That's true, as you are sending over pure TCP, which is not S2S. Those fields are part of S2S's metadata information. If you also want to send those, you must add them into your data stream's payload part. You can use props.conf and transforms.conf to modify that as needed. But what are you actually trying to do, and why, and where are you trying to send that data? Maybe there is some other way to get events there? I see some OTEL name here....
One comment. If I remember correctly, you must first remove/move your SPLUNK_HOME/etc/passwd file to another name. If it exists, then that user-seed.conf didn't work.
I have explained this, and also searchable buckets, in this post: https://community.splunk.com/t5/Deployment-Architecture/SF-and-RF-How-much-count-should-we-keep/m-p/580574/highlight/true#M25165. You didn't say whether you have a normal cluster in one site or a multisite cluster, or whether you have SmartStore in use. If you have SmartStore then you must use SF=RF, otherwise it's possible that Splunk tries to upload your new bucket from a replicated bucket which is not searchable, and then it doesn't work with S2. If you have a multisite cluster then you will also have a site replication factor and a site search factor which manage those copies over your sites. As @PickleRick already said, your installation raises questions, as you said that you have 9 indexers and 7 search heads. I need to say that it's quite a weird combination, especially if those SHs are individual and not in a SHC.
Thank you for all the input here. I was really getting caught up in the capture group without realizing that wasn't what I was even trying to figure out.
Yeah, I've been looking into data models and figuring out how to set my eventtypes to set up CIM, that's kinda how I fell down this particular rabbit hole.
Good afternoon @ljvc. Could you provide some direction on how you're accessing the mc_notes collection from within the Mission Control app? Struggling to find this.
So if your indexers have a separate storage filesystem for indexes, consider creating the links pre-upgrade (ln -s /mypath-to/mongo /opt/splunk/var/lib/splunk/kvstore/mongo) for a headache-free kvstore update.
Hello! I realize this is bumping an extremely old thread, but it was still relevant. I went to use this and it looks like it completely ignores the "Domain Users" group. If a user is a member of two or more groups, it doesn't create a row for it in the memberOf row. If the account is ONLY a member of the "Domain Users" group, it doesn't even show the memberOf column. This seems to be the only group it happens with; any standard "Built-In" group from AD shows up except for Domain Users. Initially I thought it had to do with spaces, but groups with spaces show up fine, so I'm not sure what is happening here.
I also hit an upgrade bug with 9.4.1 on a client's indexers: the upgrade migration from mongo 4 to 7 failed to run due to the scripts not using SPLUNK_DB but hardcoding /opt/splunk/var/lib.... The indexers had a separate filesystem /data01/.... I was able to create a link from the mongo under /opt/splunk/var/lib/splunk/kvstore... to the "real" one in /data01, and a restart triggered the upgrade process to complete properly.
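The two posts above describe the same workaround: when the kvstore data lives on a separate filesystem, make the hardcoded path $SPLUNK_HOME/var/lib/splunk/kvstore/mongo resolve to the real mongo directory before the upgrade runs. The script below is an added example, not code from either poster or from Splunk; the SPLUNK_HOME and /data01 locations are assumptions taken from the posts and the temp-directory layout used for trying it out is constructed. It creates the link only when nothing is at the hardcoded path, refuses to replace a real directory that already exists there, and verifies that both paths resolve to the same place.

```shell
#!/bin/sh
# Added example (not from the thread): ensure the hardcoded kvstore path
# used by the upgrade scripts resolves to the real mongo directory that
# lives on a separate data filesystem. Paths are assumptions; adjust them.

# ensure_kvstore_link SPLUNK_HOME REAL_MONGO_DIR
#   0 = hardcoded path resolves to REAL_MONGO_DIR (link created or already ok)
#   1 = real directory missing, or an existing link points somewhere else
#   2 = a real directory (not a symlink) already occupies the hardcoded path
ensure_kvstore_link() {
    splunk_home=$1
    real_mongo=$2
    link_path="$splunk_home/var/lib/splunk/kvstore/mongo"

    if [ ! -d "$real_mongo" ]; then
        echo "real mongo directory $real_mongo does not exist" >&2
        return 1
    fi

    if [ -L "$link_path" ]; then
        : # an existing symlink: verified below, never blindly replaced
    elif [ -e "$link_path" ]; then
        # Do not clobber a real kvstore directory; that needs a human decision.
        echo "$link_path exists and is not a symlink; refusing to replace it" >&2
        return 2
    else
        mkdir -p "$(dirname "$link_path")"
        ln -s "$real_mongo" "$link_path"
    fi

    # Verify both paths resolve to the same physical directory (POSIX pwd -P).
    resolved=$(cd "$link_path" 2>/dev/null && pwd -P)
    expected=$(cd "$real_mongo" && pwd -P)
    [ -n "$resolved" ] && [ "$resolved" = "$expected" ]
}

# Typical call on a real indexer (assumed layout from the posts):
#   ensure_kvstore_link /opt/splunk /data01/splunk/kvstore/mongo
```

Run it before starting the upgraded binary, so the migration finds its data at the path it expects; a non-zero exit tells you to look at the filesystem by hand rather than proceed.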
Just be aware - it is not an official download link (Splunk doesn't support and officially share such old products). It might stop working at any time.
As @richgalloway already said, there are many different products, not only the one which you are talking about. I suppose that your best option is to contact your local Splunk sales engineer or Splunk partner, and they could go through that offering with you. Then it's much easier to select the correct options for your client.
Sourcetype is the "kind" of messages you get. It's not about what is contained within those events but how it's represented. If you want to have a nice and easy way of searching for similar "meaning" events, you can use tags or eventtypes. And you might want to dig into data models.
The name of the Splunk Slack channel has changed, but you can access it with the URL given by @ITWhisperer. I suppose that you could ask for reactivation of your current account via http://splk.it/slack. There haven't been many people managing those requests, so you must be prepared to wait some time.
The link above is out of date. The current link is: https://download.splunk.com/products/universalforwarder/releases/6.4.6/windows/splunkforwarder-6.4.6-6635aa31e851-x86-release.msi
I think perhaps there's some mix-up in terminology that is making it harder to communicate the goal. Splunk Enterprise is Splunk's core data platform product for on-premises installation. It can be used to collect observability (o11y) data. Splunk Cloud (AKA Splunk Cloud Platform) essentially is Splunk Enterprise on a public cloud provider (AWS, GCP, or Azure). Splunk Observability Cloud is Splunk's o11y product offering and is distinct from both Splunk Enterprise and Splunk Cloud. This product is available only in a cloud offering. Splunk Real User Monitoring (RUM) and Splunk Synthetic Monitoring are other separate Splunk products. That said, can you please re-state the goal?
We are currently using Splunk Enterprise on-premises, and the client has expressed plans to migrate to Splunk Cloud. In addition, they have clearly stated the need to work, specifically focusing on Synthetic Monitoring and Real User Monitoring (RUM). While it appears they intend to adopt Splunk Cloud as the primary observability platform, I would like to confirm whether their strategy involves solely utilizing Splunk Cloud or if they intend to integrate with AWS or Azure cloud platforms as part of the observability or hosting architecture. Could you please provide guidance or clarity on whether the migration includes leveraging Splunk Cloud hosted on a public cloud provider (e.g., AWS or Azure), or if there is a broader hybrid/cloud-native observability strategy in play?
We are doing a dry run of a Splunk 9.0.2 upgrade to 9.2.4, and when running splunk show kvstore-status we just get status "starting". How do we get this started? Bear in mind that we will be running this in prod in the near future.
/opt/splunk/bin/splunk show kvstore-status
WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details.
This member:
backupRestoreStatus : Ready
disabled : 0
guid : 9AEF8531-6F71-46C8-AC9F-F4EEE7FFE8DB
port : 7511
standalone : 0
status : starting
storageEngine : wiredTiger
/opt/splunk/bin/splunk show kvstore-status
WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details.
Your session is invalid. Please login.
Splunk username: admin
Password:
This member:
backupRestoreStatus : Ready
disabled : 0
guid : 9AEF8531-6F71-46C8-AC9F-F4EEE7FFE8DB
port : 7511
standalone : 0
status : starting
storageEngine : wiredTiger