Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About amitm05
amitm05
Builder
Member since:
04-30-2018
03-25-2021
Community Statistics
| Posts | 145 |
| Solutions | 19 |
| Karma Given | 24 |
| Karma Received | 51 |
| Member Since | 04-30-2018 |
Activity Feed
- Got Karma for Re: How to add a new search head to an existing SHC?. 05-22-2025 03:38 PM
- Got Karma for Re: Is there any option in Splunk to run a search in a loop?. 08-21-2024 07:08 AM
- Got Karma for Re: Help understanding real time searches. 07-22-2024 05:50 AM
- Got Karma for Re: How to add a new search head to an existing SHC?. 08-30-2022 08:07 AM
- Got Karma for Re: Trying to fix the corrupted bucket. Error - JournalSliceDirectory: Cannot seek to rawdata offset 0. 08-24-2021 01:47 AM
- Karma Search head dashboards receiving warning "Unable to distribute to peer named" for TISKAR. 06-05-2020 12:50 AM
- Karma How to prevent duplicates in batch mode? for trenin. 06-05-2020 12:50 AM
- Karma Re: How to count number of days a Store in is RED? for Shan. 06-05-2020 12:50 AM
- Karma Re: Splunk Cooked Data for arlombar. 06-05-2020 12:50 AM
- Karma Re: Self Signed Certificates in splunk for MoniM. 06-05-2020 12:50 AM
- Got Karma for Re: How do I set rising column when executing a script in DBConnect (SQL Server)?. 06-05-2020 12:50 AM
- Got Karma for Re: How do I set rising column when executing a script in DBConnect (SQL Server)?. 06-05-2020 12:50 AM
- Got Karma for Re: Search head dashboards receiving warning "Unable to distribute to peer named". 06-05-2020 12:50 AM
- Got Karma for Re: How to find earliest time a string appeared in a value?. 06-05-2020 12:50 AM
- Got Karma for Re: How to create a simple dashboard showing AD admin account lockout events?. 06-05-2020 12:50 AM
- Got Karma for Re: Line Breaking Not Working for some IIS logs. 06-05-2020 12:50 AM
- Got Karma for Re: Does the bandwidth between the splunk server and the client make difference in the time of response of the query?. 06-05-2020 12:50 AM
- Got Karma for Performance impact of connection refusals (Fwd --> Idx). 06-05-2020 12:50 AM
- Got Karma for Re: How to configure source_type to regex value?. 06-05-2020 12:50 AM
- Got Karma for Re: Does dbinspect output include cluster replication (RF) configuration?. 06-05-2020 12:50 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 1 |
06-27-2019
10:29 AM
yes, that is one alternative around it.
I still think, trying to upgrade your DB Connect to the latest might also work this out for you. But I'll leave this choice on to you. Thanks !
... View more
06-26-2019
01:02 PM
Have you tried this? Let us know.
You can also mention if you have already sorted this out OR Accept this one if it worked. It'll help others. Thanks
... View more
06-26-2019
12:59 PM
Do you have a Self Service or a Managed Splunk Cloud deployment ?
If it is Self Service, You must be a Splunk Cloud administrator to install and manage apps in your Splunk Cloud deployment.
It also needs to be checked if this app is available for self service installation OR whether you need to ask Splunk support to do that.
Check this -
https://docs.splunk.com/Documentation/SplunkCloud/7.2.6/User/SelfServiceAppInstall
... View more
06-26-2019
12:47 PM
Please let us know if this helps or if you require to discuss anymore. Thanks
... View more
06-26-2019
12:42 PM
ganon640
Try this -
| makeresults | eval Feature.Flags.1 = "True", Feature.Flags.2 = "abc", Feature.Flags.3 = "xyz" | eval HostFlags="" | foreach "Feature.Flags"* [eval HostFlags='<<FIELD>>'] | where HostFlags!="" | table Feature.Flags*
And
| makeresults | eval Feature.Flags.1 = "True", Feature.Flags.2 = "abc", Feature.Flags.3 = "" | eval HostFlags="" | foreach "Feature.Flags"* [eval HostFlags='<<FIELD>>'] | where HostFlags!="" | table Feature.Flags*
The first one will give you result and the second one will not. Which is what your criteria is.
