cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
BARNEYRUDD
Explorer
Member since: ‎02-11-2019
‎03-02-2022
Community Statistics
Posts 9
Solutions 0
Karma Given 12
Karma Received 1
Member Since ‎02-11-2019
Activity Feed
Topics I've Started
View All

Re: Alerts are working, but "No triggered alerts f...

by in Alerting
‎09-13-2021 11:22 PM
‎09-13-2021 11:22 PM
I had this problem and managed to solve it by adding an "Add to triggered alert" trigger action ... View more

Re: Splunk SmartStore: Do warm buckets need to rol...

by in Getting Data In
‎01-14-2020 06:01 AM
‎01-14-2020 06:01 AM
Nice explanation, I was wondering how to manage the lack of a cold bucket function. ... View more

Re: Duplicate GUIDs for cloned forwarders - how to...

by in Deployment Architecture
‎11-25-2019 09:34 AM
1 Karma
‎11-25-2019 09:34 AM
1 Karma
I tried this on cloned indexers in version 7.3.0 (in my lab) with the same GUID and it worked (deleting instance.cfg) ... View more

Re: Unable to view thawed data

by in Splunk Search
‎11-22-2019 12:50 AM
‎11-22-2019 12:50 AM
Hi @Prakash493 I tried the REST URL you suggested but got nothing (empty page with no results) and I think it's because my Splunk deployment where I have the problem is not in a cluster, it's standalone. I tried modifying the URL to find an equivalent for a standalone environment but couldn't find anything. Do you know what the equivalent URL for a standalone environment would be? I'm thinking maybe your problem is specific only to a clustered environment. ... View more

Re: Unable to view thawed data

by in Splunk Search
‎11-19-2019 06:35 AM
‎11-19-2019 06:35 AM
Thanks @Prakash493. Could you give me the exact name of the frozen flag you are referencing? And the method to check for it if my REST URL is wrong? I looked at my problem again and realised I was getting a warning on the rebuild command, not sure if it's important/significant or not. I'm using a windows laptop with restricted admin privileges, so maybe my issue is to do with that. WARN Fsck - Failed to rename tmpDir='C:\Program Files\Splunk\var\lib\splunk\ito ps\db\db_1561999955_1558706749_5-tmp' to stageDir='C:\Program Files\Splunk\var\l ib\splunk\<myindex>\thaweddb\db_1561999955_1558706749_5-stage'.Reason='ERROR_ACCESS_ DENIED'. Will try to copy contents So I tried the thaw on a Linux VM running Splunk and my data thawed correctly and was searchable. I then interrogated the rest endpoints on the Windows and Linux machine, but I didn't find the "frozen" flag you were talking about. I found references to thaw and frozen but nothing surprising. For example fields that reference frozen for the index in question: coldToFrozenDir - C:\xxxxxxxxx\frozen_directory coldToFrozenScript - No value frozenTimePeriodInSecs - 172800 REST API URL I used: https://127.0.0.1:8089/servicesNS/nobody/search/data/indexes/<my _index>____ . ... View more

Re: Unable to view thawed data

by in Splunk Search
‎11-15-2019 01:39 AM
‎11-15-2019 01:39 AM
Hi @lhanich1, no updates, I haven't looked any further into this. ... View more

Re: Splunk unable to read specific files even thou...

by in Security
‎09-17-2019 03:03 AM
‎09-17-2019 03:03 AM
I'm on 7.3.1 (universal forwarder) and have this problem. The workaround proposed below by @fharding worked for me. ... View more

Unable to view thawed data

by in Splunk Search
‎07-09-2019 08:38 AM
‎07-09-2019 08:38 AM
Hi, I'm testing thawing of some frozen data and it's not working. I have thawed some previously frozen data and am expecting to see it in the search, but the search result returned is empty. Some questions: - Could this a bug (I'm following the recommended method from Splunk admin training)? - How could I take my investigation further? Procedure: stop Splunk copy frozen data (bucket) to a thawed directory run rebuild command - Splunk rebuilds (this appears to work as I see the metadata files are created (Sources.data, bloomfilter, Hosts.data etc). start Splunk search (index=itops earliest = -365d). Result: 0 events - No results found. Try expanding the time range. A few more details: - Running SE version 7.3 - the data is from 2 weeks ago (I set the data in the index to age out/freeze after two days) - this is a test platform - Seeing some weird logs in the internal index that I don't understand: 7/9/19 5:14:53.226 PM 07-09-2019 17:14:53.226 +0200 INFO DatabaseDirectoryManager - Getting size on disk: Unable to get size on disk for bucket id=itops~5~8D8C5421-3FB9-4E28-A7DA-D62472398A71 path="C:\Program Files\Splunk\var\lib\splunk\itops\thaweddb\db_1561999955_1558706749_5" (This is usually harmless as we may be racing with a rename in BucketMover or the S2SFileReceiver thread, which should be obvious in log file; the previous WARN message about this path can safely be ignored.) caller=getBucketManifestValues host = XXXXXX source = C:\Program Files\Splunk\var\log\splunk\splunkd.log sourcetype = splunkd ... View more

Re: Is there any way to post a URL to my Splunk Ce...

by in Training + Certification Discussions
‎05-13-2019 02:02 AM
‎05-13-2019 02:02 AM
I just successfully added my Splunk certifications on LinkedIn. There's a link to share the badge on the acclaim (link text) website. Normally after you pass your certification they get added to acclaim. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎03-02-2022 09:25 AM
Karma from
View All
Karma given to