Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- About hettervik
hettervik
Builder
Member since:
09-25-2015
Friday
Community Statistics
| Posts | 277 |
| Solutions | 24 |
| Karma Given | 117 |
| Karma Received | 59 |
| Member Since | 09-25-2015 |
Activity Feed
- Got Karma for How to find the worst searches in your Splunk environment and how to fix them. 2 weeks ago
- Got Karma for How to find the worst searches in your Splunk environment and how to fix them. 2 weeks ago
- Posted How to find the worst searches in your Splunk environment and how to fix them on Community Blog. 2 weeks ago
- Posted Re: AD-HOC searches on Splunk Enterprise. 3 weeks ago
- Got Karma for Mastering Splunk Source Types: A Complete Q&A Guide. 03-26-2026 01:33 PM
- Got Karma for Mastering Splunk Source Types: A Complete Q&A Guide. 03-26-2026 07:46 AM
- Got Karma for Mastering Splunk Source Types: A Complete Q&A Guide. 03-24-2026 09:11 AM
- Posted Mastering Splunk Source Types: A Complete Q&A Guide on Community Blog. 03-24-2026 09:00 AM
- Karma Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense Architect Certification (Beta) for cskokos_splunk. 03-24-2026 01:53 AM
- Posted Re: How long are asset list field values stored in the Splunk ES asset list framework? on Splunk Enterprise Security. 03-09-2026 04:20 AM
- Posted Re: How to periodically clean the Splunk ES asset list? on Splunk Enterprise Security. 03-09-2026 04:06 AM
- Karma Re: how can i list all indexes and sourcetypes?! for Micheal_S. 02-19-2026 05:10 AM
- Posted How to periodically clean the Splunk ES asset list? on Splunk Enterprise Security. 02-11-2026 04:25 AM
- Karma Re: Remove button for AI Assistant in Splunk Enterprise for thahir. 01-29-2026 02:23 AM
- Posted Remove button for AI Assistant in Splunk Enterprise on Splunk Enterprise. 01-25-2026 11:57 PM
- Posted Re: How long are asset list field values stored in the Splunk ES asset list framework? on Splunk Enterprise Security. 01-25-2026 11:36 PM
- Got Karma for Super Optimize your Splunk Stats Searches: Unlocking the Power of tstats, TERM, and PREFIX. 11-04-2025 06:00 AM
- Karma Re: Is there a way to re-index data from an index to a new index, on a indexer cluster, without using collect? for PickleRick. 10-16-2025 04:17 AM
- Got Karma for Super Optimize your Splunk Stats Searches: Unlocking the Power of tstats, TERM, and PREFIX. 10-15-2025 08:07 AM
- Got Karma for Super Optimize your Splunk Stats Searches: Unlocking the Power of tstats, TERM, and PREFIX. 10-12-2025 11:46 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 2 | |||
| 3 | |||
| 0 | |||
| 0 | |||
| 6 | |||
| 0 | |||
| 0 | |||
| 2 | |||
| 0 | |||
| 0 |
03-28-2017
11:15 AM
I was thinking, if you set HEADER_FIELD_LINE_NUMBER so that Splunk will start reading the file from the line you want Splunk to read from, reading only the last "xxx" lines, wouldn't that work?
... View more
03-27-2017
11:16 PM
1 Karma
I don't know if this is what you're looking for, but you could perhaps set the HEADER_FIELD_LINE_NUMBER in props.conf.
HEADER_FIELD_LINE_NUMBER = integer
- Tells Splunk the line number of the line within the file that contains the header fields. If set to 0, Splunk attempts to locate the header fields within the file automatically.
- The default value is set to 0.
... View more
03-27-2017
06:41 AM
Maybe I'm missing something here, but I can't see that this app has a tags.conf, which I understand is needed to map logs to CIM. My events looks like the samples presented by Splunk in the documentation.
http://docs.splunk.com/Documentation/Splunk/6.5.2/Data/MonitorActiveDirectory#Sample_AD_monitoring_output
... View more
03-27-2017
06:29 AM
Thank you for you answer. I was actually wondering if there's a TA for the ActiveDirectory logs that can map them to CIM. If that's even possible at all?
