×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
DEngineer1
New Member
Member since: ‎03-06-2012
‎06-05-2020
Community Statistics
Posts 4
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎03-06-2012
Activity Feed
View All

Re: Connecting a standalone search head to only 1 ...

by in Deployment Architecture
‎05-05-2017 07:39 PM
‎05-05-2017 07:39 PM
Hi Guys, Thanks for the help. I did some testing last night and I realized that might it might not be the configurations that is causing the problem. Here my infrastructure setup: Indexer is on AWS Search head is a VM instance in my company. Search head is able to telnet to index's IP via 8089. TCPdump on the indexer show the traffic too. However the search head is not able to added the indexer as a search peer. So I went ahead and create another Search head in AWS. This AWS search head have no problem adding the AWS indexer. Not sure what is wrong with the Search head in my company. The search peer is added via https://xxx.xxx.xxx.xxx:8089, using IP so I think DNS resolution is not an issue. The Search head in my company is behind a firewall with NAT outgoing IP. The AWS indexer can only see the NAT IP of my company gateway. Any configurations I need to do? 😞 ... View more

Connecting a standalone search head to only 1 inde...

by in Deployment Architecture
‎05-05-2017 01:56 AM
‎05-05-2017 01:56 AM
Hi Guys, I'm trying to connect a standalone search head to only 1 indexer. It's a simple setup, however I just not able to find any documentations on it. I'm not sure if I'm doing it right, but I'm tried to add search peers but I got the following errors: 05-05-2017 10:30:02.232 +0200 WARN AdminHandler:DistributedSearchHandler - While attempting to add peer at uri=https://xxx.xxx.xxx.xxx:8089 , no http response was received with a Date header. Cannot check skew. 05-05-2017 10:30:02.232 +0200 INFO KeyManagerLocalhost - Sending public key to search peer: https://xxx.xxx.xxx.xxx:8089 05-05-2017 10:30:02.764 +0200 ERROR KeyManagerLocalhost - Error while sending public key to search peer: Connection reset by peer Could anyone point me in the right directions? Thank you. ... View more

Re: How to return the latest events where one fiel...

by in Splunk Search
‎05-16-2016 04:06 AM
‎05-16-2016 04:06 AM
Hey thanks for the recommendation, streamstats really give me the "light bulb" I was thinking this might work: "search"| sort + Serial | streamstats window=2 global=f current=t first(complete) as next_com, first(serial) as next_serial | fields serial, complete, next_serial, next_com | eval test=if(complete > next_com, serial, 0) | fields serial, complete, test | eventstats max(test) as m_test | where complete == 0 | where (serial > m_test) However I do not know is this an efficient search... Comparing to using sub-search, will this be a faster search? ... View more

How to return the latest events where one field is...

by in Splunk Search
‎05-15-2016 05:09 AM
‎05-15-2016 05:09 AM
Hi Guys, I have got a problem which I need to return results when 1 field is of a certain value BUT only after a certain event. Serial_No Complete 7 0 5 0 4 0 3 1 2 1 1 0 In the case above, I only need to return rows where complete==0 BUT only considering rows that are after complete==1 (so the row where Serial_No==1 is not considered) In the example above the results will be: Serial_No Complete 7 0 5 0 4 0 Any possibility to get the result without any subsearches? Thanks! ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM