Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About twinspop
twinspop
Influencer
Member since:
06-09-2010
04-07-2021
Community Statistics
| Posts | 609 |
| Solutions | 72 |
| Karma Given | 384 |
| Karma Received | 232 |
| Member Since | 06-09-2010 |
Activity Feed
- Got Karma for Re: Why aren't defined field transformations showing in the GUI?. 09-09-2025 04:40 AM
- Got Karma for Re: Why is my log file sometimes ignored?. 05-19-2025 02:49 PM
- Got Karma for Re: How can I show the time of the last event in a stats by count table?. 12-11-2024 08:35 PM
- Got Karma for Re: Search to Identify when a host stops sending logs to Splunk. 10-09-2024 12:04 AM
- Got Karma for Re: Logging multiple sources from Docker with HEC: Are multiple sourcetypes possible?. 04-09-2024 06:41 AM
- Got Karma for Logging multiple sources from Docker with HEC: Are multiple sourcetypes possible?. 04-09-2024 06:41 AM
- Got Karma for Re: Logging multiple sources from Docker with HEC: Are multiple sourcetypes possible?. 04-09-2024 06:41 AM
- Got Karma for Re: How do I remove a dash (-) from the Account_Name field?. 02-22-2024 08:53 AM
- Got Karma for Re: How to configure props.conf for a Unix timestamp in a JSON log file?. 01-20-2024 09:06 AM
- Got Karma for Re: Why is my search head cluster captain logging KV Store replication errors?. 06-08-2023 12:21 PM
- Got Karma for Is there a way to convert a scheduled report to an alert? (6.6.3). 05-04-2023 03:51 PM
- Got Karma for Re: WinEventLog inputs: Why does current_only=1 skip server reboot events?. 03-15-2023 12:41 PM
- Got Karma for Re: How to change '_time'? _time is by default picking first alphabetical date column (Assigned) and doing +05:30. 09-30-2022 04:56 AM
- Posted Kafka add-on: Unable to initialize modular input on All Apps and Add-ons. 04-07-2021 07:52 AM
- Got Karma for Re: Is there any way to monitor CPU on Mac OS?. 03-20-2021 07:11 AM
- Got Karma for Re: With 8.1.2 or later should we still use an HEC tier on HWFs?. 03-08-2021 07:40 AM
- Posted Re: With 8.1.2 or later should we still use an HEC tier on HWFs? on Getting Data In. 03-05-2021 05:20 PM
- Posted With 8.1.2 or later should we still use an HEC tier on HWFs? on Getting Data In. 03-05-2021 05:19 PM
- Got Karma for Is there a way to convert a scheduled report to an alert? (6.6.3). 02-16-2021 11:23 PM
- Karma Re: Can you create/modify a lookup file via REST API? for 4n0m4l1. 12-15-2020 07:26 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
11-28-2017
08:52 AM
On the latest RHEL, when I run with RemainAfterExit set to false/no, internally generated restarts fail. Splukn just stops. Example, accessing the REST endpoint for system reload. Or if a deployment server delivers an app that is flagged for restart. I end up with no service running. If I set RemainAfterExit to true/yes, systemd completely loses track of splunk after any stop or internally generated restart. Neither situation is optimal.
... View more
11-27-2017
02:32 PM
I've created a new app for the busiest hosts to use with all 12 indexers listed instead of the single DNS entry. They are load balancing fine with this config. Still trying to figure out why they're limited to 3 entries on a DNS A list.
... View more
11-27-2017
02:19 PM
Done. Looks the same, which is to say, totally normal. All 12 hosts show up.
... View more
11-27-2017
01:42 PM
btool output is as expected. Aside from defaults:
[tcpout]
defaultGroup = prodDC1_indexers
[tcpout:prodDC1_indexers]
autoLBFrequency = 40
compressed = true
forceTimebasedAutoLB = true
server = myindexers.private:9997
useACK = true
The internal logs have literally zero mention of any other IPs. It's as if the SUF is only seeing 3 IPs. The 3 selected vary from SUF to SUF.