Let me know. Thanks
... View more
06-26-2019
12:20 PM
Hi @adalbor
Can you mention how is the log collection currently done ?
Is it UF -> HF -> Idx
OR HF -> Idx
If its the first case, you can just remove the HF layer for these windows logs and forward your logs directly UF -> Idx.
If its the 2nd case, I think you need to define these rules only on Indexer and not on your HF.
Let me know, if there is a gap in understanding yet.
Thanks
... View more
06-26-2019
12:02 PM
@suneel_k
I think the error in itself is clearly stating what the problem is. Have you followed the steps mentioned ?
A related thread if it helps you -
https://answers.splunk.com/answers/563957/error-when-accessing-apps-in-splunk-free-enterpris.html
... View more
06-26-2019
08:15 AM
1 Karma
@alanzchan
The decision is based on your requirements. Following is how this should be evaluated.
Normally self signed certificates are used in test/dev environment and external certificates are used in PROD. However, again depends on your data/environment security requirements and also the network zone you have set up your splunk infra. If it's exposed to "outside" world, it's always advised to use a proper certificate.
See -
https://conf.splunk.com/session/2015/conf2015_DWaddle_DefensePointSecurity_deploying_SplunkSSLBestPractices.pdf
Default certificate like you are following are not considered highly secure. If you want to get rid of your error, you'd want to go by this - https://docs.splunk.com/Documentation/Splunk/7.1.2/Security/Howtogetthird-partycertificates
Hope this helps. Let me know !
... View more
06-26-2019
06:33 AM
@tanzic
There is no limit stated by Splunk on the number for forwarders used with Free Splunk. So, I'll say you can go ahead and use as my UFs you want to use. It is only about the license usage which should remain within 500 MB and ofcourse it would be a 30 day trial period.
Thanks.
... View more
06-26-2019
03:03 AM
Ques -
Have you made sure you have relevant data events available on the dates of 18, 19, 20 ?
Is this the same behavior if you run your search over a different set of 7 days ?
... View more
06-26-2019
12:18 AM
yes thats correct understanding.
Glad that it helped. Can you accept this as an answer please.
... View more
06-26-2019
12:09 AM
No. with gunzip it wasnt working. I wasnt even able to get ahead of the first step. The second command was throwing error only.
May be the point is that 7z can also help, but ofcourse you'll have to choose gz while recompressing it back because that is what splunk expects.
... View more
06-25-2019
01:34 PM
1 Karma
I am not sure if you'd find many people who might be using Splunk in this manner.
But however at a high level for your requirement, it looks like you'll have to create templates for your VMs with specific Splunk Roles i.e indexers, search heads, Cluster Master, License Master etc.
If its only the clusters that you'd require to tear down and not the forwarders layer. You'd want to also reserve IPs for your indexers. So that whenever your clusters are available, forwarders can start sending data.
You'd require to consider connectivity tests to be run everytime after bringing up the clusters back. As well as a devops pipeline for installing the Splunk and deploying the relevant splunk confs.
An automated LDAP integration of your SHs so that your users are able to access and not have to do it all over manually.
I hope this gives you some tips.
... View more
06-25-2019
01:20 PM
@spectrum2035
Only the error does not give much info. Can you try to add some more info about the error ?
I am guessing if SHC means Search Head Cluster. Please check if you are able to find any errors/warnings in Monitoring Console on your search head dashboards and any warnings on General Health checks
... View more
06-25-2019
01:11 PM
@gregbo
Couple of queries - Can you mention where are you trying to get the perfmon data from ? Is this from local Splunk instance Or forwarder based ? To which user are you setting the permission ?
... View more
06-25-2019
01:03 PM
Hi wryanthomas
Can you specify which addon are you talking about ?
By the way, there can be addons which needs to be directly installed to SHs. These are valid in the cases where an addon specifically is being used for generating lookups to enrich your data with some intel.
One such example is https://splunkbase.splunk.com/app/3127/#/overview
So principally there is nothing wrong if your addon is only installed on SH and is directly creating/updating some lookups only.
