×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
esix_splunk
Splunk Employee
Member since: ‎10-04-2013
‎03-25-2021
Community Statistics
Posts 1026
Solutions 194
Karma Given 105
Karma Received 533
Member Since ‎10-04-2013
Activity Feed
View All

Re: Is there any way to forward kv store data on H...

by in Knowledge Management
‎05-24-2018 09:46 PM
‎05-24-2018 09:46 PM
My app is not Splunk cloud certified. So you’ll likely not get support to install it. You could run it from the HF if you can hit your Splunk cloud api from it. ... View more

Re: How to route data collected by Splunk Stream t...

by Splunk Employee in All Apps and Add-ons
‎08-16-2019 09:52 AM
‎08-16-2019 09:52 AM
I know this is older but I ran across this post when testing this scenario. The _TCP_ROUTING method in "Route inputs to specific indexers based on the data input" in the docs worked as advertised with the stream input for me. ... View more

Re: I cannot get Cisco Nexus 6004 to send syslog d...

by Splunk Employee in All Apps and Add-ons
‎04-06-2018 06:08 PM
‎04-06-2018 06:08 PM
Not sure on that, havent used the nexus in a few years. But by default in IOS, it is. HEre's a link to start : https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/system_management/configuration/guide/sm_nx_os_cg/sm_5syslog.html Against, run tcpdump / wireshark on the host. If its being sent over TCP, or a different UDP, it will catch it. ... View more

Re: Does ES use the same props and transforms as c...

by in All Apps and Add-ons
‎03-21-2018 05:07 AM
‎03-21-2018 05:07 AM
Thank You, I added that to the ES and it works great. ... View more

Re: How to add forward server in non-interactive m...

by in Deployment Architecture
‎04-05-2018 03:16 PM
‎04-05-2018 03:16 PM
splunk add forward-server server_ip:port --answer-yes ... View more

Re: control the indexing of the forwarders

by Splunk Employee in Deployment Architecture
‎03-18-2018 07:20 PM
1 Karma
‎03-18-2018 07:20 PM
1 Karma
There is no way to control onboarding of data sources from the indexer / cluster side. If the forwarder has the indexer splunktcp port, ssl cert, or autodiscovery password, they are trusted and data is accepted. ... View more

Re: Search for Error only in the latest log file c...

by in Splunk Search
‎03-14-2018 01:20 PM
‎03-14-2018 01:20 PM
@nmohammed did you try with your rex for finiding cid as well? The dedup command actually retains only the latest row based on the dedup criteria. This is based on the fact that latest event will be displayed first in Splunk (reverse chronological order of time). In this case I assumed cid + host should give unique record and that you would be interested only in the latest. When you say it did not help , what is the output of query vs what is the expected output? Also can you add sample data the scenario across multiple hosts where cid has error first and then it is fixed? ... View more

Re: i installed splunk forwarder and tried to run ...

by Splunk Employee in Splunk Enterprise
‎03-07-2018 09:42 PM
‎03-07-2018 09:42 PM
You need to run this as root, or sudo run this command, because to modify /etc/init.d, you need admin / root privileges. Additionally you need to specify the run-as user: ./splunk enable boot-start --accept-license -user splunk So if you run the above as root, and substitute splunk with the username of the service account you want to Splunk to run as, then you should be ok. Additionally, before finalizing this, you should change the ownership of /opt/splunk to the user designated... Do a service splunk stop and then : chown -R splunk:splunk /opt/splunk After that, you can start splunk via the service command, or sudo to the user you specified and start it that way. Do not start Splunk as root, or any other user. It will screw with permissions and throw errors. ... View more

Re: search a bucket without aggregating results

by in Deployment Architecture
‎02-15-2018 11:22 AM
‎02-15-2018 11:22 AM
Thanks! So the reason why the first image returns 5 results is because there are actually 5 other rows of data (for 5 different hosts/servers) which I didn't capture in the screenshot. It doesn't reflect the data that goes into creating the sparkline, it is only the result of all the hosts/servers from my query: stats sparkline(avg(Percent_CPU_Load)) as Activity avg(Percent_CPU_Load) as Average, max(Percent_CPU_Load) as Peak, min(Percent_CPU_Load) as Low, avg(pctIowait) as WaitTime by host That is why I believe the problem is in this part of the query: | search CPUbucket="Greater than 95%" CPU=all However, I need that part of the query because I want to search for ALL hosts/servers that have CPU Greater than 95%, so I need that search option in there. However, I also need the sparkline to show the individual trend of a specific host/server and somehow it's not portraying it accurately. ... View more

Re: Why is the accelerated Data Model performing s...

by in Reporting
‎11-02-2018 07:42 AM
‎11-02-2018 07:42 AM
Did you get an answer to your question above as i am also have performance issues with | tstats ... View more

Re: I have 16 clients sending data to forwarders a...

