All Posts

Hi @siemsplunk  Are you running this on the previous captain? If so, you do not need to specify the mgmt_uri argument. Check out https://docs.splunk.com/Documentation/Splunk/9.4.0/DistSearch/Addaclustermember#:~:text=rejoining%20the%20cluster.-,Add%20the%20instance,-The%20final%20step which covers the commands to add a SH into the cluster. In short:

When running the splunk add command on the new member itself, use this version of the command:

splunk add shcluster-member -current_member_uri <URI>:<management_port>

Note the following: current_member_uri is the management URI and port of any current member of the cluster that this node is joining. This parameter allows the new node to communicate with the cluster.

When running the splunk add command from a current cluster member, use this version of the command:

splunk add shcluster-member -new_member_uri <URI>:<management_port>

Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped. Regards Will
Even after adding fields.conf on the deployer and pushing it to the SHs, the result is the same.
@gcusello Yes, I created it on the DS, where the props and transforms are present, deployed it to the CM, and from the CM pushed it to the indexers. Still no luck.
I tried to run ./splunk remove shcluster-member -mgmt_uri https://<CAPTAIN_IP>:8089 on the non-captain search head, which was successful. But on the re-election of the new captain with this command, it gave me an error. I ran the command:

./splunk add shcluster-member -mgmt_uri https://<NEW_CAPTAIN>:8089 -current_member_uri https://<PREV_CAPTAIN>:8089

WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details.
Argument "mgmt_uri" is not supported by this handler.

But now, when I run the command ./splunk show shcluster-status --verbose on the new captain, I see the previous captain is no longer in the member section. If anyone could help, I would appreciate it.
Same issue here
Could we download the apps directly from Splunkbase instead of being redirected to the Broadcom website, as we do not have access permission to the Broadcom website? https://splunkbase.splunk.com/app/3454 https://splunkbase.splunk.com/app/3453 Thanks
I want to get the list of indexes and sourcetypes which have not been used by anyone for more than 90 days.
This is a JSON object (except you should add quotes to those bare XXXX). Do not use regex on structured data. See the other thread you started. Your search is inefficient because you use a wildcard at the beginning of a term. And there's a solution to that.
Your search is slower compared with what? You don't need to run spath according to my analysis. Because Splunk has already extracted it, running spath simply wastes CPU and memory. But running a search with a leading wildcard always slows things down considerably. (The way you try to use regex doesn't make things better.) Why do you need wildcards, anyway? Your search can be conducted in bare terms without considering the field. Try

index="sample_idx" $serialnumber$ log_level=info Unit state update from cook client target

Here's an emulation for you to play with and compare with real data:

| makeresults
| eval _raw = "{\"bootcount\":8,\"device_id\":\"XXXX\",\"environment\":\"prod_walker\",\"event_source\":\"appliance\",\"event_type\":\"GENERIC\",\"local_time\":\"2025-02-20T00:34:58.406-06:00\", \"location\":{\"city\":\"XXXX\",\"country\":\"XXXX\",\"latitude\":\"XXXX\",\"longitude\":\"XXXX\",\"state\":\"XXXX\"},\"log_level\":\"info\", \"message\":\"martini::hardware_controller: Unit state update from cook client target: Elements(temp: -, [D, D, D, D, D, F: 0]), hw_state: Elements(temp: -, [D, D, D, D, D, F: 115])\\u0000\", \"model_number\":\"XXXX\",\"sequence\":372246,\"serial\":\"XXXX\",\"software_version\":\"2.3.0.276\",\"ticks\":0,\"timestamp\":1740033298,\"timestamp_ms\":1740033298406}"
| eval _time = json_extract(_raw, "timestamp")
| spath
``` the above emulates index="sample_idx" $serialnumber$ log_level=info ```
| search Unit state update from cook client target
Are you sure those bare XXXX are not quoted, like this?

{"bootcount":8,"device_id":"XXXX","environment":"prod_walker","event_source":"appliance","event_type":"GENERIC","local_time":"2025-02-20T00:34:58.406-06:00", "location":{"city":"XXXX","country":"XXXX","latitude":"XXXX","longitude":"XXXX","state":"XXXX"},"log_level":"info", "message":"martini::hardware_controller: Unit state update from cook client target: Elements(temp: -, [D, D, D, D, D, F: 0]), hw_state: Elements(temp: -, [D, D, D, D, D, F: 115])\u0000", "model_number":"XXXX","sequence":372246,"serial":"XXXX","software_version":"2.3.0.276","ticks":0,"timestamp":1740033298,"timestamp_ms":1740033298406}

If so, a "normal" Splunk instance should have given you message as a field with value "martini::hardware_controller: Unit state update from cook client target: Elements(temp: -, [D, D, D, D, D, F: 0]), hw_state: Elements(temp: -, [D, D, D, D, D, F: 115])". If, for whatever reason, your instance doesn't, the spath command suffices. Try this example:

| makeresults
| eval _raw = "{\"bootcount\":8,\"device_id\":\"XXXX\",\"environment\":\"prod_walker\",\"event_source\":\"appliance\",\"event_type\":\"GENERIC\",\"local_time\":\"2025-02-20T00:34:58.406-06:00\", \"location\":{\"city\":\"XXXX\",\"country\":\"XXXX\",\"latitude\":\"XXXX\",\"longitude\":\"XXXX\",\"state\":\"XXXX\"},\"log_level\":\"info\", \"message\":\"martini::hardware_controller: Unit state update from cook client target: Elements(temp: -, [D, D, D, D, D, F: 0]), hw_state: Elements(temp: -, [D, D, D, D, D, F: 115])\\u0000\", \"model_number\":\"XXXX\",\"sequence\":372246,\"serial\":\"XXXX\",\"software_version\":\"2.3.0.276\",\"ticks\":0,\"timestamp\":1740033298,\"timestamp_ms\":1740033298406}"
| eval _time = json_extract(_raw, "timestamp")
``` data emulation above ```
| spath
| table message

