All Posts

I have logs indexed like this. How do I break entries based on each line? I need each line as a separate entry. I tried to do this via line breaker but didn't succeed. Is there any method to do it via search after indexing?
Hello, I am trying to integrate the Splunk UI Toolkit into my own Splunk instance that is running on localhost. I am using React to get a session key with the following function:

```javascript
async function GetSessionKey(username, password, server) {
  var key = await fetch(server + "/services/auth/login", {
    method: "POST",
    body: new URLSearchParams({
      username: username,
      password: password,
      output_mode: "json",
    }),
    headers: {
      "Content-Type": "application/x-www-form-urlencoded",
    },
  })
    .then((response) => response.json())
    .then((data) => {
      return data["sessionKey"];
    });
  return key;
}
```

But I always get this on my network showing
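The same login exchange, as an added example that is not the poster's code and not part of the Splunk UI Toolkit: the `fetch` implementation is injected so the block runs offline against a constructed fake splunkd, the HTTP status is checked before `sessionKey` is read (the original resolves to `undefined` on a 401 instead of failing loudly), and the `Authorization: Splunk <sessionKey>` header a follow-up REST call needs is built from the key. The server URL, credentials, session-key value and the `messages` array in the error body are all assumptions made for the example; the error-body shape in particular is an assumed approximation of Splunk's JSON error format.

```javascript
// Added example: Splunk REST login via /services/auth/login with an injectable
// fetch so it can run offline. Not the poster's code, not the Splunk UI Toolkit.

const SPLUNK_LOGIN_PATH = "/services/auth/login";

// Build the request the login endpoint expects: form-encoded credentials,
// JSON output requested. Trailing slashes on the server URL are tolerated.
function buildLoginRequest(server, username, password) {
  const url = server.replace(/\/+$/, "") + SPLUNK_LOGIN_PATH;
  const body = new URLSearchParams({ username, password, output_mode: "json" });
  return {
    url,
    init: {
      method: "POST",
      body: body.toString(),
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
    },
  };
}

// Log in with an injected fetch. Throws on a non-2xx status, a non-JSON body,
// or a body without sessionKey, rather than silently resolving to undefined.
async function getSessionKey(fetchImpl, server, username, password) {
  const { url, init } = buildLoginRequest(server, username, password);
  const response = await fetchImpl(url, init);
  let data;
  try {
    data = await response.json();
  } catch (e) {
    throw new Error(`login to ${url} returned a non-JSON body (HTTP ${response.status})`);
  }
  if (!response.ok) {
    // Assumption: errors arrive as {"messages":[{"type":..., "text":...}]}.
    const text = (data.messages || []).map((m) => m.text).join("; ");
    throw new Error(`login to ${url} failed: HTTP ${response.status} ${text}`);
  }
  if (typeof data.sessionKey !== "string" || data.sessionKey.length === 0) {
    throw new Error(`login to ${url} succeeded but returned no sessionKey`);
  }
  return data.sessionKey;
}

// Header to send on subsequent REST calls once a session key is held.
function splunkAuthHeader(sessionKey) {
  return { Authorization: `Splunk ${sessionKey}` };
}

// Constructed fake fetch standing in for splunkd on localhost:8089. It records
// every call so the request shape can be inspected, and only accepts one
// username/password pair (assumed values, not real credentials).
function makeFakeSplunkFetch(validUser, validPass) {
  const calls = [];
  const fetchImpl = async (url, init) => {
    calls.push({ url, init });
    const form = new URLSearchParams(init.body);
    const ok =
      init.method === "POST" &&
      url.endsWith(SPLUNK_LOGIN_PATH) &&
      form.get("username") === validUser &&
      form.get("password") === validPass;
    const payload = ok
      ? { sessionKey: "constructed-session-key-123" } // constructed value
      : { messages: [{ type: "WARN", text: "Login failed" }] }; // assumed shape
    return { ok, status: ok ? 200 : 401, json: async () => payload };
  };
  return { fetchImpl, calls };
}

// Stand-alone demo: one successful login, one rejected login.
async function demo() {
  const { fetchImpl, calls } = makeFakeSplunkFetch("admin", "changeme");
  const key = await getSessionKey(fetchImpl, "https://localhost:8089/", "admin", "changeme");
  console.log("session key:", key, splunkAuthHeader(key));
  console.log("request sent:", calls[0].init.method, calls[0].url);
  try {
    await getSessionKey(fetchImpl, "https://localhost:8089", "admin", "wrong");
  } catch (e) {
    console.log("expected failure:", e.message);
  }
}

if (typeof require !== "undefined" && require.main === module) demo();
```

Swapping `makeFakeSplunkFetch(...).fetchImpl` for the browser's `fetch` gives the real call; the status check is the part worth keeping, because a rejected login otherwise yields `undefined` and the failure only surfaces later as an unauthenticated request.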
With HF it can be complicated, because the problem here typically is not having multiple instances but _not_ having multiple input instances running at the same time, and you'd need to replicate the state of the inputs in case of a need for fail-over. There is nothing out-of-the-box to do it. You can devise something with zip ties and duct tape, but those solutions typically have some issues specific to the chosen architecture. Of course, if you're not running any scripted/modular inputs and only have HFs as a "parsing layer" in front of the indexers, there is no problem with having multiple HFs receiving data from UFs.

With SC4S there is no problem with running multiple instances. The problem is that you want the sources to send to only one of them. You can try some tricks with a "floating IP", either on the hosts themselves using keepalived or something similar, or on the router using some form of network-level load balancing, but it doesn't give you a 100% guarantee of no data loss during the switchover period. It's just how syslog works.
And back to the original question - I suspect it's just how it works. Macro expansion is after all just a simple string substitution, there is no complicated magic behind it. If it's something that could be useful, you might consider posting an idea on https://ideas.splunk.com
Nothing happens when I use it; it doesn't fill the rows below when I use that. The issue is happening for both catchup_updated_time and sky_ui_timestamp.

```
| sort -sky_id
| eventstats values(catchup_updated_time) as catchup_updated_time, values(sky_ui_timestamp) as sky_ui_timestamp by sky_id
```
Hi @ejwade, I'm a Community Moderator in the Splunk Community. You are replying to a question that was posted a couple of years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question with the errors so that your issue can get the visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post. Thank you!
Hi @PeterBoard, in fact we recently faced the same issue on a domain controller server where the UF stopped sending data; we found that the queues had filled up. As per support, they asked us to change useACK to false to avoid the issue, and they said it is not recommended to use useACK = true on a UF. In your case, did you observe any errors in splunkd.log during the issue?
So what happens if you use eventstats instead of filldown?
How can we do high availability for Heavy Forwarders and SC4S?
Hi @jsbapple, I'm a Community Moderator in the Splunk Community. You are replying to a question that was posted a couple of years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post. Thank you!
Hi Splunkers, Splunk Enterprise: 9.2.2; Splunk Security Essentials: 3.8 (and 3.4). I installed Splunk Security Essentials 3.8, but I can't launch the app due to a Custom JavaScript Error. I tried using an older version of SSE, but it didn't resolve the issue. I also enabled the 'old version' setting in the internal library, but it still didn't help. If you know the solution, please help.
FYI, this was before the `| filldown catchup_updated_time sky_ui_timestamp`.
Hi, thanks for helping! I still got this: that first entry for 10:03:16... shouldn't be the case, and it should be 10:02:43.
Thanks @ITWhisperer  That worked perfectly. 
Hey, are you seeing any ERRORs in splunkd for this app and Python? I really think this is a Python compatibility issue, as Splunk Enterprise v9.3 supports apps with Python v3.9 only.
Hi all, may I know if you are excited to join the September user group meeting of the KL Malaysia Splunk User Group? I am planning this one for the 2nd weekend of September (14th Sat or 15th Sun), and there will be some real practical workshops, so pre-registration is required so that I can keep a lab setup ready for you. See you, virtually; let's learn Splunk. Thanks. Best Regards, Sekar
I restarted the indexers and CM multiple times. It seems to clear up a few buckets, but then sits there in a pending state.
The /bin is not in the JAVA_HOME nor in the config file, which made the problem more perplexing. After uninstalling/reinstalling and trying everything I could, I now have a new problem. The new error is now: "The Task Server is currently unavailable. Please ensure it is started and listening on port 9998. See the documentation for more details"
@ITWhisperer Thanks, but those didn't work. I tried both of these:

```
| makeresults | fields - _time | eval count=mvcount($servers_entered$)
```

```
mvcount($servers_entered$)
```

The first errors. The second returns 0.
Have you tried `mvcount($servers_entered$)`?