×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
larshaugan
Explorer
Member since: ‎06-11-2018
‎06-05-2020
Community Statistics
Posts 3
Solutions 1
Karma Given 0
Karma Received 2
Member Since ‎06-11-2018
Activity Feed
View All

Re: In Splunk hec, what should you check if you c...

by in Getting Data In
‎06-19-2018 11:31 AM
2 Karma
‎06-19-2018 11:31 AM
2 Karma
There are additional configuration that is needed to use fields in some cases. The data is automatically indexed (without the need for props and transformations on the HF/peer), but to be able to utilize the data configuration is needed at the SHC. With a configuration that is incomplete it will be possible to view the field while searching, but not possible to search with the field specified. The following steps helped resolve the issue: First check that the events actually are indexed: |tstast count where index=* k8s_node="node01.domain.tld" . If count > 0 the field is indexed (and you have access to it). search index=* k8s_node="node01.domain.tld" would still show 0 events. Then on the searchhead cluster you need to specify that the field you are looking for is an indexed field. This is done in fields.conf . [k8s_node] INDEXED = true If you are using a shdeployer (or another app on the searchhead for configuration rather than system ) you must ensure that metadata/default.meta contains the following. [fields] export = system Additional search time extraction will need to be specified in props.conf with settings like KV_MODE=auto depending on your source/sourcetypes This will allow you to search for fields with field=value rather than field::value like described in https://docs.splunk.com/Documentation/Splunk/7.1.1/Data/IFXandHEC#Search_for_index-extracted_fields ... View more

In Splunk hec, what should you check if you canno...

by in Getting Data In
‎06-19-2018 09:41 AM
‎06-19-2018 09:41 AM
With Splunk HEC it is possible to send a HTTP POST with Json payload to services/collector/event . This supports the fields Json key, that enables you to add additional data to an event that is not present in the _raw (or event) data. Given the following json payload you should be able to search search index=* k8s_node="node01*" : { "event": "datadata", "fields": {"k8s_node":"node01.domain.tld", "k8s_namespace","namespacename"}} However when searching for fields that are not present in the _raw data, the search will not give you a match, and you will not be able to match searches to the items in the fields key. What could be done to resolve this? ... View more

Re: BucketSummaryProcessor - Timed out waiting for...

by in Reporting
‎06-13-2018 12:12 AM
‎06-13-2018 12:12 AM
What mitigated this problem for us, was to add acceleration.backfill_time to all accelerated data models (under the DM stanza in datamodels.conf). Set this to <= acceleration.earliest_time . (I assume this is only a issue with 7.1.1). ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma from
View All