... View more
11-27-2017
01:12 PM
I have a DNS entry set up for my 12 indexers. Recently I noticed a large consumer was throwing my traffic balance out of whack. I did some checking around metrics and see that all his servers (and some others to boot) are only cycling through 3 of the servers in the DNS list. Running host myindexers.private returns the entire list on the Forwarders' systems. But they are sending to only 3 of the returned IPs.
I have 8000 forwarders. About 3% of them are impacted by this weirdness. I'm still trying to narrow down what the commonalities are. It is always exactly 3 out of the 12.
EDIT: with a few dozen different versions in play, interesting that only 6.6.0 - 6.6.3 is showing this. (I don't have anything newer than 6.6.3 in service.)
EDIT2: Confirmed, no other versions are experiencing the indexer drop. Only 6.6.1 and 6.6.3. Turns out I have no 6.6.0 nor 6.6.2.
EDIT3: There appears to be an issue with 6.6.1 and 6.6.3, at least, where the longer the forwarder runs, the fewer indexers it will even attempt to talk to. I can reliably reproduce this issue with fresh, very basic, minimalistic installs. I cannot reproduce on versions before 6.6.x. This is true whether i list all indexers in outputs.conf, or use a DNS A list. Ticket open, diags exchanged, waiting...
... View more
11-07-2017
07:14 PM
7 Karma
Splunk Support provided this solution:
on the SHC captain, splunk stop , then splunk clean kvstore --local , accept the scary warning message, and finally restart splunk. The errors have subsided and as far as I can tell, no damage was done.
Hope this helps a future admin.
... View more
10-30-2017
08:50 AM
I should say that i have many other collections running, with exactly the same creation procedure. None triggered this error repeating. That said, I added the configs you suggested above to this single collection via the REST API. Confirmed via btool. The errors continue.
... View more
10-30-2017
08:34 AM
Case 000466442
And also this question: https://answers.splunk.com/answers/515448/why-does-splunk-re-index-this-rolled-file-how-to-t.html
... View more
10-29-2017
05:51 PM
Except you can't trust Splunk's logic in ignoring log files it's already seen. I've had to disabled the monitoring of rolled files in almost all situations because we end up with duplicate logs. Splunk's support has been, to be blunt, useless with tracking this down. Really, super frustrating.
... View more
10-29-2017
05:48 PM
The collection was configured as above. No other settings applied. These are the defaults as far as I can tell:
[userid]
profilingEnabled = false
profilingThresholdMs = 1000
replicate = false
replication_dump_maximum_file_size = 10240
replication_dump_strategy = auto
type = undefined
... View more
10-27-2017
01:48 PM
1 Karma
The log is repeating at sub-second intervals:
2017-10-27T20:44:53.389Z I REPL [ReplicationExecutor] Error in heartbeat request to shccaptain:8191; InvalidReplicaSetConfig Our replica set configuration is invalid or does not include us
The kvstore appears to be healthy otherwise.
> curl -sku admin:password https://shcmember:8089/services/server/info | grep -i kv
<s:key name="kvStoreStatus">ready</s:key>
> curl -sku admin:password https://shccaptain:8089/services/server/info | grep -i kv
<s:key name="kvStoreStatus">ready</s:key>
What's the problem? What's the fix?
EDIT: The error started after creating a collection by running this curl command:
curl -ku admin -d name=userid https://shcmember:8089/servicesNS/nobody/alpha_search/storage/collections/config
... View more
10-18-2017
04:51 PM
Nice. I mean, this still seems to be a bug to me, but nice workaround. :thumbs-up:
... View more
10-16-2017
11:04 AM
The CM shows all healthy. It looks like the error (displayed on the SHC) was old. I have deleted it and it hasn't returned.
