About ddrillic

ddrillic · ‎07-20-2019

Both of them - no doubt ; -)

ddrillic · ‎07-17-2019

Thank you for the attention @mlevsh and the quote ; -)

ddrillic · ‎07-17-2019

We spoke about it at this thread and it might help you - How do we enable a forwarder boot-start?

ddrillic · ‎07-17-2019

The following mentions the *.bundle files but not their var/run/<app> location - Extended example: Deploy configurations to several forwarders In the page, we can search for fwd_to_splunk1-timestamp.bundle .

ddrillic · ‎07-17-2019

I guess the following explains it in the url from above - -- If you change a single file in the users directory, the deployer redeploys the entire users tarball to the captain. This is because the users directory is typically modified and redeployed only during upgrade or migration, unlike the apps directory, which might see regular updates during the lifetime of the cluster.

ddrillic · ‎07-17-2019

The command generates a beautiful and useful chart @rich7177. Maybe it's also the commands which are not used such as fields .

ddrillic · ‎07-16-2019

The documentation at Use the deployer to distribute apps and configuration updates speaks quite a bit about the deployer deploying users information - $SPLUNK_HOME/etc/shcluster/ apps/ <app-name>/ <app-name>/ ... users/ Is this feature being used as we usually speak about the deployer in the context of apps?

ddrillic · ‎07-15-2019

It makes sense @Azeemering - much appreciated.

ddrillic · ‎07-15-2019

Looks great - | makeresults | eval VLAN="Vlan819(RVP_CDN)" | rex field=VLAN "(?<VLAN>.+)\("

ddrillic · ‎07-15-2019

Any ideas about this one, by any chance?

ddrillic · ‎07-12-2019

As I prepare for the 24 lab exam, I see these different naming for the CLI secret parameter versus the pass4SymmKey in the configuration files. Why is it?

ddrillic · ‎07-12-2019

Very kind @rich7177 !

ddrillic · ‎07-12-2019

One of our clients wonder which solution is more loosely coupled – the Universal Forwarder or HEC. I see the decoupling with the Universal Forwarder solution as the writer to the logs and the reader (UF) are completely independent of each other. However, I'm not sure about the HEC solution. From Loose coupling -- In computing and systems design a loosely coupled system is one in which each of its components has, or makes use of, little or no knowledge of the definitions of other separate components. Subareas include the coupling of classes, interfaces, data, and services.1 Loose coupling is the opposite of tight coupling.

ddrillic · ‎07-12-2019

What about - | tstats count where index="wineventlog" by host ? works for me ...

ddrillic · ‎07-12-2019

A good demo is at DB Connect

ddrillic · ‎07-11-2019

Most of the data should be under splunk/var/run/splunk/dispatch . -- In the dispatch directory, a search-specific directory is created for each search or alert. Each search-specific directory contains several files including a CSV file of the search results, a search.log file with details about the search execution, and more. These are 0-byte files. You can read about at Dispatch directory and search artifacts The bottom of the page speaks about - -- Clean up the dispatch directory based on the age of directories

ddrillic · ‎07-11-2019

We use the following in order to assess the search proficiency of our users - -- Search Proficiency: A measure of how effectively saved searches are written by our users using our SPL language over the selected timeframe. It is calculated by measuring the number of events scanned (Scanned_Count) and the number of events brought back off disk (Event_Count). [Search Proficiency = (Event_Count / Scan_Count) * 100%] Does it make sense? Can we improve on that?

ddrillic · ‎07-10-2019

Makes perfect sense @richgalloway - thank you.

ddrillic · ‎07-10-2019

On the SH I see - [shclustering] .... replication_factor = 3 What is the replication_factor in this context? In the indexer cluster, we have a replication and search factor of 2.

ddrillic · ‎07-09-2019

Gorgeous ; -)

Posts	2272
Solutions	53
Karma Given	322
Karma Received	284
Member Since	‎12-26-2014

Online Status	Offline
Date Last Visited	‎03-23-2023 02:32 PM

Is the users deployer feature being used?

Why is the CLI secret parameter called pass4SymmKe...

Is the HEC a loosely coupled solution?

How do we measure Search Proficiency of our users?

What is the replication_factor in the SH's shclust...

How can we normalize our syslog host names?

What is the Average Usage in the MC’s Indexes and ...

How do bundles work with the forwarders?

Can not see the output of btool in windows

What are the limitations/benefits of using eval in...

Re: Splunk indexers cluster

Re: Splunk service didn't start automatically afte...

Re: Splunk service didn't start automatically afte...

Re: How do bundles work with the forwarders?

Re: Is the users deployer feature being used?

Re: How do we measure Search Proficiency of our us...

Is the users deployer feature being used?

Re: Why is the CLI secret parameter called pass4Sy...

Re: How to create a regex for extracting few chara...

Re: Why is the CLI secret parameter called pass4Sy...

Why is the CLI secret parameter called pass4SymmKe...

Re: How do we measure Search Proficiency of our us...

Is the HEC a loosely coupled solution?

Re: How to use tstats to show unique list of hosts...

Re: db connect documentation for unsupported versi...

Re: is it safe to delete the files and directories...

How do we measure Search Proficiency of our users?

Re: What is the replication_factor in the SH's shc...

What is the replication_factor in the SH's shclust...

Re: How can we normalize our syslog host names?