Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About leekeener
leekeener
Path Finder
Member since:
04-09-2018
02-06-2025
Community Statistics
| Posts | 25 |
| Solutions | 2 |
| Karma Given | 3 |
| Karma Received | 9 |
| Member Since | 04-09-2018 |
Activity Feed
- Karma Re: Why is KV Store certificate renewal not working? for helge. 02-02-2024 11:35 AM
- Posted KVStore error after upgrade to 9.0.1- Stand alone commands on Splunk Enterprise. 10-19-2022 10:26 AM
- Tagged KVStore error after upgrade to 9.0.1- Stand alone commands on Splunk Enterprise. 10-19-2022 10:26 AM
- Got Karma for Re: Dashboard Studio Line chart, how to remove circles?. 08-02-2022 01:35 AM
- Got Karma for Dashboard Studio Line chart, how to remove circles?. 08-01-2022 06:52 AM
- Got Karma for Re: Dashboard Studio Line chart, how to remove circles?. 08-01-2022 06:51 AM
- Got Karma for Re: Dashboard Studio Line chart, how to remove circles?. 06-22-2022 11:25 AM
- Got Karma for Re: Dashboard Studio Line chart, how to remove circles?. 06-22-2022 11:25 AM
- Got Karma for Re: Dashboard Studio Line chart, how to remove circles?. 04-28-2022 08:43 AM
- Posted Re: Splunk removes data from Index, how to set size limit only for index? on Getting Data In. 03-11-2022 07:03 AM
- Posted Re: Splunk removes data from Index, how to set size limit only for index? on Getting Data In. 03-11-2022 05:52 AM
- Posted Re: Splunk removes data from Index, how to set size limit only for index? on Getting Data In. 03-04-2022 05:51 AM
- Posted Re: Splunk removes data from Index, how to set size limit only for index? on Getting Data In. 02-07-2022 05:57 AM
- Karma Re: Splunk removes data from Index, how to set size limit only for index? for isoutamo. 02-07-2022 05:57 AM
- Posted Splunk removes data from Index: How to set size limit only for index? on Getting Data In. 01-19-2022 12:51 PM
- Tagged Splunk removes data from Index: How to set size limit only for index? on Getting Data In. 01-19-2022 12:51 PM
- Posted Index events being removed somehow on Splunk Enterprise. 09-28-2021 12:02 PM
- Tagged Index events being removed somehow on Splunk Enterprise. 09-28-2021 12:02 PM
- Tagged Index events being removed somehow on Splunk Enterprise. 09-28-2021 12:02 PM
- Posted Re: Dashboard Studio Line chart, how to remove circles? on Dashboards & Visualizations. 09-08-2021 08:24 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 |
10-19-2022
10:26 AM
I just went through this so posting here as I could not find the commands to fix it and had to open a ticket with support. Root cause was one of my servers had the server.pem certificate expired. This prevented the KV Store upgrade from working during the upgrade. This was on a windows heavy forwarder. Those are standalone, all the docs have commands for a SH cluster. So here are the standalone commands, hoping this helps someone. Took me a while to get them out of support.
./splunk migrate kvstore-storage-engine --target-engine wiredTiger
./splunk migrate migrate-kvstore
./splunk show kvstore-status --verbose
Thanks,
Lee.
... View more
Labels
- Labels:
-
administration
-
installation
-
upgrade
03-11-2022
07:03 AM
Hold the phone. I just found where volume:hot was being defined. We used Splunk services to setup our implementation in 2016 and she created a separate app for volume index management that I have never opened. It has an indexes.conf with only two stanzas for hot and cold volume and only two parameters each. In it, volume:hot maxVolumeDataSizeMB set to 650GB. I have adjusted this to match my free NVMe space on each indexer (7.5TB) and am going to reload. Hoping I finally have found it.
... View more
03-11-2022
05:52 AM
So I am still seeing the data loss. I was able to find it in _internal as well. Here is my indexes.conf stanza for this index: # SCADA related indices [escadahist] homePath = volume:hot/escadahist/db coldPath = volume:cold/escadahist/colddb thawedPath = $SPLUNK_DB/escadahist/thaweddb maxDataSize = auto_high_volume maxHotBuckets = 10 maxWarmDBCount = 10000 maxTotalDataSizeMB = 500000 enableTsidxReduction = false After setting the above I clean the index and reset the rising counter in my DBConnect input to reload everything. 45 minutes into reloading I see the following in _internal: 03-02-2022 23:27:01.088 -0500 INFO BucketMover [7660 IndexerService] - idx=escadahist Moving bucket='db_1613378370_1587632768_210', starting warm_to_cold: from='/splunk/var/lib/splunk/escadahist/db' to='/splunkcold/escadahist/colddb, caller='trimVolume', reason='volume size for warm storage exceeded' And I see the size of the index be reduced, age of data be reduced, it is removing data again. I have opened a support ticket but they are not helpful. Does "caller='trimVolume'" hold a piece to the puzzle???
... View more
03-04-2022
05:51 AM
I tried the suggested settings with no change, it still removes events. I have opened a ticket with Splunk support. I will post the resolution here. Cheers, Lee.
... View more
02-07-2022
05:57 AM
Thanks for your answer. I will try these and reload the index. I will update this thread with the results.
... View more
01-19-2022
12:51 PM
I work at a utility and we have an index that contains SCADA events from the electric system. We have data that goes back to 2015. There are a very large number of total events (1.8 billion or so). I had an engineer trying to trend some voltages over a long time period and it was discovered that Splunk had removed all of the events before 8/1/2020. I cleaned the index and added enableTsidxReduction=false. I then cleaned and reloaded the index and it appears it has removed events prior to Jan 1 2017 this time. The total size of this index is only around 60GB, The SQL database we are loading it from is 100GB total, these events are only two tables. We use DB Connect with a rising column for loading. MSSQL to dedicated SCADA index. Two inputs, one for each table.
I would like for size to be only factor controlling when data leaves the index, I would also prefer for buckets to only be hot and warm, cold is on a much slower storage system and we have plenty of hot/warm space. what is the conf file settings that achieve this?
I have found the spec for indexes.conf and it is very daunting, I have scrolled down through it and it is hard for me to understand what is the right settings to use. Is there a guide somewhere that outlines the behavior and cotnrols for index data management?
We run a distributed system with two indexers on 8.2.3
Thanks for the help.
Lee.
... View more
Labels
- Labels:
-
index
09-28-2021
12:02 PM
I work for a utility company and, among many things, we have an index for some environmental and system totals. This index is used to to compute yesterday's sales and compare to same day last year, we also do some calculations for one year to date compared to previous year to date. This means that the dashboards may access events two years old. The data is a single event per day, going back to 1995. After loading the data (Which is via DB Connect, from SQL table) everything is great for a while and then one day the data up until about 18 months ago is gone. I am guessing it is being rolled to frozen via some kind of default. What setting should I use to keep all the data in the index and searchable?
... View more
Labels
- Labels:
-
troubleshooting
09-08-2021
08:24 AM
Here is an example with showMarkers false
... View more
09-08-2021
08:18 AM
5 Karma
I finally found it in an example, "chart.showMarkers": false/true, Maybe this helps somebody.
... View more
09-07-2021
08:44 AM
1 Karma
Howdy, I have searched through the settings and can't seem to find out the parameter needed to disable the little circles in the new Line chart, what am I missing? The circles are quite jarring compared to what my dashboards used to look like. I can't imagine that they aren't configurable?? New chart: Old chart
... View more
- Tags:
- line chart
Labels
- Labels:
-
chart
-
Dashboard Studio
09-10-2020
06:38 AM
We have a couple of good use cases for Splunk mobile and Splunk TV so I am experimenting with it to understand the care and feeding. For a Splunk mobile user to see what they should only be allowed to see I register their device with their username and password. We use AD LDAP Auth. We require 90 day password changes. When this change rolls around and password is changed the Splunk mobile app is broken and must be re-registered. I've seen similar behavior with Splunk TV however use of a service account there is possible so can be mitigated if necessary. How are other people working around this? Currently this would be a nightmare if I tried to roll it out. Thanks for your help. Lee.
