Activity Feed
- Got Karma for Re: Is it safe to delete .bundle files ?. 12-10-2024 06:45 AM
- Got Karma for Re: Do I need to make outputs.conf for all apps?. 07-10-2024 08:08 AM
- Got Karma for Re: Couldn't determine $SPLUNK_HOME or $SPLUNK_ETC ,SETTING $SPLUNKHOME (LINUX). 07-25-2023 03:13 PM
- Got Karma for Re: Use of _indextime field in table or stats command. 04-06-2023 03:46 AM
- Got Karma for Re: How to avoid reindexing files after setting crcSalt=. 01-13-2023 08:44 AM
- Got Karma for Re: How to avoid reindexing files after setting crcSalt=. 12-21-2022 09:22 AM
- Got Karma for Re: Converting bytes to GB or MB. 11-21-2022 08:55 AM
- Got Karma for Re: How to increase the replication factor?. 08-31-2022 06:16 AM
- Got Karma for Re: How can we normalize our syslog host names?. 06-27-2022 09:18 AM
- Got Karma for Re: Why would an index have several hot buckets open at the same time?. 01-06-2022 04:06 PM
- Got Karma for Re: "Couldn't determine $SPLUNK_HOME, perhaps it should be set in environment". 08-28-2021 02:33 PM
- Got Karma for Re: How to avoid reindexing files after setting crcSalt=. 06-07-2021 09:15 AM
- Got Karma for Re: Couldn't determine $SPLUNK_HOME or $SPLUNK_ETC ,SETTING $SPLUNKHOME (LINUX). 06-04-2021 08:58 AM
- Got Karma for Re: Splunk etc app directories. 04-21-2021 01:32 PM
- Got Karma for Re: Is it safe to modify maxTotalDataSizeMB in a clustered environment (indexes.conf)?. 01-15-2021 12:43 AM
- Got Karma for Re: How does indexer cluster replication affect license usage?. 12-28-2020 04:59 AM
- Got Karma for How can I find out which email server Splunk uses?. 12-11-2020 03:49 AM
- Got Karma for Re: Sending UF feed to two different Splunk instances, with two different index names.. 09-28-2020 08:30 AM
- Got Karma for Re: Universal Forwarder not sending data to indexer after successful connection. 09-04-2020 09:31 AM
- Got Karma for How can we avoid data loss in the summary indexes when there is an indexing latency in the cluster?. 09-01-2020 09:39 AM
07-17-2019
01:39 PM
Thank you for the attention @mlevsh, and for the quote ;-)
07-17-2019
01:04 PM
We spoke about it at this thread and it might help you - How do we enable a forwarder boot-start?
07-17-2019
12:52 PM
The following mentions the *.bundle files but not their var/run/<app> location - Extended example: Deploy configurations to several forwarders
On that page, we can search for fwd_to_splunk1-timestamp.bundle.
07-17-2019
12:19 PM
I guess the following explains it in the url from above -
-- If you change a single file in the users directory, the deployer redeploys the entire users tarball to the captain. This is because the users directory is typically modified and redeployed only during upgrade or migration, unlike the apps directory, which might see regular updates during the lifetime of the cluster.
07-17-2019
10:32 AM
The command generates a beautiful and useful chart @rich7177.
Maybe it's also the commands which are not used, such as fields.
07-16-2019
09:30 AM
The documentation at Use the deployer to distribute apps and configuration updates
speaks quite a bit about the deployer deploying users information -
$SPLUNK_HOME/etc/shcluster/
apps/
<app-name>/
<app-name>/
...
users/
Is this feature being used as we usually speak about the deployer in the context of apps?
07-15-2019
11:33 AM
Looks great -
| makeresults
| eval VLAN="Vlan819(RVP_CDN)"
| rex field=VLAN "(?<VLAN>.+)\("
07-12-2019
03:17 PM
As I prepare for the 24 lab exam, I see these different names for the CLI secret parameter versus the pass4SymmKey in the configuration files. Why is that?
- Tags:
- parameter
- splunk-cli
07-12-2019
11:38 AM
Very kind @rich7177 !
07-12-2019
09:46 AM
One of our clients wonders which solution is more loosely coupled: the Universal Forwarder or HEC.
I see the decoupling with the Universal Forwarder solution as the writer to the logs and the reader (UF) are completely independent of each other.
However, I'm not sure about the HEC solution.
From Loose coupling
-- In computing and systems design a loosely coupled system is one in which each of its components has, or makes use of, little or no knowledge of the definitions of other separate components. Subareas include the coupling of classes, interfaces, data, and services. Loose coupling is the opposite of tight coupling.
07-12-2019
09:23 AM
What about: | tstats count where index="wineventlog" by host ? It works for me ...
07-12-2019
07:20 AM
1 Karma
A good demo is at DB Connect
07-11-2019
03:30 PM
Most of the data should be under splunk/var/run/splunk/dispatch.
-- In the dispatch directory, a search-specific directory is created for each search or alert. Each search-specific directory contains several files including a CSV file of the search results, a search.log file with details about the search execution, and more. These are 0-byte files.
You can read about it at Dispatch directory and search artifacts
The bottom of the page speaks about -
-- Clean up the dispatch directory based on the age of directories
07-11-2019
08:01 AM
We use the following in order to assess the search proficiency of our users -
-- Search Proficiency: A measure of how effectively saved searches are written by our users using our SPL language over the selected timeframe. It is calculated by measuring the number of events scanned (Scanned_Count) and the number of events brought back off disk (Event_Count). [Search Proficiency = (Event_Count / Scan_Count) * 100%]
Does it make sense? Can we improve on that?
- Tags:
- measure
07-10-2019
12:37 PM
Makes perfect sense @richgalloway - thank you.
07-10-2019
12:28 PM
On the SH I see -
[shclustering]
....
replication_factor = 3
What is the replication_factor in this context?
In the indexer cluster, we have a replication and search factor of 2.
- Tags:
- replication
07-09-2019
07:36 AM
The following seems to work for me @FrankVl as the period doesn't always exist -
^\d{4}\s+\S+\s+\d+\s+\d{2}\:\d{2}\:\d{2}\s+([a-zA-Z\-0-9]+)
07-09-2019
07:11 AM
Thank you @richgalloway for all your help - it was interesting to see these *.bundle files on the forwarder ;-)
07-08-2019
05:38 PM
*Will it always be .domain.com?
Yup
*If so you should be able to use REGEX In syslog or Splunk. I assume you want to do it in syslog?
It's a good question @jkat54 - I guess that syslog is the right place.