As an outsider with no real knowledge of it, I would say it's likely coming soon. Since AWS is their testing ground for all cloud items first, they are likely aware of the need to support kernel 6.x. Also, reviewing the link you provided, the UF already supports that kernel release. Contact your Sales team or a TSE assigned to your account to see if they can get you this information for a tentative release date.
You need a btool debug output for macros.conf on the ES SHC. The app is reading the proper file, but it appears you have some override of that stanza coming from an outside file.
Hi,
Here are a couple of ideas for quick checks:
1. Did you restart the collector after changing agent_config.yaml?
2. Did you add the new apache receiver to the metrics pipeline?
3. Did you check for apache.* metrics using the metric finder? Or check for data in the apache built-in dashboard?
Hmm.
1. You don't need to escape quotes here. But that shouldn't matter here. The extra backslash should just be ignored.
2. More importantly, you use %7N - that might be the problem. https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables only explicitly lists %3N, %6N and %9N.
At one time, only indexers and HFs could accept HTTP input. I do not see that documented anywhere now, however. UFs do very little parsing, except for INDEXED_EXTRACTIONs.
WARN TcpOutputProc [22637 parsing] - The TCP output processor has paused the data flow. Forwarding to host_dest=ip inside output group default-autolb-group from host_src= has been blocked for blocked_seconds=16061. This can stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data.
ERROR TcpOutputFd [22638 TcpOutEloop] - Read error. Connection reset by peer
It turns out there is no network interaction between the workstation and the Splunk?
Hi @KJ10 ,
I’m a Community Moderator in the Splunk Community.
This question was posted 3 years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post.
Thank you!
1. Yes
This is the constant delimiter
----------------------------
This is an Example (He/She)
-----------------------------
2. It picks up every 7th line and skips others. I think that is because I used \n+, right?
3. I should have used "splunk btool props list" instead of inputs. I ran the command and I see only one LINE_BREAKER for that sourcetype.
Thanks for the info on BREAK_ONLY_BEFORE.
What is the regex I should use on the LINE_BREAKER?
I need to run a script to check if a list of Linux servers have Splunk installed and the process name. Any idea what the process name is or the installed directory? And if it's forwarding to the Splunk console?
https://splunkbase.splunk.com/app/3696
Get this app and place it on your DMC as best practice. The REST calls will access anything that is a search peer. The DMC node typically has your entire environment as a search peer in order to monitor the environment. The app does suggest installing on a search head, but you might miss access to CM, HF, etc. Of course, if you have a single node cluster, then there is no need to worry about where you install. Follow the instructions for a cloud-based environment.
Hello to everyone! I want to build a dashboard with which I can access information from the config files of an indexer cluster. I know that the typical scenario to access config files is using the REST endpoints "/services/configs/conf-*". But as I understood, these endpoints show only configuration files stored under /system/local/*.conf. Is there a way to access config files stored under /manager-apps/local?
@richgalloway Hi there. Thanks for the answer about the MGMT port. I'm a little confused by your answer that UFs do not support HEC. The previous version 8.2.6 of the UF works fine as HEC with port 8088 bound and forwards data through TCP to the indexer nodes (9997). Maybe Splunk removed this logic from the UF in the versions after 8.2.6? What is the replacement for HEC? We are using the UF because parsing does not use license. What is the latest version of the UF that can be configured as an HTTP Event Collector?
There is the management mode setting that controls whether the UF listens to a TCP port or via UDS. See https://docs.splunk.com/Documentation/Forwarder/9.3.2/Forwarder/AboutManagementMode
The management port itself is set in web.conf, not inputs.conf (it's not a data input).
[settings]
mgmtHostPort = 127.0.0.1:9089
UFs do not support HTTP input.
The coalesce will work; it is just that if the count is 1, it could be that it only occurs in component1 or component2, and you would have to do something slightly different if you want to distinguish which set the component comes from.