by Splunk Employee in Deployment Architecture
‎01-22-2018 03:27 PM
‎01-22-2018 03:27 PM
You should create this on the Splunk Cloud side. You can create indexes yourself, via the GUI. Go to *Settings > Indexes * and create new. That will create them. ... View more

Re: How to increase pool size

by Splunk Employee in Deployment Architecture
‎01-16-2018 07:23 PM
‎01-16-2018 07:23 PM
You have to edit this on your License Master role. You can do this during production hours, but it is a change, so I recommend testing in a lab environment and scheduling outside of business hours. Read more here : http://docs.splunk.com/Documentation/Splunk/7.0.1/Admin/Createalicensepool#To_edit_an_existing_license_pool ... View more

Re: Splunk not receiving data from forwarder - tri...

by Splunk Employee in Getting Data In
‎01-14-2018 08:10 PM
1 Karma
‎01-14-2018 08:10 PM
1 Karma
In addition to all of these, have you checked internal on your indexer to see if you can see the forwarders internal logs? index=_internal | stats count by host That will validate if the UF / Forwarder is connecting, and if the problem is in your inputs. Additionally try oneshot'ing a file from your forwarder and see if you can search it. ... View more

Re: Migration from standalone Splunk instance to I...

by in Deployment Architecture
‎01-16-2018 04:58 AM
‎01-16-2018 04:58 AM
I appreciate all of your feedback. I will be studying your posts carefully. Thank you. To explain more about what we are doing, it is not really syslog. We have an OPC server. The data we are interested in is OPC DA. We send that data into Kepware which converts the data to "tcp" (really udp?). Next, the data goes over the data diode to Splunk. The reason I put tcp in quotes is that Kepware calls the converted data tcp. But when the data goes over the diode it has to be udp. ... View more

Re: Questions about a Splunk Enterprise license

by in Installation
‎12-01-2017 07:06 AM
‎12-01-2017 07:06 AM
Thanks Mr Woodcock ... View more

Re: which technology Splunk use?

by in #Random
‎08-26-2018 11:57 PM
‎08-26-2018 11:57 PM
Splunk uses map-reduce technology which is basically key-value pairs terms. This is the main reason behind faster searching of data in splunk. ... View more

Re: Splunk indexer is not able to get the data fro...

by in Deployment Architecture
‎11-10-2017 03:57 PM
‎11-10-2017 03:57 PM
Hi i did ./splunk list forward-server and found that active forwards to indexer Ip and Port indexer IP:9997 Configured but inactive forwards: None i checked the url https://answers.splunk.com/answers/465/ive-set-up-a-forwarder-but-im-not-receving-any-events-on-the-splunk-indexer.html and found that using index=_internal source=*metrics.log tcpin_connections in splunk logs as below: ===== 11-10-2017 16:44:41.999 -0700 INFO Metrics - group=tcpin_connections, 1XX.XX8.X4.X0:47185:9997, connectionType=cooked, sourcePort=47185, sourceHost=1XX.XX8.X4.X0, sourceIp=1XX.XX8.X4.X0, destPort=9997, kb=7.93, _tcp_Bps=261.99, _tcp_KBps=0.26, _tcp_avg_thruput=0.27, _tcp_Kprocessed=2271.78, _tcp_eps=0.19, _process_time_ms=0, evt_misc_kBps=0.00, evt_raw_kBps=0.23, evt_fields_kBps=0.00, evt_fn_kBps=0.00, evt_fv_kBps=0.00, evt_fn_str_kBps=0.00, evt_fn_meta_dyn_kBps=0.00, evt_fn_meta_predef_kBps=0.00, evt_fn_meta_str_kBps=0.00, evt_fv_num_kBps=0.00, evt_fv_str_kBps=0.00, evt_fv_predef_kBps=0.00, evt_fv_offlen_kBps=0.00, evt_fv_fp_kBps=0.00, build=c8a78efdd40f, version=7.0.0, os=Linux, arch=x86_64, hostname=XXXXXXXXXXXXXXXXXXX, guid=XXXXXXXXXXXXX, fwdType=uf, ssl=false, lastIndexer=XXX.XX.XX.XX:9997, ack=false ==== It looks like every other logs i am getting other than monitoring file which is pointed to index np_test and source type 3dev1. [monitor:///opt/app/test/testlog/testLog.log] please suggest how to rectify this. ... View more

Re: Deploying Splunk HTTP Event Collector config v...

by in Deployment Architecture
‎11-12-2017 05:40 AM
‎11-12-2017 05:40 AM
nope, i am using the deplyment server to accomplish. what i was doing wrong was only trying to push splunk_httpinputs/local dir as opposed to the whole app. ... View more

Re: Summarizing data and storing it in a metrics i...

