All Posts

Hello PickleRick, The architecture is simple: I have UniversalForwarders on around 30 servers with /opt/splunkforwarder/etc/apps/druid_forwarder/default/inputs.conf (contents are in the first post) and then I have 1 indexer with /opt/splunk/etc/apps/druid_utils/default/props.conf (contents are in the first post). The inputs.conf is only on the universal forwarder(s) while the props.conf is only on the indexer.
I’m working on a project that requires integrating Jira with Splunk to collect ticket data (such as status, priority, and SLA information) and visualize it in real-time dashboards. What are the best practices or tools for doing this efficiently, especially across multiple Jira projects?
I think the problem itself is in the indexer node, but I still can't find out why it can query the Splunk internal log.
First, I have 3 different servers (HF, SH, and IDX) and the distributed search is going to IDX. There was an incident where the IDX server shut down, and after I started and ran the Splunk services, I can't query any data. I tried to query index = * and got no result.
Doesn't Powerconnect need a paid SAP add-on? Because he said in the post how to monitor for free.
Already done this. Since Splunk has to run as user splunk, sir, when I want to start the service I already changed the permissions.
Hi, it's like @livehybrid said. You cannot / shouldn't try it that way. Basically there are two options to do this, depending on how your data is collected and where it's created. On the SCP side you can set up Federated Search in your SCP and use it to access data from another SCP stack. See more: https://docs.splunk.com/Documentation/SplunkCloud/9.3.2411/FederatedSearch/fsoptions. The second option is to replicate the data before you send it into the SCP stack. E.g. you could set up your own HFs where you can set this. r. Ismo
Can you tell more about what and how you have done this installation and what kind of distributed environment you have? Is the problematic node an indexer, a search head or some other node?
@arsidiq Verify permissions for Splunk directories. If they've changed to root after a reboot, correct them with:
    chown -R splunk:splunk /opt/splunk
Are you able to see the data for other indexes?
@arsidiq Refer to this:
    Solved: Why is no data being written to the _internal inde... - Splunk Community
    Solved: Why is _internal index is disabled? - Splunk Community
@arsidiq Verify that the search head can communicate with the indexer. If it fails, check firewall rules or network issues. Ensure the indexer is listed in the search head's distributed search configuration:
Splunk Web: Settings > Distributed Search > Search Peers.
Or check $SPLUNK_HOME/etc/system/local/distsearch.conf.
Check this on the indexer:
    tail -n 100 /opt/splunk/var/log/splunk/splunkd.log
Yup, the indexer is running, and I still can't query any data after the server has been rebooted.
My URL is "http://127.0.0.1:8000" in log4j2 and localhost (Splunk) is running on the same port, whereas the listener is on port 8081. Earlier the URL was "http://127.0.0.1:8088" in log4j2 and localhost (Splunk) was running on port 8000, whereas the listener is on port 8081.
Does anyone know how to disable this input?
@arsidiq Ensure the indexer is running. Log into the indexer server and check Splunk's status:
    /opt/splunk/bin/splunk status
If Splunk is not running, start it:
    /opt/splunk/bin/splunk start
Confirm that the search head and other components can communicate with the indexer. Test connectivity using:
    ping <indexer_ip>
Verify that the Splunk management port (default: 8089) is open:
    telnet <indexer_ip> 8089
Check the Splunk logs on the indexer for errors:
    /opt/splunk/var/log/splunk/splunkd.log
Look for issues related to indexing, disk space, or corrupted buckets. Common issues include: disk full errors or corrupted index buckets due to improper shutdown.
Hi @PickleRick , Just an update to you. We have identified and resolved an issue related to a time discrepancy in our system, which was caused by the Oracle server's timezone configuration. The server was set to local time instead of UTC, resulting in a 10-hour time difference that affected [specific process, application, or data]. To address this, we have reconfigured the Oracle server to use UTC as the standard timezone, ensuring consistency and alignment with our operational requirements. This change has eliminated the time discrepancy, and all affected processes are now functioning as expected.
I installed Splunk in a distributed management environment. Furthermore, my indexer server got rebooted and I can't query my data, even at index = _internal, whereas previously it was fine.
OK, so I have a drilldown. In this table there is a field solved which has a default value of 0, which means this particular severity is not solved. Now I want a button instead of 0, like this. Now, whenever a severity is solved, when we click on this button it should change like this, and for this specific result its value (solve field) should be changed to 1. This is the JS I am using, but it is not working. Plus, this is the script I am using:
    require([
        'splunkjs/mvc/tableview',
        'splunkjs/mvc/searchmanager',
        'splunkjs/mvc',
        'underscore',
        'jquery',
        'splunkjs/mvc/simplexml/ready!'
    ], function(
        TableView,
        SearchManager,
        mvc,
        _,
        $
    ) {
        var CustomLinkRenderer = TableView.BaseCellRenderer.extend({
            // Only take over rendering of the "solved" column.
            canRender: function(cell) {
                return cell.field === 'solved';
            },

