Hi @tmcbride17, the correct question is: what protocol does the Splunk Universal Forwarder use to forward logs to the Indexers? An add-on is a configuration on the UF. To send logs, the UF usually uses TCP (http or https, depending on whether TLS is enabled or not) and by default it uses port 9997, but it can also use HEC, which is less efficient than the other. Forwarders are managed by the Deployment Server using TCP https on port 8089. Ciao. Giuseppe
What protocols does the Windows Add-on use to collect data and send it to the Splunk server? HTTPS?
Forgive me, but I still have doubts. Is your recommendation not to use a Heavy Forwarder for normalization of data?
Hi @azer271, if you're speaking of an Indexer Cluster, best practices hint to disable the web interface on the Search Peers (Indexers) and maintain it on the Cluster Manager.

If you are speaking of a Search Head Cluster, you have to use the Deployer to deploy Apps to the SHs, and the common configurations like the connection with the Indexer Cluster. If you don't have a Search Head Cluster but a stand-alone Search Head, you can run the command on the Search Head to connect it to the Cluster Manager and the Search Peers. The Deployer isn't a Search Head and cannot be configured as an SH.

In conclusion, what's your requirement: do you need an Indexer Cluster? If yes, single site or multi site? Do you need a Search Head Cluster or a stand-alone Search Head? Remember that you cannot use the Deployment Server to deploy apps to the Indexer Cluster and to the Search Head Cluster.

For more information, see https://docs.splunk.com/Documentation/Splunk/9.3.2/Indexer/Aboutclusters and https://docs.splunk.com/Documentation/Splunk/9.3.2/DistSearch/AboutSHC

Ciao. Giuseppe
Thanks. So this should be done on the indexer server, right?
Hello there. I would like to ask about Splunk best practices, specifically regarding cluster architecture. One suggested practice is to configure all Splunk servers running Splunk Web (aka a search head) as members of the indexer cluster (at least that is what I hear from the architecture lesson). For example, there is a Splunk deployer. I need to use this command, or achieve it through the web UI: splunk edit cluster-config -mode searchhead -manager_uri https://x.x.x.x:8089 (indexer cluster manager IP) -secret idxcluster. Another suggested practice is adding the Splunk servers mentioned above (such as deployers) to Distributed search > Search peers in the manager as well. I would like to know why these are good practices and what the benefits of doing them are. (The deployer is not really a search head?) Thank you.
Thanks, @PickleRick. I understand about the linear-search nature of lookups. I was hoping there were perhaps some new commands on the horizon with the most recent (or future) versions of Splunk Enterprise, or that someone might have experience with MLTK, or another Splunk product, to handle this use case. Thanks and God bless, Genesius
Hi @CHAUHAN812, in that case, in the indexes.conf file, you just need to adjust the frozenTimePeriodInSecs parameter in the 2 index stanzas:

[index01]
frozenTimePeriodInSecs = 34187400

[index02]
frozenTimePeriodInSecs = 34187400

Restart Splunk after that.
Hello, thank you very much for all of the details. That did the trick and I can finally move on to the next task. Thanks again, Tom
Yes, I have an individual indexer which is installed on a Linux machine, and I need to increase the frozenTimePeriodInSecs only for 2 of the indexes. So to increase the Frozen Time Period from 12 months to 13 months, I just need to update the frozenTimePeriodInSecs values in the indexes.conf file on the indexer server, right?
If you have individual indexers, then that is the correct place. After the change, do a reload. If you have an indexer cluster, then you must make this change on the CM: edit the correct indexes.conf file somewhere under master-apps or manager-apps. After that, apply the cluster bundle, and it will be distributed to the search peers.
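The two answers above both come down to editing frozenTimePeriodInSecs in the right indexes.conf, and the thread's 13-month value (34187400) follows from Splunk's 30.4375-day average month (365.25 / 12). The script below is an added example, not code from the thread or from Splunk: it rewrites that one setting for only the named stanzas, adds it where a stanza inherits the [default] value, and leaves every other stanza alone. The indexes.conf it works on is constructed here for illustration (the 188697600 in [default] is Splunk's shipped 6-year default; the stanza names and paths are made up).

```python
"""Edit frozenTimePeriodInSecs for selected index stanzas in an indexes.conf.

Added example; the SAMPLE_INDEXES_CONF text below is constructed, not a real file.
"""
import re

SECONDS_PER_DAY = 86400
# Splunk docs express retention in 30.4375-day months (365.25 / 12); with this
# convention 13 months is exactly 34187400 seconds, the value quoted in the thread.
DAYS_PER_MONTH = 365.25 / 12

# Constructed sample: [default] carries Splunk's shipped 6-year value, index01 and
# index03 set 12 months explicitly, index02 only inherits from [default].
SAMPLE_INDEXES_CONF = """\
[default]
frozenTimePeriodInSecs = 188697600

[index01]
homePath = $SPLUNK_DB/index01/db
coldPath = $SPLUNK_DB/index01/colddb
thawedPath = $SPLUNK_DB/index01/thaweddb
frozenTimePeriodInSecs = 31557600

[index02]
homePath = $SPLUNK_DB/index02/db
coldPath = $SPLUNK_DB/index02/colddb
thawedPath = $SPLUNK_DB/index02/thaweddb

[index03]
homePath = $SPLUNK_DB/index03/db
coldPath = $SPLUNK_DB/index03/colddb
thawedPath = $SPLUNK_DB/index03/thaweddb
frozenTimePeriodInSecs = 31557600
"""

_STANZA_RE = re.compile(r"^\s*\[(.+?)\]\s*$")
_FROZEN_RE = re.compile(r"^\s*frozenTimePeriodInSecs\s*=\s*(\d+)")


def months_to_seconds(months):
    """Convert a retention period in months to frozenTimePeriodInSecs."""
    return round(months * DAYS_PER_MONTH * SECONDS_PER_DAY)


def parse_stanzas(text):
    """Split conf text into an ordered list of (stanza_name, [lines]).

    Comments and blank lines are preserved verbatim so the rewrite is minimal.
    A leading block before the first stanza, if any, gets the name None.
    """
    stanzas, name, lines = [], None, []
    for line in text.splitlines():
        m = _STANZA_RE.match(line)
        if m:
            if name is not None or lines:
                stanzas.append((name, lines))
            name, lines = m.group(1), []
        else:
            lines.append(line)
    stanzas.append((name, lines))
    return stanzas


def set_frozen_period(text, index_names, months):
    """Return conf text with frozenTimePeriodInSecs set to `months` for index_names.

    Stanzas not listed are left untouched; a listed stanza that lacks the key
    gets it appended (so it stops inheriting from [default]). Raises KeyError
    if a requested stanza does not exist, rather than silently creating one.
    """
    seconds = months_to_seconds(months)
    pending = set(index_names)
    out = []
    for name, lines in parse_stanzas(text):
        if name is not None:
            out.append(f"[{name}]")
        if name in pending:
            new_lines, replaced = [], False
            for line in lines:
                if _FROZEN_RE.match(line):
                    new_lines.append(f"frozenTimePeriodInSecs = {seconds}")
                    replaced = True
                else:
                    new_lines.append(line)
            if not replaced:
                # Insert after the last non-blank line to keep the stanza tidy.
                last = max((i for i, l in enumerate(new_lines) if l.strip()), default=-1)
                new_lines.insert(last + 1, f"frozenTimePeriodInSecs = {seconds}")
            lines = new_lines
            pending.discard(name)
        out.extend(lines)
    if pending:
        raise KeyError(f"stanzas not found in indexes.conf: {sorted(pending)}")
    return "\n".join(out) + "\n"


def frozen_periods(text):
    """Map stanza name -> explicitly set frozenTimePeriodInSecs, for checking."""
    result = {}
    for name, lines in parse_stanzas(text):
        for line in lines:
            m = _FROZEN_RE.match(line)
            if m:
                result[name] = int(m.group(1))
    return result


if __name__ == "__main__":
    updated = set_frozen_period(SAMPLE_INDEXES_CONF, ["index01", "index02"], 13)
    print(updated)
    print(frozen_periods(updated))
```

Two things to check after writing the file: that only the intended stanzas changed (frozen_periods on the result makes that a one-line diff against the original), and that the effective value Splunk sees is the one you wrote, since a copy of indexes.conf in a higher-precedence app can override yours; `splunk btool indexes list index01 --debug` shows the winning value and the file it came from. Raising the period only matters if the index's size limits allow the extra month of buckets to stay, which is why the original poster also increased the maximum index size; lowering it instead would freeze (and, without a coldToFrozenDir or script, delete) buckets immediately on the next housekeeping pass.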
I want to increase the frozen Time Period of one of my indexes from 12 months to 13 months. I have increased the Max Size of Entire Index from the Splunk indexer > Settings. But I know this is not enough, as my index frozen Time Period is set to a 12-month period. So where should I update this value? Do I need to update the indexes.conf file for the required indexes on the indexer server itself, which is installed on a Linux machine? What things do I need to take care of while updating this frozen Time Period?
Hi, I have used a personal email. It's been more than a week and I didn't receive the email yet. I have checked spam as well, but nothing is in there.
@samy335 How did you register for the Splunk Cloud free trial account? Did you use your business email or personal email? If you used a business email, check with your IT team to see if they are blocking any external emails.
I am assuming that, due to the way the query is being evaluated, it doesn't just take the latest value, and hence, because of the max, it gets the largest value stored for that field for however long you store data in analytics. You can either try changing the max to min, which should always get the lowest value, but it would be better to append the following clause to the query to ensure that only the last 5 minutes of data gets used to get the value: SINCE 5 minutes
@refahiati Are you experiencing high resource usage on the Splunk Heavy Forwarder? If so, I suggest configuring syslog-ng or rsyslog on the Heavy Forwarder to collect logs and store them in a separate directory. You can then monitor that directory to forward the events to Splunk indexers. Additionally, review the queues in the metrics.log file for any potential issues.
We are feeding data every 5 minutes, and if you look at the data it's 229 all the time in the metric graph, whereas when we execute the query it's a different value, 219.

16/12/2024 23:55:00,46,0,229,229,5
17/12/2024 23:55:00,46,0,229,229,5
18/12/2024 23:55:00,46,0,229,229,5
Hi Mario, thanks for the response. When I added the query as a metric, I'm getting an old value. For example, the expiration days are 219 days, but it shows 229 days, the value on the day when I created the metric. Why is it not showing the current value? The value is not changing.
Better to contact a partner first: https://www.splunk.com/en_us/partners.html (Find a Partner button), or https://www.splunk.com/en_us/about-splunk/contact-us.html
What exactly are you trying to achieve, and how are you doing that? What you've shown is an event from the Windows Security event log, which is apparently an audit entry informing you that a process has been spawned on a machine. As far as I remember, it doesn't capture the command's output.