All Posts


What do you mean by "do not have a self storage attached"?  What problem are you trying to solve?
Hi, I'm trying to get a query for a table containing all the indexes that do not have a self storage attached, but I couldn't find anything useful. Does anyone have an idea of how to do it? Thanks!
Thanks a lot, that was the solution!
I'm seeing hundreds of these errors in the internal splunkd logs:

01-16-2025 12:05:00.584 -0600 ERROR UserManagerPro [721361 SchedulerThread] - user="nobody" had no roles

Is this a known bug? I'm guessing knowledge objects with no owner defined are causing this. It's annoying because it fills the internal logs with noise. Is there an easy workaround without having to re-assign all objects without a valid owner?
Second point I didn't get you. We have a separate syslog server where UF is installed and from there logs will be forwarded to our DS. What can I do now? Do I need to give props.conf on both deployer and forwarder?
Hi @splunklearner, the props.conf must be deployed to the Search Heads (using the SHC-Deployer if you have a cluster) and to the Forwarder that ingests logs, using the DS. Ciao. Giuseppe
Hello, I wanted to know where I should keep this attribute KV_MODE=json to extract the json fields automatically? In Deployment server or manager node or deployer? We have props.conf in an app in DS. DS pushes that app to manager node. And manager will distribute that app to peer nodes. Can I add this in that props.conf? Or any alternative please suggest.
Hi @_pravin, in this case, I'm sorry, but the only solution is to open a case to Splunk Support. Before opening the case, remember to prepare the diags of the CM, the OK IDX and one NOT OK IDX. Ciao. Giuseppe
Hello @richgalloway, I found out that | tstats ... by source provides fewer results than | tstats ... values(source) in a search combining a query joined with tstats.

| tstats min(_time) as firstTime max(_time) as lastTime values(source) as source WHERE index=* by host,index
provides ALL sources.

| tstats min(_time) as firstTime max(_time) as lastTime WHERE index=* by host,index,source
provides only 1 source.
Hi @gcusello , We have enough space in the servers, it's not an issue with the disk. Thanks, Pravin
Hi @Karthikeya , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors
Hi @_pravin , check if you have enough disk space in all your indexers. If you have, open a case to Splunk Support. Ciao. Giuseppe
You may use /opt/splunk/bin/genRootCA.sh to regenerate ca.pem & cacert.pem
Hi, I have an indexer cluster with 4 indexers. All indexers have Splunk version 8.1.14. The OS of the servers is RedHat 7.9. The indexer cluster is multisite. We have two sites. Each of the sites has two servers associated. In addition, we have a cluster manager, search head cluster, development search head, development indexer and deployment server. All instances have Splunk 8.1.14. I see the Splunkd Thread Activity looking for possible clues to a problem we have when indexing data in production. The problem is that sometimes we don't have some events in production. No matter what sourcetype or method is used to ingest data. We suspect that it can be a problem of the indexers or of the index where data is ingested.
Yes it can, and no it won't, because you won't be extracting fields at index time if you don't use indexed_extractions=json. Splunk is very good at applying only what config matters. So when in doubt send them to both idx and sh. Splunk usually just figures it out. The duplicate extractions issue happens when you do BOTH index time (indexed_extractions=json) AND search time (kv_mode=json) in your props.conf config. That's when they may collide, and is why I say I ALMOST never enable indexed_extractions=json as I would always prefer review of search time extract then only move key fields I need to index time for performance reasons.
Hi, I am trying to push the configuration bundle from the CM to the indexers. I keep getting the error message "Last Validate and Check Restart: Unsuccessful". The validation is done for one of the indexers, and it's 'checking for restart' for the other two indexers. When I checked the last change date for all the indexers, only one of them has been updated and the other 2 are not. But it's opposite to what is shown in the UI of the CM. Regards, Pravin
To configure NetScaler to pass the source IP, you'll need to enable the Use Source IP (USIP) mode. Here are the steps to do this:

1. Log in to NetScaler: Open your NetScaler management interface.
2. Navigate to Load Balancing: Go to Traffic Management > Load Balancing > Services.
3. Open a Service: Select the service you want to configure.
4. Enable USIP Mode: In the Advanced Settings, find the Service Settings section and select Use Source IP Address.

This will ensure that NetScaler uses the client's IP address for communication with the backend servers. Would you like more detailed instructions or help with another aspect of your setup?
Ok here my doubt is... Can one app which contains props.conf (with kv_mode=json) be distributed to both indexers and search heads? Will it lead to duplication of fields or events by any chance? Index time and search time extraction I am asking about. Is it ok?
Are you trying to find errors sending email *from* Splunk or using Splunk to find any email sending errors? I'll assume the former for now. Splunk logs email it sends in python.log. Searching for "sendemail" should find them. The only errors you're likely to find are failures to pass the email to the SMTP server. Any failures beyond that point would be sent as mailer-daemon messages to the sending mailbox. You'll only be able to search for those if you are Splunking the mailbox (not common).
It seems the company firewall blocked outbound traffic to 8088. Issue explained