Hint: output is
message
martini::hardware_controller: Unit state update from cook client target: Elements(temp: -, [D, D, D, D, D, F: 0]), hw_state: Elements(temp: -, [D, D, D, D, D, F: 115])

Alternatively, use the json_extract function if your Splunk is 8.1 or later. Try this example:

| makeresults
| eval _raw = "{\"bootcount\":8,\"device_id\":\"XXXX\",\"environment\":\"prod_walker\",\"event_source\":\"appliance\",\"event_type\":\"GENERIC\",\"local_time\":\"2025-02-20T00:34:58.406-06:00\", \"location\":{\"city\":\"XXXX\",\"country\":\"XXXX\",\"latitude\":\"XXXX\",\"longitude\":\"XXXX\",\"state\":\"XXXX\"},\"log_level\":\"info\", \"message\":\"martini::hardware_controller: Unit state update from cook client target: Elements(temp: -, [D, D, D, D, D, F: 0]), hw_state: Elements(temp: -, [D, D, D, D, D, F: 115])\\u0000\", \"model_number\":\"XXXX\",\"sequence\":372246,\"serial\":\"XXXX\",\"software_version\":\"2.3.0.276\",\"ticks\":0,\"timestamp\":1740033298,\"timestamp_ms\":1740033298406}"
| eval _time = json_extract(_raw, "timestamp")
``` data emulation above ```
| eval message = json_extract(_raw, "message")

If your instance is older, you can also use the spath function. Try this example:

| makeresults
| eval _raw = "{\"bootcount\":8,\"device_id\":\"XXXX\",\"environment\":\"prod_walker\",\"event_source\":\"appliance\",\"event_type\":\"GENERIC\",\"local_time\":\"2025-02-20T00:34:58.406-06:00\", \"location\":{\"city\":\"XXXX\",\"country\":\"XXXX\",\"latitude\":\"XXXX\",\"longitude\":\"XXXX\",\"state\":\"XXXX\"},\"log_level\":\"info\", \"message\":\"martini::hardware_controller: Unit state update from cook client target: Elements(temp: -, [D, D, D, D, D, F: 0]), hw_state: Elements(temp: -, [D, D, D, D, D, F: 115])\\u0000\", \"model_number\":\"XXXX\",\"sequence\":372246,\"serial\":\"XXXX\",\"software_version\":\"2.3.0.276\",\"ticks\":0,\"timestamp\":1740033298,\"timestamp_ms\":1740033298406}"
| eval _time = spath(_raw, "timestamp")
``` data emulation above ```
| eval message = spath(_raw, "message")
Hello, I updated the Splunk App for Lookup File Editing from v3.6.0 to v4.0.5. After the update, when I check Health > Logs or Health > Status, it shows "Status (Old)". I can see "Status (Old)" in the lookup_editor_status.xml file. But what does that mean? What is old? Please advise.
Archived data must be restored before it can be searched.
Although it was not documented, in 9.3.x/9.2.x/9.1.x etc/system/default/server.conf you will find

[prometheus]
disabled = true

It was added to server.conf to prevent unwanted memory growth caused by prometheus. The stanza was unintentionally removed from 9.4.0, so you restore it.
A real-time search runs continuously so matching events are returned as soon as they reach the indexer (before writing to disk). Ad-hoc searches can be real-time, but they are not equivalent. "Ad-hoc" refers to any non-scheduled search. Historical searches look back in time for matching events. Summarization searches aggregate results into a summary index for later processing. The screenshot shows the system to be nearly idle and must have been taken when the health indicator was green (or is about to turn green - it can take up to 24 hours for the health indicator to reset).
I noticed that https://docs.splunk.com/Documentation/Splunk/9.4.0/Admin/Serverconf does not mention prometheus. Is this an undocumented feature that is getting disabled to prevent a memory leak issue?
Linear memory growth occurs on any Splunk instance configured to receive data on splunktcpin, tcpin and udpin ports. The following config in server.conf will fix the memory growth:

[prometheus]
disabled = true
Hi guys! I think this screenshot describes my problem pretty well. I just tried to play around with ChatGPT and Splunk, but I didn't succeed. Does someone know what to do with this error message? Please help me out here. Best regards
| makeresults | eval value = 36 | eval display = "the total percentage is ".value." %" | fields - value
Does this give you what you want? | spath properties | spath input=properties attributes | spath input=attributes
Right now, I'm just looking to drop/discard data > 512k. If I can get this working, we may refine. Now, when you refer to "sourcetype", is that "httpevent" (to refer to all defined HECs), or is that the name of the defined event collector (in my example, "event collector 1")?