All Posts

Hi @dude49 -- I'm seeing this exact error message. Any memory of what the issue was?
Thank you for your insight. I do see it via https://<indexer>:8089
Five years in the future, I have this exact problem. @siddharthfultar long shot, but did you ever find an answer?
There are some limitations on which licenses you can stack to count towards a combined license. I don't know how it behaves if there are violations of those rules in one stack. Could it be that this is your issue? You could check what your current license stack is and, if needed, remove old licenses and add just this developer license locally. As already said, this license doesn't have any limit on the number of users, but e.g. the free license has.
There are 2 ids, ABC00000000001 and ABC00000000002.

ABC00000000001 has event types: 'Transfer' and 'MESSAGES'

[21.12.2024 00:31.37] [] [] [INFO ] [Application_name] - Updating DB record with displayId=ABC0000001; type=TRANSFER
[21.12.2024 00:32.37] [] [] [INFO ] [Application_name] - Updating DB record with displayId=ABC0000001; type=MESSAGES

ABC00000000002 has events:

[21.12.2024 00:33.37] [] [] [INFO ] [Application_name] - Updating DB record with displayId=ABC0000002; type=TRANSFER
[21.12.2024 00:34.37] [] [] [INFO ] [Application_name] - Updating DB record with displayId=ABC0000002; type=MESSAGES
[21.12.2024 00:35.37] [] [] [INFO ] [Application_name] - Updating DB record with displayId=ABC0000002; type=POSTING
[21.12.2024 00:35.37] [] [] [INFO ] [Application_name] - Sending message to  Booked topic ver. 1.0 with displayId=ABC0000002
[21.12.2024 00:35.37] [] [] [INFO ] [Application_name] - Sending message to  Booked topic ver. 2.0 with displayId=ABC0000002

index=ABC source=XYZ | fillnull value="SENDING" type | stats values(type) as types by displayId

Expected output is
-------------------------
ABC0000001 - TRANSFER
             MESSAGES

ABC0000002 - TRANSFER
             MESSAGES
             POSTING
             Sending message to Common Booked topic ver. 1.0
             Sending message to Common Booked topic ver. 2.3

But output is:

ABC0000001 - TRANSFER
             MESSAGES
             Sending

ABC0000002 - TRANSFER
             MESSAGES
             POSTING
             Sending
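To make the behaviour of the search in the post above concrete, here is an added Python re-creation of `fillnull value="SENDING" type | stats values(type) as types by displayId` run over the seven log lines from the question. This is illustration code written for this page, not something the poster ran or Splunk's own implementation; the regexes that stand in for Splunk's automatic key=value extraction, and the `derive_type()` fallback that builds a type from the "Sending message to ..." text when no `type=` pair exists, are this example's assumptions.

```python
"""Added example: re-create the post's stats pipeline in Python to show why
the 'Sending message' events collapse into one filled value.  Log lines are
copied from the post; the regexes and derive_type() are assumptions."""
import re

# The seven events quoted in the question (constructed sample input).
LOG_LINES = [
    "[21.12.2024 00:31.37] [] [] [INFO ] [Application_name] - Updating DB record with displayId=ABC0000001; type=TRANSFER",
    "[21.12.2024 00:32.37] [] [] [INFO ] [Application_name] - Updating DB record with displayId=ABC0000001; type=MESSAGES",
    "[21.12.2024 00:33.37] [] [] [INFO ] [Application_name] - Updating DB record with displayId=ABC0000002; type=TRANSFER",
    "[21.12.2024 00:34.37] [] [] [INFO ] [Application_name] - Updating DB record with displayId=ABC0000002; type=MESSAGES",
    "[21.12.2024 00:35.37] [] [] [INFO ] [Application_name] - Updating DB record with displayId=ABC0000002; type=POSTING",
    "[21.12.2024 00:35.37] [] [] [INFO ] [Application_name] - Sending message to  Booked topic ver. 1.0 with displayId=ABC0000002",
    "[21.12.2024 00:35.37] [] [] [INFO ] [Application_name] - Sending message to  Booked topic ver. 2.0 with displayId=ABC0000002",
]

MESSAGE_RE = re.compile(r"\] - (?P<msg>.*)$")            # text after the bracketed prefix
KV_RE = re.compile(r"(?P<key>\w+)=(?P<value>[^;\s]+)")   # key=value pairs, stop at ';' or space
SENDING_RE = re.compile(r"Sending message to\s+(?P<topic>.+?) with displayId=")


def extract_fields(line):
    """Stand-in for Splunk's automatic key=value extraction: `displayId` and
    `type` only exist when the message literally contains them."""
    msg = MESSAGE_RE.search(line).group("msg")
    fields = {m.group("key"): m.group("value") for m in KV_RE.finditer(msg)}
    fields["_raw"] = msg
    return fields


def fillnull_sending(fields):
    """The original pipeline: `fillnull value="SENDING" type`."""
    return fields.get("type", "SENDING")


def derive_type(fields):
    """Assumed alternative: when no type= pair exists, build the value from the
    'Sending message to <topic>' text instead of a constant."""
    if "type" in fields:
        return fields["type"]
    m = SENDING_RE.search(fields["_raw"])
    return "Sending message to " + m.group("topic") if m else None


def stats_values_by_display_id(lines, type_of):
    """`stats values(type) as types by displayId`: distinct values per
    displayId in lexicographic order, events without the field dropped."""
    groups = {}
    for line in lines:
        fields = extract_fields(line)
        display_id = fields.get("displayId")
        if display_id is None:
            continue
        value = type_of(fields)
        if value is not None:
            groups.setdefault(display_id, set()).add(value)
    return {did: sorted(values) for did, values in groups.items()}


if __name__ == "__main__":
    print("with fillnull:", stats_values_by_display_id(LOG_LINES, fillnull_sending))
    print("with derived type:", stats_values_by_display_id(LOG_LINES, derive_type))
```

On these seven lines the `fillnull` version yields `SENDING` only for ABC0000002, because both "Sending message" events carry `displayId=` but no `type=`; the "Sending" that the poster also sees under ABC0000001 must therefore come from events not shown in the sample. The `derive_type` variant keeps the topic text, which is what the expected output asks for.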
Also, the Splunk, DBX, OS, Java and JDBC driver versions could help us.
One option is to use SC4S: https://splunk.github.io/splunk-connect-for-syslog/main/
Splunk forwarders don't support NLB between forwarders and indexers. The only place where you can use it is with HEC.
You should read this as a starting point to understand Splunk precedence: https://docs.splunk.com/Documentation/Splunk/latest/admin/Wheretofindtheconfigurationfiles Then you should also understand that precedence also depends on whether you are indexing or searching. But as @richgalloway said, the best way to check it is btool with different options.
Port 8089 is for Splunk's internal management communication between nodes, e.g. all traffic from a search head to indexer peers goes to this port. You can also use REST calls to manage nodes, get information, or even run saved searches on them. Port 8000 is normally for GUI access. Here is one diagram of the ports and how they are connected: https://community.splunk.com/t5/Deployment-Architecture/Diagram-of-Splunk-Common-Network-Ports/m-p/116657
Hello,
Can someone please provide the eksctl command line, or command line in combination with a cluster config file, that will provide an EKS cluster (control plane and worker node(s)) that is resourced for installation of the splunk-operator and then experimentation with standalone Splunk Enterprise configurations?
Thanks, Mark
We see the following on the server via ss -tulpn:

tcp LISTEN 0 128 0.0.0.0:8089 0.0.0.0:* users:(("splunkd",pid=392724,fd=4))

However, the browser at http://<Indexer>:8089 returns ERR_CONNECTION_RESET, while http://<Indexer>:8000 works as expected. What can it be?
Use the btool command to see which settings will take effect the next time Splunk restarts.

splunk btool --debug indexes list
Thanks @kiran_panchavat. That's what my understanding was, but I got a different response from a support engineer (see below), which is why I wanted to confirm.

$SPLUNK_HOME/etc/system/local/indexes.conf (This file contains the default settings for the entire Splunk instance and will apply globally unless overridden.)
$SPLUNK_HOME/etc/apps/search/local/indexes.conf (Configuration files in app-specific directories (like the search app) will override the settings in the system-level configuration files. This means that any settings defined here for specific indexes will take precedence over the default settings from $SPLUNK_HOME/etc/system/local/indexes.conf.)
@jkamdar The configuration in `$SPLUNK_HOME/etc/system/local/indexes.conf` takes precedence over `$SPLUNK_HOME/etc/apps/search/local/indexes.conf`. For example, if you define an index called `windows` in both `/system/local` and `/apps/search/local`, the configuration in `/system/local` will take precedence for the `windows` index. However, if you define `windows` in `/system/local` and a different index, such as `linux`, in `/apps/search/local`, the settings for `windows` will come from `/system/local`, while the settings for `linux` will come from `/apps/search/local`, as it doesn't exist in `/system/local`. https://docs.splunk.com/Documentation/Splunk/latest/admin/Wheretofindtheconfigurationfiles#:~:text=Configuration%20file%20precedence%20order%20depends,precedence%20order%20of%20the%20directories.
Hi @danielbb, as you can read at https://www.rsyslog.com/doc/index.html, the default configuration is at /etc/rsyslog.conf, but usually the conf files are in a subfolder defined in the above file, the folder /etc/rsyslog.d. Ciao. Giuseppe
That's gorgeous @gcusello, I see the process running:

syslog 930 1 0 Jan03 ? 00:00:01 /usr/sbin/rsyslogd -n -iNONE

Thank you very much! Where is the default configuration/data mount point?
Got a question about file precedence in Splunk. If I have 2 indexes.conf files, one in $SPLUNK_HOME/etc/system/local/indexes.conf and a 2nd one in $SPLUNK_HOME/etc/apps/search/local/indexes.conf, which one would take precedence?

Mainly, to move all the data to be frozen after one year, I have configured the default section in my $SPLUNK_HOME/etc/system/local/indexes.conf:

frozenTimePeriodInSecs = 31536000

But it's different for other indexes in $SPLUNK_HOME/etc/apps/search/local/indexes.conf. So how would Splunk see it and apply it?

Thanks for your help in advance.
Please share a sanitized sample event and the props for the sourcetype.
Thanks @defection-io for responding. The query is returning hosts which are basically our indexers. We had config files on the indexers that were removed as part of removing config files from the Splunk environment. Regarding the source column, it is /opt/splunk/var/log/splunk/metrics.log, so not of much help.