Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About traxxasbreaker
traxxasbreaker
Communicator
Member since:
05-28-2017
06-05-2020
Community Statistics
| Posts | 58 |
| Solutions | 14 |
| Karma Given | 15 |
| Karma Received | 16 |
| Member Since | 05-28-2017 |
Activity Feed
- Got Karma for How do I stop datamodel accelerations from turning themselves back on?. 10-06-2021 05:51 AM
- Karma Re: Reducing Splunk authentication storms for richgalloway. 06-05-2020 12:50 AM
- Karma Indexes.conf question for adalbor. 06-05-2020 12:50 AM
- Karma Re: how to solve Time difference issue? for richgalloway. 06-05-2020 12:50 AM
- Karma Performance impacts of Spectre/Meltdown mitigation for IgorB. 06-05-2020 12:49 AM
- Karma Re: Performance impacts of Spectre/Meltdown mitigation for rabbidroid. 06-05-2020 12:49 AM
- Karma Splunk DB Connect + Oracle - data isn't importing for kpavan. 06-05-2020 12:49 AM
- Karma Difference in license usage and diskspace usage for jackiewkc. 06-05-2020 12:49 AM
- Karma Re: How do I add to Splunk Enterprise Security license? for Richfez. 06-05-2020 12:49 AM
- Karma Getting an error with Service NOW add-on... for Log_wrangler. 06-05-2020 12:49 AM
- Karma Re: Indexer hosts with shared storage for Richfez. 06-05-2020 12:49 AM
- Karma Re: Indexer hosts with shared storage for dwaddle. 06-05-2020 12:49 AM
- Karma Re: Is the Monitoring Console (MC) tool really worth the effort of implementing? for jlaw. 06-05-2020 12:49 AM
- Got Karma for Re: unexpectedly installed a another instance of splunk on the Linux server on the same path,but the service is not started yet for the new installation.how to get it removed.. 06-05-2020 12:49 AM
- Got Karma for Re: Best practices: Can a su command be used to log in to Splunk instead of the username and password?. 06-05-2020 12:49 AM
- Got Karma for Re: Why did all of my servers stop sending logs? Configuration issue?. 06-05-2020 12:49 AM
- Got Karma for Re: Can I get info about these components in one place in Splunk?. 06-05-2020 12:49 AM
- Got Karma for Re: Can I get info about these components in one place in Splunk?. 06-05-2020 12:49 AM
- Got Karma for How do I stop datamodel accelerations from turning themselves back on?. 06-05-2020 12:49 AM
- Got Karma for Re: Upgrade from distributed to clustered environment retaining configurations and data?. 06-05-2020 12:49 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 2 |
11-02-2017
02:33 PM
When you're on the Licensing page, try hitting "Change license group" and switching to an Enterprise license first. I suspect it's still set as a Trial license and isn't letting you add the full Enterprise license because the license group type doesn't match.
... View more
11-02-2017
02:14 PM
1 Karma
On the Splunk server, take a look in the directory for the AWS app under $SPLUNK_HOME/etc/apps . Under default/data/ui/views you should be able to see the original dashboard XML.
If that is the case, go to the app's local/data/ui/views and copy the XML for that view from the local directory to some temporary location. Then, in your browser go to http://yoursplunkserver:8000/en-US/debug/refresh to reload. Getting rid of the version in the local directory should set what displays back to the default dashboard.
... View more
11-02-2017
02:05 PM
1 Karma
Yes, like that document. You would be doing it from your deployer in your lab environment within an app that you would push out to your search head cluster members. You should not add your production indexers to your test cluster master.
... View more
11-02-2017
09:52 AM
I'd try running that SPLUNK_HOME/bin/btprobe -d '<C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket>' -r command first and see if it helps. Otherwise, I don't think I've ever encountered a "BTree" error that didn't require reinstalling the forwarder to resolve it, so that is what I'd try next.
... View more
11-02-2017
07:29 AM
Transaction does not go outside the time range of the search since it is only grouping events after they have been returned and does not affect the results returned by previous pipes in the search.
What you might want to do is expand the time range a little bit on either end to try to catch those starts and ends. For example you could include 11:55 PM to 12:05 AM, then filter further down in the search for transactions where adding the duration to _time doesn't put it on the current date to get rid of ones that started and finished before midnight. Filter again for transactions where _time gives the current date to rule out anything that started after midnight. To do that, you'd want to look at eval functions like strftime() , now() , relative_time() .
