Hi. I do not understand well the SHC config:

[raft_statemachine]
disabled = <boolean>
* Set to true to disable the raft statemachine.
* This feature requires search head clustering to be enabled.
* Any consensus replication among search heads uses this feature.
* Default: true
replicate_search_peers = <boolean>
* Add/remove search-server request is applied on all members of a search head cluster, when this value to set to true.
* Requires a healthy search head cluster with a captain.

What changes in a SHC by setting "disabled = true or false"? By default it is true. "replicate_search_peers = true" works only if disabled is false. What does setting this to true or false do to the cluster?
Edit the server.conf on the manager node or on the search heads?
Found the problem, and fixed.

INFO KeyManagerSearchPeers [601811 TcpChannelThread] - Sending SHC_NODE_HOSTNAME public key to search peer: https://OLDIDX:8089
ERROR SHCMasterPeerHandler [601811 TcpChannelThread] - Could not send public key to peer=https://OLDIDX:8089 for server=SHC_NODE_HOSTNAME (reason='')

Inside the SHC nodes, there was a node to which, probably some time ago, I copied the "distsearch.conf" manually, without deleting all previous peers in the UI or restarting with a clean, empty "distsearch.conf". So the previous peers remained "as artifacts" (inside a system KV table?), and splunkd read them as active even though they were not present nor visible in "distsearch.conf" or in the UI DistSearch panel.

Simple solution, from a SHC node UI:
- Delete all peers, one by one (the delete syncs with the other nodes)
- Insert all peers again, one by one (the insert syncs with the other nodes)

After a clean restart, the WARNING messages with the old IDXs/peers went away. So it was a real artifact, I presume inside a system KV table, since on the filesystem no .conf contains them!!! 🤷
I’m experiencing slow performance with my Splunk queries, especially when working with large datasets. What are some best practices or techniques I can use to optimize my searches and improve response times? Are there specific commands or settings I should focus on?
You guys are right, and my apologies. I was a bit excited to finally use the forum to test and see how fast the replies were, but I figured it out. The issue was that in the Mac terminal I wrote:

mv Splunk /opt/

and instead of moving "Splunk" to the directory, it just completely renamed "Splunk" to "opt" for some reason. I just changed the name back to Splunk and it was up and running.
Hi @mninansplunk

If you're not sure which index contains your data, start with this search:

| tstats count where source="/var/www/html/PIM/var/log/webservices/*" by sourcetype index host

This is a fast way to find which indexes contain your data and see the associated hosts and sourcetypes. Once you know the right index, you can do a more detailed search:

index=<your_index> source="/var/www/html/PIM/var/log/webservices/*" | stats count by source sourcetype host

For the Files & Directories input - was it a typo there? Single forward slashes like this?

/HostName/var/www/html/PIM/var/log/webservices/*

Make sure the file permissions on your input directory allow your Splunk forwarder access to the path.

Refer:
https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/GetthetutorialdataintoSplunk
https://docs.splunk.com/Documentation/SplunkCloud/latest/Search/GetstartedwithSearch
https://www.splunk.com/en_us/blog/customers/splunk-clara-fication-search-best-practices.html

If this helps, please upvote.
Hello @linaaabad! @MuS's solution should give you a good start. Please don't use "join"; instead use "stats ... by" as above. Refer to the below for documentation.
https://lantern.splunk.com/Splunk_Platform/Product_Tips/Searching_and_Reporting/Writing_better_queries_in_Splunk_Search_Processing_Language
https://conf.splunk.com/watch/conf-online.html?search=PLA1528B#/
Hi there, without sample events this can be tricky, but since you provided the SPL and you join on UserAccountId I assume this field is available in both sourcetypes. If this is the case, it would be as simple as

index=salesforce UserAccountId=* sourcetype="sfdc:user" OR ( sourcetype="sfdc:setupaudittrail" Action=suOrgAdminLogin )
| fields list of fields you want
| stats values(*) AS * by _time UserAccountId

Hope this helps ... cheers, MuS
Please add this

| eval foo=0
| foreach max* [ eval foo='<<FIELD>>' ]
| fields - max*
| rename foo AS max

at the end of your SPL.
Hey there! Have you tried executing this use case via no-code automation platforms? I know that Albato has an Integrator that can be used on the free plan. Furthermore, they have a library with several apps already available: https://albato.com/apps
OK, but max is a value that I get from the index and not a value that I attribute. My problem is that the value I get from the index is the same for all 3 LPARs; I only want to display it 1 time.
Hi there, if your max value is static, you could do something like this:

index=_internal sourcetype=* | timechart span=1h count by sourcetype | eval max=10000000

and this will produce 1 max line on the graph like this:

