All Posts
@PickleRick, sorry for the late answer. You are right, I think we might have misunderstood how some attributes work in indexes.conf, and thus it was not strong enough to force the rolling of the warm buckets. We will surely rework the conf and see what happens, but I think that was the main issue. Thanks a lot for your time and answers!
Hello @ITWhisperer, I tried this and got the same error: Invalid value "$TimeRange.earliest$" for time term 'earliest
Try something like this: earliest=$TimeRange.earliest$, latest=$TimeRange.latest$
See the Getting Data In manual.
Hi @PolarBear01, the only way to have HA at the forwarder level is to have two or more receivers (rsyslog, syslog-ng or SC4S), so your receiver will work even if Splunk is down, with a load balancer that distributes syslog between them and manages failover. Receivers can be located on UFs or on HFs; I usually use rsyslog on UFs! I don't know what you mean by manual balancing; for real HA, you need a load balancer that works without any manual action. There's also the possibility of configuring DNS for load balancing and failover management, but DNS usually responds with a delay in case of a fault on one receiver, so you lose the first logs. For this reason a real load balancer (e.g. F5) is the best solution for real HA. The HFs are useful if you want to concentrate all logs before sending them to Splunk Cloud; otherwise (on premise) it isn't mandatory. Ciao. Giuseppe
Hi folks, I'm having a hard time picking the right architecture for setting up a solution to gain high availability of my syslog inputs. My current setup is:
- 4 UFs
- 2 HFs
- Splunk Cloud
Syslog is now being ingested on one of the HFs as a network input. I saw that to solve my issue I could ingest my syslog logs on a UF and forward them to my HFs, taking advantage of the built-in load balancing of the intermediate forwarders (aka HFs), which would simplify the deployment a lot. On the other hand, another solution I have seen is manually implementing a load balancing machine in front of the HFs to ingest the syslog data and manually balance the load. Which solution is best suited for a Splunk deployment? IMO the 1st one is much more straightforward, but I need to validate that this is a correct approach. Thanks in advance!
Hello, can you please help me by letting me know what steps need to be followed to do so? Thanks
The token was set using the time range control; see the image below.
Hi Team, can you please help me extract data from an external website into a Splunk dashboard? Is it possible? Example: I have to fetch the status below from the website "https://www.ecb.europa.eu/". Output in the Splunk dashboard: T2S is operating normally.
Please show what is in your token and how you have set it.
As you say, it "is _not_ straightforward", and I agree, which is why I think the "solution" here is vague and ought to be refined.
Hello guys, I am trying to add a time range to my search, so the user can pick any time range and see data for the selected time (e.g. 24 hours, last 30 days, previous year, etc.). I created a time range control and token for this purpose, called TimeRange. But when I run my query, I get the error below: Invalid value "$TimeRange$" for time term 'earliest' Here is my query: base query earliest = $TimeRange$, latest=now() | other query
Hi mitag, it's been a while since you posted this. Were you able to work on such an app/add-on? I would be interested in it.
The question was very vague and ambiguous. Let's consider a situation where you have a server hosting two interfaces, 192.168.10.23/24 and 172.17.1.10/24. It receives HEC data on the 172.17.1.10 interface and has a default route via 192.168.10.1. It sends its data to an indexer located at 10.1.2.3/24, but the connection is SNAT-ed so it appears to the indexer as coming from 10.20.1.1. What is internal and external in this case? It is _not_ straightforward. I could throw an intermediate forwarder into this mix and possibly some HTTP proxy. "Internal" and "external" mean different things depending on where you look from.
@SreejithDas - You are installing the Splunk IT Service Intelligence app, which cannot be installed from the UI. You need to install it from the backend/SSH only. Reference document: https://docs.splunk.com/Documentation/ITSI/4.19.1/Install/Install I hope this helps!!! Kindly upload if it does!!!
@SreejithDas - You need to either increase the UI upload limit in web.conf or just install ES from the backend/SSH. https://docs.splunk.com/Documentation/ES/6.0.0/Install/InstallEnterpriseSecurity
Hello Experts, I am getting an error while importing splunk-enterprise-security_732.spl. The current Splunk version used here is Splunk Enterprise Version: 9.3.2. Here is the error description:
This XML file does not appear to have any style information associated with it. The document tree is shown below.
<response> <messages> <msg type="ERROR">Content-Length of 920287904 too large (maximum is 524288000)</msg> </messages> </response>
Need help on this. #SplunkError #ContentLengthExceeded #EnterpriseSecurity #UploadIssue #LargeAppFileError
Hi, I have a Python script that requires a hostname as input and then runs an Ansible job via AWX. Is there a way to install this cleanly via a dashboard or in a menu in ES? I actually just want to enter the hostname and use it to start the script. Regards, David
Hello Experts, I am getting an error while importing splunk-it-service-intelligence_4191.spl. The current Splunk version used here is Splunk Enterprise Version: 9.3.2. Here is the error description:
"There was an error processing the upload. Invalid app contents: archive contains more than one immediate subdirectory: and DA-ITSI-DATABASE"
Please help on this. #SplunkError #InvalidAppContents #AppUploadIssue #SplunkDebugging #ITSIError
Hi @PickleRick, I agree to a certain extent. The question here was how to "find internal and external ip addresses", and I think we can agree that it's not the internal IP that is presented, unless they are sitting on the same network. But as many (most, I suppose) are more or less distributed, you'll not be able to get the internal IP this way, right?