cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
sloshburch
Splunk Employee
Member since: ‎11-18-2011
‎03-26-2024
Community Statistics
Posts 1676
Solutions 225
Karma Given 363
Karma Received 416
Member Since ‎2011-11-18
Activity Feed
Topics I've Started
View All

Re: Error listing accelerated data models - Respon...

by Splunk Employee in Monitoring Splunk
‎03-05-2014 10:13 AM
‎03-05-2014 10:13 AM
I think I'm seeing the same issue. ... View more

Re: splunkd stop responding -> ERROR AdminManager

by Splunk Employee in Monitoring Splunk
‎03-05-2014 10:09 AM
‎03-05-2014 10:09 AM
Anything result from this? I'm seeing the same issue. ... View more

Re: "Gaps" in Timechart

by Splunk Employee in Splunk Search
‎03-04-2014 01:17 PM
‎03-04-2014 01:17 PM
I'm seeing the same issue but using (over last 24 hours): timechart span=30min avg(field1) avg(field2). Just like in this case, driving into the gap periods I see the data does exist. Updating the limits has not fixed it. Anyone have any other ideas? ... View more

Re: Summary indexeing in Distributed Search enviro...

by Splunk Employee in Getting Data In
‎02-27-2014 07:45 AM
‎02-27-2014 07:45 AM
Agree with linu1988 - To work around this same challenge, we have a master indexes.conf in a customer app that the deployment server sends to all of the indexers and the search heads. It allows the indexes to show up in the UI but given that the forwarders only send data to the indexers I don't have to worry about the Search Heads having any data. ... View more

Re: Gap in chart data

by Splunk Employee in Splunk Search
‎02-27-2014 07:37 AM
‎02-27-2014 07:37 AM
Are you proposing using both stats and timechart? For example a search like this is showing gaps for me as well (but searches with smaller time windows show the data does exist and can be generated by timechart) _some_base_search | timechart span=1d perc90(field) ... View more

Re: CASE() search option produces no results

by Splunk Employee in Splunk Search
‎02-26-2014 02:31 PM
‎02-26-2014 02:31 PM
See somesoni2's comment for the answer to this question. ... View more

Re: CASE() search option produces no results

by Splunk Employee in Splunk Search
‎02-26-2014 02:31 PM
‎02-26-2014 02:31 PM
Thank you somesoni2 - I didn't realize it had that complete-word restriction. I also thought I had previously tried wildcards with no luck. I now see wildcards work. Thanks everyone! ... View more

Re: Powershell Scripting for SPLUNK

by Splunk Employee in Getting Data In
‎02-26-2014 02:03 PM
‎02-26-2014 02:03 PM
I guess I assumed it was available as part of the splunk run time (like how it is for other scripts). Is it not the same as the $SPLUNK_HOME environment variable available to splunk already? Let me know if that made no sense. ... View more

Re: Powershell Scripting for SPLUNK

by Splunk Employee in Getting Data In
‎02-26-2014 12:57 PM
‎02-26-2014 12:57 PM
Were you able to get the %SPLUNK_HOME part of the cmd file to work? When I run it that way I get this: The module 'SPLUNK_HOME' could not be loaded. For more information, run 'Import-Module SPLUNK_HOME' ... View more

Re: CASE() search option produces no results

by Splunk Employee in Splunk Search
‎02-26-2014 09:49 AM
‎02-26-2014 09:49 AM
It's found preceded by letters org.something.somethingelse.somethingother.TypeOfException ending with a space or a : ... View more

CASE() search option produces no results

by Splunk Employee in Splunk Search
‎02-26-2014 08:33 AM
‎02-26-2014 08:33 AM
While using the CASE() feature of the search command (as per http://docs.splunk.com/Documentation/Splunk/6.0.2/Search/Usethesearchcommand#Use_CASE.28.29_and_TERM.28.29_to_match_phrases) I'm seeing no events produced but there should be. Example: earliest=@h-15min latest=@h index=index1 OR index=index2 _raw="*Exception*" produces results. earliest=@h-15min latest=@h index=index1 OR index=index2 CASE(Exception) produces NO results. This seems to ONLY happen while using the string "Exception". Other strings within the CASE() function are working as expected. This is on Splunk 6.0.2. Anyone seen this before? ... View more

Re: Splunk Hadoop Connect Compression

by Splunk Employee in All Apps and Add-ons
‎02-21-2014 08:58 AM
‎02-21-2014 08:58 AM
http://docs.splunk.com/Documentation/HadoopConnect/1.2/DeployHadoopConnect/Setupcompressedfiletypes shows that HadoopConnect supports various compressed file types. sdaniels, are you saying that there is no way to change the file format for the app? ... View more

Re: ModularPowerShell still running

by Splunk Employee in All Apps and Add-ons
‎02-07-2014 10:07 AM
‎02-07-2014 10:07 AM
Thanks! The forwarders in this case are on 5.0.2. I'll explore 6.0.1 to see if that resolves this. My central splunk instance is only on 5.0.2 right now so I'll have to check compatibility. ... View more

