Hi Team, We are receiving warn message as below on search head clusters. "The limit has been reached for log messages in info.csv. 18 messages have not been written to info.csv. Refer to search.log for these messages or limits.conf to configure this limit." What is relevance of info.csv and how this limit breach affect Splunk search performance and search results. Thanks, Mani   ... View more

Hi, I'm facing issue with data forwarding to splunk. i'm not sure where data being dropped and its happening randomly. Details: I have text (key-value pair) file with 6.5 million lines(events) with same timestamp (_time) configured. but while ingesting file to splunk via Heavy forwarder, it automatically incrementing _time +1 sec for every 100k or 200k events randomly. Observation: if the _time +1 sec increment happens for every 100k events, then no issues data completely ingest to splunk. if some times _time +1 sec increment happens for 200+k events, we are observing data drop, only 4 to 4.5 million events got ingested out of 6.5 million events. splunk log giving this warning: WARN DateParserVerbose - The same timestamp has been used for 500K consecutive times. If more than 200K events have the same timestamp, not all events may be retrieveable Splunk Environment details: Splunk Version: 7.2.6 OS: AWS Linux Machine Could you please advice what is root cause of this issue and remedy for same. Thanks In Advance !!!. Mani ... View more

Hi, I'm facing issue with data forwarding to splunk. i'm not sure where data being dropped and its happening randomly. Details: I have text (key-value pair) file with 6.5 million lines(events) with same timestamp (_time) configured. but while ingesting file to splunk via Heavy forwarder, it automatically incrementing _time +1 sec for every 100k or 200k events randomly. Observation: if the _time +1 sec increment happens for every 100k events, then no issues data completely ingest to splunk. if some times _time +1 sec increment happens for 200+k events, we are observing data drop, only 4 to 4.5 million events got ingested out of 6.5 million events. splunk log giving this warning: WARN DateParserVerbose - The same timestamp has been used for 500K consecutive times. If more than 200K events have the same timestamp, not all events may be retrieveable Splunk Environment details: Splunk Version: 7.2.6 OS: AWS Linux Machine Could you please advice what is root cause of this issue and remedy for same. Thanks In Advance !!!. Mani ... View more

Hi, I'm currently upgrading Splunk version from 7.0.3 to 7.2.6. If I do a manual upgrade it works fine. But if I try to do via automated Jenkins pipeline it's showing that I am installing Splunk for the first time. There is no admin user information & credentials. Splunk cluster currently in AWS cloud. Whenever I try to rebuild the stack, it thinks I am installing for the first time. i Are there any additional processes or steps to follow to overcome this issue? Please guide me on this. I followed the Splunk documentation exactly. Thanks in Advance, Regards, Mani ... View more

Hi, I'm new to splunk, i have couple of questions related to kv store. use case 1: i have created splunk app using splunk python sdk app name called "test_kvstore" and created one kv store name "test_data_kvstore" and added data to it aswell (using python sdk). next i have defined kvlookup in splunk search head (web ui & gave global permission) then i just try to see the kvstore data in splunk search head so put this command in search head |inputlookup test_data_kvlookup getting this error in search head. Error in 'inputlookup' command: Lookup failed because collection 'test_data_kvstore' in app 'test_kvstore' does not exist, or user 'manikandankasi' does not have read access i couldn't get why im getting this error since the app and kvstore already defined. Questions: is it kvstore data specific to the app or its stored globally? if i want see the test_data_kvstore then by default where its stored? and location? any help on this much appriciated !!! Thanks in Advance, Mani ... View more

i'm getting below log in almost all my scheduled summary. what does it mean will it affect the quality of search results. Could you please advice how to fix this issue ? DispatchManager::dispatchHasFinished(id='scheduler_c3ZjX2FwbV9ucF9kMnNwbHVuaw_YXBtX3NucG0__RMD5ef03de80f9dfee83_at_1547538000_374_2F96A993-8827-50B3-BBAC-FD84F8BCBD22', username='svc_apm_np_d2splunk') 01-15-2019 18:40:48.269 INFO UserManager - Unwound user context: svc_apm_np_d2splunk -> NULL 01-15-2019 18:40:48.269 INFO PipelineComponent - Process delayed by 46.548 seconds, perhaps system was suspended? Thanks in Advance, Mani ... View more