Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About esalesapns2
esalesapns2
Communicator
Member since:
10-31-2018
11-20-2025
Community Statistics
| Posts | 44 |
| Solutions | 2 |
| Karma Given | 20 |
| Karma Received | 16 |
| Member Since | 10-31-2018 |
Activity Feed
- Posted Re: search to generate 5 sample events for lots of index/sourcetype pairs on Splunk Search. 11-20-2025 12:32 PM
- Posted search to generate 5 sample events for lots of index/sourcetype pairs on Splunk Search. 11-17-2025 08:12 AM
- Posted Re: I unable to initialize modular input "TA-Akamai_SIEM" defined inside the app "Splunk_TA_siem_connecto on Getting Data In. 07-01-2025 06:06 AM
- Got Karma for Re: How to get "splunk" user to read "root" user-owned files?. 02-24-2025 01:54 PM
- Posted Re: How do you schedule a report that needs to run multiple times for different time ranges? on Splunk Enterprise. 11-07-2024 10:44 AM
- Posted Re: disable learned sourcetype on Getting Data In. 10-09-2024 05:06 AM
- Posted Re: How do I get Tenable add-on to connect to Splunk? on Splunk Enterprise. 09-26-2024 01:34 PM
- Got Karma for Re: How to get "splunk" user to read "root" user-owned files?. 07-06-2023 07:36 AM
- Got Karma for Re: HTTP Event Collector: How to generate token through Splunk CLI ?. 01-30-2023 03:42 AM
- Got Karma for Re: How to get "splunk" user to read "root" user-owned files?. 11-10-2022 05:40 AM
- Got Karma for Re: HTTP Event Collector: How to generate token through Splunk CLI ?. 09-29-2022 11:37 AM
- Got Karma for Can the _introspection index use SmartStore?. 11-08-2021 08:57 PM
- Got Karma for Re: Is there an Audit log that tracks changes to content in Splunk Enterprise Security?. 10-01-2021 03:33 PM
- Karma Upgrade from 7.0.1 to 7.3.x and add-on compatibility for dkleczko. 06-05-2020 12:50 AM
- Karma Re: Splunk AWS inspector errors for FraserC1. 06-05-2020 12:50 AM
- Karma ERROR ExecProcessor - message from "/opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/interfaces.sh" cat: /sys/class/net/eth#/speed: Invalid argument for jlstanley. 06-05-2020 12:50 AM
- Karma Re: Search performance impact & How to find user deploying high impact searches for VatsalJagani. 06-05-2020 12:50 AM
- Karma Re: Why does my drilldown with the rex command return an "Unbalanced quotes" error? for MathiasLindblom. 06-05-2020 12:50 AM
- Got Karma for Splunk Add-on for Unix and Linux sshdChecker.sh script error.. 06-05-2020 12:50 AM
- Got Karma for Can Splunk pull *the contents* of a lookup created in a search head cluster via rest command search into a non-cluster search-head?. 06-05-2020 12:50 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 1 | |||
| 0 |
11-20-2025
12:32 PM
this works great, but over lots of indexes over hours (some are infrequent log sources) it takes a long time, so I shortened the time to 15-minutes and it ran in a few minutes, thank you!
... View more
11-17-2025
08:12 AM
I need to provide feedback on ways logging formats could be improved. To that end, I'm trying to create a search that ends with: | stats values(source) values(_raw) by index sourcetype so I get some examples of logs, but I only want to see a max of 5 values in the source and _raw columns. I tried using foreach with append, but append isn't streaming, so I manually created 204 lines like this: index=index1 sourcetype=sourcetype1 | head 5
| append [ search index=index1 sourcetype=sourcetype2 | head 5 ]
| append [ search index=index2 sourcetype=sourcetype1 | head 5 ]
... It took a long time in "Parsing job...", but eventually produced the results I wanted. What are some different ways of getting this result?
... View more
Labels
- Labels:
-
search
07-01-2025
06:06 AM
I tried removing inputs.conf from the TA because I only wanted it for the props/transforms on my search head cluster. Still got the error. How?
... View more
11-07-2024
10:44 AM
I'm having the same requirement. Maybe one way would be to run it from an external program using API calls to kick off the searches and wait for them to complete?
... View more
10-09-2024
05:06 AM
I tried creating a default app.conf file with the stanza:
[install]
state = disabled
but it didn't disable the app.
Then I removed the app from etc/apps altogether, but it came back.
We run splunk as user "splunk" so then I removed the app and created a directory etc/apps/learned owned by root with permissions 500 (r-x------) so splunk couldn't recreate it. That worked.
... View more
09-26-2024
01:34 PM
the curl command works from the command line only if I specify "-k" (ignore SSL cert) how do I get Splunk to accept the cert?
... View more
02-04-2020
05:19 AM
Me too. Maybe it's trying to find an index that's not defined on the Heavy Forwarder? "idx=_w(s,0).end())"
... View more
12-30-2019
01:49 PM
Apologies, this will create a file named server.pem.pem that you will have to move to server.pem . You can omit the ".pem" from the end of the second command to save having to do this step.