ModularPowerShell still running

by Splunk Employee in All Apps and Add-ons
‎02-07-2014 09:13 AM
1 Karma
‎02-07-2014 09:13 AM
1 Karma
I have the SA-ModularInput-PowerShell app deployed to some Windows universal forwarders. When the forward re-installs an updated version of SA-ModularInput-PowerShell, it fails because PowerShell.exe is still running and therefore has a file lock on the subfolder SA-ModularInput-PowerShell/windows_x86_64 . splunkd.log shows: 02-06-2014 17:48:15.337 -0500 WARN DeployedApplication - Failed to create file D:\App\SplunkUniversalForwarder\etc\apps\SA-ModularInput-PowerShell\windows_x86_64\bin\PowerShell.exe while untarring D:\App\SplunkUniversalForwarder\var\run\win_hosts\SA-ModularInput-PowerShell-1391725349.bundle: The process cannot access the file because it is being used by another process. Once I kill the PowerShell.exe process, the forwarder is able to proceed with re-installing the SA-ModularInput-PowerShell app. PowerShell.exe is running as User Name splunk_user in the Task Manager. Any idea why PowerShell.exe continues to run after the scripted modular input completes? Did I set this up wrong? Here's the input that uses the SA-ModularInput-PowerShell app. [powershell://Win32_Product] script = Get-WmiObject -Class Win32_Product -ComputerName . | Select-Object Name,Vendor,Version,Caption,InstallDate schedule = 0 9 * ? * * sourcetype = software_inventory_win index = inventory ... View more

Re: Difference between lastTime and recentTime in ...

by Splunk Employee in Splunk Search
‎02-07-2014 07:35 AM
‎02-07-2014 07:35 AM
Let me know if this is better suited as a separate question: Is it a correct interpretation to say that if using metadata like this: ( index=* OR index=_* ) type=hosts then the recentTime is the timestamp for the last event from each of the hosts while the lastTime is the last thing we "heard" from that host's forwarder? Said another way, if a forwarder does not see anything new written to a log file that it monitors, the recentTime will start to get older. If that same forwarder is forwarding it's _internal|_audit data then the lastTime may be more recent due to normal forwarder/indexer communication. Is that correct? I'm asking because I realize this could be an effective way to monitor for forwarders that stopped communicating with indexers. ... View more

Re: What capabilities provide access to Alert Mana...

by Splunk Employee in Security
‎02-05-2014 08:40 AM
‎02-05-2014 08:40 AM
Meanwhile, even without those permissions, a user could access the alert manager directly. Is that a bug or something? ... View more

Re: Adding a cluster peer: error Bad Request in ha...

by Splunk Employee in Deployment Architecture
‎02-04-2014 05:39 AM
‎02-04-2014 05:39 AM
I had the same issue and it was not the protocol. I had to hard code the IP instead of using the DNS name of the host. This worked fine in 5.0.2 but not after a 6.0.1 upgrade. ... View more

Re: alert_actions.conf being ignored

by Splunk Employee in Alerting
‎01-29-2014 10:35 AM
‎01-29-2014 10:35 AM
That may be for 6*, but is it different for 5*? ... View more

Re: Sharing global in config

by Splunk Employee in Knowledge Management
‎01-23-2014 08:17 AM
‎01-23-2014 08:17 AM
I see it now. I don't know why when I was searching the export field I didn't see it - thanks! ... View more

Sharing global in config

by Splunk Employee in Knowledge Management
‎01-23-2014 07:55 AM
1 Karma
‎01-23-2014 07:55 AM
1 Karma
This should be an easy one: From a config file perspective, how do I define an app's knowledge object (a savedsearch for example) as being shared globally? Thus far, I have been unable to find them in the local.meta and viewstates.conf ... View more

Re: Missing banner/bulletin capabilities

by Splunk Employee in Dashboards & Visualizations
‎01-07-2014 11:22 AM
‎01-07-2014 11:22 AM
In 5.0.2, restart_splunkd also controls the ability to post Bulletin Messages. Can anyone confirm if that is the case in all versions or just 5.0.2? If it's all versions then I'll submit a feature request to have it decoupled. ... View more

Re: Create new index without restarting Splunk ind...

by Splunk Employee in Getting Data In
‎01-02-2014 10:43 AM
5 Karma
‎01-02-2014 10:43 AM
5 Karma
Another approach that I think I just got to work: https://<hostname>:<splunkdport>/services/data/indexes/_reload That allows you to stage your index in the appropriate app from the deployment server, but then implement without restart. ... View more

Re: Create new index without restarting Splunk ind...

by Splunk Employee in Getting Data In
‎01-02-2014 10:42 AM
‎01-02-2014 10:42 AM
I think the -name part of the command is not used (at least it won't work in 5.0.2 but works when it is removed) I have seen the same issue the_wolverine mentioned. I can reload my index config but it won't create the appropriate directories. ... View more

Re: Sourcetype inheritance

by Splunk Employee in All Apps and Add-ons
‎12-30-2013 01:53 PM
‎12-30-2013 01:53 PM
Did you ever find a solution for this? I'm curious about the same 😞 ... View more

Re: Remove "First time logging in? Splunk's defaul...

by Splunk Employee in Security
‎12-20-2013 08:50 AM
‎12-20-2013 08:50 AM
Yea, that solved it. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎03-26-2024 06:34 PM
Karma from