To Rez an old thread, I was having this very same issue today and have a suspicion about why the option wasn't showing.  I have 2 clustered environments; One Lab and one production. The production SH's show the option to install from file, the Lab does not. In the Lab, I was experimenting with installing apps in a one off scenario and now the option is gone, but in production where I've only pushed by deployment, the option is still there.  tl;dr : Because I tried to install a one off app to a SH in the cluster, it seems to have removed the option to install further apps per SH?   Anyone seen similar? ... View more

https://ideas.splunk.com ... View more

This was my issue. Thanks for this! ... View more

One of the issues I recently dealt with was the delay in sending security channel logs in Active Directory, which I finally resolved after a few days. Here are the steps I took to fix the problem: I investigated the queue issue in different pipelines. This link explains in detail how to identify and fix queue problems to reduce delays: index=_internal host=* blocked=true This way, you can check whether the issue is with the universal forwarder, the heavy forwarder, or a higher tier. I experienced this issue with both UF and HF. I increased the queue size and added the following parameter along with the queue adjustment: /etc/system/local/server.conf parallelIngestionPipelines=2 https://conf.splunk.com/files/2019/slides/FN1570.pdf To adjust the max speed rate in the ingestion pipeline, I modified the following parameter in limits.conf: [thruput] maxKBps = 0 https://community.splunk.com/t5/Getting-Data-In/How-can-we-improve-universal-forwarder-performance/m-p/276195 The final and most effective step was changing the following parameter in UF’s inputs.conf: use_old_eventlog_api=true If you have added the parameter evt_resolve_ad_obj=true to translate SID/GUID and it cannot perform the translation, it will pass the task to the next domain controller. It waits for a response before proceeding, which can cause delays. To fix this, I added: evt_dc_name=localhost By implementing the above steps, logs were successfully received and indexed in real-time. Thank you for taking the time to read this. I hope it helps you resolve similar issues. ... View more

try this: index=_audit action=search is_realtime=1 | eval search_type=case( search_id LIKE "scheduler%", "Scheduled Search", search_id LIKE "rt_scheduler%", "Real-Time Scheduled Search", search_id LIKE "dashboard%", "Dashboard", search_id LIKE "adhoc%", "Ad-hoc Search", 1=1, "Ad-hoc Search" ) | eval human_readable_time = strftime(_time, "%Y-%m-%d %H:%M:%S") | stats count by user, search_type, _time | rename human_readable_time AS "Time", user AS "User", search_type AS "Search Type", count AS "Search Count" | sort - "Time" ... View more

Here <source>means have you typed exact path of the file or just <source> as is? ... View more

I tried editing from UI, increased the maxresults to 1000000 ,post that I am able to see only 50k results, but not all the results What other configurations needs to be changed in order to get all the results?  ... View more

No, I am using 9.1 and 9.3. However, I am experiencing the same problem on Red Hat 8. I will start a new thread as per your advice.  ... View more

As already stated, splitting inputs into separate apps and associating them with different serverclasses is the way to go. An input is a relatively "simple" idea. It might have features letting you filter _what_ you're ingesting (like particular files or windows event ids) but not _where_ they run or not.   ... View more

This is a thread from so long ago and is about a long forgotten version. Nowadays collect is much more flexible, especially if you're using output_format=hec ... View more

260 get me ? Yeah it can be a real headache, I tried LongPath Tool Program which helped a lot. ... View more

Hi @Naa_Win , try this, even if I did it more than five years ago, but it should still run! | rest splunk_server=local /services/deployment/server/clients\ | table hostname ip utsname *.restartSplunkd\ Ciao. Giuseppe ... View more

I have the same question, which capabilities are needed for the "Add Data" button? ... View more

@sudosplunk the setting is expected to be in inputs.conf ( not in custom inputs.conf). All modinputs honor meta setting starting 6.4 https://community.splunk.com/t5/Getting-Data-In/UF-Route-inputs-to-specific-indexers-based-on-the-data-s-input/m-p/147597 ... View more

Was getting similar errors too. Adding the /raw in my curl statement resolved the issue. ... View more

Responding to this bc we recently received the same question at Community Office Hours. In case anyone else is looking to do this, here's the expert guidance:  Option 1: Workload Management is your friend here. A very easy implementation without messing with all the roles  Workload Management examples (see scenarios 1 and 2) Configuring workload rules Option 2: Use Role Limitations to dictate the rule Follow guidance in: How to restrict usage of real-time search ... View more

Close. You don't need to restart the DS. Just reload the deployment classes. (if you're doing it via CLI, if I remember correctly, the GUI takes care of that automatically) ... View more

@inventsekar Thank you for your response. There is not just one Dashboard. We need to list out all the Dashboards that have autorefresh enabled. For which we don’t want to go one by one looking into the dashboards to find out because there are more than 1000 dashboards. Thank you in advance. ... View more

Thank you Emily Can you talk more about your services? Im interesting in this. ... View more

Hi to getting REST queries to work, all those servers must be defined as search peer to this instance. Usually you define only indexers as a peer for SH so that's reason you are not founding other SHs with it except on MC where you already have added those to be a peer to get REST API and MC working correctly. Scheduler is running on full splunk instances where are some search activities. This means at least SH and IDX and CM. Maybe also some HF could match to this and LM, DS and Deployer (cannot check it now). Easy way to drop IDXs away from that list (if you have only one IDX cluster/indexer where you send your internal logs) is | tstats count where index=_internal sourcetype=scheduler NOT [| tstats count where index=_internal sourcetype=scheduler by splunk_server | fields splunk_server | rename splunk_server as host | format] by host | table host | rename host as "Instances which can use as SH" If you have serveral IDXc + indexers connected to this SH then you need add some other indexes here to get full list of splunk_servers where events are stored. r. Ism  ... View more

One nice feature is shell completion. You could start it by  will be packaged with future (after 6.x) releases of Splunk; it will be found in SPLUNK_HOME/bin/ directory; further, the SPLUNK_HOME/bin/setSplunkEnv util will run this script, and confirm success with the message   Tab-completion of "splunk <verb> <object>" is available. More on https://community.splunk.com/t5/Deployment-Architecture/CLI-command-completion-Yes-and-here-s-how-For-bash-4-0-and/m-p/82552 and somewhere in docs, but I can’t found it now. Sourcing above to shell also se $SPLUNK_HOME r. Ismo ... View more

I don't understand the point of this link, it literally just takes us to the online Managing Indexers and Clusters of Indexers manual Use maintenance mode section    ... View more

did you manage to clear the exam? ... View more

can you please provide solution on this. We have same plan to integrate with splunk and HPOM and servicenow. ... View more

Hi there， i'm a new splunker I'd like to know what's means of these search result, such as "management", "default-autolb-group:xxx.xxx.xxx.xxx:9997:3:1" i can understand there is my HF ip and port, but what's means of :3:1, I have seen :0:0, :0:1.... thanks in advance. @woodcock  ... View more