue. When I try to remove characters from the string one by one, the drilldown works.
There is no easy way of doing it, but check the macros an app uses; in that macro there is normally a search which points to an index. Settings --> Advanced search --> Search macros, and there you can find the index being used by the app.
There is no 100% reliable way. There are some common cases which can be covered, but you can only detect some typical cases where the indexes are specified explicitly. I can think of so many ways of specifying indexes dynamically (even generating index names randomly) that you can't find it automatically. But the question is why you even need that.
Are you sure you want _any_ special character? How do you even define a special character in this case? I'd rather go either for any non-space character and use \S, or explicitly define a set of acceptable characters using a character class, like [-0-9#$%^!.?@]
As @gcusello already noticed, you probably used a lot of values() in your stats. As you can see yourself, it results in a list of multivalued fields. The problem with that is that each of those multivalued fields is a separate entity and there is no relationship between them. So you can reliably split those values into single rows unless you have a very very strong guarantee for some properties of your data. For example, for source data like

field1 field2 field3
1      2
1             3
1      4      5
1      6
1      8
1             9
1             11

you'd get a result like this:

values(field1) values(field2) values(field3)
1              2 4 6 8        3 5 9 11

If you tried "unpacking" it assuming that the values from the two latter columns match 1-1, you'd get completely ridiculous results.
I think it's obvious there is a bug in the trellis drilldown, and while you've found another clue, I don't think it really leads me to a fix yet. Even when I wrote jQuery to "fix" it, I had all these random behaviors like you're seeing.
C:\Windows\Temp\splunk>copy deploymentclient.conf "c:\Program Files\splunkuniversalforwarder\etc\system\default\"
0 file(s) copied.

Well... that seems to indicate that either the source file or the source directory doesn't exist. It _might_ have something to do with your error.
Thanks @PickleRick @gcusello 
Take care. The example above fails for a key name like "my-key", since \w does not include -. It also fails for the last KV, since you expect a \s and end of line, so \s? would be better. ([a-zA-Z0-9-_]+)=(?:\'?)([^\']+)(?:\'?)\s?
Hello @ITWhisperer, I appended the string ":windows_infrastructure_data:" to the values of the trellis data, and the drilldown stopped working for all trellis charts. If I replace it with ":windows_infrastructure_data" or with "windows_infrastructure_data:", the drilldown works well. Thus, do you know if there is anything in the above expression I may not have observed yet but which has the potential to block the drilldown? Thank you
Hi @hieuba - I'm a Community Moderator in the Splunk Community. This question was posted 1 year ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post. Thank you!
Please help us to fix the below installation issue. It seems Splunk is trying to find some file in the system but is unable to fetch/identify which file that is. We tried to uninstall the previous setup and removed all reg_keys as well, but we are still facing the same error. We tried to run the previous version (v_7.x) and get the same error (the system cannot find the path specified).

C:\Windows\Temp\splunk>Splunkinstall.bat
C:\Windows\Temp\splunk>msiexec /i "splunkforwarder-9.1.2-xxx-x64-release.msi" AGREETOLICENSE=Yes /quiet
C:\Windows\Temp\splunk>net stop SplunkForwarder
The SplunkForwarder Service service is not started.
More help is available by typing NET HELPMSG 3521.
C:\Windows\Temp\splunk>copy deploymentclient.conf "c:\Program Files\splunkuniversalforwarder\etc\system\default\"
0 file(s) copied.
C:\Windows\Temp\splunk>net start SplunkForwarder
System error 3 has occurred.
The system cannot find the path specified.
Hi, based on the last picture your second search peer (indexer) is not up and running. Please look at its internal logs to see why it's not working and fix it. After it's up and running again, this issue should be fixed automatically. r. Ismo
Hi @KulvinderSingh, as @PickleRick said, please don't call out specific people with your question, because we have limited time for answering your question and you limit your possibility of receiving an answer from other people. Anyway, here is documented how to migrate from a single site to a multisite cluster: https://docs.splunk.com/Documentation/Splunk/9.1.2/Indexer/Migratetomultisite About the other question: no, you don't lose any data and, as @PickleRick said, using Warm or Cold storage is a different configuration with no relation to the multisite cluster; it's a configuration of each single index of your infrastructure. In fact, you have to do this in indexes.conf files instead of the server.conf file. Ciao. Giuseppe
1. Please don't call out specific people with your question. I don't want to sound rude, but people are giving their own spare time providing help here; it's not a Splunk support service. Doing so can even lower the chance of you getting help from the people you mention.

2. There is no such thing as "all hot storage". You may not have separate storage units for hot/warm and cold storage, but that doesn't mean that your buckets are not in those states.

Honestly, this whole project seems a bit complicated and will require some decent planning. There are several different approaches you could take with this - adding another site, replicating data, then resizing indexers and removing old ones. Or spinning up a new environment and copying over the data (it can be tricky to identify all buckets). It is definitely a project for which you should get either PS involved or your friendly local Splunk partner with an experienced team, because there are several things that can go wrong (and if you don't prepare properly, most probably will).
Hi, it's just like @gcusello said: you will need a role for that department's users. In addition, I propose that you also create an app for them. That way they can create their own dashboards, reports etc. under that app, and you can restrict access to those only for that app. Here is one .conf presentation about how roles should/could be defined for enterprises: https://conf.splunk.com/files/2023/slides/PLA1169B.pdf r. Ismo
Hi All, I have a very specific migration. I am migrating from a 5-indexer single-site cluster to a 4-indexer multisite cluster, 2 indexers on each site. I have a couple of questions around it. First, the current indexers are all hot storage; I want to change this on the new hardware to hot and cold, and as Splunk appsizing is no longer available, I need help with some calculations. Secondly, how do I make sure that data from the 5 indexers is not missed while migrating to 2? regards, Kulvinder Singh @richgalloway @PickleRick @gcusello
Hi, unfortunately there isn't (at least as far as I know) any way to get this list 100%. There are so many ways the used index can be defined for queries. @ITWhisperer already listed some of those, but if index=xy* or index=* is used, or if the index is not mentioned in the SPL query, macro or event types, then Splunk will use what has been defined for the user's role (or combined roles) as the default search index. Basically you could get some list of used indexes, but don't trust that it contains all of them, unless it contains all the indexes you have defined on your system. r. Ismo