by in Splunk Enterprise
‎11-08-2017 08:33 PM
‎11-08-2017 08:33 PM
Thanks. Looks like the only way is an outputcsv file. collect puts to many extra fields and also stores the file into the spool dir which will be picked up by the default stash inputs stanzas. ... View more

Re: Forward raw data to remote host - avoiding out...

by in Deployment Architecture
‎11-06-2017 07:44 AM
‎11-06-2017 07:44 AM
Have been using CEF App for Splunk for ~ 5 months now, and 2 "bugs" identified by the Splunk CEF App team. We do use this app for forwarding CEF events, even though it consistently forwards only 80% or less of the filtered events it should (another "bug" according to Splunk). We are hopeful these issues will be resolved soon. This requirement is to forward RAW un-formatted data. Would appreciate any suggestions. Your responses are appreciated since for us this is difficult to reproduce Question1: what about using the same outputs/transforms/props configuration @ the indexers instead of the HF's? Would doing so avoid the "feature" causing indexing to stop, or would the filling up of the queues still ultimately cause the issue? Question2: Since this is only a problem of filling up of queues, once the remote host starts accepting connections, do the queues now empty? ... View more

Re: How to calculate the amount of data being arch...

by Splunk Employee in Splunk Search
‎11-05-2017 11:37 PM
1 Karma
‎11-05-2017 11:37 PM
1 Karma
On a side note, Atlassian is very open to feedback. I'd push this as a request on their github project page. Perhaps they'll add it! ... View more

Re: how to remove timestamp and host of heavy forw...

by in Deployment Architecture
‎11-06-2017 03:03 AM
‎11-06-2017 03:03 AM
We tried using sendCookedData = false with tcpout but it dont send any data to Qradar Send data using ‘tcpout’ in the outputs.conf. This allows the records to go out “un-cooked” (sendCookedData = false) and without any additional packet changes. Qradar did not seems to see these packets in our test yesterday. Not sure why. Send the data using ‘syslog’ in the outputs.conf This allows us to use “type = udp” which Qradar expects and prefers. Qradar got all the packets we sent, But it adds extra headers on the packets with our forwarders as the sending hosts and the time it was forwarded, not the original MPLS ASA time. ... View more

Re: How to move index defination from one app to a...

by in All Apps and Add-ons
‎11-06-2017 02:31 AM
‎11-06-2017 02:31 AM
hey @vikas_gopal Please follow the below steps to move index from one app to another app. 1) Stop Splunk 2) go to splunkhome/etc/app/search/indexes.conf (the directory where you saved your .conf file) 3) write mv indexes.conf /opt/splunk/etc//local/ 4) check if the file is moved or not. 5) restart splunk I hope this solves your problem. ... View more

Re: Validate logs to CIM Validation (S.o.S.)

by Splunk Employee in Getting Data In
‎11-05-2017 07:44 PM
1 Karma
‎11-05-2017 07:44 PM
1 Karma
First, you need to understand what the Common Information Model is, then perhaps your questions are easy to answer. The Splunk Common Information Model (CIM) is a shared semantic model focused on extracting value from data. The CIM is implemented as an add-on that contains a collection of data models, documentation, and tools that support the consistent, normalized treatment of data for maximum efficiency at search time. The CIM add-on contains a collection of preconfigured data models that you can apply to your data at search time. Each data model in the CIM consists of a set of field names and tags that define the least common denominator of a domain of interest. You can use these data models to normalize and validate data at search time, accelerate key data in searches and dashboards, or create new reports and visualizations with Pivot. The add-on also contains several tools that are intended to make analysis, validation, and alerting easier and more consistent. These tools include a custom command for CIM validation and a common action model, which is the common information model for custom alert actions. See Approaches to using the CIM for more information about the tools available in the CIM add-on. This is from the Docs page @ http://docs.splunk.com/Documentation/CIM/4.9.1/User/Overview I'd recommend reading this for a full understanding of what the CIM is used for. But as a very general and broad statement, its a way to normalize events from many data sources to a common naming convention so that you can write one search that will return results from various data sources. As an example, different network vendors use different field names for the source ip address field, e.g., some will use source or source_ip or src_ip src_ip_address. With that, you would have to write a search that would look for all those fields. With CIM, you can write one search that looks for src_ip and if your data sources are all CIM validated, that search will work for all the data sources. Again, there's a lot more then what I have outlined, I recommend reading the full docs for CIM to understand its full potential. ... View more

Re: Splunk DB Connect: What is the needed connecti...

by in All Apps and Add-ons
‎11-13-2018 11:10 AM
‎11-13-2018 11:10 AM
Integrated authentication is still an issue. Either the documentation misses a few steps or db connect is using the driver incorrectly. Best work around is to disable windows authentication, create a sql server username and password on the DB, use the MS-Generic Driver (without Windows Auth), and send the username and password in the query. Side note for username: I believe the username still must include the domain. Ex. (MyDomain\Username) ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎03-25-2021 02:40 AM
Karma from