Activity Feed
- Got Karma for Re: Why is the "splunk remove excess-buckets [index-name]" command not working (GUI or CLI) in our multisite indexer cluster?. 09-19-2021 10:26 PM
- Posted Help me write props.conf /transforms.conf for below data. on Splunk Search. 03-25-2020 09:18 PM
- Tagged Help me write props.conf /transforms.conf for below data. on Splunk Search. 03-25-2020 09:18 PM
- Posted Fix datetime.xml file in Splunk on Splunk Search. 03-25-2020 06:57 PM
- Tagged Fix datetime.xml file in Splunk on Splunk Search. 03-25-2020 06:57 PM
- Posted Re: Why past data is missing even if date range is inside my retention policy of that index? on Splunk Search. 03-09-2020 01:57 AM
- Posted Re: Why past data is missing even if date range is inside my retention policy of that index? on Splunk Search. 03-09-2020 12:34 AM
- Posted Re: Why past data is missing even if date range is inside my retention policy of that index? on Splunk Search. 03-09-2020 12:20 AM
- Posted Re: Why past data is missing even if date range is inside my retention policy of that index? on Splunk Search. 03-09-2020 12:19 AM
- Posted Re: Why cant I see some data that I was able to see before 1 month? Even if retention policy of index is 3 years on Splunk Search. 03-09-2020 12:04 AM
- Posted Why past data is missing even if date range is inside my retention policy of that index? on Splunk Search. 03-08-2020 11:44 PM
- Tagged Why past data is missing even if date range is inside my retention policy of that index? on Splunk Search. 03-08-2020 11:44 PM
- Posted Re: What will be LINE_BREAKER for these events? on Getting Data In. 11-26-2019 07:53 PM
- Posted What will be LINE_BREAKER for these events? on Getting Data In. 11-26-2019 01:00 AM
- Tagged What will be LINE_BREAKER for these events? on Getting Data In. 11-26-2019 01:00 AM
- Posted Re: Why do two different users using same Sh, same app, same query, and same permissions, getting two different results? on Splunk Search. 11-25-2019 06:01 PM
- Posted Can 1 sourcetype have 2 CHARSET? on Getting Data In. 11-25-2019 05:58 PM
- Tagged Can 1 sourcetype have 2 CHARSET? on Getting Data In. 11-25-2019 05:58 PM
03-25-2020
09:18 PM
36,03/26/20,13:12:04,Packet dropped because of Client ID hash mismatch or standby server.,IP,,B88584ADE973,,0,6,,,,,,,,,0
36,03/26/20,13:12:04,Packet dropped because of Client ID hash mismatch or standby server.,IP,,B88584ADE973,,0,6,,,,,,,,,0
11,03/26/20,13:12:04,Renew,IP,Oscarphone8,B841A4B2E9C8,,2541188417,0,,,,,,,,,0
11,03/26/20,13:12:04,Renew,IP,Oscarphone8,B841A4B2E9C8,,2541188417,0,,,,,,,,,0
31,03/26/20,13:12:04,DNS Update Failed,IP,xxx.jp,,,0,6,,,,,,,,,2
30,03/26/20,13:12:04,DNS Update Request,IP,xxx.jp,,,0,6,,,,,,,,,0
11,03/26/20,13:12:04,Renew,IP,xxx.jp,105BADA1EB91,,999576276,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0
31,03/26/20,13:12:04,DNS Update Failed,IP,xxx.jp,,,0,6,,,,,,,,,2
30,03/26/20,13:12:04,DNS Update Request,IP,xxx.jp,,,0,6,,,,,,,,,0
03-25-2020
06:57 PM
So I have to update my datetime.xml file in Splunk because of the timestamp extraction problem after 1 Jan 2020.
According to Splunk, we have to overwrite the existing file with the new file they provide.
Now my question:
I have 10I, 20SH, 2HF, 1000's of UF.
Do I need to update datetime.xml on just my heavy forwarders?
Do I need to update the new datetime.xml on all indexers as well? If yes, please help me with how to push the configuration from the master.
Thanks
03-09-2020
01:57 AM
Thanks for the suggestion @gcusello
Everything looks fine by that also.
Still can't solve the issue.
03-09-2020
12:34 AM
Hi @gcusello
Yes, I am definitely able to see older data.
I wonder why some data is missing.
Is there any other possibility?
Thanks
Muiz
03-09-2020
12:20 AM
Hi @manjunathmeti
Retention is 3 years and events from Jan 2020 are missing.
Even if maxTotalDataSizeMB is reached and events were frozen, we have retention of 3 years. Why would an event of Jan 2020 be frozen? Or is freezing random? Isn't freezing based on age? Will the oldest events be frozen even if maxTotalDataSizeMB is reached?
03-09-2020
12:19 AM
Hi @gcusello
Even if maxTotalDataSizeMB is reached and events were frozen, we have retention of 3 years. Why would an event of Jan 2020 be frozen? Or is freezing random? Isn't freezing based on age? Will the oldest events be frozen even if maxTotalDataSizeMB is reached?
03-09-2020
12:04 AM
@manjunathmeti The above query is not running, and also the data can't be deleted because retention is 3 years and the timestamp of the data was in January 2020 only.
03-08-2020
11:44 PM
SPL:
"(index=3y OR index=3mon) (host=x OR host=y)
name="RegisteredUserLog" actionType=egg pointGet=true (platform=0 OR platform=1)
| eval earned_date=strftime(_time, "%Y-%m-%d")
| stats count by event_id earned_date
| rename event_id as easy_id
| table easy_id earned_date"
Notes
- The data I am seeing today is different from when I saw and exported the same data 1 month ago, providing the same date range.
