What exactly do you want to do? The command you provided will "empty" the index without touching its definition. Also, I haven't tried this in a cluster (I assume that's what you mean by 3 indexers and "a management node"), but I'd expect the cluster to start fixups as soon as you do the operation on the first node unless you enable maintenance mode. Anyway, if you want to leave the index definition but only remove the indexed events, that's one of the possibilities. Another one is to set a very short retention period and let Splunk roll the buckets normally. If you want to remove the index along with its definition, you have to remove it from indexes.conf on the CM, push the config bundle (this will trigger a rolling restart of the indexers) and then manually remove the index directories from each indexer.
Upgrading Splunk Enterprise using rpm -Uvh <<splunk-installer>>.rpm on RHEL seems to have caused this "Network daemons not managed by the package system" to be flagged by Nessus (https://www.tenable.com/plugins/nessus/33851).

Notice that for some Splunk Enterprise instances, after the upgrade there are 2 tar.gz files created in /opt/splunk/opt/packages that cause the below 2 processes to be started by Splunk (pkg-run):

agentmanager-1.0.1+XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.tar.gz
identity-0.0.1-xxxxxx.tar.gz

The 2 processes are started by the Splunk user and will re-spawn if the process is killed using the kill command:

/opt/splunk/var/run/supervisor/pkg-run/pkg-agent-manager2203322202/agent-manager
/opt/splunk/var/run/supervisor/pkg-run/pkg-identity1066404666/identity

How come an upgrade of Splunk Enterprise causes these 2 files to be created, or is this normal?
Hi, after setting up a test index and ingesting a test record, I'm now planning to remove the index from the distributed setup. Could anyone confirm the correct procedure for removing an index in a distributed environment with 3 indexers and a management node? I normally run the following command on an all-in-one setup:

/opt/splunk/bin/splunk clean eventdata -index index_name
@marycordova Thank you for the valuable suggestion. The approach you've shared is indeed effective. However, in our current environment, implementing a user-based license model may not be feasible due to internal policy and stakeholder alignment constraints. We are exploring alternatives that align with our existing licensing agreements.
Hi @AJH2000, it sounds like your HEC connection is working as expected, and you have confirmed that the data is being ingested, so I think your HEC configuration is all good. You haven't mentioned your deployment architecture; however, I suspect you are using a SH/SHC connecting to an indexer cluster. When you configured the index, did you also create the index on the SH/SHC? If you didn't, then it would explain why the index is not visible in the Edit Role screen. Please make sure the index definition exists on the SH and then check again.

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing.
Hi community, I'm running into a permissions/visibility issue (I don't know) with an index created for receiving data via HTTP Event Collector (HEC) in Splunk Cloud.

Context:
- I have a custom index: rapid7
- Data is being successfully ingested via a Python script using the /services/collector/event endpoint
- The script defines index: rapid7 and sourcetype: rapid7:assets
- I can search the data using `index=rapid7` and get results.
- I can also confirm the sourcetype: `index=rapid7 | stats count by sourcetype`

Problem: I am trying to add rapid7 to my role's default search indexes, but when I go to Settings → Roles → admin → Edit → Indexes searched by default, the index rapid7 appears blank. I don't know if this is the whole problem.

What I've verified:
- The index exists and receives data
- The data is visible in Search & Reporting if I explicitly specify index=rapid7
- I am an admin user
- I confirmed the index is created (visible under Settings → Indexes)

My questions:
- What could cause an index to not appear in the "Indexes searched by default" list under role settings?
- Could this be related to the app context of the index (e.g., if created under http_event_collector)?
- Is there a way in Splunk Cloud to globally share an index created via HEC so it appears in role configuration menus?

I want to be able to search sourcetype="rapid7:assets" without explicitly specifying my index=rapid7, by including it in my role's default search indexes. Any advice, experience or support links would be appreciated! Thanks!
@Nawab Reconfiguring Splunk Enterprise Security is what I would advise you to do, however if the problem persists, open a support ticket. https://docs.splunk.com/Documentation/ES/8.0.40/Install/InstallSplunkESinSHC#Installing_Splunk_Enterprise_Security_in_a_search_head_cluster_environment
Hello, I have an air-gapped Splunk AppDynamics (25.1) HA on-premises instance deployed, fleet management service enabled, and smart agents installed on the VMs to manage the app server agents. I want to be able to download the agents directly from AppDynamics Downloads from the controller UI instead of downloading manually (i.e. Using AppDynamics Portal), but I don't know which URLs should be whitelisted on the firewall. Can anyone help me with this? Thanks, Osama
I tried it again, using the same method you suggested, deployed and configured the app on the deployer and pushed the config bundle, but it's still the same.
Wait. As far as I remember (it's been some time since I did it last time) you don't manually copy anything. When you run the installer in deployer mode it takes care of preparing the shcluster bundle. That's why you run it exactly as described - upload the app to the deployer, run the installer on the deployer, apply shcluster-bundle. No manual copying stuff anywhere.
I followed these steps, installed ES on the deployer and configured it. Mission Control is not working on the deployer. Then I copied ES to shcluster/apps and pushed the configuration. Now all DA-ESS and SA apps are present in the apps of each SHC member, but still, when I click the ES app or Mission Control app on a cluster member, it says continue to setup page. Not sure why.
@Nawab Installing ES on a Search Head Cluster Deployer:

1. On the Splunk toolbar, select Apps > Manage Apps and click Install app from file
2. Click Choose File and select the Splunk Enterprise Security file
3. Click Upload to begin the installation
4. Click Continue to app setup page
5. Click Start Configuration Process, and wait for it to complete
6. Use the Deployer to deploy ES to the cluster members. From the Deployer run:

/opt/splunk/bin/splunk apply shcluster-bundle
@Nawab - Please make sure that you followed all pre-requisites for SHC and ES on SHC. https://docs.splunk.com/Documentation/ES/8.0.2/Install/InstallSplunkESinSHC
I have installed ES on the deployer as suggested by the Splunk docs, then transferred this app to /opt/splunk/etc/shcluster/apps and pushed the apps to my cluster. But still, when I open ES on any search head, it still says Post install configurations, and when I click configure it says you cannot do it on an SHC member.
Hi @RebeccaKeller, no, as of version 3.18.2, Splunk DB Connect does not officially support DB2 on z/OS (mainframe). The documentation only states that "IBM DB2 is supported when the database is running on Linux. Splunk doesn't test or support DB2 on AS/400 or Windows." However, technically, DB2 offers a universal JDBC driver that can (in theory) communicate with DB2 on z/OS. Some tools can connect this way if the correct configuration and drivers are used—but official vendor support is another matter.

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing.