I didn't have any issues following the process for a clustered deployment here. I upgraded kvstore engine from mmap to WiredTiger on two clusters. We are running 8.2.3 at the time of this posting. I would recommend taking a backup of your kvstore then run through the migration process if that hasn't been performed yet. ... View more

To whoever might find this interesting. I've recently encountered with such issue after installing Dynatrace OneAgent chart in the same k8s cluster with Splunk. In my case I wasn't able to just delete the liboneagentproc.so file, so I had to uninstall Dynatrace chart and then delete /opt/oneagent directory in pod where Splunk runs. Link to upgrade notes: https://docs.splunk.com/Documentation/Splunk/8.2.1/ReleaseNotes/Knownissues ... View more

Thanks, yeah i was doing this mistake. ... View more

I just tested this on a standalone instance Splunk Enterprise v8.0.5   Set  %SPLUNK_HOME%\etc\system\local\server.conf [kvstore] storageEngineMigration=true Upgrade to v8.2.1 Success!    /opt/splunk/var/log/splunk/migration.log.2021-07-30: (only the relevant portion regarding kvstore migration) ===================================================================== Starting KV Store storage engine upgrade: Phase 1 (dump) of 2: ............... Phase 2 (restore) of 2: ...................Data sanity check completed successfully for all configured KV Store collections Successfully migrated to storage engine wiredTiger ===================================================================== (dev2) splunk@splnkhfvm-3hqdt:~ $ ./bin/splunk btool --debug server list kvstore | grep local /opt/splunk/etc/system/local/server.conf [kvstore] /opt/splunk/etc/system/local/server.conf storageEngine = wiredTiger /opt/splunk/etc/system/local/server.conf storageEngineMigration = true (dev2) splunk@splnkhfvm-3hqdt:~ $ ./bin/splunk show kvstore-status This member: backupRestoreStatus : Ready date : Fri Jul 30 12:19:36 2021 dateSec : 1627661976.923 disabled : 0 guid : 8297E92E-9E18-40DB-865C-54F7D9F82CBF oplogEndTimestamp : Fri Jul 30 12:19:29 2021 oplogEndTimestampSec : 1627661969 oplogStartTimestamp : Fri Jul 30 11:35:07 2021 oplogStartTimestampSec : 1627659307 port : 8191 replicaSet : 8297E92E-9E18-40DB-865C-54F7D9F82CBF replicationStatus : KV store captain standalone : 1 status : ready storageEngine : wiredTiger KV store members: 127.0.0.1:8191 configVersion : 1 electionDate : Fri Jul 30 11:35:07 2021 electionDateSec : 1627659307 hostAndPort : 127.0.0.1:8191 optimeDate : Fri Jul 30 12:19:29 2021 optimeDateSec : 1627661969 replicationStatus : KV store captain uptime : 2675 ​   So kvstore migration was a success when upgrading Splunk Enterprise from 8.0 to 8.2 in standalone mode.  Next step: Validate if this is true with SH Cluster upgrade as well.  ... View more

Hello Splunkers, I am trying my hand at building modular inputs using the Splunk AoB, and following the walk-through examples provided for REST API The tests performed while building the input worked and provided output in XML. The Interval is set for 300s. I have created one inputs, indexing data to one index. However, data is not indexed. There is some activity logged by the input in the _internal index as well. I have restarted Splunk, but no result as well. I have set my props and transform conf for extraction. The AoB docs do not mention anything about indexing data via the created Add Ons Can someone please help? Note: I am running the created Add-On on the same instance as the AoB.. does taht make any difference? Thanks in Advance!!! ... View more

Hi, There is an app on splunkbase named Alerts For Splunk Admins. Have you tried the app to find the slowness?   Regards Jan ... View more

Found this cool answer: https://answers.splunk.com/answers/697506/how-to-map-introspection-datasearch-propssid-to-th.html ... View more

You can do something like this to always add 72hours to your search from the timepicker (without modifying the timepicker at all): Your Base Search String Here [| makeresults | rename COMMENT AS "DO NOT CHANGE ANYTHING IN THIS SUBSEARCH SECTION!" | addinfo | rename info_min_time AS earliest, info_max_time AS latest | eval old_latest = latest | eval latest=relative_time(latest, "+72h") | table earliest latest | eval search="earliest=" . earliest . " latest=" . latest] | the | rest | of | your | search | with | pipes | here ... View more

We have encountered the same (a similar?) problem: The results shown under "reports" are not the most recent ones. We frequently see a sentence on top like "The following results were generated 7 days ago." while the most recent results were generated today (we can actually see them through "searches, reports and alerts" and clicking "View recent" for the correct scheduled search. This seems to be a bug of the "reports" view? Splunk version: 7.1.1 P.s. we áre working with indexed data. ... View more

Yes you can try that. ... View more

One way I figured out how to do this is using: | eval Week = strftime(strptime(_time, "%Y-%m-%d %H:%M:%S.%N"), "%V") strptime converts the _time [formatted in "%Y-%m-%d %H:%M:%S.%N"] to Unix epoch time. Then strftime extracts the week of year from the epoch time using "%V" The variable %V is not mentioned in the documentation. However, how do I declare custom weeks, if the business requirements are as such? ... View more

So we got around this particular problem using Scripted Input, with a python script running on a CRON schedule, executing the web query and ingesting the JSON response. This URL was not REST compliant, nor did the 3rd party tool have any such endpoints. Nevertheless, @niketnilay & @Damien Dallimore thank you for your help. 🙂 ... View more

Hi @kamlesh_vaghela the documentation states: Description Replaces null values with a specified value. Null values are field values that are missing in a particular result but present in another result. Use fillnull to replace null field values with a string. If you do not specify a field list, fillnull replaces all null values with 0 (the default) or a user-supplied string. The last sentence in bold is interesting. But your example is also quite good, which leads me to believe that either the documentation is unclear on this, and should be updated, or, this is a bug. ... View more