- To give you an idea, I am seeing 20K fewer results compared to 1L events one month ago for the exact same SPL and exact same time range.
- Retention of index is not issue
- Date range is not issue
Please help
Thanks
11-26-2019
01:00 AM
2019-11-06 16:13:21,886 [9] DEBUG B005_01_01BusinessLogic -
2019-11-06 16:13:21,886 [9] DEBUG B005_01_01BusinessLogic -
2019-11-06 16:13:21,886 [9] DEBUG B005_01_01BusinessLogic -
2019-11-06 16:13:21,886 [9] DEBUG B005_01_01BusinessLogic -
2019-11-06 16:13:21,886 [9] DEBUG B005_01_01BusinessLogic -
Please write the LINE_BREAKER for these events. I know Splunk will automatically do it for these events, but these are not the only events I have. I cannot share those events here. However, every timestamp starts like this. If there is additional info to be written in props.conf, please write it.
Thanks
11-25-2019
06:01 PM
I cloned the user that was not able to search the complete data, gave him different username and name, and now he started fetching all the data.
This is quite strange by Splunk.
11-25-2019
05:58 PM
I have a sourcetype named "abc"
It is configured to CHARSET=UTF_8
When I see the events, some events split for no reason, and when I check those particular events, they have an encoding of UTF-16.
What do I do?
11-21-2019
12:41 AM
Hi @gcusello
I found that the app is "learned" for that particular sourcetype.
As I mentioned, both users have the same set of permissions. If permission was the issue, why would the other person be able to see the sourcetype results?
11-19-2019
07:40 PM
I checked and found out that the user with less event count, the query is not able to fetch one particular sourcetype. How to edit permissions? @gcusello
11-18-2019
11:05 PM
I checked and found out that the user with less event count, the query is not able to fetch one particular sourcetype. How to edit permissions? @HiroshiSatoh
11-18-2019
09:45 PM
Why 2 different users using same Searchhead, same app and same query and same permissions get 2 different results?
Could you please write in points the things I should troubleshoot.
Thanks
11-11-2019
06:15 PM
1 Karma
While the data is rebalancing, you cannot remove excess buckets. Splunk has this limitation clearly mentioned in their document.
https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Removeextrabucketcopies
11-10-2019
07:39 PM
Where to run this command?
11-10-2019
05:47 PM
We had to stop an indexer and add new one into cluster. Splunk generally automatically handles bucket replication but I am getting error. Please help
10-27-2019
08:41 PM
for HOST in ${HOSTS}
do
    URI="http://${HOST}:80"
    # Default when the search does not return a number
    count=99
    # Capture the CLI search output (stdout and stderr) and strip the header line, newlines and quotes
    result=$(/opt/splunk/bin/splunk search "index=${INDEX} sourcetype=${SOURCETYPE} SPLUNK_HEALTH_CHECK |stats count" -earliest_time "${EARLIEST}" -latest_time "${LATEST}" -uri "${URI}" -auth "${USER}:${PASS}" -preview F -output csv -timeout "${TIMEOUT}" 2>&1 |grep -v count |tr -d '\n' |sed 's/"//g')
    # A result starting with digits is taken as the count; anything else is kept as the status text
    if expr "$result" : '[0-9]*' > /dev/null 2>&1; then
        count=$result
        result="OK"
    fi
    date +"%Y-%m-%d %T sh=${HOST} status=\"${result}\" delay_status=$count"
done
10-27-2019
08:40 PM
Hi
Please help me understand what will this saved search do?
index=os sourcetype=splunk_health_check |eval value=delay_status |eval message=if(status=="OK","",status) |eval status=if(status=="OK",status,"NG") |eval score=if(value==99,-1,value) |table _time sh status score message |rename sh to searchhead |search score<5 AND status!="OK" message!="*No error" AND message!="Proxy Error"
source is a script.
for HOST in ${HOSTS}
do
    URI="http://${HOST}:80"
    # Default when the search does not return a number
    count=99
    # Capture the CLI search output (stdout and stderr) and strip the header line, newlines and quotes
    result=$(/opt/splunk/bin/splunk search "index=${INDEX} sourcetype=${SOURCETYPE} SPLUNK_HEALTH_CHECK |stats count" -earliest_time "${EARLIEST}" -latest_time "${LATEST}" -uri "${URI}" -auth "${USER}:${PASS}" -preview F -output csv -timeout "${TIMEOUT}" 2>&1 |grep -v count |tr -d '\n' |sed 's/"//g')
    # A result starting with digits is taken as the count; anything else is kept as the status text
    if expr "$result" : '[0-9]*' > /dev/null 2>&1; then
        count=$result
        result="OK"
    fi
    date +"%Y-%m-%d %T sh=${HOST} status=\"${result}\" delay_status=$count"
done
10-27-2019
07:10 PM
If we write the script, how do we pass authentication in bash?
10-24-2019
01:01 AM
Do you mean all, including the deployment server, master, every search head and every indexer?
10-23-2019
11:34 PM
I want to know where the location of launch.conf is in our whole environment, because I have to edit the proxy server inside it.
Please help
10-22-2019
06:46 PM
Normally I run a query on Splunk and go to visualization with a line chart. The query is a simple count of logs indexed in one particular index per day.
Normal days: Graph is normal
This problem day: Line chart is doing a lot of ups and downs (to almost zero) and then rising back.
How do I troubleshoot this? What could be the problem?