Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About keerthana_k
keerthana_k
Communicator
Member since:
11-02-2012
06-05-2020
Community Statistics
| Posts | 89 |
| Solutions | 5 |
| Karma Given | 38 |
| Karma Received | 20 |
| Member Since | 11-02-2012 |
Activity Feed
- Karma Re: systemd start restart for splunk not working as expected for neilsquires. 06-05-2020 12:49 AM
- Karma Re: systemd start restart for splunk not working as expected for groland. 06-05-2020 12:49 AM
- Got Karma for Systemd start restart for splunk not working as expected (CentOS 7.3).. 06-05-2020 12:49 AM
- Karma Re: Using Deployment Server as Search Head Deployer for strive. 06-05-2020 12:48 AM
- Karma Re: How to resolve lots of Splunk internal connections in a CLOSE_WAIT status? for strive. 06-05-2020 12:48 AM
- Karma Re: How to force local indexing in each site of a multisite indexer cluster? for jkat54. 06-05-2020 12:48 AM
- Got Karma for Splunk upgrade causes error in Zoom out option in sideview utils based chart. 06-05-2020 12:48 AM
- Karma Re: Restricting index access from apps for gfuente. 06-05-2020 12:47 AM
- Karma Re: How do I change the owner of a saved search or view in a search head cluster environment? for rphillips_splk. 06-05-2020 12:47 AM
- Got Karma for Re: timestamp format of the input files. 06-05-2020 12:47 AM
- Got Karma for Re: timestamp format of the input files. 06-05-2020 12:47 AM
- Got Karma for Re: timestamp format of the input files. 06-05-2020 12:47 AM
- Karma PARSER: Applying intentions failed This search cannot be parsed when parse_only is set to true for Moogz. 06-05-2020 12:46 AM
- Karma Re: Splunk clean eventdata using duration for gkanapathy. 06-05-2020 12:46 AM
- Karma Re: What happens to a summary index search during a server restart? for gfuente. 06-05-2020 12:46 AM
- Karma Re: How to display the timerange of cron schedule in dashboard for jonuwz. 06-05-2020 12:46 AM
- Karma Search Head severe performance issue for flle. 06-05-2020 12:46 AM
- Karma Re: Plotting a trapezoid on a chart and calculating its area for jtrucks. 06-05-2020 12:46 AM
- Karma Re: case: defaulting to "value" rather than NULL for sowings. 06-05-2020 12:46 AM
- Karma Re: Running outputcsv without append option for sideview. 06-05-2020 12:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 |
01-09-2017
02:10 AM
Thank you for your response. Does that mean that there won't be any need to buy additional license for data? We plan on using Splunk only for the app.
... View more
01-06-2017
03:44 AM
Hi,
We have a Hadoop cluster where in we are storing data. We have downloaded Splunk enterprise and the Splunk App for Hadoop Ops to look into our Hadoop cluster operations. We are not going to be indexing any data into the Splunk instance.
This being the case, do we have to pay for the license? As per my knowledge, license is only required when data needs to be indexed into Splunk.
Thanks,
Keerthana
... View more
11-16-2016
09:27 PM
Hi,
We have a Splunk distributed deployment with indexer clustering. We are currently exposing a Splunk app in the search head through REST and using it to fetch results and display in another application. We are currently running about 50 searches every 5 minutes.
However, we find that after a while the Splunk daemon stops responding to requests even though it shows running status. On debugging this issue and going through Splunk documentation and Answers, we want to increase the maxThreads and maxSockets value in server.conf. Currently it is set by default as 0 and we do not want to make in unlimited. How do we calculate the optimum value for these two options? What are the factors that should be taken into consideration?
Thanks,
Keerthana
... View more
11-14-2016
11:18 PM
This issue could still occur after we increase the ulimit when the number of file descriptors reaches 33% of set ulimit value.
... View more
11-14-2016
11:15 PM
Update: All these errors occur after splunk daemon stops responding to requests. Upon further debugging, we found that when splunk daemon stops, the rest.simpleRequest method which is called for authentication times out without closing the connection which results in many threads in CLOSE_WAIT state. We really want to know why exactly splunk daemon stops responding even when the splunk status command shows that splunkd is running.
