Are these single line events? Have you defined a props.conf for this source type? If they are single line events, your props should look something like this : [mysinglelinesourcetypeNAME] SHOULD_LINEMERGE = false MAX_TIMESTAMP_LOOKAHEAD = 25 TIME_PREFIX = ^\[ You can review what these options do via the Spec file : https://docs.splunk.com/Documentation/Splunk/7.0.0/Admin/Propsconf But for a quick overview; 1) Assuming these are single lines, we force the sourcetype to be single line 2) We know the timestamp is at the beginning of the line, so we tell Splunk to stop looking after 25 characters 3) We also know that the time stamp comes at the beginning of the line "^" and after the bracket "[".. If this is multiline, this props would change a bit... ... View more

Ill answer some of these in parts... 1、There are a lot of duplicate events in summary index,I don't know why, the summary index will have duplicate events, and I'll make sure that the original event is not repeated ,(For example, there are no duplicate events in indexes such as nginx and Apache) SI (Summary Indexes) are populated based on scheduled searches or searches with the collect command. If you have not scheduled your searches that create the summary indexes properly, then you're going to get duplicated events.. E.g., if you have a schedule search that runs every hour searching earliest of -1d, then youre going to have huge overlapping of events. I'd check that first. 2、Sometimes, after the alarm is triggered, it doesn't necessarily write exactly to summary index (I'm sure the result is not empty)。That is to say, sometimes it doesn't write the results to summary index This could be the way you have the alert setup, if there are no results, it wont write the events... Hard to answer this. 3、The third question is a silly question. I'd like to ask if the summary index is for the report or for the alert? In Web UI - >settings - >Searches, reports, and alert, I choose an alert, and then enable summary indexing。Then I clicked on "Alerts" on the navigation bar, that alert has disappeared, but that alert appears in “Reports”. why ? Why does it transfer from alerts to reports when I enable the summary index? That enable option means write to summary index... Im not sure I understand the context full of this... Alerts will age out. But this being said, a SI can be used for reporting or alerts. Some customers aggregate data into SI, then run alerts against it. Additionally, ive seen customers create reports from SI, because its much much faster.. For your use case, you can most definitely use alerts to write events out to a summary index, and then report and alert off of that. You may want to look at the SI related commands such as collect (http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Collect) You can use this in your base searches to populate your SI indexes.. There are some downsides to using summary indexing. Mainly being, sourcetype changes (to stash) and also that SI is reliant on your saved searches to run and populate. This means if you miss a scheduled search, the SI wont populate and you need to back fill for that missing time window. This could lead to duplicate events. This is where Datamodels have come in.. They automatically backfill jobs, and you can aggregate data as neccesary.. Hope that helps. ... View more

Could you elaborate on what you mean "you can use event/streamstats against the data model base searches..."? By "base searches", are you referring to |datamodel [...] search (which will not leverage acceleration)? Or are you saying you can use event/streamstats in constraint of "root event"? ... View more

Adding a license doesnt effect the user or password tables. Were you using LDAP or SAML before? If you're unable to login, you can try renaming $splunk_home$/etc/passwd to passwd.old, and restarting Splunk. This will reset the admin password to the default changeme. From there you can login again. ... View more

Got same error Splunk Enterprise Version: 8.0.2 Build: a7f645ddaf91 06-01-2020 13:04:41.446 -0400 ERROR PipelineComponent - Monotonic time source didn't increase; is it stuck? ... View more

When you add each indexer as a search peer in distsearch.conf (or the GUI), vs joining the SH/SHC to a index cluster, you are essentially eliminating the mapreduce functionality of distributed search and the index cluster. This is because the SH/SHC no longer knows its searching a cluster, nor does it know where the searchable buckets are. So its essentially distributed to all indexers, and awaiting response. So extra compute... Rebuild your SHC to connect to the cluster master node and let search run properly. That should alleviate load. After that, you need to check through search log and determine where your searches are slowing down. E.g., is it indexer side disk or memory, or SH. From there, adjust resources as required.. ... View more

But I am unable to deploy it as it's not receiving success signal. ... View more

Hi, Yes, this is a bug This and fixed in 6.6.4 and 7.0.1: http://docs.splunk.com/Documentation/Splunk/6.6.4/ReleaseNotes/6.6.4#Admin_and_CLI_issues ... View more

If you don't normally see your indexing queues blocked, you are probably fine. Start with two parallelIngestion pipelines and monitor behavior. ... View more

list_storage_passwords in a capability in the authorize.conf file, refer to the capabilities page for more information. You should be able to add list_storage_passwords to the role that you need (e.g. the user role) Or Add and Edit Roles with Splunk Web ... View more

Thanks for the reply, but I have one question for daily data volumn less than 1GB/day we are using only one indexer(12 core CPU), for indexing process it will use 1 cores and remaining 11 cores will be available. So running 100 concurrent searches it will take more time to exceute ( If No. of sec. per individual search is=10 then Approx. time (sec.) to complete all searches = 90 seconds) . What will be the solution Will I increase more CPU cores in one indexer(Approx. 128 cores. ) or I have to follow indexer clustering concept because for index clustering minimum daily data volumn should be more than 20 GB/day. ... View more

Best practice is to not deploy Splunk infrastructure as a VM, regardless of settings. ... View more

or may be I need to define custom fields and define source types based on data. ... View more

anytime, thanks for the upvote(s)! ... View more

I'd say ask your sales rep, they can pull and give you a general number... ... View more

I would stop the UF on one system first, delete the app from the ../etc/apps folder, start the service and let the app redeploy. If that fails, I would upgrade or reinstall the UF software. Then lastly I would uninstall/reinstall. It stands to reason that the app is not the problem or it would not have deployed successfully to other hosts.. But maybe check the splunkd log these UF's for complaints about the app if it still fails. I can't guarantee anything. I'm just citing personal experience with picky UF's and deploying apps. We even had some linux UF's that wouldn't take the SPLUNK_TA_NIX app until the partial app was removed and the service restarted. ... View more

It is the amount of license usage per day, per source type. index=_internal source=*license_usage.log* type=Usage | eval gb=b/1024/1024/1024 | timechart span=1d sum(gb) AS sourcetype_volume_GB by st ... View more

That info is pulled from metadata (see the metadata command) and is based on the default searched indexes for the user that loads the page. You can adjust this via the user's roles and group memberships here : Manager » Access controls » Roles » Role Name » Default indexes. Update that for the indexes, or add all etc... ... View more

https://answers.splunk.com/answers/406009/why-is-splunk-crashing-whenever-i-try-to-start-the.html ... View more

If your usage is growing to that point, perhaps you should discuss with management about investing in real hardware and making it a production tool with storage and HA.. ... View more

Do NOT edit things in etc/system/default. Those are default values, not meant for local changes. For local changes, use local rather than default. https://docs.splunk.com/Documentation/Splunk/6.6.2/Admin/Configurationfiledirectories What you describe - tcp port rather than splunktcp port - is exactly what's causing the indexer to not treat the cooked stream as cooked, and instead to index it as-is. turn off all tcp inputs you use to recieve data from forwarders (settings -> data inputs -> tcp) turn on receiving for those ports (settings -> forwarding and receiving -> configure receiving) ... View more

Thank you, this was the output authType = Splunk passwordHashAlgorithm = SHA512-crypt [cacheTiming] getUserInfoTTL = 10s getUsersTTL = 10s userLoginTTL = 0 [secrets] filename = namespace = splunk ... View more