All Posts

Hi, I'm trying to add the source information of the metric (like k8s pod name, k8s node name, etc.) from splunk-otel-collector-agent and then send it to gateway (Data Forwarding model). I tried using attributes and resource processors to add the source info, then enabled those processors in the pipelines in the agent_config.yaml. In gateway_config.yaml, I added the processors with from_attribute to read from agent's attribute. But I couldn't add additional source tags of my metric. Can anyone help here? Let me know if you need more info. I can share. Thanks, Naren
Can you post your db input configuration? Add it into block </> (editor box).
@Brett have you any answers to this?
Have you looked at these? https://community.splunk.com/t5/All-Apps-and-Add-ons/Limit-choices-in-default-TIMEPICKER https://hurricanelabs.com/splunk-tutorials/how-to-set-custom-time-range-presets-in-splunk/
@fatsug Hi! AFAIK, the last_validated_bundle is different from the active_bundle because they have different purposes within the bundle lifecycle. The validation process creates a temporary bundle to verify the configuration changes, while the apply process would create a new bundle including additional metadata and runtime information needed for the actual deploy across the cluster. When you run splunk apply cluster-bundle, it creates a new bundle from the master-apps directory and that's why you're seeing a different checksum than your validation step. After successful application, all checksums align since they're now referring to the same deployed bundle.
You should always disable any unnecessary components like kvstore where it isn't needed. See https://docs.splunk.com/Documentation/Splunk/9.4.0/Security/DisableunnecessarySplunkcomponents
It could be like "host\s*=". The best way is to use btool with --debug to see where it is defined.
Hi, I'm afraid that you must do this in HF or IDX with props and transforms? The reason for that is those file/directory names. I think that Splunk internally expands those into one equal name and for that reason you have only one monitoring stanza, not three? Maybe you could try to put those in a different order, putting that wildcard only into the latest. Use btool to look at how Splunk sees those and in which order it puts those. Another tool to check how those are read is to use "splunk list inputstatus", which shows which files it has read and which stanza those belong to. r. Ismo
I didn't know you had to disable kvstore on indexers. It works, I was able to update my server. Thanks.
I just did this from the /opt/splunk directory on all 3 SHC members, and the deployer: grep --include=inputs.conf -rnw . -e "host =" The only place where I see the hostname being in an inputs.conf is in $SPLUNK_HOME/etc/system/local, and $SPLUNK_HOME/var/run/splunk/confsnapshot/baselinelocal/inputs.conf Kind of at a loss...
Hi, do you mind sharing the search string/SPL you used to get the AD login information? Thank you!
Here https://conf.splunk.com/files/2017/slides/pushing-configuration-bundles-in-an-indexer-cluster.pdf is an old conf presentation about pushing cluster bundle. It contains quite a lot of information, and starting on page 41 is a troubleshooting section. There are e.g. the places where those bundles are stored on CM and peers. Basically you could look at their content to see whether those are different, which explains the difference in hash. r. Ismo
Hello. I tried this but it didn't work.
We are also facing the same situation. Any luck on how to resolve this? Thanks.
If I recall right you could put html files into appserver directory? See https://community.splunk.com/t5/All-Apps-and-Add-ons/Creating-an-APP-and-setting-a-custom-HTML-Webpag/td-p/398100
Does anyone know if there is a way to suppress the sending of alerts during a certain time interval if the result is the same as the previous trigger, and if the result changes, it should trigger regardless of any suppression or only trigger when there is a new event that causes it to trigger?
Probably you should install e.g. https://splunkbase.splunk.com/app/833 to collect some files, statistics etc. Also you should check the Getting Data In documentation from docs.splunk.com and lantern.splunk.com.
How do I change which metrics are sent from my MacBook to Splunk? Now I see average output but I don't think it's correct? I downloaded some files just to generate some traffic but that traffic does not show
I agree. I would try eventstats as well.
Hi @Syed.Musharraf, Fill out this form and let them know you are looking for on-prem https://www.splunk.com/en_us/talk-to-sales.html