Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About kamal_jagga
kamal_jagga
Contributor
Member since:
02-24-2015
09-10-2020
Community Statistics
| Posts | 125 |
| Solutions | 6 |
| Karma Given | 15 |
| Karma Received | 14 |
| Member Since | 02-24-2015 |
Activity Feed
- Got Karma for Re: Adding a column from a subsearch. 12-04-2020 04:23 AM
- Got Karma for Re: Error Message; The search for datamodel 'abc_123' failed to parse, cannot get indexes to search?. 09-27-2020 12:09 PM
- Got Karma for Re: How to count the number of times Splunk is restarted.. 06-15-2020 02:03 AM
- Karma Why am I getting an error when using the Send to Phantom alert action? for rplas. 06-05-2020 12:50 AM
- Karma Using same inputs.conf for multiple forwarders with different monitor paths for Jetj. 06-05-2020 12:49 AM
- Got Karma for Re: Why does /opt/splunk/var/run/searchpeers fill up?. 06-05-2020 12:49 AM
- Got Karma for Re: How to re-run a scheduled correlation search after planned downtime?. 06-05-2020 12:49 AM
- Got Karma for Re: Left join not working properly in Splunk Enterprise 6.6.2. 06-05-2020 12:49 AM
- Karma Re: Splunk Add-on for Check Point OPSEC LEA: Why am I unable to gather Check Point logs from LEA Server using OPSEC 4.1 for georgen_splunk. 06-05-2020 12:48 AM
- Karma Re: Splunk Add-on for Microsoft SQL Server: The lookup table 'sqlserver_host_dbserver_lookup' does not exist. for kmanson. 06-05-2020 12:48 AM
- Karma Re: Indexer's $SPLUNK_HOME /var/run/searchpeers/ excessive disk usage and bundles not being reaped for rphillips_splk. 06-05-2020 12:48 AM
- Karma Re: Modifying Correlation search - Substantial Increase in Port Activity (By Destination) for sduff_splunk. 06-05-2020 12:48 AM
- Got Karma for Re: Looking for an example generating custom script that execute OS command. 06-05-2020 12:48 AM
- Karma Creating a notable event from correlation search for shiftey. 06-05-2020 12:47 AM
- Karma Re: How to hide the password in the script when I use a curl command? for jkat54. 06-05-2020 12:47 AM
- Karma Re: How to only show the panel selected from a drop-down and keep the rest of the panels hidden? for gyslainlatsa. 06-05-2020 12:47 AM
- Karma After updating an app, why am I getting search error "The limit has been reached for log messages in info.csv"? for danieldu. 06-05-2020 12:47 AM
- Karma Re: How to get a list of sources that have not produced data for the last 24 hours for a particular index? for javiergn. 06-05-2020 12:47 AM
- Got Karma for Re: Creating a notable event from correlation search. 06-05-2020 12:47 AM
- Got Karma for How to count the number of times Splunk is restarted.. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
06-14-2019
02:13 PM
Any solution for this issue in production for single site clustered environment. Kindly advise.
... View more
06-14-2019
12:35 PM
Hi Guys,
My both the instances of Splunk forwarder are running but I am not able to set separate "host name" for the instances. I have done both the below mentioned changes but abc01-2 is only appearing in "instance name" field of Deployment Server but no changes happened for the "host name".
Updates made in etc/system/local files of both the instances of the forwarder.
1.Splunk1
Inputs.conf
host = abc01
server.conf
[general]
serverName = abc01
2.Splunk2
Inputs.conf
host = abc01-2
server.conf
[general]
serverName = abc01-2
Kindly advise.
... View more
06-14-2019
12:28 PM
Hi Guys,
I have done both the below mentioned changes but abc01-2 is only appearing in "instance name" field of Deployment Server but no changes happened for the "host name".
Updates made in etc/system/local files of both the instances of the forwarder.
1. Splunk1
Inputs.conf
host = abc01
server.conf
[general]
serverName = abc01
Splunk2
Inputs.conf
host = abc01-2
server.conf
[general]
serverName = abc01-2
Kindly advise.
... View more
02-01-2019
12:08 PM
Thanks for the reply. I had already checked for these things but wasn't of any help.
... View more
01-30-2019
11:39 AM
Hello,
I keep getting warning messages that my dispatch directory is full (5GB) even though the dispatch dir size is less than 1 GB. And also, my queries stop running, hence I have to clean up the dispatch dir to make Splunk run again.
Kindly advise.
... View more
01-06-2019
01:43 PM
I hadn't named the Drill-down search while creating the notable. Once it was updated, the contributing events started showing up as expected.
... View more
01-06-2019
01:41 PM
Go in to the app which is having maximum searches or least useful. In its local directory, make a limits.conf and update the ttl value.
ttl =
* The time to live (ttl), in seconds, of the cache for the results of a given
subsearch.
* Do not set this below 120 seconds.
* See the definition in the [search] stanza under the “TTL” section for more
details on how the ttl is computed.
* Default: 300 (5 minutes)
https://docs.splunk.com/Documentation/Splunk/7.2.3/Admin/Limitsconf
... View more
11-22-2018
08:50 AM
1 Karma
I created the notable events in the Configure==> Incident events as well. Still unable to see the contributing events in incidents.
... View more
11-21-2018
12:43 PM
Ideally the process is
Steps:
1. In ES ==> ES ==> Configure ==> Content Mgmt ==> Create New Content ==> Correlation Searches ==> New Correlation search.