... View more
03-27-2017
03:21 AM
Hi. Did you find an answer for what to do with your ActiveDirectory logs? I'm facing the same issue here.
... View more
03-27-2017
12:05 AM
The solution was to run the "splunk resync kvstore" command, as linked to from the following thread:
https://answers.splunk.com/answers/513239/remove-reference-to-host-in-mongodb.html
... View more
03-27-2017
12:01 AM
The "splunk resync kvstore" command was just what I was loooking for, thanks! Worked like a charm.
... View more
03-23-2017
12:39 PM
Thanks for your comment. We are aware of the procedure in the Splunk documentation, but in this case, what's done is done. We could perhaps set up a new VM, install Splunk on it, and "trick" the search head cluster into believing that this new instance was the previously deleted instance. Then we could properly remove it, though this method takes a lot of extra work. A simpler way would be preferable.
... View more
03-23-2017
05:38 AM
Hi,
we have a search head cluster where a couple of the search heads where removed by shutting down the VMs. In other words, the search heads wasn't removed gracefully as they should be. Now the remaining search heads is complaining because mongodb can't reach the removed search heads. I'm getting the following error messages:
2017-03-23T12:27:42.296Z I NETWORK [ReplExecNetThread-1919] getaddrinfo("prod-searchhead-x") failed: Name or service not known
2017-03-23T12:27:42.290Z I REPL [ReplicationExecutor] Error in heartbeat request to prod-searchhead-x:8191; Location18915 Failed attempt to connect to prod-searchhead-x:8191; couldn't initialize connection to host prod-searchhead-x, address is invalid
Anyone knows how to forefully remove a host from mongodb in the search head cluster, so that we'll get rid of these error messages?
... View more
03-07-2017
08:16 AM
Unfortunately it didn't solve the problem with the KV Store. We'll create a ticket for Splunk Support. I'll update my question here when we find a solution. 🙂
... View more
03-03-2017
01:36 AM
Thank you, we'll try it out! Do you know if this will remove stored references to the deleted search head VMs in the KV Store as well?
... View more
03-02-2017
06:28 AM
Hi,
We had some search heads in a cluster, running on VMs. A couple of the VMs were deleted without properly removing the search heads from the search head cluster first. Now, Splunk is complaining that it can't reach some of the search heads in the cluster. When we try to remove them from the cluster, Splunk won't do it since it gets no reply from the search heads (obviously, since the VMs are deleted).
How to we "force" the search heads out of the search head cluster when the search heads no longer exist?
Cheers.
... View more
01-19-2017
01:40 AM
Hi,
Long time no see!
Do you know why this error can occur? Could it be because the LINE_BREAKER is not configured right, and thus certain events get to big for this mpool thing?
... View more
05-25-2016
01:20 AM
Thanks for your answer! So, if we use one of these storage types, is the data still accessible from Splunk Cloud? I mean, Splunk can set it up for me so that when data is rolled to e.g. cold it is moved from the indexer in the cloud to some data storing service that can store bigger amounts of data?
Also, I see that it's possible to buy storage increments of 500 GB for Splunk Cloud, but I'm guessing this is rather expensive compared to moving the cold/frozen data to e.g. a local storage.
... View more
05-25-2016
01:05 AM
Okay, I have an open case at Splunk Support on this issue, but haven't had any activity on the case for about three weeks now. Looks like it has come to a dead end. After some discussions with several colleagues we've come to the conclusion that there are some "hidden" capabilities for the default Splunk roles, meaning that you can't just copy the capabilities from e.g. the default admin role and create a custom admin role with the same capabilities but different indexes. Sorry, this is the best answer I can give. Case closed.
... View more
05-11-2016
06:46 AM
Hi,
I've looked around in the documentation for how to set an archiving policy in Splunk Cloud, but I haven't found an answer yet. I know that the document "Safeguarding Customer Data in Splunk Cloud" talk about archiving, but in this paper they call it archiving when data is rolled from hot to warm. I want to to know if there's a way to roll to frozen in Splunk Cloud, and if so, what's the price of storing data this way compared to storing data in warm buckets?
... View more
05-11-2016
06:40 AM
Hi, I have a follow-up question. Whenever I create an index in Splunk Cloud I can set the retention time to whatever I want, so where does the "default" retention on 90 days take effect? Is it so that if I set a retention time to 150 days, data will still be deleted after 90 days?
