@jmunsterman As @richgalloway mentioned, you can use the stats command to retrieve all the results. Please find the attached screenshot for reference. I hope this helps; if any reply helps you, you could add your upvote/karma points to that reply, thanks.
Thanks @kiran_panchavat, About the ulimits, what are the minimal ulimits requirements?
One way to see all 100+ values of the field is by using the stats command.

... | stats count by dnis

Of course, the table command also will list all values of the field (with duplicates, if any).

... | table dnis
@danielbb Please have a look: https://docs.splunk.com/Documentation/Splunk/9.4.0/Installation/SystemRequirements#Considerations_regarding_system-wide_resource_limits_on_.2Anix_systems I hope this helps; if any reply helps you, you could add your upvote/karma points to that reply, thanks.
@danielbb This allows different buckets to be stored on different storage types, which in turn is very useful to improve efficiency and reduce storage costs. Below are the recommended configurations for each bucket/storage type and example indexes.conf parameters that can be utilized. I hope this helps; if any reply helps you, you could add your upvote/karma points to that reply, thanks.
@danielbb General Considerations for all Splunk servers

1. Setting ulimits and Transparent Huge Pages
2. Turn OFF SELinux
3. Check firewalld. In case, as per company policy, you need to have an OS-level firewall, make sure you open the required ports for Splunk on the OS. Following are a few useful commands you can use.
4. Don't run Splunk as root. Create a Splunk user & group and give the Splunk user sudo privileges.
5. Storage considerations for indexers. Splunk indexed data goes through various stages during its lifecycle as shown below: Hot Bucket > Warm Bucket > Cold Bucket > Frozen/Archived > Thawed (manual process). This allows different buckets to be stored on different storage types, which in turn is very useful to improve efficiency and reduce storage costs.

I hope this helps; if any reply helps you, you could add your upvote/karma points to that reply, thanks.
distinct results in splunk and how to show all data in selected fields vs the 100+ results  
We are creating an installation of one indexer, one search head, and one universal forwarder with syslog, and I wonder what the minimal OS requirements are, such as disabling transparent huge pages on the indexer, file descriptors, etc. We are speaking about a bare minimum installation.
@danielbb You can use this one to check as well. I'm using CentOS, but you can also try it on Ubuntu.

[root@splunk-aio ~]# hostnamectl
   Static hostname: splunk-aio
         Icon name: computer-vm
           Chassis: vm 🖴
        Machine ID: ea171f1dc4b840a1b52a19ec5ae5afc4
           Boot ID: 36db617c351e46d3b1677179c2796e36
    Virtualization: kvm
  Operating System: CentOS Stream 9
       CPE OS Name: cpe:/o:centos:centos:9
            Kernel: Linux 5.14.0-325.el9.x86_64
      Architecture: x86-64
   Hardware Vendor: DigitalOcean
    Hardware Model: Droplet
  Firmware Version: 20171212
[root@splunk-aio ~]#

I hope this helps; if any reply helps you, you could add your upvote/karma points to that reply, thanks.
@danielbb

[root@splunk-aio ~]# uname -r
5.14.0-325.el9.x86_64
[root@splunk-aio ~]# uname -a
Linux splunk-aio 5.14.0-325.el9.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Jun 9 19:47:16 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

I hope this helps; if any reply helps you, you could add your upvote/karma points to that reply, thanks.
Thank you @kiran_panchavat, How do I ensure that?
@danielbb Ensure that the Ubuntu version meets the hardware and kernel requirements specified by Splunk: 4.x+ or 5.4.x kernel Linux distributions. Please don't forget to accept this solution if it fits your needs.
@danielbb Please have a look: https://docs.splunk.com/Documentation/Splunk/9.4.0/Installation/SystemRequirements If this reply helps you, Karma would be appreciated.
@danielbb Splunk can support 4.x+ or 5.4.x kernel Linux distributions.
That's why I suggested looking into DMC, which has many searches. If you write those searches yourself it will take a lot of time. DMC will give you those pre-built searches. Now, if you don't have access to DMC in your environment, you can just install Splunk on your local laptop and use that to get the searches. To get the searches, you can open any panel in any panel by clicking on the bottom-left "Open in search". I hope this helps!!!
@mostafadehghad6 The Keycloak integration process is straightforward, it seems. You can follow these steps:

1. Open the add-on, navigate to the configuration tab, click "Add," and provide the necessary details, such as the client ID and secret key.
2. Create an input based on your specific requirements.
3. Ensure that the firewall rules allow communication between Splunk and Keycloak.

I hope this helps; if any reply helps you, you could add your upvote/karma points to that reply, thanks.
We are about to create new VMs with the Ubuntu OS. Which version of Ubuntu is supported and recommended? 
The following instructions seem to remedy 99% of the issues: docs.splunk.com/Documentation/Splunk/9.3.1/Admin/Shareperformancedata#How_to_opt_out Apologies for the noise.
Splunk installation in a secure facility. I see the following blocked attempts to phone home in our logs and infosec is unhappy. How do I prevent Splunk from phoning home every 15 seconds?

TCP_DENIED/403 3836 CONNECT beam.scs.splunk.com:443 - HIER_NONE/- text/html
TCP_DENIED/403 3906 CONNECT quickdraw.splunk.com:443 - HIER_NONE/- text/html

Splunk Enterprise Version: 9.3.1 Build: 0b8d769cb912
Hello @VatsalJagani Thanks for the info. Yes, we have DMC enabled, but the problem is that, as we are new to Splunk, we have given only limited access for now to the SH. So we wanted to create some dashboards to look within the internal logs to detect the issues. I would like to start with the Universal Forwarder first.