            render: function($td, cell) {
                var solved = cell.value;
                var rowKey = cell.data.row.rowKey;

                var icon = $('<a>')
                    .attr("href", "#")
                    .attr("title", "Mark as Solved")
                    .css({
                        "cursor": "pointer",
                        "text-align": "center",
                        "display": "inline-block",
                        "width": "100%"
                    });

                icon.html('<i class="icon ' + (solved === "1" ? 'icon-check-circle' : 'icon-minus-circle') + '"></i>');

                icon.on("click", function(e) {
                    e.preventDefault();

                    var $icon = $(this).find('i');

                    // Only run update if not already solved
                    if (solved === "1") {
                        return; // Already marked as solved
                    }

                    $icon.removeClass("icon-minus-circle").addClass("icon-gear");

                    // Note: rowKey is interpolated directly into the SPL string below.
                    var updateSearch = `
                        | inputlookup sbc_major.csv
                        | eval rowKey=tostring(rowKey)
                        | eval match=if(rowKey="${rowKey}", "1", "0")
                        | eval solved=if(match="1", "1", solved)
                        | fields - match
                        | outputlookup sbc_major.csv
                    `;

                    var updateManager = new SearchManager({
                        id: "update-solved-" + _.uniqueId(),
                        preview: false,
                        cache: false,
                        search: updateSearch
                    });

                    // Swap the spinner for the check mark once the lookup has been rewritten.
                    updateManager.on("search:done", function() {
                        $icon.removeClass("icon-gear").addClass("icon-check-circle");
                    });
                });

                $td.empty().append(icon);
            }
        });

        // Attach the renderer to the dashboard table with id "sbc_alarm_table".
        var tableElement = mvc.Components.getInstance("sbc_alarm_table");
        tableElement.getVisualization(function(tableView) {
            tableView.table.addCellRenderer(new CustomLinkRenderer());
            tableView.table.render();
        });
    });
My URL is "http://127.0.0.1:8000" in log4j2 and localhost is running on the same port, whereas the listener is on port 8081. Do all of these have to be the same? Am I missing out anywhere?
Hi @daisy_st The ITEW/ITSI comes with an internal license which is used for the itsi_* sourcetypes; this means it won't count towards any other license you have. To unlock ITEW into ITSI you do need a separate license key, however it sounds like this isn't an issue for you. Relating to the 500 error(s) - is there anything else you can see around this?
* In the browser developer tools window, under Network, can you see the status=500 pages? Is there any response content for those API calls?
* In the _internal index, have a search for log_level=error "itsi" and/or look around in the $SPLUNK_HOME/var/log/splunk/*itsi* files to see if that gives any clues - feel free to post any specific error logs here to help us diagnose.
Did this answer help you? If so, please consider:
* Adding karma to show it was useful
* Marking it as the solution if it resolved your issue
* Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing