All Posts

Hi @JJMonster , let us know if we can help you more, or, please, accept one answer for the other people of Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors
Hi @att35  No - Apps you create directly on the SHC will not be affected by deployment pushes from a SH deployer. The effect of changing deployer_push_mode only applies to apps pushed by the deployer, not apps created locally on the SHC. Although this doesn't mean that you should manage apps independently of the deployer. Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped. Regards Will
There are a number of things to consider here, such as maintaining a data dictionary of where certain types of data are stored, etc. However - one of the first things I always try and do to optimise a search is use TERM("value") in the SPL. See screenshots below of a simple example across 30 days for an IP on a local instance. This returned the data in half the time when using TERM("some.ip.address"). Before: (screenshot) After: (screenshot) Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped. Regards Will
Hi @JJMonster , if clicking on the Download button redirects you to a website, a direct download isn't possible! Ciao. Giuseppe
Try $result.my_sum$
I tested further and it's not the modulus calculation, it's how Splunk handles high numbers. This search shows that if a number (only tested with integers) has 17 digits or more, odd numbers will be turned even. The field odd_highest_correct_len_16 in the makeresults search is the highest correct odd value I achieved while working digit by digit from left to right. If the last digit of odd_highest_correct_len_16 is set to 3, Splunk will make a 2 out of that. | makeresults | fields - _time | eval odd_correct_len_16=1000000000000001, odd_highest_correct_len_16=9007199254740991, odd_incorrect_len_17=10000000000000001 I'm going to file a support case for that.
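An added example (not from the post above and not Splunk's own code) that reproduces the boundary the post found in Python. It assumes the eval engine stores these numbers as IEEE 754 doubles, so the largest exactly representable odd integer is 2^53 - 1 = 9007199254740991, and it audits the constructed field values from the makeresults search plus one value just past the boundary.

```python
import sys

# Assumption for this example: eval arithmetic behaves like an IEEE 754 double,
# so every integer up to 2**53 is exact and above that only even values survive.
SAFE_INTEGER_MAX = 2 ** sys.float_info.mant_dig - 1   # 9007199254740991


def as_double(n: int) -> int:
    """Return the integer a double-precision field would actually hold."""
    return int(float(n))


def is_preserved(n: int) -> bool:
    """True if n survives the round trip through a double unchanged."""
    return as_double(n) == n


def check_field(name: str, n: int) -> dict:
    """Report whether an integer field is safe for eval arithmetic such as a modulus."""
    stored = as_double(n)
    return {
        "field": name,
        "value": n,
        "stored": stored,
        "preserved": stored == n,
        # Parity flips are what the post observed: an odd value reads back even.
        "parity_flipped": (n % 2) != (stored % 2),
    }


# Constructed sample: the three fields from the makeresults search in the post,
# plus the "last digit set to 3" case the post describes (2**53 + 1).
SAMPLE_FIELDS = {
    "odd_correct_len_16": 1000000000000001,
    "odd_highest_correct_len_16": 9007199254740991,
    "odd_highest_last_digit_3": 9007199254740993,
    "odd_incorrect_len_17": 10000000000000001,
}


def audit(fields: dict = SAMPLE_FIELDS) -> list:
    """Run check_field over every sample field and return the rows."""
    return [check_field(k, v) for k, v in fields.items()]


if __name__ == "__main__":
    for row in audit():
        print(row)
```

The same loss applies to any large numeric identifier (record IDs, snowflake-style IDs) that is run through eval arithmetic; keeping such values as strings avoids silent corruption.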
Hi @Raja_Selvaraj , if you have more than 80 columns, how do you think that you can read 80 columns of values plus 80 columns of differences from the previous values? It's unreadable anyway! Maybe you should think of a different visualization! Anyway, you could use something like this: <your_search> | bin span=1d _time | stats count BY host _time | delta count AS previous_count | delta host AS previous_host | where host=previous_host | eval deltaA=previous_count-count Ciao. Giuseppe
Hi @bapun18 , yes you can, but you should create a documented procedure containing all the steps to do when adding the new node, in particular: change hostname and IP address in the server, change hostname in server.conf and in inputs.conf, change encrypted passwords, change the pointers to the cluster members (for SH). Maybe it could be easier having a silent copy of the servers to start if there's a corruption. Even if I don't imagine which kind of corruption you are speaking of. Ciao. Giuseppe
Hi @LizAndy123 , It's always a best practice to name the operations, so use  sum(SizeGB) AS my_sum and then use my_sum in the token. Ciao. Giuseppe
Hi @shabamichae , this is a lab environment so it isn't mandatory to have different servers for the three roles. Also because you need a dedicated DS only if you need to manage more than 50 clients, and in the lab you have few clients. In addition, in general only the DS requires a dedicated server; License Master and Monitoring Console can share the same machine. Anyway, in the lab, the exercise tells you which solution you have to use, and they are both useful (in the lab!). Ciao. Giuseppe
Hi @Ben , Googling you can find many best practices for searches, e.g.: https://www.splunk.com/en_us/blog/customers/splunk-clara-fication-search-best-practices.html https://lantern.splunk.com/Splunk_Platform/Product_Tips/Searching_and_Reporting/Optimizing_search https://community.splunk.com/t5/Splunk-Search/How-to-achieve-Optimized-Search-time-in-Splunk/m-p/29201 https://conf.splunk.com/files/2016/slides/best-practices-and-better-practices-for-users.pdf https://docs.splunk.com/Documentation/Splunk/9.4.0/Search/Quicktipsforoptimization In general, the first rule is limiting the time range used in your searches; avoid "All Time" or months or days. If you need to understand which indexes to use, you could use a first search to find the indexes and then a search limited to only the interesting indexes. Then, use Fast Mode instead of Verbose Mode. If you have to search using as filter only one of the index-time fields (index, source, sourcetype and host), you can also use | tstats, which is faster than a normal search. Ciao. Giuseppe
Hello, As a SOC analyst, what are the best practices for writing SPL queries to quickly find specific data (such as an IP address, a string, or a keyword) across all logs and indexes? I understand that it's generally recommended to narrow down searches and avoid using `index=*`, but sometimes I don't know exactly where the data is indexed (i.e., which index, sourcetype, or field name). Any advice would be greatly appreciated. Thanks in advance!
@shabamichae  I think this is a small deployment, installing the LM and MN on the same instance will work.  This approach is practical for lab environments and smaller deployments, as it reduces resource overhead.
@att35 This was an expected behavior with the default configurations. To overcome this you have to modify the configurations referring to the below document: https://docs.splunk.com/Documentation/Splunk/9.3.1/DistSearch/PropagateSHCconfigurationchanges#Choose_a_deployer_push_mode
@att35  Yes, you need to adjust the deployer_push_mode to one of the other parameters, based on your requirements. In general, there are four modes of deployer_push_mode:
- full
- merge_to_default
- local_only
- default_only
By default the merge_to_default setting is enabled, which is why you are observing the behavior that you have mentioned.
- If set to "full": Bundles all of the app's contents located in default/, local/, users/<app>/, and other app subdirs. It then pushes the bundle to the members. When applying the bundle on a member, the non-local and non-user configurations from the deployer's app folder are copied to the member's app folder, overwriting existing contents. Local and user configurations are merged with the corresponding folders on the member, such that member configuration takes precedence. This option should not be used for built-in apps, as overwriting the member's built-in apps can result in adverse behavior.
- If set to "merge_to_default": Merges the local and default folders into the default folder and pushes the merged app to the members. When applying the bundle on a member, the default configuration on the member is overwritten. User configurations are copied and merged with the user folder on the member, such that the existing configuration on the member takes precedence.
- If set to "local_only": This option bundles the app's local directory (and its metadata) and pushes it to the cluster. When applying the bundle to a member, the local configuration from the deployer is merged with the local configuration on the member, such that the member's existing configuration takes precedence. Use this option to push the local configuration of built-in apps, such as search. If used to push an app that relies on non-local content (such as default/ or bin/), these contents must already exist on the member.
Based on your requirement you can change the deployer_push_mode. It is highly advisable to review the document below to gain a clear understanding of the behavior before implementing any changes. https://docs.splunk.com/Documentation/Splunk/9.3.1/DistSearch/PropagateSHCconfigurationchanges#Choose_a_deployer_push_mode
I am a Splunk Enterprise Certified Admin who has an opportunity to advance to Splunk Architect. I'm planning on taking the Splunk Lab. I am preparing for my Splunk Architect practical Lab. I want to ask: in the practical Lab exam, is it acceptable to have only one instance run as the Deployment Server, License Master and the Monitoring Console on the same port on the management system, or am I expected to run three different Splunk instances working on different ports (Deployment Server, License Master and the Monitoring Console) on the Management System?
Yes, you can contact Professional Services Team to use Caesar tool to achieve the goal.
We have a 4 node SHC connected to a deployer. For a use case, I created a simple custom app that is just putting a handful of dashboards together. For ease of use, I created this directly on the SHC and all knowledge objects replicated among the members. During the next bundle push, will the deployer delete this app from the SHC as it has no knowledge of it? Should I move this app under the shcluster/apps folder on the Deployer as well to be safe? Thanks, ~Abhi
Hi, I don't know if it is the same issue, but could you check these requirements? For example, does your CPU support AVX / AVX2 instructions, and if yes, are they enabled? https://docs.splunk.com/Documentation/Splunk/9.4.0/Admin/MigrateKVstore https://www.mongodb.com/docs/manual/administration/production-notes/ I hope this helps.