... View more
11-02-2017
06:46 AM
1 Karma
OK, it sounds like you have a test environment with a partial search head cluster that you want to search your production indexer cluster. In that case, assuming that you have a separate cluster master for your production indexer cluster, the replication and search factor on your test environment cluster master won't do anything since it is not controlling any test indexers. The replication and search factors on your test cluster master also will not have any affect on your test search heads.
That said, you should be able to configure server.conf via the deployer on your test search heads to search your production indexer cluster, you'll just need to make sure that the plain text value of pass4SymKey matches between the two. You'd have to point it to your production cluster master because your test cluster master (hopefully) isn't controlling your production indexers.
As far as having both cluster masters control your production indexers, the indexers would only be able to point to a single cluster master to control their configurations and replication behavior. Even if they could talk to both, you wouldn't want testing in your lab to be potentially breaking things on your production indexer cluster.
... View more
11-01-2017
05:48 AM
2 Karma
It is not recommended to use NFS for hot/warm index buckets at all, and for the cold or frozen buckets it's not recommended to share them. You should read through this very carefully if you want to continue going down that route. Also, If you're going to be running indexers on VM's and can't get dedicated hardware for them, you'll also want to make sure that you are following the best practices to keep the performance reasonable.
... View more
10-30-2017
05:30 PM
You will need to setup a clustering stanza in the indexer's server.conf file to use the same pass4SymmKey to use the same value as the cluster master. Note that these values are hashed, and if $SPLUNK_HOME/etc/auth/splunk.secret does not match with your cluster master, you will need to put the plain text value in on your indexer and let Splunk hash it when it starts up.
Additionally, you'll need to set the master_uri setting in your clustering stanza to point to the cluster master and make sure it's set to be a slave. Details on the indexer configuration can be found here. If your environment was first built by professional services, look around in the etc/apps directory on your indexers for an app that's called something like <org>_indexer_base which should have a lot of these settings already in place.
You'll also need to set your indexers to point to the license master (also in server.conf ) and to share all the inputs and index time settings of your other indexers. In many environments this is handled by apps pushed from the cluster master. If the indexers are Linux, also pay close attention to ulimits and THP at the time you are building your indexers.
... View more
10-30-2017
05:22 PM
Are you running on Linux infrastructure or Windows? If Linux, do you have THP disabled and the ulimits set to the recommended values? Either of those settings can cause performance problems, frequent crashes, and generally weird behavior.
When you open the dashboards first thing in the morning, is the screen completely blank for awhile, or does some of the UI load and it just takes a long time for the actual panels on the dashboard to populate?
... View more
10-30-2017
08:33 AM
Thank you, that's exactly the type of thing I suspected but didn't know to look for. This happens to be an ES staging instance for testing upgrades before deployment to the search head cluster where the SOC wants to validate using production data, but we don't want the datamodel accelerations running all the time. Disabling those inputs and doing a quick restart seems to have done the trick.
... View more
10-30-2017
07:04 AM
2 Karma
I have an instance where I want to keep data model accelerations disabled but they seem to keep turning back on if I hit the debug/refresh REST endpoint or restart the Splunk instance...
For example, I disable acceleration on all of the data models in the app through the UI, then check the local datamodels.conf file and everything's fine except that I still see those datamodel acceleration searches running on the indexer side. Once I refresh or restart the instance to try to kill off what's still running on the indexers, I see each stanza in local/datamodels.conf revert from acceleration = false to acceleration = true until I disable it again.
What's especially interesting is the remote searches logs from the indexers and the Settings -> Data Models page still show the data model accelerations happening even though I set the below stanza in system/local/datamodels.conf, so I'm really not sure how they are running regardless of whether the values in the app's local/datamodels.conf stay set.
[default]
acceleration = false
Any ideas on how to make these stay turned off so I'm not fighting with them each time I restart the Splunk instance for other reasons?
... View more
10-27-2017
01:25 PM
Is the question how to add it to the actual indexer cluster by connecting it to the cluster master, or how to make it show up as part of the indexer cluster on the DMC after it's already been added to the cluster?
... View more
10-27-2017
01:22 PM
2 Karma
The scheduler logs are in the _internal index. If you use the Monitoring Console, you'll also find some good stuff that will point you to data sources that will be helpful for looking at scheduler behavior under Search -> Scheduler Activity.