... View more
05-11-2016
01:40 AM
You are absolutely right! The app I was looking at was from a former Splunk Cloud Trial instance. There is another app for the new prod-instance of Splunk Cloud which has all the servers listed. That surely clears things up. Thanks!
... View more
05-11-2016
01:28 AM
Thanks for your fast answer. So the fact that it says id.cloud.indicates that there's only one indexer? If so, why are there five servers showing in my Splunk Cloud GUI? These five show when i search for * with value, count and percent.
idx2.<customer>.splunkcloud.com 383 30.763%
idx3.<customer>.splunkcloud.com 292 23.454%
idx4.<customer>.splunkcloud.com 203 16.305%
idx1.<customer>.splunkcloud.com 199 15.984%
idx5.<customer>.splunkcloud.com 168 13.494%
... View more
05-11-2016
01:08 AM
Hi,
I'm wondering how load balancing in Splunk Cloud work.
When i install the splunkcloud.uf app on a local forwarder, the outputs.conf that is created in the app looks like so:
[tcpout:splunkcloud]
compressed = false
disabled = false
server = input-prd-p-<id>.cloud.splunk.com:9997
sslCommonNameToCheck = input-prd-p-<id>.cloud.splunk.com
sslCertPath = $SPLUNK_HOME/etc/apps/splunkclouduf/default/client.pem
sslPassword = <password>
sslRootCAPath = $SPLUNK_HOME/etc/apps/splunkclouduf/default/cacert.pem
sslVerifyServerCert = true
useACK = true
Notice that there is only one server listed. When I search for "splunk_server" in my Splunk Cloud it clearly says I have five indexers. Why aren't all those listed behind "server" as normal when using load balancing? I know there is something called the indexer discovery feature, but then I guess I would see a stanza for that in my outputs.conf. Could someone explain this to me?
... View more
04-28-2016
04:01 AM
1 Karma
Did anyone find a solution to this? We've stumbled upon the same problem it seems.
If the file has a header, this would be the other way around, right? That Splunk wouldn't read new files because it think they are the same as the old rolled ones. So that the file has a header couldn't be the problem.
... View more
04-25-2016
12:15 AM
I have sat up inheritance already. My custom admin role inherits from a custom power role and a custom user role. The custom power role and custom user role are copies of the default power and user roles in the same way the custom admin role are a copy of the default admin. In other words, this kind of inheritance setup doesn't seem to solve the problem. I've created a case on Splunk support. I'll update this thread if we find a solution.
... View more
04-25-2016
12:03 AM
Thanks for your answer. I tried searching for index=_internal index!=*_archive while being logged in as the default admin, and the search did indeed return no results. Then I tried removing the archive search restriction from from my custom admin role, but I still can't search internal indexes. I also removed the same search restriction from my custom power role and my custom user role from which the custom admin inherits, again to little help. For me it's starting to look like we've found a bug.
... View more
04-19-2016
06:35 AM
I found out why my MAX_TIMESTAMP_LOOKAHEAD wasn't working. A heavy forwarder was parsing the data, and thus marking it as "cooked" before it reached my indexer. When cooked data gets to an indexer it isn't re-parsed, and all source type settings on the indexer aren't taken into account. Case closed.
... View more
04-19-2016
06:31 AM
I haven't gotten a copy of authorize.conf from support, but I've looked over the list of settings on my custom admin role in the Splunk Cloud GUI. The only "enabled" settings in your list that aren't in my UI list in our Splunk Cloud are the ones listed below. All these settings are not choosable from "available capabilities" in the Splunk Cloud role edit settings. Could any of these settings be the reason why my custom admin role can't see internal indexes? If so, do you know how to enable them?
can_own_notable_events = enabled
create_external_ticket = enabled
edit_correlationsearches = enabled
dit_log_review_settings = enabled
edit_modinput_threatlist = enabled
edit_modinput_web_ping = enabled
edit_notable_events = enabled
edit_per_panel_filters = enabled
edit_postprocess = enabled
edit_reviewstatuses = enabled
edit_suppressions = enabled
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
Friday
|
