All Posts

@PickleRick Like, while I am searching in the Splunk indexer, I am not able to see host, index and source for the Windows server at that specific time.
Hi @PickleRick, firstly we are planning to migrate data from the existing server to a new server and then afterwards do the Splunk upgrade, so here I wanted to know the steps for how to migrate data from my existing server to the new server. Within the same server we know how, but now it's a new server, so I'm asking you how to migrate the data. And the second thing: the installation and upgrade my team will take care of; here I need only how to migrate my data. So kindly please help with this.
I would like to seek advice from experienced professionals. I want to add another heavy forwarder to my environment as a backup in case the primary one fails (on a different network and not necessarily active-active).
* I have Splunk Cloud and 1 Heavy Forwarder, 1 Deployment Server on premise.
1. If I copy a heavy forwarder (VM) from one vCenter to another, change the IP, and generate new credentials from Splunk Cloud, will it work immediately? (I want to preserve my existing configurations.)
2. I have a deployment server. Can I use it to configure two heavy forwarders? If so, what would be the implications? (Would there be data duplication, or is there a way to prioritize data?) Or is there a better way I should do this? Please advise.
This issue comes from a distributed environment where you have your search head separated from the indexers. To solve this you will need to create a "dummy index" on your search head with the same name as the one on your indexer which you want to write the message into. This solved it for me.
Source: https://community.splunk.com/t5/Alerting/Alerts-triggered-actions-log-events/m-p/693487
That might indicate issues with the receiving indexer. Check its logs and health.
@PickleRick The error is something like: Read error. An existing connection was forcibly closed by the remote host.
Hi, I found the below information on the community page; however, I am a bit confused about the step-by-step procedure.
Link to the Splunk community: https://community.splunk.com/t5/Getting-Data-In/Reusable-Script-How-to-Reset-All-Tokens-with-a-Single-Click/td-p/472141?_gl=1*kqgr9a*_gcl_au*MTQ1NTQ1MDI1My4xNzMwNzcyMzM2*_ga*MTAzODg1MjI0My4xNzMwNzcyMzM2*_ga_5EPM2P39FV*MTczMDk2OTY3OC4xMS4xLjE3MzA5Njk5MTEuNjAuMC4xNjEyNDY3NTUx*_fplc*eWNFa0M3NWtnT0VvQjdhUjltM0VxTU9ocG1TNjh3aHFIc1l1cnFHN2g3ZGpXaFExTEpBcTdJckFPJTJCJTJCM1czMDBEU1BrUWdzVkE0Z2JrJTJCdkNnOWdpMFRBNyUyQmFGcFU4R3A4d3ExZGdrajdDUVA2VElkcEdPSjMlMkYzc2pzRVZuUSUzRCUzRA
Thanks
1. I'm not sure what you mean by "DR servers" here, since in the main environment you have four indexers and you have only one "DR indexer".
2. The search head must be able to contact the CM, indexers and LM (there can be additional requirements if you're using Stream, but I'm assuming you aren't). So you should simply install a new SH, replicate (most of) the configuration and state (including kvstore contents) from the existing SH, and you should be ready to go. Just tell people to use the new address or update the DNS entry to point to the new SH. Remember to adjust your network settings (firewall holes) for the new SH and check whether you have any IP-based or certificate-based restrictions on your indexer tier.
Strictly technically speaking, you can configure almost any role on any server. But not every such deployment is considered a good practice. Especially with a bigger deployment, the CM is already a relatively "well-stressed" member of your environment (it has enough to do on its own without adding additional roles), so while you can do that, you should rather find another component on which to "colocate" the LM role. Anyway, the "connection timeout" messages typically indicate network-level issues - somewhere the traffic is getting filtered on a firewall (or you have routing problems).
1. If you're migrating into another environment there will be issues. You can't completely seamlessly move from one point to another without anyone noticing. Even if you have some form of HTTP LB in front of your SH(s) so that you can simply point it to another backend, you are bound to at least break existing browsing sessions, there will be issues with replicating last-minute changes between those environments, and so on.
2. There is no way to give precise step-by-step fool-proof instructions which can just be executed without knowing what you're doing.
3. You're talking about migrating just a search head, but you're posting in the Splunk Cloud section of the forum, so it's not clear what you actually wanna do.
