It is related to the following answers, but is it recommended to invalidate THP after all? https://answers.splunk.com/answers/523835/turn-thp-off-on-universal-forwarder.html If it does not seem to affect indexing and search performance only, It seems there is no need to invalidate it. Also, if it is recommended, I would like to know how it is affected. I hope someone can tell me. ... View more

In my environment SH, indexer 1, indexer 2 exist, and distributed search is done for indexers 1 and 2 from SH. Yesterday, since data was duplicated in indexers 1 and 2, I give can_delete role to admin user of SH, and executed delete command on SH. However, despite all the data of indexer 1 being displayed as "deleted", all the data of indexer 2 was "errors". Also, the following error message appeared. ["hostname of indexer 2"] You do not have the capability to delete from "index name" However, when I executed the same command again, all the data of indexer 2 was "deleted" this time. I thought that connection of SH between indexer 2 was being disconnected when I executed delete command and received error messages, but there was no error that communication with the indexer 2 was interrupted. What is this phenomenon? It will be very helpful if someone tells me. ... View more

In my environment, UF monitors the file and forwards it to Splunk. It was able to capture the file without problems before, Due to the version upgrade of software that outputs log that was being monitored, and the character code is changed from Shift_jis to utf-16LE (with BOM), it is no longer imported. When checking the internal log of UF, message saying "it was a binary file, so ignored it". Is this a bug? Is there any workaround other than updating? If anyone knows, it would be greatly appreciated if you could tell me. UF ver: 6.2.0 ... View more

I set an alert that works everyday and sends mail. Today I clicekd "view results" on alert mail, then "The search you requested could not be found." message was showed in display. But I didn't delete search job manually. And not much time has passed since the alert has started. Why did this search job expire? I hope someone can tell me. ... View more

In importing log in "rising column" mode using Splunk DB connect v3, If communication fails while capturing a large capacity table, what is the status of log in Splunk? Will it incompletely be taken in? Or will it be in a state that it will not be taken in at all if there is input specification that it is taken in after the execution result of SQL is completed? Also is the value of "rising column" saved after indexed? Or is it saved when SQL processing is over? It would be greatly appreciated if someone knows about it. ... View more

In Splunk DB conenct ver 2.x.x, there is "auto_disable" setting. But I can't find these settings in Splunk DB connect ver 3.x.x. Was the "auto_disable" setting deleted from ver3.x.x? Please tell me if you know about it. ... View more

In my environment, as for the "csv" data to be captured, The column that is not needed is dropped using SEDCMD. For example, the following example excludes the third column "description". example Data time,ipaddress,description YYYY/mm/dd HH:MM:SS,192.x.x.x,this is ... YYYY/mm/dd HH:MM:SS,172.x.x.x,this is ... YYYY/mm/dd HH:MM:SS,10.x.x.x,this is ... props.conf SEDCMD-test = s/([^,]*),([^,]*),([^,]*)/\1,\2/g When searching, it seems that the third column "description" was excluded from the displayed raw event. But in the field list, "description" exists, and the field values corresponding to each event also remained as data. As for the order of processing, I think that SEDCMD will move first than license calculation. However, at the time of searching, it seemed that the data of the excluded column was captured, so I thought that the usage of licenses would not change. Will I can reduce license usage by the SEDCMD exclusion? ... View more

I created dashboard has two panels like below. Panel displaying results in table view Panel showing the count of result of panel1 To display Panel2, I use the <done> ～ </done> tag in the source of Panel1 like below. <done><eval token="arg1">$job.resultCount$</eval></done> However, editing the search in the panel1 on the UI editing screen will cause the <done> ～ </done> tag to disappear. Why is it happen? Is there a workaround? If anyone knows, it would be greatly appreciated if you could tell me. ... View more

I'm thinking to get data from MSSQL server by using DBconnect. Then I want get only new data by using "rising column". By the way, there is one point which concern me. When acquiring new data using "rising column", and using time columns, if data has the same time value with other data is added, can Splunk capture it? Example: Time Name 2017/11/24 10:00:00 John ← Already indexed 2017/11/24 10:15:00 Mark ← Already indexed 2017/11/24 10:15:00 Bob ← New! Also, if it is unenable, is there any good method? If someone knows about it, I would appreciate it if you could tell me. ... View more

In the following manual, when distributing the configuration file from the deployer, there is a describe that the local directory existing under the app of the SH cluster member will remain. http://docs.splunk.com/Documentation/Splunk/6.5.5/DistSearch/PropagateSHCconfigurationchanges The deployer never deploys files to the members' local app directories, $SPLUNK_HOME/etc/apps//local. Instead, it deploys both local and default settings from the configuration bundle to the members' default app directories, $SPLUNK_HOME/etc/apps//default. This ensures that deployed settings never overwrite local or replicated runtime settings on the members. Otherwise, for example, app upgrades would wipe out runtime changes. However, as a result of setting bundle, the local directory existing under SH cluster member's apps disappeared. If settings that is same with settings distributed by the setting bundle exists in the local directory of the SH cluster member, will it be deleted? ... View more