By tweaking one of the Monitoring Console searches a little, I get something like this which covers most of the fields you are looking for:
index=_internal host= sourcetype=scheduler
| eval alert_actions = if(isnull(alert_actions) OR alert_actions == "", "none", alert_actions)
| eval window_time = if(isnotnull(window_time), window_time, 0)
| eval execution_latency = max(dispatch_time - (scheduled_time + window_time), 0)
| dedup sid
| table sid, user, app,scheduled_time, dispatch_time, run_time, result_count, status
However, that will only give you info for the scheduled searches and not the real time, ad hoc, or remote searches. For those, you'll want to take a look at the _audit index. If you do a transaction on the search_id field, you can look at other fields like search for the search string, is_realtime to determine if it's realtime. The _audit index logs will also tell you the start and end time ranges of the search and how many events were scanned while it was running.
... View more
10-27-2017
12:57 PM
Yes.
When you create the alert through the UI, you can set the trigger conditions based on the number of events returned, then it will let you enter a value and indicate whether you want the event count to be greater than, less than, or equal to that value (along with a couple more options).
So if you have that search that is supposed to return an expected number of events and you set the alert to trigger if the event count is either zero or less than some number of events you are expecting, the alert will trigger if you are not getting the right number of events returned.
... View more
10-26-2017
09:12 AM
Does your AD account have restrictions on which hosts it can login from? I find that I can only make accounts work via the API if they do not have restricted login hosts, or are restricted to the hosts running Splunk (if they are domain members).
... View more
10-26-2017
08:27 AM
OK so it sounds like part 1 on the discrepancy is due to the difference in the _internal index retention which affects the license master logs that will show and the retention on the index shown here. The disk utilization on the indexer represents a much longer time period than what's reflected in _internal.
To address the second part of the question on reducing disk usage without changing the retention period, here's a couple options:
Check your cluster master to see if there are excess bucket copies that you can remove to free up some space.
If the data is infrequently accessed past a certain age or if slower searches beyond a certain age aren't a concern, look into tsidx reduction.
Make sure your replication and search factors aren't too high as this will require additional space for the extra copies.
Use something like |dbinspect index=index1 | chart count by guId to make sure you didn't happen to catch much higher than average space usage for that index due to a bucket imbalance. If the bucket counts aren't reasonably close to even, first make sure you don't have an imbalance on incoming data then consider doing a cluster rebalance for just that index (or include others if you notice the problem on other indexes too).
... View more
10-26-2017
07:22 AM
How long are your license master logs being retained? Your cumulative size reported from the license master is limited by your log retention on the _internal index, but it looks like the index you are asking about holds a full year's worth of data.
... View more
10-25-2017
02:19 PM
That would depend on the permissions set per object. If you have a lookup that was only writeable by the removed user, then you'd want to change ownership so someone who's still around can modify it. If the lookup is already writeable by other people, then it won't matter as much at least in terms of short term functionality.
Honestly though, it's probably easier to just change all the objects from the removed user to the new one, that way you don't have to sift through everything to figure out where the new ownership matters or potentially miss something resulting in people coming back to you months later because they can't modify an object that they need to. Remember that the person taking over the ownership is likely going to be taking a good look at all the objects they inherit regardless of type and they'll just remove something if they don't need it, so even though it's a little more work up front to change the ownership to a different user it will save you some cleanup down the road.
... View more
10-25-2017
01:50 PM
I'm not sure how search quotas would apply to scheduled searches owned by "nobody", if there's a lot then it's possible that they could all be treated as one user from the scheduler's perspective, but I haven't actually seen that problem happen. I prefer to change them to a new user so there is clear ownership, especially if an app is being used by multiple teams and I need to have some idea of who owns which content within it.
Changing ownership to a new owner also forces the teams who should be responsible for the content to evaluate whether they still need it and avoid duplicating it rather than just having it sit in the environment forever after the original owner leaves because no one takes responsibility for it. I have heard mentions of performance problems caused by large local.meta files due to entries for old/unused content, so forcing cleanup and clear content ownership is probably a good thing.
You should also note that if you're looking specifically at cases where knowledge objects were orphaned due to the user being removed, there is now an option to reassign ownership through Splunk Web which seems a lot less painful than doing it in local.meta, but I haven't tried it myself yet.
If you're changing local.meta directly, the debug/refresh REST endpoint should work, but it wouldn't be a bad idea to check after hitting it that the ownership did actually change.
... View more
10-25-2017
01:40 PM
2 Karma
I'm going to assume that you are going to be building new indexers rather than clustering your existing ones. If that is the case, you would need to start by building your cluster master and new indexers.