Hope this helps ... cheers, MuS
I need to replace the variables in the rule_title field that is generated when using the `notable` macro. I was able to get this search to work, but it only works when I table the specific variable fields. Is there a way I can do that for all titles regardless of title and variable fields?
Usually (as always, it's a general rule of thumb; impossible to say without detailed knowledge of your environment and data; YMMV and all the standard disclaimers) fiddling with search concurrency is not the way to go. You can't get more computing power to run your searches than you have raw performance in your hardware. So even if you raise the concurrency, Splunk will be able to spawn more processes with searches, but they will starve each other of resources because there's only so much iron underneath to use. So check what is eating up your resources, disable unneeded searches, optimize the needed ones, teach your users to write effective searches and so on.
Hey @Meett , this does not solve the issue, I think the culprit is what I've shared in my own comment/reply?
Hello, how can I display only 1 value of these 3 "maxCapacitMachine" results (which are the same in all 3 cases) in a BY timechart?
Currently, without hitting the submit button, when I load the dashboard it gets the result of the below usage statistics of the selected test environment. The query used first checks if env is selected as "test", then uses "index" as "np-ap" and sets "stageToken" as "test". I want the submit button to work and get the result only after the env, data entity and date are selected and the submit button is hit.

index="np-ap" AND source="--a-test"
<query>index=$indexToken$ AND source="-a-$stageToken$"

<form version="1.1" theme="dark">
  <label> stats</label>
  <fieldset submitButton="true">
    <input type="dropdown" token="indexToken1">
      <label>Environment</label>
      <choice value="pd-ap,prod">PROD</choice>
      <choice value="np-ap,test">TEST</choice>
      <change>
        <eval token="stageToken">mvindex(split($value$,","),1)</eval>
        <eval token="indexToken">mvindex(split($value$,","),0)</eval>
      </change>
    </input>
    <input type="dropdown" token="entityToken">
      <label>Data Entity</label>
      <choice value="aa">aa</choice>
      <choice value="bb">bb</choice>
      <choice value="cc">cc</choice>
      <choice value="dd">dd</choice>
      <choice value="ee">ee</choice>
      <choice value="ff">ff</choice>
      <default>aa</default>
    </input>
    <input type="time" token="timeToken" searchWhenChanged="false">
      <label>Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <html id="APIStats">
        <style>
          #user{ text-align:center; color:#BFFF00; }
        </style>
        <h2 id="user">API</h2>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Unique</title>
        <search>
          <query>index=$indexToken$ AND source="-a-$stageToken$" | stats count </query>
          <earliest>$timeToken.earliest$</earliest>
          <latest>$timeToken.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
Hello, I'm having a hard time trying to find what data source the events from a search are originating from. The search is:

source="/var/www/html/PIM/var/log/webservices/*"

I've looked through the "Files & Directories" input (which I thought I would find it in) and the rest of the Data Inputs, but can't seem to locate it anywhere.

A side question: I tried creating a new Files & Directories data input by putting the full Linux path like below:

//HostName/var/www/html/PIM/var/log/webservices/*

But it says Path can't be empty. I'm sure this is probably not how you format a Linux path; I just couldn't find what I'm doing wrong. Thanks for any help at all,
Newb
@sainag_splunk is correct. This has to be a bug in 9.2. I'm about to upgrade to 9.3, so I rushed a bunch of tests. The results suggest that it has something to do with search results or with input.

Test                                                       | 9.2.2                 | 9.3.1
-----------------------------------------------------------|-----------------------|-------------
Basic search like makeresults, tstats, no input            | No problem            | No problem
Some complex searches, with inputs                         | No problem            | (Not tested)
Latest dashboard with some other searches, similar inputs  | Cannot Open in Search | (N/A)
Code copy of problematic dashboard                         | Cannot Open in Search | No problem
Recreation of problematic dashboard                        | Cannot Open in Search | (N/A)

So, the last two rows are really interesting and took quite some time. I copied the entire JSON from a problematic dashboard to a test instance running 9.3.1 that has similar test data, and saw no problem. Then, I tried several methods to recreate that problematic dashboard in the 9.2.2 instance. First, I simply copied the JSON to a new test board and saw the same problem. I thought there might be something wrong with the code. So, I copied individual searches and inputs, in two different ways. They all give the same problematic results.