Hello, We are running DM acceleration, we saw that every time the acceleration is running the disk got full. After investigation, we saw that the data of the old guid does not removed from disk and that cause our disk full.  We are running Splunk using Docker image and using ansible. looks like it is an issue with ansible but im not sure.  Any idea anyone ? Thanks ... View more

Hello, In one of out indexer we reached disk space in /var this is the path that takes all the space: opt/splunk/var/lib/splunk/prod/datamodel_summary   can i delete the files there ? how can i avoid this messages ? if it is not possible to remove them, what will be the best step in order to fix this issue ? also, how is it possible that it happens only in one indexer while i have indexer cluster with 3 peers?  thanks sarit ... View more

Hello I have  a query that contains some conditions and one of them is "AND NOT eventtype=..." the eventtype is not configured in our system so it is not supposed to return results..  my question is - if the condition is "AND NOT" but the eventtype not configured the query should return results or not ?   thanks ... View more

Hello i have kubernetese environment that contains : 1 SH 1 master 3 indexers in cluster we changed the pass4symkey in all of the components and now the status is that in the indexers the key stays as it should and in the master and SH it restored to something unknown every few hours. what is the reason and how can i solve it ? thanks ... View more

- We tried to implement shclustering with splunk-ansible (https://github.com/splunk/splunk-ansible) - But it is not possible to deploy apps from deployer, because scripts do not run initial push (unless specyfing splunk.apps_location), they rely on pulling configs from deployer instead Problem is that pulling configs from deployer does not work until first push from deployer. Internally this request to deployer 'GET /services/apps/deploy?output_mode=json HTTP/1.1' fails with 401 status. After the first push, this request is processed correctly with status 200. I tried to reproduce error internally (outside ansible) and managed to do it, can provide you diags with debug logs. I consider either Deployer implementation must be improved or ansible scripts to correctly handle shc. Steps to reproduce 1. Deploy SHCluster, 2. Restart any member of SHCluster, 3. Check its splunkd.log ... View more

Hello im using splunk image with Docker and Kubernetese. i want to create users automatically each time im creating new environment. is there a way to run kube job that runs cli commands? or maybe there is another way to achieve my goal ?    thanks ... View more

Hello im trying to count the number of events of each alert  the alerts are saved in a lookup file which looks like this: creation_time eventtype kv_key max_time min_time status tail_id uuids 1580820272 csm-cbb 5f401 1580820272 1578293527 Open N8 7fd5b533   when im running this query im getting no results found | inputlookup kv_alerts_prod | eval kv_key=_key | convert ctime(creation_time) AS _time | timechart span=1d count by _key   what am i missing ? thanks ... View more