Hello there. I would like to ask about Splunk best practices, specifically regarding cluster architecture. One suggested practice is to configure all Splunk servers running Splunk Web (aka a search head) as members of the indexer cluster (at least that is what I hear from the architecture lesson). For example, there is a Splunk deployer. I need to use this command, or achieve it through the web UI:
splunk edit cluster-config -mode searchhead -manager_uri https://x.x.x.x:8089 (indexer cluster manager IP) -secret idxcluster
Another suggested practice is adding the Splunk servers mentioned above (such as deployers) to Distributed search > Search peers in the manager as well. I would like to know why these are good practices and what the benefits of doing them are. (The deployer is not really a search head?) Thank you.
Thanks, @PickleRick I understand about the linear search nature of lookups. I was hoping there were perhaps some new commands on the horizon with the most recent (or future) versions of Splunk Enterprise. Or someone might have experience with MLTK, or another Splunk product, to handle this use case. Thanks and God bless, Genesius
Hi @CHAUHAN812,
In that case, in the indexes.conf file, you just need to adjust the frozenTimePeriodInSecs parameter in the 2 index stanzas.
[index01]
frozenTimePeriodInSecs = 34187400
[index02]
frozenTimePeriodInSecs = 34187400
Restart Splunk after that.
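An added example, not code from this thread: a small Python check that parses an indexes.conf like the one above and reports which index stanzas still have an effective retention shorter than the new 13-month value (34187400 seconds). The sample configuration is constructed; the [default] fallback of 188697600 seconds is Splunk's documented default for frozenTimePeriodInSecs.

```python
import re

# Constructed sample indexes.conf (not from the thread): index01 is still at
# roughly 12 months, index02 already carries the 13-month value from the post.
SAMPLE_INDEXES_CONF = """\
[default]
frozenTimePeriodInSecs = 188697600

[index01]
homePath = $SPLUNK_DB/index01/db
frozenTimePeriodInSecs = 31536000

[index02]
frozenTimePeriodInSecs = 34187400
"""

SPLUNK_BUILTIN_DEFAULT_SECS = 188697600  # ~6 years, Splunk's own default
THIRTEEN_MONTHS_SECS = 34187400          # value used in the answer above


def parse_indexes_conf(text):
    """Minimal parser for Splunk .conf syntax: [stanza] headers and key = value lines."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stanzas[current][key] = value
    return stanzas


def effective_frozen_secs(stanzas, index):
    """Per-index setting wins, then [default], then Splunk's built-in default."""
    for name in (index, "default"):
        value = stanzas.get(name, {}).get("frozenTimePeriodInSecs")
        if value is not None:
            return int(value)
    return SPLUNK_BUILTIN_DEFAULT_SECS


def indexes_below(stanzas, min_secs):
    """Names of real indexes (not [default]) whose retention is shorter than min_secs."""
    return sorted(name for name in stanzas
                  if name != "default" and effective_frozen_secs(stanzas, name) < min_secs)
```

Running indexes_below(parse_indexes_conf(SAMPLE_INDEXES_CONF), THIRTEEN_MONTHS_SECS) lists the stanzas that still need editing before the bundle is applied or Splunk is restarted.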
Yes, I have an individual indexer installed on a Linux machine, and I need to increase frozenTimePeriodInSecs only for 2 of the indexes. So to increase the frozen time period from 12 months to 13 months, I just need to update the frozenTimePeriodInSecs values in the indexes.conf file on the indexer server, right?
If you have individual indexers then that is the correct place. After the change, do a reload. If you have an indexer cluster then you must make this change on the CM. Edit the correct indexes.conf file somewhere under master-apps or manager-apps. After that, apply the cluster bundle, which distributes it to the search peers.
I want to increase the frozen time period of one of my indexes from 12 months to 13 months. I have increased the Max Size of Entire Index from the Splunk indexer > Settings. But I know this is not enough, as my index's frozen time period is set to a 12-month period. So where should I update this value? Do I need to update the indexes.conf file for the required indexes on the indexer server itself, which is installed on a Linux machine? What things do I need to take care of while updating this frozen time period?
@samy335 How did you register for the Splunk Cloud free trial account? Did you use your business email or personal email? If you used a business email, check with your IT team to see if they are blocking any external emails.
I am assuming that, due to the way the query is being evaluated, it doesn't just take the latest value; because you are using max, it gets the largest value stored for that field over however long you store data in analytics.
You can either try changing the max to min, which should always get the lowest value, but it would be better to append the following clause to the query to ensure that only the last 5 minutes of data is used to get the value: SINCE 5 minutes
@refahiati Are you experiencing high resource usage on the Splunk Heavy Forwarder? If so, I suggest configuring syslog-ng or rsyslog on the Heavy Forwarder to collect logs and store them in a separate directory. You can then monitor that directory to forward the events to Splunk indexers. Additionally, review the queues in the metrics.log file for any potential issues.
We are feeding data every 5 minutes, and if you look at the data it is 229 all the time in the metric graph, whereas when we execute the query it is a different value, 219.
16/12/2024 23:55:00,46,0,229,229,5
17/12/2024 23:55:00,46,0,229,229,5
18/12/2024 23:55:00,46,0,229,229,5
Hi Mario, thanks for the response. When I added the query as a metric, I am getting the old value. For example, the expiration days are 219 days, but it shows 229 days, which was the value on the day when I created the metric. Why is it not showing the current value? The value is not changing.
Better to contact a partner first - https://www.splunk.com/en_us/partners.html - Find a Partner button - https://www.splunk.com/en_us/about-splunk/contact-us.html
What exactly are you trying to achieve and how are you doing that? What you've shown is an event from the Windows Security event log, which is apparently an audit entry informing you that a process has been spawned on a machine. As far as I remember it doesn't capture the command's output.
Can you describe your question a little more for us? I'm not sure what you are asking. Splunk can ingest more than a PB per day. It just depends on how the environment has been built and what its capacity is. Data is stored in buckets on local disks or in an S3 bucket, e.g. in AWS, or equivalent services on GCP, Azure or on-prem. All of this is described on docs.splunk.com. If needed you can contact your local Splunk Partner or Splunk directly and they can present it to you. There are lots of videos, conf presentations etc. that tell more about Splunk.