Hi @rickymckenzie10, for your requirement I would suggest going for option 2 for the upgrade. Let me explain the difference as per my understanding: in most terms both work the same, but there are some differences. With maintenance mode you are telling the cluster master that some activity will happen on the indexers; it can be stopping Splunk on an indexer, rebooting the server, or upgrading Splunk. With maintenance mode enabled, bucket replication will not happen in the entire cluster; once maintenance mode is disabled, bucket fixup tasks will complete. With the rolling upgrade command, the manager node understands that it is an upgrade of the cluster; running the rolling upgrade command also enables maintenance mode and tries to minimize the impact to searches.
Enabling maintenance mode simply tells the Cluster Manager to not bother doing bucket fix-ups.  Nothing happens on the indexers themselves. The upgrade-init command starts a rolling restart of the indexers after setting maintenance mode.
I'm not sure what that statement means.  props apply only to the sourcetype, source, or host listed in the stanza name.  It may be necessary to replicate a stanza to cover all scenarios.
This gets me pretty close to what I need. I modified it slightly to get to the data I need:

| makeresults format=csv data="Day,Percent
2024-11-01,100
2024-11-02,99.6
2024-11-03,94.2
2024-11-04,79.9
2024-11-30,49.9
2024-12-01,22.1
2024-12-02,19.0"
| eval _time=strptime(Day, "%F")
| foreach 50 80 100
    [ eval REMAINING = 100 - <<FIELD>>
    | eval REMEDIATION_<<FIELD>> = if(Percent <= REMAINING, 1, null()) ]
| stats earliest_time(_time) as Start earliest_time(REMEDIATION_*) as r_*

I'll need to figure out a way to get the 100% field to show up after the stats command, but I know I can do that in a brute force manner if necessary. I haven't seen foreach before, so thank you for such a concise, relevant example.
Hi, we installed the #AbuseIPDB app in our Splunk Cloud instance. I created a workflow action called jodi_abuse_ipdb using the documentation provided in the app:

Label: Check $ip$ with AbuseIPDB
Apply only to: ip
Search string: |makeresults|abuseipdbcheck ip=$ip$

I'd like to be able to use this for a report, but I haven't figured out how to trigger this workflow action to provide results. I've done Google searches and I've tried a number of things. I am hoping someone in the community might be able to help. Thank you! Jodi
@richgalloway It works, but only if I pass source; then the rule takes effect. If I pass sourcetype, the rule is not effective in props.conf. Thank you.
Sure: https://community.splunk.com/t5/Getting-Data-In/Rolling-upgrade-vs-Maintenance-mode-commands-on-cluster-manager/td-p/705861 
I've read the documentation on these commands, executed both in a dev environment, and observed the behavior. My interpretation of the commands is that they are the same. Does someone want to take a stab and try to better explain them from your own perspective? Please don't point me to or reference any Splunk docs; I've read them already and still can't see what the best use case is for each of these. I want to read your opinion! What is the main difference between these two commands?

splunk enable maintenance-mode
splunk upgrade-init cluster-peers

Here is the scene: I will be upgrading a cluster consisting of a Splunk cluster manager and its peers:

Cluster manager
Indexers

I don't want to initiate a bucket fixup on each indexer (10 peers * 10TB on each peer). Which one best fits/serves my use case above?
Hi @rickymckenzie10 , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated
I am not sure why you won't show us what you do have - perhaps we might be able to see what is wrong - what you are sharing with us at the moment is not moving things forward.
Yea no reference to server_pkcs1.pem in server.conf.  I already renamed file, and finding is gone.  Just watching/waiting now to make sure no issues.  Thanks!  
It's important to note that I wrote a similar line of code for another panel and got no error, see below:

index = index name sourcetype = sourcetype name (field names) earliest =$StartTime$ latest=$FinishTime$
This info actually matches the data from the CMC, the only issue I have is that you can't group the volume by index (although I can group by splunk_server/indexer).
Tried this already and got this error: Invalid value "$TimeRange.earliest$" for time term 'earliest'
Hi @smallwonder, currently there is no option to limit data sent to Splunk after reaching a certain limit. You can try filtering the data as I mentioned in my earlier post.
@Jamietriplet wrote:

index=Index name sourcetype=sourcetype name (field names) earliest=$TimeRange$ latest=now()
index=Index name sourcetype=sourcetype name (field names) earliest=$TimeRange.earliest$ latest=$TimeRange.latest$
I am new to Splunk but have spent a long time with Unifi kit. I am on the latest version of the Unifi controller with a config for SIEM integration with Splunk. I have installed Splunk on a Proxmox VM using Ubuntu 24.04. Is there a step-by-step guide on how to ingest my syslog data from Unifi into Splunk, please? Regards, BOOMEL