×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
phoffman_splunk
Splunk Employee
Member since: ‎11-28-2012
‎06-05-2020
Community Statistics
Posts 30
Solutions 8
Karma Given 164
Karma Received 30
Member Since ‎11-28-2012
Activity Feed
View All

Re: knowledge bundle

by in Splunk Search
‎04-01-2025 01:11 PM
‎04-01-2025 01:11 PM
Excellent information and writeup, thank you for the verbose explanation! ... View more

Re: Search head returning no results from peer

by in Deployment Architecture
‎04-13-2021 02:12 PM
‎04-13-2021 02:12 PM
Thanks for this solution. it worked for me. I went ahead and made my Monitoring Console as standalone.  that fixed the issue.  ... View more

Re: Why some of our indexers stop listening on por...

by in Getting Data In
‎01-24-2017 11:24 AM
‎01-24-2017 11:24 AM
When I run the following - index=_internal host=x1209 group=queue blocked name=indexqueue | timechart count by queue I don't see the results matching the - index=_internal host=x1209 group=queue unblocked name=indexqueue | timechart count by queue Meaning, blocked versus unblocked. My problem is that only by bouncing Splunk, the 9997 port becomes open and it starts indexing. According to the License Usage - Previous 30 Days , this indexer hasn't indexed any data for three days until the bounce. ... View more

Re: Search Head Clustering: How to push config bun...

by Splunk Employee in Deployment Architecture
‎09-28-2015 11:47 AM
6 Karma
‎09-28-2015 11:47 AM
6 Karma
You should always allow Splunk to perform it's rolling restart process. But in the rare cases where it is necessary to control the restart process; you can run the following command (in it's entirety) splunk apply shcluster-bundle -action stage && splunk apply shcluster-bundle -action send This will bundle up the configs and push to the SHC peers; with no restart forced Then you can later run splunk rolling-restart shcluster-members from the captain to perform the restart of all peers. reference link:Control the restart process ... View more

Re: I upgraded to Splunk 6.2.2 and now get errors ...

by in Installation
‎10-28-2016 02:19 AM
‎10-28-2016 02:19 AM
No, it's a suggestion to update to the latest version, which is also the resolution to this issue. ... View more

Re: Why am I getting a server error on login page ...

by in Installation
‎04-30-2017 05:55 PM
‎04-30-2017 05:55 PM
had the same issue with splunk 6.5.3 in my case the problem was the firefox extension priv3+ ... View more

Re: How can I resolve this problem : The minimum ...

by Splunk Employee in Deployment Architecture
‎02-20-2015 08:53 AM
‎02-20-2015 08:53 AM
This topic is covered in the docs here: Set limits on disk usage ... View more

Re: bonnie++ -- anything Splunk Specific?

by in All Apps and Add-ons
‎12-20-2013 08:39 AM
‎12-20-2013 08:39 AM
That's fine -- thanks for the response -- I wanted to make sure I wasn't missing something obvious. Tim ... View more

Re: Upgrading to Splunk 5.0.6 from 4.2.3

by Splunk Employee in Installation
‎12-11-2013 11:22 AM
‎12-11-2013 11:22 AM
The documentation; will answer your question: http://docs.splunk.com/Documentation/Splunk/5.0.6/Installation/HowtoupgradeSplunk when upgrading to 5.0.x, going from 4.2.x is a supported path. Going to 6.x you have to be on 4.3+. There is also a list of things to consider and warnings on back ups before you update. The subtopics will answer questions around upgrade order for distributed environments and/or the order of forwarder upgrades in relation to your servers. ... View more

Re: TcpOutputProc Connection to ...... closed. Con...

by in Getting Data In
‎12-24-2013 02:20 AM
‎12-24-2013 02:20 AM
had the same problem, couldnt connect to indexer in windows for universal forwarder installation ( 5.0.4) please check the files in: path /SplunkUniversalForwarder/etc/system/local replace the config files under with those from: path /SplunkUniversalForwarder/ etc/ apps/Windows /local restart splunkforwarder: splunk restart it should get connected in splunk host i can see the forwarder has been connected and it has send logs. i had activated some advanced audit features. ... View more

Re: configuring splunk to start at boot time confi...

by in Splunk Search
‎06-27-2013 08:29 AM
‎06-27-2013 08:29 AM
I don't believe it's a change in a splunk .conf file. When you run the CLI that several people mentioned below, it will make an entry into /etc/init.d I believe. That's where you'd have to check, but you can't roll something out via the deployment server to that location. You may want to write a script that takes a list of hosts and runs the CLI on each host. ... View more

Re: Active Directory User Logon Failures

by in Getting Data In
‎05-07-2013 11:45 AM
‎05-07-2013 11:45 AM
Maybe I'm not explaining it right. The data is coming in tagged as "domaincontroller.domain", but I want it to be tagged as "domaincontroller". All the other data from the same domain controller, using the universal forwarder, is tagged as "domaincontroller". Why are the fields for the security stuff tagged differently? ... View more

Re: Not able to view my support cases

by Splunk Employee in Splunk Search
‎03-26-2013 07:00 AM
‎03-26-2013 07:00 AM
Only the Support team can look into that and fix for you. You will have to put in a ticket to Splunk support for that issue. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma from