Hi @splunklearner, the props.conf must be deployed to the Search Heads (using the SHC Deployer if you have a cluster) and to the Forwarders that ingest the logs, using the DS. Ciao. Giuseppe
Hello, I wanted to know where I should keep the attribute KV_MODE=json to extract the JSON fields automatically. In the Deployment Server, the manager node or the Deployer? We have a props.conf in an app on the DS. The DS pushes that app to the manager node, and the manager distributes that app to the peer nodes. Can I add this in that props.conf? Or please suggest an alternative.
Hi @_pravin, in this case, I'm sorry, but the only solution is to open a case with Splunk Support. Before opening the case, remember to prepare the diags of the CM, the OK IDX and one NOT OK IDX. Ciao. Giuseppe
Hello @richgalloway, I found out that | tstats ... by source provides fewer results than | tstats ... values(source) in a search that combines a query joined with tstats:
| tstats min(_time) as firstTime max(_time) as lastTime values(source) as source WHERE index=* by host,index provides ALL sources
| tstats min(_time) as firstTime max(_time) as lastTime WHERE index=* by host,index,source provides only 1 source
Hi, I have an indexer cluster with 4 indexers. All indexers run Splunk version 8.1.14. The OS of the servers is RedHat 7.9. The indexer cluster is multisite. We have two sites, and each site has two servers associated. In addition, we have a cluster manager, a search head cluster, a development search head, a development indexer and a deployment server. All instances run Splunk 8.1.14. I am looking at the Splunkd Thread Activity for possible clues to a problem we have when indexing data in production. The problem is that sometimes we are missing some events in production, no matter what sourcetype or method is used to ingest the data. We suspect that it can be a problem of the indexers or of the index where the data is ingested.
Yes, it can. And no, it won't, because you won't be extracting fields at index time if you don't use INDEXED_EXTRACTIONS=json. Splunk is very good at applying only the config that matters. So when in doubt, send them to both IDX and SH; Splunk usually just figures it out. The duplicate extraction issue happens when you do BOTH index time (INDEXED_EXTRACTIONS=json) AND search time (KV_MODE=json) in your props.conf config. That's when they may collide, and it is why I say I ALMOST never enable INDEXED_EXTRACTIONS=json, as I would always prefer to review the search-time extractions first and then only move the key fields I need to index time for performance reasons.
Hi, I am trying to push the configuration bundle from the CM to the indexers. I keep getting the error message "Last Validate and Check Restart: Unsuccessful". The validation is done for one of the indexers, and it is 'checking for restart' for the other two indexers. When I checked the last change date on all the indexers, only one of them had been updated and the other two had not, but this is the opposite of what is shown in the UI of the CM. Regards, Pravin
To configure NetScaler to pass the source IP, you'll need to enable the Use Source IP (USIP) mode. Here are the steps to do this:
1. Log in to NetScaler: open your NetScaler management interface.
2. Navigate to Load Balancing: go to Traffic Management > Load Balancing > Services.
3. Open a Service: select the service you want to configure.
4. Enable USIP Mode: in the Advanced Settings, find the Service Settings section and select Use Source IP Address.
This will ensure that NetScaler uses the client's IP address for communication with the backend servers. Would you like more detailed instructions or help with another aspect of your setup?
OK, here is my doubt... Can one app which contains props.conf (with KV_MODE=json) be distributed to both indexers and search heads? Might it lead to duplication of fields or events by any chance? I am asking about index-time and search-time extraction. Is it OK?
Are you trying to find errors sending email *from* Splunk, or using Splunk to find any email sending errors? I'll assume the former for now. Splunk logs the email it sends in python.log. Searching for "sendemail" should find them. The only errors you're likely to find are failures to pass the email to the SMTP server. Any failures beyond that point would be sent as mailer-daemon messages to the sending mailbox. You'll only be able to search for those if you are Splunking the mailbox (not common).
Simplest way to put it... create a single app with all your sourcetype configs in it, then distribute that app using the appropriate mechanism for 1. indexers (manager node) and 2. search heads (Deployer for an SHC, or DS/directly if standalone).
I checked splunkd.log but did not find anything listed under connected or 9997. I did a netstat -an and cannot find any connections to 9997. Where else can I check on a Windows system that logs are forwarding?
Can I put KV_MODE = json in the already existing props.conf on the manager node, so that it will push it to the peer nodes? But you said it should be on the search heads? Should I create a new app on the Deployer, place props.conf (where I will keep KV_MODE = json) in its local directory, and then deploy it to the search heads? Sorry I am asking so many questions; I am literally confused here...
KV_MODE=json would be in the sourcetype stanza on the search heads. INGEST_EVAL will be in props/transforms on the indexers. Technically you can just put all the configs everywhere and Splunk will sort it out.
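The two props.conf variants discussed in this thread (search-time JSON extraction with KV_MODE, and index-time extraction with INDEXED_EXTRACTIONS, which the replies above warn should not be combined for one sourcetype) side by side, as an added example that is not code from any poster. The sourcetype names are hypothetical; the settings are the documented props.conf attributes.

```ini
# Variant A: search-time extraction only. This stanza matters on the
# search heads (deploy via the SHC Deployer); indexers ignore KV_MODE,
# so shipping the same app to them as well is harmless.
[hypothetical:json]
KV_MODE = json

# Variant B: index-time extraction. INDEXED_EXTRACTIONS must live where
# the data is first parsed (the universal forwarder monitoring the file,
# or the indexer/heavy forwarder for network inputs). On the search heads
# the same stanza disables search-time JSON extraction for this
# sourcetype, so each field is extracted once instead of twice.
[hypothetical:json_indexed]
INDEXED_EXTRACTIONS = json
KV_MODE = none
AUTO_KV_JSON = false
```

Using one app containing both stanzas and pushing it to the forwarders (DS), indexers (manager node) and search heads (Deployer) is consistent with the "put it everywhere" advice above: each tier applies only the attributes it acts on. The mistake to avoid is a single sourcetype with INDEXED_EXTRACTIONS = json and KV_MODE = json at the same time.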