... View more
10-16-2017
08:16 AM
Indexer was running normally yesterday. We offlined it, and after maintenance, rebooted it. When it came back up, it had a new IP because reasons, and joined the cluster with the new IP. After realizing what happened, and much troubleshooting with my NOC, they got the right IP in place and I offlined/rebooted again. Everything looked normal, but I'm seeing this error today:
Search peer dc1prsplixap08 has the following message: Failed to register with cluster master reason: failed method=POST path=/services/cluster/master/peers/?output_mode=json master=DC1PRSPLDP01:8089 rv=0 gotConnectionError=0 gotUnexpectedStatusCode=1 actual_response_code=500 expected_response_code=2xx status_line="Internal Server Error" socket_error="No error" remote_error=Cannot add peer=11.1.136.166 mgmtport=8089 (reason: Peer with guid=C395587E-CB3A-4492-8662-71AFD3002A89 is already registered and UP). Make sure pass4SymmKey is matching if the peer is running well. [ event=addPeer status=retrying AddPeerRequest: { _id= active_bundle_id=F24FD19BC912B3FE530FB3917ED1B287 add_type=Initial-Add base_generation_id=0 batch_serialno=1 batch_size=20 forwarderdata_rcv_port=9997 forwarderdata_use_ssl=0 last_complete_generation_id=0 latest_bundle_id=F24FD19BC912B3FE530FB3917ED1B287 mgmt_port=8089 name=C395587E-CB3A-4492-8662-71AFD3002A89 register_forwarder_address= register_replication_address= register_search_address= replication_port=9000 replication_use_ssl=0 replications= server_name=dc1prsplixap08 site=default splunk_version=6.6.0 splunkd_build_number=e21ee54bc796 status=Up } ].
Linux, Splunk version 6.6.3
... View more
10-12-2017
11:08 AM
Spent all day yesterday trying to figure out why a client's logs weren't indexing. Most of the time I had no access to the server in question, so I was simply troubleshooting from internal logs, configs, and the sporadic logs that would show up briefly after a restart.
Finally, when I was just about to throw in the towel, I started poking around directories above the target files. The monitor line had an asterisk at this point in the path, so even though most other dirs didn't match further down the line, Splunk had to check them. Several of them had 100k+ files in them. So Splunk was stuck trying to read these dirs. Even performing just an ls | wc -l took over 10 minutes on a few of them.
I can find big directories with something like this and send it into Splunk for alerting:
find /path -size +100k -type d
Adjusting the size requirement as needed. Is there a better way to avoid these landmines?
Thanks,
Jon
... View more
08-29-2017
08:07 AM
I downvoted this post because not answering the question. extra search commands are not leading to the subject at hand: how to change a report to an alert in 6.6
... View more
08-29-2017
07:59 AM
If you're not running 6.6.x you don't understand. For REPORTS there is only an option to send an email when the report runs. Period. There is no qualifier for number of results returned, custom eval, or anything else. Even with "where count>0" i will still get email on every run regardless of results. In 6.6 REPORTS are inherently different from ALERTS and I don't see anyway to convert one way or the other.
... View more
08-29-2017
06:26 AM
No, the interface is totally different. If you have 6.6.x you will see.
... View more
If a saved search is initially created as an alert, I get the option to "Edit alert". But if it's saved as a report, that option is not there and Edit Schedule does not offer the same options. I can't see any way to modify a report to have a conditional alert. I can schedule a report. And I can assign an email action to a report. But the GUI offers no way to assign a conditional action to a report. In order to get the conditional verbiage, I have to recreate the saved search explicitly as an alert. Or edit config files directly.
The new paradigm of reports vs alerts is not ... handy. Maybe I'm just not used to it.
v6.6.3, Linux
... View more
08-28-2017
11:09 AM
Confirmed. As of 6.6 the SHC app bundle should include indexes.conf that lists all available summary indexes.
... View more
08-28-2017
10:25 AM
It looks like you have to explicitly define all potential summary indexes on the SHC.
... View more
08-28-2017
10:05 AM
In the re-write of the searches and reports interface, they've moved summary indexing to its own menu item under Edit.
Something else has changed though. The dropdown list for which summary index to use has been truncated. How do I control this? In 6.5.3 it listed all my indexes, about 150. It now has 3 or 4. I've yet to figure out why these get listed.
... View more
08-23-2017
09:04 AM
1 Karma
Old reply: Yeah, I see the HEC dashboards. But they simply say "You currently have no tokens configured" which is not correct. I don't see anything in the MC setup that references HEC.
Assuming I can get it working, this looks like a good place to start. Thanks.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
04-07-2021
02:44 PM
|
