All Posts
Hi @psla , I’m a Community Moderator in the Splunk Community. This question was posted 2 years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post. Thank you!
What do you mean by "HF is forwarding clients to MC"? A DC is issuing a POST to server's 8089 port for a /services/broker/phonehome/<client_info> endpoint. A server either responds if it's a DS or sends 404 if it isn't if I remember correctly. I don't recall any "relaying". What do you mean by "forwarding client info to MC"? Do you see POST /services/broker/phonehome/connection/... entries in splunkd_access.log on the MC? What is the deploymentclient.conf on your UFs? (effective config - from the btool output)
Hi @user487596 , sorry but I don't understand: what do you mean with "in all indexes without loading splunk"? You could use APIs to access Splunk from your application without using the Splunk GUI. Ciao. Giuseppe
Hello @vigneshnarendra. So I'm curious about why maps are dangerous. In some cases system data may be lost. I would like to know the detailed reason why it is possible.
@gcusello , It's pretty clear what to look for, the question is how to do it in all indexes without loading splunk
| rex "^RAISE-ALARM(?<line>.*proxy)"
Have you included search head captain in your search? I believe only the scheduler node will get the failed logs. If you have included them, follow my next steps. Do you find them in your logs and they aren't extracted? Append the below SPL to extract them. | rex field=_raw "status=(?<status>\w+)" Do you get them when you do stats count on status? If not then you have 100% success rate on the searches.
Hi Team, We are using add-on to collect the Azure metrics through REST API. Data is getting ingested into Splunk cloud. However, we are seeing a lag of exactly 4 hours. Splunk Cloud is in UTC time zone. We have set the TZ=UTC in HF apps/local/props.conf as application is writing in UTC time. However, there is a lag in Splunk cloud. https://splunkbase.splunk.com/app/3110 Any help is highly appreciated.
Hi @munang. The risky command warning is only a safeguard for many commands which could be a potential risk if users run them without knowing what they are doing. https://docs.splunk.com/Documentation/Splunk/9.3.0/Security/SPLsafeguards You could set commands.conf as below and restart splunk to remove the warning. [<your_command_name>] is_risky = false
Any ideas how it can be achieved?
Other than poor speed and performance, is there a reason why the map command is considered dangerous? The official documentation says that the map command can result in data loss or potential security risks. But I don't see any details. Why? https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Map
Hi All, I am able to see only 4 statuses. Why am I not able to see status=skipped and status=continued?
As you mentioned, you can only manually link it if it's within the same app. That said, you should fix the actual correlation issue, which will correctly link it to the other application. This might just be due to the correlation not being picked up on the downstream application. Should be a quick fix
Here I mean HF 1 is working as DS for UFs acting as DCs. Other HF i.e. HF 2, is not working as DS for UFs acting as DCs, but rather forwarding the clients info to MC. I don't want my MC to act as DS, I want my HFs to act as DS. Why is one working correctly and the other not?
Still the "is connecting with the UF" part eludes me. It's the DC that connects to the DS, not the other way around. Also "forwarding traffic" is also a strange term here. What do you mean? Sending events via outputs to MC?
What if I want to remove RAISE-ALARM from the start?
The index is appearing inside the indexer cluster dashboard inside the cluster master, but when I try to search it using the Search Head I can't find any data. I looked at splunkd inside one of the indexers and it appears to be working fine. Should I do a restart or something, or do I need to change anything?
Just dedup the field you want:

<input type="dropdown" token="department" searchWhenChanged="true">
  <search>
    <query>index=abc laas_appId=xyz source="/opt/src/var/sample.csv" | dedup department | table department</query>
  </search>
</input>
<input type="dropdown" token="Location" searchWhenChanged="true">
  <search>
    <query>index=abc laas_appId=xyz source="/opt/src/var/sample.csv" | dedup Location | table Location</query>
  </search>
</input>
<input type="dropdown" token="Company" searchWhenChanged="true">
  <search>
    <query>index=abc laas_appId=xyz source="/opt/src/var/sample.csv" | dedup Company | table Company</query>
  </search>
</input>

You should also add a static value of "*" with a label of "All" to each dropdown.
| eventstats values(eval(if(status="Issue","Bad",null()))) as Health | fillnull value="Ok" Health
Try something like this: | rex "^(?<line>.*proxy)"