For your search heads you will need to setup the new search head cluster with the deployer and get it searching both the new indexers and the old indexers, assuming your current 2 aren't going to become part of your cluster. It's especially important to move the search heads first if you are also upgrading Splunk versions on this move since the search heads have to be either the same or a higher version than the indexers. Then, you'll want to copy over the default app directories from your old search head to the deployer and push them out, but be very careful not to include out of the box apps like "search" in that push. The local app directories are best setup by copying them to each cluster member so that users will be able to delete their own content. If you push them from the deployer, the cluster members will see them merged into default from the deployer, so users wouldn't be able to delete their own content and some don't like that.
For the user level directories on the search head, I just copied them to each SHC member because we're using LDAP, but if you have locally defined users you'd likely want to treat that migration similarly to the app migration in which you define default content on the deployer and local on each cluster member.
Next, make sure your new indexers are setup with the same input and parsing configurations as your old ones. Then, you have 2 options, and the best one for you will depend on your comfort level and the tolerance for a complete outage of indexers in your environment.
Option 1:
Have your forwarders start sending new data to your new indexers. After you flip your forwarders, take a good look at your old indexers to make sure they are not still taking in data. Once you're sure they aren't, restart all of them to roll any hot buckets to warm. Then you should be able to use the guide at https://docs.splunk.com/Documentation/Splunk/7.0.0/Installation/MigrateaSplunkinstance to actually move the data. Note that the legacy buckets won't replicate, if that is a huge concern you might want to consult with professional services since they do have some methods of making those buckets replicate anyway. As the data is activated on the new servers, you should take down the old servers that the data came from to prevent duplicates from being returned in the search results.
Option 2:
Take your old indexers offline, follow the migration instructions linked above, bring up your new indexers, then have your forwarders redirect to the new ones. This is simpler to implement but results in more downtime. You could theoretically reduce the downtime by doing an rsync in advance, then a second rsync during the change window just for the updates.
After that, since you are going from 2 indexers to 3, you would want to rebalance your cluster so that the buckets are being searched evenly across the indexers. Otherwise the 2 that got the migrated data would be getting most of the load.
Now, if you are looking to migrate your existing indexers into a cluster rather than building new ones, you'll want to check https://docs.splunk.com/Documentation/Splunk/6.6.3/Indexer/Migratenon-clusteredindexerstoaclusteredenvironment for guidelines on how to do that. You'll still need to address your search heads first if you are upgrading to a newer version.
... View more
09-02-2017
04:34 AM
Just want to note that this search will only show an accurate breakdown by source if your combination of indexes, sourcetype, sources, and hosts is below the "squashing threshold". Index and sourcetype are guaranteed to remain accurate with a large number of combinations but the others are not. See this answer for some more details.
... View more
09-02-2017
04:25 AM
I hope you found something for the actual routing in the time since you asked this, or would request to see any relevant events in your splunk.d log related to that config, but I also wanted to put a word of warning out there on TCP syslog forwarding from your indexers.
If your syslog destination is down, what will happen? Is the IP you put in there actually a VIP that will always point to an active syslog destination?
If not what I've seen happen in scenarios when a TCP syslog destination is down, Splunk continues to hold the data destined for it in it's internal queues. Over time, which is relatively short for a high volume of data the queues all fill up and eventually result in the indexer being blocked and unable to return search results. As the forwarders redirect to other indexers, they start taking the rest down too.
While I hear there's also some settings that could change the behavior of whether splunk continues to hold the data in queue while waiting on the TCP response, we've also switched to UDP syslog forwarding to prevent a problem on the destination from taking out our indexing cluster again.
... View more
09-01-2017
04:44 PM
This was the advice I'd gotten and implemented to move into a search head cluster. In my case it was standalone to cluster but these steps should still accomplish what you're looking for.
Put only the default directories of the apps from your old environment on the deployer. Make sure you do not inadvertently put the search app on the deployer, trust me when I say the results are not pretty if you do and that gets pushed.
Push the bundle from your deployer.
Copy the users directory and the local directories of the apps to each search head cluster members. This way, since they're not defined on the deployer, users will be able to delete them and fully manage their own objects.
Do a rolling restart to apply those local and user updates.
... View more
09-01-2017
04:18 PM
What OS is your Splunk instance running on? If you installed it by untarring the app in etc/apps rather than a UI upload, I'd double check the file permissions and ownership within that app.
... View more
09-01-2017
01:42 PM
If you're using Splunk cloud, I think they generally manage settings that aren't configurable via the GUI. That said, I haven't heard of customers having to worry about disk utilization on their Splunk cloud indexers. You might want to engage support to inquire about those settings or see if you even need to worry about the infrastructure disk utilization when using their managed service.
... View more
- « Previous
-
- 1
- 2
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
