All Posts

That was one of our steps in the decommissioning process we were using. Removing the host from the cluster peers didn't remove them from whatever list the Health Reporter component is using on the search heads. They were definitely removed - looking at Settings -> Distributed Search -> Search Peers clearly shows them not being present. Yet the Health Reporter alerts still complain about a lack of connectivity to the decommissioned Search Peer. It appears the only solution to reload whatever list the Health Reporter has internally is to restart the Splunk service on the Search Head. Or to disable the Health Reporter component for Search Peer connectivity entirely - there are no half measures or custom lists in the health.conf file.
Currently [default] repFactor = auto. Search factor is from default, so it's 2. ESS is Splunk Enterprise Security (on its own SH), no other Premium Apps.
Hi @jbanAtSplunk, storage on an Indexer Cluster depends on the Replication and Search Factor. What are they? What's ESS? Do you have Premium Apps? Ciao. Giuseppe
Will check reference. We already have 1 x SH, 1 x ESS, 2 x indexers in cluster, 1 x Deployment server. But the license was 4 times smaller; now, as we will expand the license, I am looking at what we need to expand (storage, CPU, RAM) and how much. Probably we will go to 4 indexers (from 2) and will expand 2.5TB per indexer to 7.5TB per indexer.
Actually, I have 2 separate events: a start event with one unique ID and a few other fields, for example "Job initiated". If the event contains "JOB initiated", that means the event is the first event, and if the event contains "JOB Completed", that means it is the last event. So, I want to calculate how much total time was taken for that particular Job ID to complete.
Hi @jbanAtSplunk, this isn't a question for the Community but for a Splunk Architect. Anyway, there are many other parameters to answer your question: is there an Indexer Cluster, and if yes, what's the Search Factor and the Replication Factor? Is there a Search Head Cluster? Are there Premium Apps such as Enterprise Security or ITSI? How many concurrent users do you foresee in the system? Are there scheduled searches?

Anyway, if you don't have ES or ITSI, you could use around 3 Indexers. If you don't have a Search Head Cluster you can use one Search Head; if you have a Search Head Cluster you need at least three SHs and a Deployer. If you have an Indexer Cluster you need at least 3 Indexers and one Cluster Manager. If you have ES or ITSI the resources are completely different!

For storage: if you don't have an Indexer Cluster you could consider: Storage = License*retention*0.5 = 500*30*0.5 = 7500 GB. If you have an Indexer Cluster the required storage depends on the above factors.

About CPUs and RAM: they depend on the presence of Premium Apps, the number of concurrent users and the number of scheduled searches, so I cannot help you without this information. The only hint is to see the reference hardware at this URL: https://docs.splunk.com/Documentation/Splunk/9.1.1/Capacity/Referencehardware

Ciao. Giuseppe
Whenever I enable index clustering on what is to be my Splunk manager, I go to restart it and it never comes back on. Disabling index clustering through the CLI returns access to the GUI and allows Splunk to start like normal. Journalctl returns the following (after trying to start Splunk with "systemctl start splunk")...

> splunk[9423]: Waiting for web server at https://127.0.0.1:8000 to be available.........
> splunk[9423]: WARNING: web interface does not seem to be available!
> systemd[1]: splunk.service: control process exited, code=exited status=1
> systemd[1]: Failed to start Splunk Enterprise

Trying to start Splunk from the binary returns the following...

> Checking http port [8000]: not available
> ERROR: http port [8000] - no permision to use address/port combination.  Splunk needs to use this port.

I've reinstalled Splunk and rebuilt the VM that Splunk is sitting on and neither of these has worked.
The recommended hardware does not change as ingestion changes. Scale by adding instances rather than by adding resources. The number of search heads is a function of the number of searches to run and the number of users to support. The number of indexers is related to the rate of ingestion, but also must consider the number of searches to run (remember that indexers save data and search it). Storage needs are not just the retention period times the amount ingested each day. Consider also replication of data among indexers, datamodel accelerations (which can consume a lot of space), and data compression. There is an app that can help. See https://splunkbase.splunk.com/app/5176 and engage your Splunk account team as they are experts at this.
Hello all, I could use some help here with creating a search. Ultimately I would like to know, if a user is added to a specific set of security groups, what security groups (if any) were removed from that same user.