Overall, as usual with more complicated stuff and people who ask questions which seem to be significantly above their knowledge/expertise level (I'm not trying to offend you here - I'm trying to save you time/money by preventing you from breaking your stuff), I'd advise seeking help from either Professional Services or your local friendly Splunk Partner who has certified and experienced engineers who will help you get through this process.
Firstly, check what happens - when the UF "stops", check what's at the end of splunkd.log to see whether anything out of the ordinary happened, and look at the Windows system/application logs for entries regarding splunkd.exe to see if there is any indication of the process crashing. It might be a configuration issue, but it might indeed be a software bug, so you might end up calling support for help.
Splunk does not have a native capability to authenticate users against a RADIUS server. If you're using an external app (there is at least one on Splunkbase, but it doesn't seem to be actively maintained), you probably have to either dig into the script code or try to contact the author. I don't suppose it's a very popular way of authenticating with Splunk.
That is an interesting issue, and it's definitely a browser issue. If I run your search, I see the results with proper spacing differences. But. If I go into the page source in developer tools, I get this: They look evenly spaced, right? But they aren't. If I double-click on those values to edit them, they "spread" (I think something changes font-wise when you're editing the contents). So it's definitely something with text rendering on the browser's side.
You're thinking about this too much as a "programming" exercise. SPL works differently. A bit like a bash one-liner (I suppose the pipe chars in the SPL syntax weren't chosen randomly ;-)). So please be a bit more descriptive about what you want to do with those four fields returned from the ldapsearch.
An HF is just an indexer with local indexing disabled. So if you want to index locally, you're effectively turning your server into an indexer with additional forwarding enabled. So while for a "pure HF" the forwarder license will do, for an "indexing HF" you need to properly license the instance as you would with any other indexer.
The question was because if you had an HF in front of your indexers, that's where your index-time props would be applied. Since you're using a UF to push data to Cloud, you indeed need to push an app to the Cloud, as @sainag_splunk wrote.
Pro tip: "no luck" and "doesn't work" are bad words in a discussion forum, as they convey little information in the best-case scenario. If I have to read your mind, the second search returns no result. Is this correct?
Before diagnosing the second search, I want to delve into the first one first. What's wrong with simply plugging your token into that one?
...base search (member_dn=$userid$ OR member_id=$userid$ OR Member_Security_ID=$userid$ OR member_user_name=$userid$)
Not only is this the simplest way you can express your condition, but it is also more efficient.
As to your second one, it does not express what you think it "should" do. When the compiler sees a token in a search, it simply substitutes it with the current value in that token space. Suppose your user sets $userid$ to joeshmoe. After compilation, the SPL engine sees this expression:
index=windows_logs | where joeshmoe IN (member_dn, member_id, Member_Security_ID, member_user_name)
It is highly unlikely for your data set to have a field named joeshmoe AND for this field to have some values that equal one of those four fields. It is much more likely that member_dn, member_id, Member_Security_ID, or member_user_name in your dataset has a literal value of "joeshmoe". In SPL, all eval expressions treat bare words as either a function name or a field name, not a string literal. (As such, the second phrase in that second search, | eval userid=johnsmith, assigns a null value to userid.)
So, if you want to use the where command instead of plugging the token into the index search, quote the token properly:
index=windows_logs | where "$userid$" IN (member_dn, member_id, Member_Security_ID, member_user_name)
I still recommend the first one, however. (Note: search (implied in the first line) is one of few SPL commands that interprets bare words as literals unless they explicitly appear on the left-hand side of a search operator such as = and IN.)
Hope this helps.
Hi @dharris_splunk, there's only one license to index logs, the normal license, as described at https://docs.splunk.com/Documentation/Splunk/9.3.1/Admin/TypesofSplunklicenses . Only for HFs there's a Forwarder license, but it doesn't permit locally indexing logs. Ciao. Giuseppe
Hi @yuanliu, could it be an issue with my Splunk profile? I am using Splunk Enterprise Version 9.0.4. My browsers are Google Chrome Version 130.0.6723.117 (Official Build) (64-bit) and Microsoft Edge Version 130.0.2849.68 (Official build) (64-bit). If it's a browser issue, why is it not working on another browser like Microsoft Edge? Thank you for your help.
HFs do NOT need an enterprise license if you are just ingesting/parsing. On an HF, if you are locally indexing, "you need an enterprise license".
If this reply helps, please UpVote