2. Add your code in the search sections and fill up the rest of the fields.
3. Add notable action and save it.
... View more
11-20-2018
04:44 PM
Hi Luke,
I am also trying to create some custom correlation searches and notables from my daily reports.
Steps I followed to make this:
1. In ES ==> ES ==> Configure ==> Content Mgmt ==> Create New Content ==> Correlation Searches
2. While creating the correlation searches, I added the name of the new notable (assuming that this would create new notable) and scheduled and saved it.
The query runs fine and gives the output in tabular format. Its creating the notables but I am not able to see the contributing events/error event.
As you mentioned above, could you advise on the format needed to make an event in the notable index and have particular fields.
Also, I am unable to find Correlation Search Editor to make it (Configuration » Custom Searches)
Kindly advise.
... View more
10-23-2018
03:47 PM
Try naming the new field differently from _time to Date.
|inputlookup test.csv
|eval Date=strptime(_time, "%Y-%m-%dT%H:%M:%S").
... View more
10-23-2018
03:41 PM
Since we didn't had the backups, so we had to setup the environment again from scratch. Points have been awarded to Somesh.
Thanks.
... View more
10-23-2018
03:38 PM
1 Karma
I am facing the same issue in 7.0.2.
I have been doing the following things but this only seems to be temporary solution for a few days.
1. Stop splunkd and delete the bundles from searchpeer directory.
2. Data rebalance from Cluster Master.
Kindly advise, if anything else can be done.
... View more
10-02-2018
08:34 PM
I am also facing same issue ? Indexer is down for few days. A;ready tried dispatch cleanup. Not sure what to do
... View more
06-24-2018
01:15 PM
In the inputs.conf make the following entry to run it every 30 mins (30*60). default is 5 mins.
interval = 1800
https://docs.splunk.com/Documentation/Splunk/7.1.1/Admin/Inputsconf
... View more
06-07-2018
10:05 PM
Would you be able to advise the directories/files whose permissions you changed. This happened on 3 out of 8 of my indexers with a fraction of minute.
... View more
05-02-2018
01:41 PM
Unfortunately, we don't have backups. Is there a way, we can revert to the last version.
Otherwise, its going to be big issue.
... View more
05-02-2018
12:01 PM
Thanks for replying Somesh.
I am thinking of doing the following things.
1. Restore the ES from the backup of ES Search-head.
2. Validate if it has all the changes (should have till the day the backup was taken).
3. Once confirmed, take that backup to ES Deployer and push the backup again from there. So that the deployer image of ES and search-head image of ES are also in sync.
Kindly advise.
... View more
05-02-2018
10:39 AM
Urgent Issue
We have a clustered environment and it seems that some changes were recently deployed but that deleted some of the changes previously made from UI in the ES app(ES clustered search heads). So, we need to revert the bundle of changes that were deployed recently.
Command used from Deployer to push changes:
splunk apply shcluster-bundle
I see some details given about the rollback from CLI in the documentation.
To rollback the configuration bundle, run this command from the master node:
splunk rollback cluster-bundle
You can use the splunk show cluster-bundle-status command to determine the current active bundle. You can use the cluster/master/info endpoint to get information about the current active and previous active bundles.
http://docs.splunk.com/Documentation/Splunk/7.1.0/Indexer/Updatepeerconfigurations
But this can be done from master node. But what would be master node for Search-head cluster. And can this be done from Indexer Cluster Master.
Kindly advise.
... View more
04-09-2018
10:37 AM
index=* | dedup sourcetype | table index sourcetype host _time. In the time picker, go to advanced options and put earliest time as now and apply.
... View more
03-23-2018
12:28 PM
Objective: Send the search result url to a central location whenever an alert is triggered.
Current Sol: Trigger alert action script whenever no of events>0
Current Shell Script :
read sessionKey
echo "'$SPLUNK_ARG_0' '$4' '$6' '$sessionKey'" >> \
"/opt/splunk/output.txt"
I know Splunk has given "Convert a script alert action to a custom alert action" option.
But its not that clear and I don't want to modify each search query to add the sendresults option.
Link: http://docs.splunk.com/Documentation/Splunk/7.0.2/AdvancedDev/CustomAlertConvertScripted
kindly advise.
... View more
03-19-2018
01:41 PM
Following should work.
Example:
Search 1
| table instance *
| appendcols
[|Search 2
| table instance PID
]
| table instance PID *
... View more
03-12-2018
02:09 PM
Its working with version 8 but not working with the latest version of JRE (9.0.4)released on January 16, 2018.
Is there a way to make it work with 9.0.4. Could you share the expected time line for releasing the update to support version 9.
Kindly advise.
... View more
03-12-2018
09:22 AM
It seems that jre version 9 is not compatible with the latest version of dbconnect (3.1.2). But it has not been stated Specifically.
Is there any documentation which states the compatibility of various jre versions with dbconnect. Need this for compliance.
Error with 9:
{"detail": "{'jre_need': 'Need Oracle Corporation JRE version 1.8', 'jre_using': 'Using Oracle Corporation JRE version 9, Java HotSpot(TM) 64-Bit Server VM', 'message': 'Unsupported JRE detected'}", "message": {"jre_need": "Need Oracle Corporation JRE version 1.8", "jre_using": "Using Oracle Corporation JRE version 9, Java HotSpot(TM) 64-Bit Server VM", "message": "Unsupported JRE detected"}, "code": 500}
Kindly advise.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-10-2020
05:21 PM
|
Karma from
