Activity Feed
- Got Karma for Re: What is the difference between the current_size_kb vs current_size in metrics.log for a universal forwarder?. 08-16-2023 06:08 AM
- Karma Re: Is it possible to route data to idle indexers ? for sowings. 06-05-2020 12:48 AM
- Got Karma for Is it possible to route data to idle indexers ?. 06-05-2020 12:48 AM
- Got Karma for Re: Where do logs go when uploaded via Splunk Web's 'Add Data' -> Upload feature?. 06-05-2020 12:48 AM
- Got Karma for Re: What is the difference between the current_size_kb vs current_size in metrics.log for a universal forwarder?. 06-05-2020 12:48 AM
- Got Karma for Re: Is our single 32 core search head the reason why both of our 8 core indexers are getting overloaded with searches?. 06-05-2020 12:48 AM
- Got Karma for Re: Installing Splunk into a non-default directory on Linux. 06-05-2020 12:48 AM
- Posted Re: Does cooked data from an HF forwarder automatically get routed to the indexing queue --> indexing processor? on Deployment Architecture. 10-16-2016 02:05 PM
- Posted Does cooked data from an HF forwarder automatically get routed to the indexing queue --> indexing processor? on Deployment Architecture. 10-16-2016 01:50 PM
- Tagged Does cooked data from an HF forwarder automatically get routed to the indexing queue --> indexing processor? on Deployment Architecture. 10-16-2016 01:50 PM
- Posted Re: How to deploy configurations to a Splunk 6.3.2 Search Head Cluster when a cluster member is down? on Deployment Architecture. 09-06-2016 05:57 PM
- Posted Re: How to deploy configurations to a Splunk 6.3.2 Search Head Cluster when a cluster member is down? on Deployment Architecture. 09-02-2016 01:19 PM
- Posted How to deploy configurations to a Splunk 6.3.2 Search Head Cluster when a cluster member is down? on Deployment Architecture. 09-02-2016 12:51 PM
- Tagged How to deploy configurations to a Splunk 6.3.2 Search Head Cluster when a cluster member is down? on Deployment Architecture. 09-02-2016 12:51 PM
10-16-2016 02:05 PM
Thanks a bunch!
10-16-2016 01:50 PM
OR does it first pass through the other three processing queues after the input queue and get ignored by the processing thread proceeding the particular queue, since it's fully cooked?
09-06-2016 05:57 PM
Unfortunately, if the first member is down, the Splunk deployer will throw an error, as I have seen. Per Splunk support, this "fail fast" feature is in place to prevent configuration inconsistencies.
09-02-2016 01:19 PM
The target is a member that is not down. The deployer will still send to all cluster members regardless of the target. In this case, it's trying to send to the first member in the cluster that is down.
09-02-2016 12:51 PM
Hi,
I'm running a 4-node search head cluster where one search head is down due to hardware problems. When trying to deploy configurations to the SHC from the deployer, I get the following message:
Error while deploying apps to first member: ConfDeploymentException: Error while fetching apps baseline on target=https://host:port: Network-layer error: Connect Timeout.
The first member is the host that is down. Is there a fix for this? Why wouldn't the deployer be able to push to the other members that are up? Exception handling? Bug? Any workarounds?
07-01-2016 11:38 AM
Yes, very possible. You are able to deploy two search heads, make the indexers search peers to both search heads so that they will be searching over the same data, deploy Enterprise Security to one search head, deploy all other non-ES related apps to the other, and ensure that you have the proper users and roles set up.
06-30-2016 09:36 PM
2 Karma
Nope, $SPLUNK_HOME is configurable, meaning that you can install it in any directory, really. Also, installing Splunk as non-root is typically preferable and recommended. http://docs.splunk.com/Documentation/Splunk/latest/installation/RunSplunkasadifferentornon-rootuser
In your case $SPLUNK_HOME = srv/splunk/
Ensure that you have enough disk space.
Ensure that the designated non-root user owns $SPLUNK_HOME.
Ensure that the user that owns the files can read and write to that directory. This is especially important for $SPLUNK_HOME/var/log/splunk.
06-30-2016 07:25 PM
Thanks MuS
06-30-2016 06:30 PM
Yes. What exactly are you trying to accomplish with multiple license masters? You could install the Splunk license, for example, on two hosts and configure them both to be license masters, BUT any license slaves that you configure would need to point to one or the other, not both. OR, if you are looking for failover capabilities, you could try to put a load balancer in front of the two license masters (as an example). Depends on what your use case is.
06-30-2016 05:09 PM
Also, it depends on the use case and the deployment.
06-30-2016 05:08 PM
A central license master isn't required. So you could install the same enterprise license on multiple machines. Unless that has changed? @MuS Each host would still fall under that same license.
06-30-2016 04:52 PM
You could also try to put a load balancer in front of a "cluster" of license masters as well. It depends on your use case.