Hope it answers your doubt. Let me know
... View more
06-25-2019
12:50 PM
1 Karma
Sorted.
Downloaded the journal file from the server. Decompressed it using 7z. Then recompressed to gz. Put it back in the bucket. And restarted splunk.
... View more
06-25-2019
12:47 PM
Hi David
Tried these but nope. Additionally I tried the exporttool to csv and then import back to reconstruct the bucket. But its failing to read the journal at all
... View more
06-25-2019
12:45 PM
yes, I've tried these steps already but its still not able to fix the jornal.gz
... View more
06-25-2019
11:41 AM
The searches that you are making with |dbquery arent getting indexed in splunk. You are just firing these queries directly on your DB through splunk. In splunk you can use the splunk commands on the results captured from this dbquery (if this is what you meant by saying that database releated search query is processed by splunk).
... View more
06-25-2019
10:03 AM
3 Karma
@maniu1609
I believe you should once go through -
https://docs.splunk.com/Documentation/Splunk/7.3.0/Indexer/Sitereplicationfactor
https://docs.splunk.com/Documentation/Splunk/7.3.0/Indexer/Sitesearchfactor
These will really help you clear your concept and in taking your decision.
At high level, replication and search factors is a trade off between performance/availability and disk space.
The more you increase on your search and replication factors, the more space you require. So that is certainly a factor to consider if you have a high data ingestion. This has to be calculated against data availability that you want.
For my suggestion to your specific env, taking both disk space and data availability into consideration. I'd say -
site_replication_factor = origin:2,total:3
site_search_factor = origin:1,total:2
This would mean that for :
replication factor - your data origin site will always have 2 copies and 1 copy with the other site. There will be a total of 3 copies always across the 2 sites.
search factor - your data origin site will always have 1 searchable copy and 1 copy with the other site. There will be a total of 2 copies always across the 2 sites.
Please accept as answer and upvote if this helps. Thanks.
... View more
06-25-2019
09:09 AM
@mmsbswe
Looks like you are trying to do this on the Univ forwarder itself. These would not apply on UF.
You'd require to take these settings of props.conf and transforms.conf onto your indexer.
Thanks!
... View more
06-25-2019
01:35 AM
Which version of Splunk are you on ?
The point is not that whether you are getting the option from GUI or not. Even if one is not getting it, I guess it can even then be given from the conf directly.
It is about the essence of it. In real time, your rolling window period keeps on adjusting the new search time window which means that at real time you are getting the coverage as per your defined criteria.
Still setting the cron job would keep on filling your dispatch and hit the performance and you will have to set a pretty low job expiration time because you would not want too many RT searches running Live on your system when all those jobs would be returning you with the same alert result.
If the cron time has to be filled - You must give it a 24 hour cron, as the default expiration time of searches in dispatch is 24 hours (if you have not changed it to something else). So basically at the run time of every new search you would expire your previous one.
... View more
06-25-2019
12:28 AM
1 Karma
@yutaka1005
Yes, the default listing of this setting is not there on Retention policies in Index Detail: Instance
You can relax if you are worrying about this setting is in-effect or not.
Thanks !! Let me know if there is any other doubt
... View more
06-24-2019
11:55 PM
1 Karma
@astatrial
https://docs.splunk.com/Documentation/SplunkCloud/latest/Search/Aboutrealtimesearches
https://docs.splunk.com/Documentation/Splunk/7.3.0/Alert/DefineRealTimeAlerts
The above will be good reads to start with understanding RT searches and alerts in Splunk.
To answer your ques - Yes, in your case as the data is being injected into splunk all the time, a real time search keeps looking at the incoming steam of data continuously as well.
Now having said that realtime search runs continuously, so having a cron (rerun search at fixed interval) does not make much of a sense. For real-time saved searches, as soon as you click "Save", it will start running and KEEP running.
You'd find that while setting up the alert, you'd not find any Cron setting option on the GUI if you try to set a Real Time alert.
Hope this helps. Let me know.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-25-2021
10:22 AM
|
Karma from