... View more
Labels
- Labels:
-
administration
01-23-2020
11:07 AM
I figured this out and you will not believe what it was. The fix was to use strptime and format it to show AM and PM, the 12:xx times were PM, not AM. I was quite amused by how the data was just so to prevent this from being a question you'd ask. Thanks for everyone's help.
... View more
12-31-2019
10:54 AM
Thanks for the help. I agree with everything you said yet I am getting these results: Most recent event should be the 1:34am one. I use a similar search in a bunch of reports so there was some superfluous stuff. A more concise search is at the bottom, this produced the results below.
2019-12-30 12:51:24 RH31B CLOSE-OPEN
2019-12-30 12:50:08 RH31B CLOSE-OPEN
2019-12-30 12:49:28 RH31B OPEN
2019-12-30 12:49:24 RH31B OPEN-CLOSE
2019-12-30 01:43:01 KR12B CLOSE
2019-12-30 01:42:18 KR12B OPEN
2019-12-30 01:42:16 KR12B OPEN-CLOSE
2019-12-30 01:35:12 KX12B OPEN
2019-12-30 01:35:09 KX12B CLOSE
Search:
sourcetype=escada_message breaker=* AND NOT DELETED AND NOT ACKNOWLEDGD
| eval uncmdops=if(operation == "OPEN" OR operation == "CLOSE" OR operation == "OPEN-CLOSE" OR operation == "CLOSE-OPEN" OR operation == "OPEN-CLOSE-OPEN" OR operation == "CLOSE-OPEN-CLOSE", 1, 0)
| search uncmdops>0
| sort - _time
| table _time breaker operation
... View more
12-31-2019
10:42 AM
I would love to share a screenshot, however I don't see how to do so. I can provide a link to an image, but I've no means to host the image for linkiing
... View more
12-31-2019
07:42 AM
I have a search results I want to show in a table. I noticed that the events were not sorted by time so I added the sort _time desc. I just noticed that the time is still off as 12:00 is coming before 01:00 times. What is the fix for this? Should I not be using a table? I like how it formats the results, maybe there is another way? Here is the whole serach, this is on some Electric SCADA data to show uncommanded breaker operations.
sourcetype=escada_message breaker=* AND NOT DELETED AND NOT ACKNOWLEDGD
| eval cmdops=if(operation == "COMMAND TO CLOSE" OR operation == "COMMAND TO OPEN" OR operation == "CONTROL TO CLOSE" OR operation == "CONTROL TO OPEN", 1, 0)
| eval uncmdops=if(operation == "OPEN" OR operation == "CLOSE" OR operation == "OPEN-CLOSE" OR operation == "CLOSE-OPEN" OR operation == "OPEN-CLOSE-OPEN" OR operation == "CLOSE-OPEN-CLOSE", 1, 0)
| eval totalcmd= if(operation == "COMMAND TO CLOSE" OR operation == "COMMAND TO OPEN" OR operation == "CONTROL TO CLOSE" OR operation == "CONTROL TO OPEN" OR
operation == "OPEN" OR operation == "CLOSE" OR operation == "OPEN-CLOSE" OR operation == "CLOSE-OPEN" OR operation == "OPEN-CLOSE-OPEN" OR operation == "CLOSE-OPEN-CLOSE",1,0)
| eval errors=if(operation == "Clearance" OR operation == "FAIL*" OR operation == "OVERIDE*" OR operation == "SET*", 1, 0)
| search uncmdops>0
| sort - _time
| table _time breaker operation
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-06-2025
05:33 PM
|