... View more
11-13-2016
10:22 PM
Hi,
We have a Splunk deployment where we expose a splunk app through REST. We connect to the app and run approximately 50 searches every 5 minutes. However, after a while we observe that the searches stop running. Upon debugging we found the following:
In the webservice.log file, we got the following error:
2016-11-06 06:28:32,809 ERROR [581ecd72c57f75d01abbd0] init:479 - Socket error communicating with splunkd (error=('ssl.c:587: The handshake operation timed out',)), path = https://localhost:8089/services/auth/login
2016-11-06 06:29:02,853 ERROR [581ecd90d17f75d014d690] __init_:479 - Socket error communicating with splunkd (error=('_ssl.c:587: The handshake operation timed out',)), path = https://localhost:8089/services/auth/login
In the python.log file, we got:
Splunkd daemon is not responding: ("Error connecting to https://localhost:8089/services/auth/login: ('_ssl.c:587: The handshake operation timed out',)",)
In splunkd.log file, we got the following error:
11-13-2016 23:18:58.662 +0000 ERROR HttpListener - Exception while processing request from 1.1.1.1 for /en-US/custom/XXX/YYY/URLparameters: Connection closed by peer
11-13-2016 23:18:58.662 +0000 ERROR HttpListener - Handler for /en-US/custom/XXX/YYY/URLparameters sent a 0 byte response after earlier claiming a Content-Length of 26!
We ran the command netstat -neap | grep 8089 and got the following output:
tcp 0 0 0.0.0.0:8089 0.0.0.0:* LISTEN 0 136045514
tcp 0 0 127.0.0.1:8089 127.0.0.1:52914 SYN_RECV 0 0
tcp 0 0 127.0.0.1:8089 127.0.0.1:52908 SYN_RECV 0 0
tcp 1 0 127.0.0.1:8089 127.0.0.1:45149 CLOSE_WAIT 0 139900826 14993/splunkd
tcp 1 0 127.0.0.1:8089 127.0.0.1:45984 CLOSE_WAIT 0 140090123 14993/splunkd
tcp 1 0 127.0.0.1:8089 127.0.0.1:42823 CLOSE_WAIT 0 140067803 14993/splunkd
tcp 1 0 127.0.0.1:8089 127.0.0.1:33117 CLOSE_WAIT 0 140194381 14993/splunkd
tcp 1 0 127.0.0.1:8089 127.0.0.1:48657 CLOSE_WAIT 0 139922911 14993/splunkd
tcp 1 0 127.0.0.1:8089 127.0.0.1:60258 CLOSE_WAIT 0 140186060 14993/splunkd
The ulimit value for the system is set as 4096 and we found event in splunkd.log saying:
11-14-2016 04:13:25.605 +0000 INFO loader - Limiting REST HTTP server to 1365 sockets
11-14-2016 04:13:25.605 +0000 INFO loader - Limiting REST HTTP server to 1365 threads
How do we fix this issue? When does the CLOSE_WAIT status appear for any connection? Any help is greatly appreciated.
Thanks,
Keerthana
... View more
11-08-2016
08:33 PM
We are using splunk version 6.4.0. I am aware that replication and search factor entries are present in default/server.conf too but there might be a case where our customer would have set custom replication and search factors in his local/server.conf file.
... View more
11-08-2016
04:41 AM
Hi,
We are working on migrating a single site indexer cluster to multi-site indexer cluster. For this, we are using Splunk CLI to set the clustering attributes. We are using the following command:
splunk edit cluster-config -mode master -multisite true -available_sites site1,site2 -site site1 -site_replication_factor origin:2,total:3 -site_search_factor origin:1,total:2
However, running this command removes the existing replication factor and search factor entries that are present in the server.conf file. According to Splunk documentation, the replication and search factor values need to be present in the server.conf file to maintain pre-migration data.
Is there something we are doing wrong? How do we maintain the original factors while adding the new attributes for multi-site?
Thanks,
Keerthana
... View more
10-31-2016
05:01 AM
Hi,
Splunk documentation mentions that in case of site failure in a multisite indexer clustering deployment, the master maintains reserved copies of data to be assigned to peers of the non-functional site once it starts functioning again. Is there is any restriction on the time period upto which the reserved copy is kept alive waiting for the site to be up again? Similarly, is there any volume restriction for the same?
Thanks,
Keerthana
... View more
12-30-2015
03:54 AM
Actually we are running the search in back end from a Python script where we form the search query dynamically with the OR conditions. As we are not sure of the number of conditions, I wanted to know if there was a limit.
... View more
12-29-2015
10:31 PM
Hi,
I would like to know if there is a limit to the number of OR conditions that we can include as part of a search query?
Thanks,
Keerthana
... View more
07-13-2015
05:01 AM
Hi,
We have a Splunk application with two indexers and we have summary indexing running on both of them. I would like to know how exactly Splunk does the summarization.
Will the data from both indexers be combined and then aggregated?
Or, will the data be computed individually in each of the indexes?
If the second case is true, how accurate will the data be, considering that metrics like average will vary based on the sum and count of data present in each of the individual indexer?
... View more
12-09-2014
12:44 AM
I am getting the limit as 50000 and not 10500. Also I read in the documentation that join is not affected by this.
[http://docs.splunk.com/Documentation/Splunk/6.2.0/Search/Aboutsubsearches][1]
... View more
12-08-2014
11:37 PM
Hi,
We are currently using join for creating summary index in our application. The search runs on a daily basis for the whole day. However, the results of the sub-search keep getting truncated. We have tried increasing the limits of join in etc/system/local/limits.conf as follows:
[join]
subsearch_maxout = 10000000
subsearch_maxtime = 3600
subsearch_timeout = 3600
In spite of this change, the results still truncated. Can anyone please let me know how to fix this issue.
Thanks,
Keerthana
... View more
10-30-2014
03:46 AM
Hi,
We have two separate analytic apps running in a single setup. Users should be able to access both the apps and view the dashboards present in them. However, currently it is possible for a user to search for data of an app using the search page of the other app.
For example, if we have two apps A and B using indexes indexA and indexB respectively, users are able to search for data contained in indexB from app A's search page.
We want to restrict this in such a way that a user searching in app A should be allowed access only to indexA and user searching in app B should be allowed to access only indexB.
Is this possible? If so, please let me know how it can be done.
Thanks in advance
Keerthana
... View more
09-24-2014
11:24 PM
I am facing the same issue. Can you give me some idea where I can get this library file.
... View more
09-18-2014
11:19 PM
Hi,
We don't need props.conf as we are using the lookup in search query. The app level permission is set to
[]
export = system
... View more
09-18-2014
01:53 AM
Hi,
We have an external lookup script in our application which uses some external database for performing lookup. It was working fine until recently.
We upgraded our Splunk version to 6.1.3. Suddenly the script is returning the following error:
"Script for lookup table 'external_lookup' returned error code 1. Results may be incorrect."
I tried running the script separately by providing input csv file and it worked without any error. So I am assuming this is due to the upgradation.
Below is my stanza in transforms.conf:
[external_lookup]
external_cmd = external_lookup.py
fields_list = field1 field2 field3 field4 field5 field6 field7
where field1 is the input field and the rest are output fields.
Please help me out with the issue.
Thanks,
Keerthana
... View more
- Tags:
- lookup
08-01-2014
02:32 AM
There was an issue in the conf file of my custom module to define the parameters. Once the issue was fixed, the dashboard was loaded correctly.
... View more
08-01-2014
02:24 AM
We had to place the swf component inside the appserver/static folder of our app. Then we were able to access it as follows:
<object id='mySwf' classid='clsid:D27CDB6E-AE6D-11cf-96B8-444553540000' height='100%' width='100%'>
<param name='src' value='/static/app/MyApp/flex/test.swf'/>
</object>
... View more
08-01-2014
02:09 AM
3 Karma
You can do this my mentioning your time format in props.conf file:
Under your configuration stanza, you can add
TIME_FORMAT=%d/%m/%Y
This will ensure that the timestamp for all the events of that type are considered in dd/mm/yyyy format.
... View more
06-10-2014
10:29 PM
Hi,
I have a csv file with nearly 50000 rows. When I try to fetch all the rows using the inputlookup command, I am not able to retrieve all the 50000 rows. Only 42000 odd rows are returned.
Also, when I use this csv for lookup, for all the rows that are present after the 5000th row, lookup is not happening. However, if I take a particular row and place it within the 5000 rows, lookup happens succesfully.
Can anyone explain this strange behavior? Please let me know what changes I should make in conf files to enable succesful lookup.
I checked the max_memtable_bytes value in my setup and my csv file size is way below the limit.
Thanks,
Keerthana
... View more
- Tags:
- csv
- inputlookup
- lookup
04-25-2014
05:51 AM
Hi,
We are using Splunk native apps to display geo based information. When we hover over the points plotted, the latitude and longitude information gets displayed. Is there any way we can avoid it? I want only the metric to be displayed. My search query is as below:
my search | geostats sum(Count) as Total
Here I want only the Total value to be displayed and the latitude and longitude values to be removed. Please help me out.
Thanks,
Keerthana
... View more
- Tags:
- map
04-10-2014
04:58 AM
1 Karma
We have a CSV table from where we perform lookups. The CSV file has nearly 50000 rows. When I run the lookup query, results are not returned for some of the rows. I picked one value for which lookup was not happening, made its entry the first row (earlier it was the 5286th row) in the CSV and reduced the number of rows in the CSV to 3. The lookup was then successful.
Is there any limit to the number of rows that will be looked up when we run lookup command?
I checked the max_memtable_bytes value in my limits.conf and the CSV table size is way below the limit. We use Splunk version 5.0.4
Thanks,
Keerthana
... View more
- Tags:
- lookup