Here is a search for security group removal:

index=wineventlog EventCode=4729 EventCodeDescription="A member was removed from a security-enabled global group" Subject_Account_Name=srv_HiveProvSentryNe OR Subject_Account_Name=srv_HiveProvSentry source="WinEventLog:Security" sourcetype=WinEventLog | table member, Group_Name, Subject_Account_Name, _time

Here is a search for security group added:

index=wineventlog EventCode=4728 EventCodeDescription="A member was Added to a security-enabled global group" Subject_Account_Name=srv_HiveProvSentryNe OR Subject_Account_Name=srv_HiveProvSentry source="WinEventLog:Security" sourcetype=WinEventLog | table member, Group_Name, Subject_Account_Name, _time

Additional search info:
EventCode=4728 Added
EventCode=4729 Removed
Group_Name - security group
Subject_Account_Name - prov sentry
member - user

Security groups I would like to monitor users being added to:
RDSUSers_GRSQCP01
RDSUSers_GROQCP01
RDSUSers_BRSQCP01
RDSUSers_BROQCP01
RDSUSers_VRSQCP01
RDSUSers_VROQCP01

Again, I am looking to monitor, if a user was added to any of the above 6 security groups, whether they were removed from any other groups within a few hours before or after the event. Let me know if I can provide any additional info, and as always thank you for the help.
@phanTom we are running version 6.0.0.114895, so basically we fit the scope of the Known Issue you are referring to. It is good to know that this page exists, I had no idea so far. Thank you! It seems that upgrading to the latest release 6.1.1 would do the trick and get rid of this 30d rotation, don't you think?
@schimpanze what version are you on? IIRC there was a bug where automation tokens got auto-rotated every 30 days, so you may have fallen victim to this? It will be on the Known Issues page of the release version you have if you want to check.
Hi, if we upgrade the license to 500GB, what is the best-practice hardware architecture (CPU + RAM) and number of "N" Search Heads and "N" indexers? How much storage per indexer do we need if, let's say, retention is 30 days and "N" indexers are installed? Or, at least, can you share where there is a good .pdf for me to read with those answers? Thank you.
Excluding 2200-0700 is the same as including 0700-2159, which is what the cron schedule I offered does.
No, that doesn't work. I believe the reason it doesn't work is because it is just attempting to change the value of the equation (end - start) to a string, and that value appears to be empty for some reason. I appreciate the try though.
Adding to my problem: if I add the table command, then it gives an error in the rename command, and if I remove the rename command, then it throws an error for the spath command.
Hi @Ryan.Paredez, yes, it seems like the collector log was too long. If someone wants to have a look, here is the link to my logfile: https://github.com/open-telemetry/opentelemetry-collector/files/12803473/collector-log.txt
My data is coming from O365 as JSON. I am using spath to get the required fields; after that I want to compare the data with a static list containing roles to be monitored, but unfortunately I am getting the below error:

Error in 'table' command: Invalid argument: 'role="Authentication Administrator"'

It's not working. PFA the relevant snap.
There's an old answer to a similar question that might help.  https://community.splunk.com/t5/Security/Does-Splunk-support-Microsoft-Azure-AD-B2C/m-p/377039
Hi @richgalloway, my ask was: Cron schedule: every 3 hours, excluding 10pm to 7am. We don't want to receive alerts from 10 pm to 7 am.
The lack of .spec files for app.conf should be unrelated to the problem you are having. It means btool can't check the syntax of app.conf, but Splunk can still process the contents of that file. Also, the blacklist is in inputs.conf, so that's another reason why this is an unrelated issue.