All Posts

Hi @hazem, I'm not an expert in Load Balancers, and, as @isoutamo said, it depends on the Load Balancer: ask this question to a specialist of your LB. Ciao. Giuseppe. P.S.: Karma Points are appreciated by all the contributors
I had this same issue on a new install of Splunk; clients that still didn't have the universal forwarder removed were connecting to this new instance. After removing the UF from those machines I was trying to delete them from the client list and was receiving this message, and it would not go away. I needed to re-enable the deployment server on the new instance in order for me to delete clients, by running the following commands. Worked for me, hope it helps.
    sudo /opt/splunk/bin/splunk enable deploy-server
    sudo /opt/splunk/bin/splunk restart
Unfortunately no. The dashboard studio PDF export function will put the entire dashboard on a single page. The older XML dashboards could at least split their exported PDFs into pages. You may find some success in exporting the dashboard studio PDF as a single page, then "print to PDF" with the "Page Sizing" set to "Poster". This should split your single-page PDF to a multi-page PDF, but it will likely take a lot of trial-and-error to get the formatting right. Another workaround is to have multiple dashboards (Part1,Part2,Part3 ... etc) and export PDFs for each of them, then combine them by printing them all to a single PDF.
Are you able to re-create the dashboard by copying the source code of that dashboard into a new dashboard both within and outside the ITSI app? This would at least show that there isn't an outside item creating that gap. Then there must be something in the dashboard source code that you can adjust to change the gap height. I don't have ITSI in my test machine so I could not test it myself.
There are some troubleshooting steps you could try:
1. Use a different browser
2. Try to edit other macros
3. Try to add a new macro
4. Try to edit other knowledge objects, like field extractions, dashboards, etc
5. Make a new user with very high permissions (e.g. admin) and try editing the macro with it
6. Install a new search head, connect it to your indexers, then edit the macro
It is hard to say. If you must know what happened, then you could try installing Splunk into the drive again after formatting the drive to the state it was before install, and then see if it creates the problem again.
Hi everyone, I’m working on a dashboard in Dashboard Studio and need some guidance on exporting it as a PDF. Specifically, I would like to know how to split a multi-panel dashboard into several pages when downloading it as a PDF. Is there a way to configure the layout or settings to achieve this? Any tips or best practices for organizing content in Dashboard Studio to ensure each section appears on a separate PDF page would be greatly appreciated! Thanks in advance for your help!
As I said, this depends on e.g. whether you are using plain syslog, UDP vs TCP vs TLS etc. If you are using UDP, it doesn't matter what you are doing, you will lose some events anyway.
Hello @isoutamo, please advise on the load balancing method for connectivity from the source IP to the forwarder node: persistence, or can we keep it round robin? We have 2 forwarders.
Okay, thank you @isoutamo @PickleRick, at least Splunk can ingest everything. If the analyst wants specific data, they can regex it.
As I said, this depends on the LB. With some vendors you will lose events if the LB checks whether the backend is up or down, and if it is down then e.g. F5 just drops the packet (or at least it did a couple of years ago when I last used it). You must change the profile to get it to work correctly.
That's true when you are using UDP and pure syslog. But fortunately you can usually select another transport protocol than UDP for syslog, or even use rsyslog with RELP. In those cases I strongly recommend using an LB with the correct configuration.
As with most other configuration items, the answer here is also that it depends on your environment. There are some known issues with some vendors and, as @PickleRick said, pure syslog traffic with UDP is not a good candidate for LB. But e.g. if you are using rsyslog with the RELP protocol then it's a totally different case. You could use e.g. F5 in front of rsyslog backends and this works well after you have selected e.g. the FastL4 profile for the LB. Without it you will lose some events. r. Ismo
I agree with @PickleRick that this is quite probably ok. It’s totally dependent on your data.
Hello @gcusello, please advise on the load balancing method for connectivity from the source IP to the forwarder node: persistence, or can we keep it round robin? We have 2 forwarders.
This actually looks OK-ish. You probably have some json data which gets parsed into those "multilevel" fields.
Well, not everything can be solved just by joined community wisdom. Sometimes you simply have to raise a support case.
Hi @isoutamo, thanks for your information. After I checked it:
- Splunk Add-on for Unix and Linux [Installed]
- Splunk Common Information Model (CIM) [Installed]
- InfoSec App for Splunk [Not Installed]
For the UF issue there is no problem at all, here I can get all the logs I need. It's just that the data I get has messy fields like this picture. I think it's not okay, that's why I created a topic to ask about this problem.
Hi @PickleRick @marnall, thank you for your advice, but unfortunately I still can't change it even after I clear my cookies and/or cache. Can this issue be solved using another method?
Using Windows 10, I installed Splunk onto the drive folder itself (not the drive where Windows was installed) and then I wasn't able to access the drive. Properties showed it had 0 storage and the default name of the drive in "My PC" was NFTS drive or something. Could not find the uninstall button in the apps settings, nor could I find any services related to Splunk in Windows services or task manager. I couldn't use the Splunk application itself either. Couldn't find a Splunk folder in the C drive either. I tried to run: chkdsk X: /f /r in CMD and I got the error "Chkdsk cannot dismount the volume because it is a system drive or there is an active paging file on it". I couldn't format the drive because it said it was in use. I ended up booting into safe mode and formatted the drive there, which has solved all my issues, but does anyone know what the issue was?