×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
smithy001
Explorer
Member since: ‎07-04-2018
3 weeks ago
Community Statistics
Posts 14
Solutions 0
Karma Given 0
Karma Received 2
Member Since ‎07-04-2018
Activity Feed
View All

Re: Revisiting REGEX to extract domain name from a...

by in Splunk Search
3 weeks ago
1 Karma
3 weeks ago
1 Karma
I know this is a very old post but here's a simple solution via spl at search time. Just split using "." and then use mvindex to extract the components. | eval host=mvindex(split(fqdn, "."),0) | eval domain=mvindex(split(fqdn, "."),1) | eval org_type=mvindex(split(fqdn, "."),2) | eval country=mvindex(split(fqdn, "."),3) Hope someone finds this useful Cheers   ... View more

Re: Postgtres binary vulnerabilities - is it safe ...

by in Splunk Enterprise
‎01-20-2026 03:19 AM
‎01-20-2026 03:19 AM
Thanks both for your input. Sadly if the vulnerability is picked up we have to fix...that's CE+ for you and an IMSEC that don't listen to reason. I did check the advisory  https://advisory.splunk.com/advisories/SVD-2025-0603 "postgres package is removed from the $SPLUNK_HOME/bin directory to remedy CVE-2023-5869, CVE-2024-7348, CVE-2024-10979, and CVE-2025-1094" hence me asking if it was safe to remove.   ... View more

Postgtres binary vulnerabilities - is it same to r...

by in Splunk Enterprise
‎01-16-2026 02:23 AM
‎01-16-2026 02:23 AM
There seems to be a lot of vulnerabilities surrounding  the postgres binary shipped with Splunk Enterprise. I'm trying to track down a version of Splunk this is shipped without any issues. We're currently 10.0.1 but looking online shows that 10.0.2 has issues...if we go to 10.0.4 will we be safe ?? OR is it possible just to remove the binary [I've seen it recommended to fix CVEs] To my knowledge Splunk doesn't even use postgres. Any input gratefully recieved. Thanks in advance   ... View more
Labels

Re: rf/sf set to 1 for 2 site system.

by in Deployment Architecture
‎11-23-2023 05:07 AM
‎11-23-2023 05:07 AM
Thanks for that information ... View more

Re: rf/sf set to 1 for 2 site system.

by in Deployment Architecture
‎11-15-2023 01:02 AM
‎11-15-2023 01:02 AM
Thanks for that, as I stated rf/sf is 1 per site so total of 2 searchable copies due to costs.  I  want to know the best way to spread the buckets of an index over as many indexers as possible to get the best bandwidth out of the I/O sub-system. Cheers   ... View more

Re: buckets - hot/warm and cold on 2 separate volu...

by in Deployment Architecture
‎11-15-2023 12:58 AM
‎11-15-2023 12:58 AM
So rather than have 2 volumes just have 1 and use tiered storage so that you only need to monitor the usage at the storage system. Make capacity planning much easier and hardware tiering is far more efficient/performant as accessed data will be elevated to  a higher performance tier.    ... View more

Re: buckets - hot/warm and cold on 2 separate volu...

by in Deployment Architecture
‎11-10-2023 01:18 AM
‎11-10-2023 01:18 AM
Thanks for the reply...I understand the use of 2 separate volumes.   I was asking if anyone could see a situation where the cold [spindle] volume could become full whilst the hot/warm[ssd] still had capacity if both were sized the same... 6 months on SSD 6 months on spindle... ... View more

Re: rf/sf set to 1 for 2 site system.

by in Deployment Architecture
‎11-10-2023 01:13 AM
‎11-10-2023 01:13 AM
the actual config has not been decided yet.   I'm trying to find the best one to spread the buckets across the indexers. ... View more

buckets - hot/warm and cold on 2 separate volumes

by in Deployment Architecture
‎11-09-2023 02:57 AM
‎11-09-2023 02:57 AM
if we configure a fast volume for hot/warm and slower spindles for cold and set maxVolumeDataSizeMB to enforce sizes. can you see any situation where cold would file but hot/warm would still have space? ... View more
Labels

rf/sf set to 1 for 2 site system.

by in Deployment Architecture
‎11-09-2023 02:46 AM
‎11-09-2023 02:46 AM
I have a client creating a new system that will have 2 sites with rf/sf per site being 1 and the total rf/sf being 2. Each site will have 3+ indexers. My question is how this effects bucket distribution over the indexers if you leave maxbucket as the default of 3 and is there any performance implications They're going rf/sf as 1 due to disk costs. Thanks in advance ... View more
Labels

Re: How to add packages to Splunk Docker Container

by in Installation
‎01-17-2023 11:16 PM
‎01-17-2023 11:16 PM
I've got the same issue...tried everything I know on the unix front...did you ever find a solution for this as it's a bit of a show stopper as I want to install keepalived on universal for simple HA solution Cheers ... View more

Re: Upgrade Failing with OSError type 28

by in Splunk Enterprise Security
‎02-17-2022 06:42 AM
‎02-17-2022 06:42 AM
Had the same issue. Cleared /tmp down and worked fine... Can only assume splunk GUI loads to /tmp ... View more

Re: Splunk 8.0 upgrade has no web server running

by in Security
‎11-27-2019 05:15 AM
‎11-27-2019 05:15 AM
v 7.3.1 to 8.0.0 [patched locally with datetime.xml fix] 4 node SH cluster with 6 node [2 sites] index cluster The readiness app seems to stop @ the culprit app and not scan any further!!!! We removed the *NIX app and the Tenable[Nessus] one and all it all started fine and dandy under version 8. ... View more

Re: Jenkins Plugin fails to install

by in All Apps and Add-ons
‎07-04-2018 05:38 AM
1 Karma
‎07-04-2018 05:38 AM
1 Karma
We had the same problem because the app was renamed from splunk_app_jenkins to SA-Jenkins on the Search Heads to align with our in house naming convention renamed back to splunk_app_jenkins restarted the search heads and all worked fine.... , ... View more
Contact Me
Online Status
Offline
Date Last Visited
3 weeks ago
Karma from
View All