06-19-2018
12:51 PM
https://docs.splunk.com/Documentation/Splunk/7.0.3/Report/Embedscheduledreports
"Embedded reports do not have all the features of reports as viewed in Splunk Web. For example, embedded reports do not have drilldown functionality, support for workflow actions, table sorting, or field expansion. When embedded reports display table visualizations, those tables are limited to 10 rows. "
05-23-2018
02:25 PM
Check to see whether you've supplied a timerange in the scheduled search. This is a common mistake -- a missing timerange. Without a timerange, Splunk attempts to run the search across "All Time".
05-23-2018
02:21 PM
We have high cardinality data -- virtually every event is unique except for a small percentage of cases that we care about. So we're finding that we have to count the unique ids and track them somehow in order to find the duplicates. It's just not feasible in Splunk when we have millions of events per minute.
Example:
search | stats count by unique_id | where count>1
(Millions of events per minute, results in a few hundred events where count>1). Summary indexing is not really a solution here since the unique_id could cross time/minute boundary.
04-09-2018
12:03 PM
4 Karma
It seems like mafisher has posted the resolution for this issue. We upgraded to version 7 and had the same issue with failed email alerts. Splunk should have documented this change to capabilities in the README.
02-21-2018
03:56 PM
1 Karma
Hey all, apparently this was resolved in 6.4.3 .. and in 6.6 reassignment can be done (by admin) in UI.
02-05-2018
04:50 PM
After dealing with this for a few years, it turns out that when a dc(field) causes an out-of-memory forceful termination, just refactor the query to use:
... | stats count by field | stats count
The tradeoff here is that this type of search will consume more disk; however, a reasonable amount of memory will be consumed, which is less likely to cause the search to be forcefully terminated due to memory. The new risk now is possible termination caused by exceeding the disk quota allocated for the search.
02-02-2018
08:56 PM
This is web and api. There is currently no distinction between the two.
02-02-2018
02:17 PM
Yeah, estimate is not ok, and in the case where it is, estdc can be used. Depending on the data set, sometimes it works and other times it still fails due to splunkd being forcefully terminated.
02-02-2018
02:11 PM
I've also seen this happen with improperly formatted lookup files where there are missing columns.
Internally, you could search:
index=_internal source="/opt/splunk/var/log/splunk/splunkd.log" lookup table invalid
02-01-2018 15:41:44.309 -0800 WARN SearchOperator:inputcsv - sid:searchparsetmp_741145440 The lookup table 'mylookup.csv' is invalid.
In this case the lookup file was missing a first column, e.g.
,field2,field3,field4
,cod,fish,tiger
,worm,bat,mouse
01-31-2018
10:07 AM
*Forcefully terminated search process with sid=1517416303.2383_ABC123 since its physical memory usage (36521.336000 MB) has exceeded the physical memory threshold specified in limits.conf/search_process_memory_usage_threshold (32768.000000 MB).*
Does anyone have a solution for this issue where using stats dc(field) results in forceful termination of the search? I cannot raise the memory allowance any higher (currently 32 GB), which risks our searcher going down when a user runs this type of query.
Obviously, it is caused by higher distinct counts, but there is nothing unreasonable about the query.
Surely, Splunk has seen this many times and has a solution?
Is there some additional configuration that will allow us to workaround the high memory consumption for this type of search?
01-24-2018
12:41 PM
Stats can be used to get the most recent X value of Y, for example:
| stats latest(x) by y
How do I get the most recent 2 values of X by Y, for comparing the change in the value of X?
01-11-2018
03:40 PM
It looks like it can be done relatively easily based on the 6.x dashboard examples.
<dashboard>
  <label>Drilldown URL Field Value Clone</label>
  <description>Configure drilldown to redirect users to the URL value of the referer field.</description>
  <row>
    <table>
      <search>
        <query>index=_internal http:// | head 50 | table _time user referer</query>
        <earliest>-24h</earliest>
        <latest>now</latest>
      </search>
      <option name="count">10</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">cell</option>
      <option name="rowNumbers">false</option>
      <option name="wrap">true</option>
      <drilldown>
        <!-- clicking a referer cell redirects to that cell's value; |n leaves the URL unescaped -->
        <condition field="referer">
          <link>$click.value2|n$</link>
        </condition>
        <!-- clicking a user cell searches for that value; the /search? path is assumed, the original post had a bare space before q= -->
        <condition field="user">
          <link>https://www.google.com/search?q=$click.value2$</link>
        </condition>
      </drilldown>
    </table>
  </row>
</dashboard>
01-11-2018
03:02 PM
Do you have an example of how this can be done using Simple XML? I'm familiar with the overly complicated way that it is done using Advanced XML.
01-11-2018
02:48 PM
I understand that this can be done using Advanced XML. Does the current version of Splunk allow us to do this more easily, using Simple XML?
08-30-2017
10:26 AM
1 Karma
I'd like to grant a user access to a dashboard. He does not need to run searches, just view a dashboard I created with pre-scheduled searches populating the panels.
08-25-2017
01:23 PM
Unfortunately, it appears that wildcards are not supported in default.meta.
08-22-2017
01:30 PM
1 Karma
I discovered that if you set the owner in the main stanza, it prevents any user (other than the specified owner) from sharing that object at the app-level.
08-22-2017
10:49 AM
Does anyone know whether wildcards will work in the default.meta? Trying to avoid having to update the file when new objects are created.
E.g.
[lookups]
access = read : [ * ], write : [ admin, power ]
export = none
[lookups/lookup*]
access = read : [ * ], write : [ admin, power ]
export = none
owner = admin
So if I create a new lookup file with name starting with "lookup", it will automatically be owned by admin with proper permissions.
07-31-2017
05:14 PM
2 Karma
One of Gareth's answers worked for me:
| rest "/services/admin/introspection--disk-objects--summaries?count=-1" | stats sum(total_size) by name | addcoltotals
06-16-2017
02:29 PM
I'm looking to obscure data by randomizing text. Does anyone have a simple way to do this against a field in Splunk? Let's assume that I'm doing this to export the data sample. I could eliminate the field altogether, but would like a randomized placeholder, vs just using eval of a fixed value or using random() which is numeric.
05-31-2017
10:19 AM
Thanks 🙂 It worked. To be clear this doesn't prevent the field extraction from being created. Users can still create their own private extractions, they just will not be able to share them.
[props]
export = system
access = read : [ * ], write : [ admin ]
[transforms]
export = system
access = read : [ * ], write : [ admin ]
05-31-2017
09:46 AM
1 Karma
No.
According to Splunk support and documentation, per-user search history replication does not work and setting the "config_replication_include.history = true" does nothing.
CIR-201: Replicating per-user search history under search head clustering
http://docs.splunk.com/Documentation/Splunk/6.5.3/DistSearch/HowconfrepoworksinSHC
"Note: The cluster does not replicate user search history. This is reflected in the default server.conf file, which includes the line, conf_replication_include.history = false. Changing that value to "true" has no effect and does not cause the cluster to replicate search history."
05-31-2017
09:45 AM
1 Karma
According to Splunk support today, per-user search history replication does not work and setting the "config_replication_include.history = true" does nothing.
CIR-201: Replicating per-user search history under search head clustering