... View more
12-30-2019
01:43 PM
Or (on Splunk 7.3.2) you could run these commands to create a cert with a new expiration date:
$ mv /opt/splunk/etc/auth/server.pem /opt/splunk/etc/auth/server.pem,expired
$ splunk createssl server-cert -d /opt/splunk/etc/auth -n server.pem
... View more
12-30-2019
01:32 PM
I was getting this error due to an omission in my certificate. The certificate's "Subject" has no "O=", "OU=", or "DC=" specified. The default certificate created by Splunk uses "O=SplunkUser". Since mine was created with HashiCorp Vault, I don't see a way to get it to add one of those in addition to the "CN=" in the Subject, so I guess I won't be able to use Vault-generated certificates for my kvstore.
... View more
12-04-2019
09:23 AM
I followed the steps, but my status is still "starting" on the captain, replicationStatus is "Startup" on one member and "Down" on the other, even though it was "ready" when I brought up the captain solo. How long should it take to replicate?
... View more
11-13-2019
01:41 PM
I'm having the same issue in 7.3.2. System is logging in US/Eastern, Splunk is UTC. My props is based on source. Applied it on HF, and Indexer, no change to time setting.
... View more
11-04-2019
08:44 AM
1 Karma
I created a Splunk Health Dashboard for myself on the server that runs my Monitoring Console. The MC server is not part of my search head cluster. My search head cluster updates a lookup every hour that gets service account status that I'd like to add to my custom dashboard on my Monitoring Console. Is there a way to get the contents of the lookup in the search head cluster into a search on my Monitoring Console?
... View more
11-01-2019
09:03 AM
My interface is showing "up", but I'm getting errors for "speed" and "duplex", even if I cat them from the command line; I'm running on a fairly recent Splunk AMI in AWS, One wonders why Splunk hasn't seen/fixed this?
... View more
11-01-2019
07:56 AM
2 Karma
Yes, you can use "uuidgen" (with no arguments) from the linux command line to generate a token like the one the Splunk GUI does when it creates a new HEC input.
... View more
10-30-2019
01:02 PM
2 Karma
I wish that link still worked...
... View more
10-30-2019
07:14 AM
Splunk Enterprise, v7.0.3
I ran the search in https://answers.splunk.com/answers/750097/search-performance-impact-how-to-find-user-deployi.html
I see the exact same alert running 9 times in a 5-minute period that eats 130 to 165 data.pct_cpu each time.
It's an Alert private to a user scheduled to run at 8:00. It ran 9 different times from 9:23 to 9:28 am, according to the search.
Is it a bug in the search due to the way "stats latest(data.pct_cpu) is used that makes the "_time" off?
... View more
- Tags:
- splunk-enterprise
10-28-2019
06:17 AM
As of 7.3.2, Splunk uses systemd on RHEL 7 and sets the splunk startup in /etc/rc.d/rc3.d to S90splunk, avoiding this issue.
... View more
10-28-2019
06:10 AM
I had to remove/re-install the splunk_TA_nix app to get it to stop behaving this way.
... View more
10-10-2019
01:58 PM
I should say I restarted Splunk after I put the app back.
... View more
10-10-2019
01:57 PM
Ok, I stopped Splunk, removed the Splunk_TA_nix app, started splunk put the app back and started splunk, and I'm finally no longer getting lsof events. However, I now need to do the same on all my deployment clients... Good thing I was planning on working late.
... View more
10-10-2019
01:07 PM
This is on Splunk Universal Forwarder 7.0.1.
... View more
10-10-2019
01:06 PM
Yes, I did. I have since stopped Splunk, removed deploymentclient.conf, and the DS2-Splunk_TA_nix-cre directory, and set the indexes for all the Splunk_TA_nix inputs in Splunk_TA_nix/local/inputs.conf, and restarted splunk. I'm still getting a steady stream of lsof events every minute.
... View more
10-10-2019
12:41 PM
stop it altogether. some of my servers have 5M files open at a time...
... View more
10-10-2019
12:10 PM
I can't figure out why lsof.sh is running every minute. Here's the "btool inputs list --debug" output for lsof:
/opt/splunkforwarder/etc/apps/DS2-ns2-Splunk_TA_nix-cre/local/inputs.conf [script:///opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/lsof.sh]
/opt/splunkforwarder/etc/system/default/inputs.conf _rcvbuf = 1572864
/opt/splunkforwarder/etc/apps/Splunk_TA_nix/local/inputs.conf disabled = 1
/opt/splunkforwarder/etc/system/local/inputs.conf host = c20sbap01l01
/opt/splunkforwarder/etc/apps/DS2-ns2-Splunk_TA_nix-cre/local/inputs.conf index = cre_linux
/opt/splunkforwarder/etc/apps/Splunk_TA_nix/local/inputs.conf interval = 600
/opt/splunkforwarder/etc/apps/Splunk_TA_nix/default/inputs.conf source = lsof
/opt/splunkforwarder/etc/apps/Splunk_TA_nix/default/inputs.conf sourcetype = lsof
Here's my splund.log output:
10-10-2019 16:07:12.898 +0000 INFO ExecProcessor - New scheduled exec process: /opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/lsof.sh
10-10-2019 16:07:12.898 +0000 INFO ExecProcessor - interval: 60000 ms
I've tried restarting splunk to no effect... Notice that the interval is set to 600 (600 seconds) in the btool output, but 60000 (60 seconds) in the splunkd.log output. I'll try interval = -1 next, and then a single app after that.
... View more
Labels
- Labels:
-
troubleshooting
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
11-20-2025
12:09 PM
|
Karma given to