06-30-2016 04:42 PM
Yes, you have the ability to designate one Splunk host as a license master and make other Splunk hosts license slaves. The other alternative is to install the license on each host, which can be a bit much in a larger deployment. See: http://docs.splunk.com/Documentation/Splunk/6.4.1/Admin/Configurealicensemaster
In theory, since you can install the same license on multiple machines, you could have multiple license masters, but a license slave can only be the slave of one license master.
06-30-2016 01:04 PM
3 Karma
You should probably add more indexers to accommodate the heavy search load (more indexers = more cores). While the search heads and the resources on those hosts are used to handle user search requests and users in general, the indexers are actually performing the searches for the data (remember, the data resides on the indexer, and that's also why IOPS are important for indexers: reads and writes). So every search executed will result in one core being used on the indexer, as well as resources on the search head, for the duration of the search job. See http://docs.splunk.com/Documentation/Splunk/6.4.1/Capacity/Accommodatemanysimultaneoussearches.
06-28-2016 10:31 AM
If you want to do cell highlighting, that would require some JS and CSS. I would use the code found in the Splunk 6.x Dashboard Examples app: https://splunkbase.splunk.com/app/1603/. The app contains some neat dashboard customizations that are pretty cool. Typically, if you are using the drill-down feature in your table, specifically for that field, by default the URLs should already be blue: http://docs.splunk.com/Documentation/Splunk/6.4.1/Viz/Dynamicdrilldownindashboardsandforms. Finally, you could change the font color by doing an inspect element to find the id or class and overriding the default color with CSS.
06-28-2016 09:52 AM
This also works: | rest splunk_server=<ENTER HOST> /services/server/introspection/queues
06-28-2016 09:50 AM
So there are a few different things to consider:
In terms of where the data gets indexed: by default, the $SPLUNK_HOME/var/log/splunk directory. See https://answers.splunk.com/answers/418636/where-do-logs-go-when-uploaded-via-splunk-webs-add.html#answer-417611
In terms of deleting the data: for the most part, it isn't recommended that you manually delete indexed data (buckets) because that could cause issues depending on your deployment setup. Splunk employs a retention policy where data is deleted by age (or size). The default is ~6 years, but this number is configurable on a global and/or per-index basis. This will need to be configured in indexes.conf, see: http://docs.splunk.com/Documentation/Splunk/6.0.3/Indexer/Setaretirementandarchivingpolicy. If you have the need to delete data, I recommend that you let the data retire and re-index the data properly (consider disk space and licensing).
What index are you sending your data to? If it's a new index and the data is fairly recent, you could clean the index, but keep in mind that ALL data in that index will be deleted. See: http://docs.splunk.com/Documentation/Splunk/6.4.1/Indexer/RemovedatafromSplunk
06-27-2016 07:36 PM
It's the version. Looks like Parallel Data Pipelines are shown on the DMC for version 6.4.X. We are running version 6.3.2.
06-27-2016 06:05 PM
Thanks @MuS
06-27-2016 05:43 PM
Thanks for the comment. I do not see that when there are two or three Data Pipelines running in parallel.
"the pipelinesets setting in server.conf. When pipeline sets are used (that is, if pipelinesets is set to a value greater than 1), some panels in the DMC indexing performance dashboards will be blank." Is there a workaround?
06-27-2016 03:39 PM
I'm planning to introduce index parallelization into our Splunk deployment given the additional resources we have on our indexers. In looking at the DMC, specifically under Indexing Performance, I don't see that it accounts for multiple data pipelines running in parallel. What is the best way to monitor multiple data pipelines running on one indexer?
06-22-2016 05:54 PM
Looks like the user-prefs app is missing. If you go to $SPLUNK_HOME/etc/apps, do you see a directory called user-prefs? If not, that's more than likely the issue. I would download another copy of Splunk Enterprise, whatever version you are running, and copy the user-prefs app from there to your current $SPLUNK_HOME/etc/apps. Or you could upgrade or reinstall.
06-22-2016 10:58 AM
You could edit the following props.conf settings to handle that:
TIME_PREFIX =
MAX_TIMESTAMP_LOOKAHEAD =
TIME_FORMAT =
These can be edited under $SPLUNK_HOME/etc/system/local OR in an app under $SPLUNK_HOME/etc/apps, depending on your setup.
06-22-2016 10:48 AM
1 Karma
The files get indexed into Splunk. Splunk (by default... this is configurable) saves the transformed data to the $SPLUNK_HOME/var/log/splunk directory. You will find the compressed version of your data under a directory within $SPLUNK_HOME/var/log/splunk. The directory should have the same name as your index unless you made that index the default index. The data within the index directory will be contained in subdirectories organized by age; these are called buckets. Your data will be contained within these buckets.
06-22-2016 10:39 AM
You can change the permissions of the app by going to: Apps --> Manage Apps --> find the search app and select Permissions --> change the Read/Write permissions. You could also do this by editing the default.meta config file: http://docs.splunk.com/Documentation/Splunk/6.4.1/Admin/Defaultmetaconf.
You could also change the default app that the user sees upon logging into Splunk, by role or user: Settings --> Access Controls --> Roles|Users --> select the desired role --> select a default app from the drop-down list under Default app.