Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About edoardo_vicendo
edoardo_vicendo
Communicator
Member since:
09-19-2016
Thursday
Community Statistics
| Posts | 75 |
| Solutions | 5 |
| Karma Given | 53 |
| Karma Received | 11 |
| Member Since | 09-19-2016 |
Activity Feed
- Karma Re: Setting useACK in outputs.conf in a Distributed Environment (Universal Forwarder + Heavy Forwarder + Indexer) for richgalloway. Thursday
- Posted Setting useACK in outputs.conf in a Distributed Environment (Universal Forwarder + Heavy Forwarder + Indexer) on Splunk Enterprise. Wednesday
- Posted Match records based on a WHERE condition defined in a lookup table on Splunk Search. 2 weeks ago
- Tagged Match records based on a WHERE condition defined in a lookup table on Splunk Search. 2 weeks ago
- Tagged Match records based on a WHERE condition defined in a lookup table on Splunk Search. 2 weeks ago
- Karma Re: Unable to view thawed data for Prakash493. 2 weeks ago
- Karma Re: Unable to view thawed data for realsplunk. 2 weeks ago
- Posted Re: Unable to view thawed data on Splunk Search. 2 weeks ago
- Posted Re: Install ES on an Indexers Cluster on Splunk Enterprise Security. 4 weeks ago
- Posted Re: list all datamodels with the feeds (index, sourcetype) on Archive. 02-24-2021 09:04 AM
- Posted Re: Splunk Indexer - how many IOPS expect with this configuration on Splunk Enterprise. 02-15-2021 03:11 AM
- Karma Re: Splunk Indexer - how many IOPS expect with this configuration for richgalloway. 02-15-2021 03:11 AM
- Posted Splunk Indexer - how many IOPS expect with this configuration on Splunk Enterprise. 02-12-2021 09:37 AM
- Tagged Splunk Indexer - how many IOPS expect with this configuration on Splunk Enterprise. 02-12-2021 09:37 AM
- Posted Re: New Splunk 8.1.1 feature - Enhanced TSIDX compression is related to tsidxWritingLevel ? on Splunk Enterprise. 12-16-2020 12:58 AM
- Karma Re: New Splunk 8.1.1 feature - Enhanced TSIDX compression is related to tsidxWritingLevel ? for richgalloway. 12-16-2020 12:56 AM
- Karma Re: New Splunk 8.1.1 feature - Enhanced TSIDX compression is related to tsidxWritingLevel ? for s2_splunk. 12-16-2020 12:55 AM
- Posted New Splunk 8.1.1 feature - Enhanced TSIDX compression is related to tsidxWritingLevel ? on Splunk Enterprise. 12-15-2020 07:25 AM
- Karma Re: How to improve index replication speed? for beatus. 12-03-2020 08:28 AM
- Posted Re: How to improve index replication speed? on Deployment Architecture. 12-03-2020 08:23 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 1 |
Wednesday
Hello, In a distributed environment with Universal Forwarder, Heavy Forwarder and Indexers, like this one: UF --> HF --> IDX How do you set useACK=true in outputs.conf ? Is it needed to be enabled both on Universal Forwarder and Heavy Forwarder? We currently have it enabled only on the Heavy Forwarder. Thanks a lot, Edoardo
... View more
Labels
- Labels:
-
administration
-
configuration
2 weeks ago
Hello, Suppose I have raw records like this: user=blabla,org_L1=12345,org_L2=777,department=7890
user=testtt,org_L1=34567,org_L2=999,department=8910
... And I would like to extract the records based on the rules defined in a lookup: where_condition,role
org_L1=12345 AND org_L2=777,superuser
org_L1=34567 OR org_L2=999,normaluser Is it feasible in some way to introduce into the SPL statement a "where condition" based on the where_condition field defined in the lookup? searchmatch command could be used but it does not accept fields, it only accepts strings. Thanks a lot, Edoardo
... View more
2 weeks ago
I confirm I had the same issue (using Splunk 8.0.5), after a restore thawed buckets were not searchable. Checking with the REST API call the flag frozen was equal to 1. I solved restarting the Master Node, even if the REST API call still give the frozen flag equal to 1 (but lot more information are showed after the restart), the thawed buckets are now searchable.
... View more
4 weeks ago
I think that in an Indexer Cluster by default all the Splunk "internal" indexes should have repFactor=auto, at least under /opt/splunk/etc/master-apps/_cluster/default/indexes.conf I opened the following Splunk Idea to ask for the implementation: https://ideas.splunk.com/ideas/EID-I-898
... View more
02-24-2021
09:04 AM
Starting from @jaime_ramirez solution I have added a portion of SPL to check whether or not your sourcetypes are going into which datamodels: | datamodel
| rex field=_raw "\"modelName\"\s*\:\s*\"(?<modelName>[^\"]+)\""
| search NOT modelName IN (Splunk_CIM_Validation)
| fields modelName
| table modelName
| map maxsearches=40 search="tstats summariesonly=true count from datamodel=$modelName$ by sourcetype | eval modelName=\"$modelName$\""
| append [| search index=_internal source=*license_usage.log type="Usage" pool="herePutYourLicensePool"
| eval sourcetype = st
| stats count by sourcetype
| eval modelName="removeit", count=0
| fields sourcetype modelName count]
| xyseries sourcetype modelName count | fillnull value="N"
| fields - removeit
... View more
02-15-2021
03:11 AM
@richgalloway thanks for your feedback We currently have (per site): HPE Bladesystem using VMware ESXi and RHEL OS 4 Blade Blade 1: 2 SH (2 VM with 20 physical CPU core + 64 GB RAM each) Blade 2: 1 Indexer ( dedicated VM with 2x20 physical core CPU + 96GB RAM each ) Blade 3: 1 Indexer ( dedicated VM with 2x20 physical core CPU + 96GB RAM each ) Blade 4: 1 Indexer ( dedicated VM with 2x20 physical core CPU + 96GB RAM each ) 2 x Fiber Channel Modules 8 ports (each port 16Gb/s) Blade 1-4 connect to 4 ports on Fiber Channel Modules 1 to SAN 1 Blade 1-4 connect to 4 ports on Fiber Channel Modules 2 to SAN 2 Each Fiber Channel Module is virtualized Storage SAN Hitachi G1000 (All Flash SSD) Each Indexer has a 13TB dedicated LUN (space already reserved) The LUN is mounted as a vmdk Thanks a lot, Edoardo
... View more
02-12-2021
09:37 AM
Hi All, I know this question is very generic, but I will try asking 🙂 We have 2 sites with this Indexing Tier configuration: Site 01 3 Indexers (dedicated VM with 2x20 physical core CPU Intel Xeon 6148 and 96GB RAM each) SF=2, RF=2 Site 02 3 Indexers (dedicated VM with 2x20 physical core CPU Intel Xeon 6148 and 96GB RAM each) SF=2, RF=2 Search Heads are configured with site affinity so searches go on both sites. Machines are quite new, supposing you don't have any limitation on the storage tier, how many IOPS are you expecting pushing them to the limit? Thanks a lot, Edoardo
... View more
Labels
- Labels:
-
configuration
12-16-2020
12:58 AM
@s2_splunk , @richgalloway thank you both for your answers, good to see they added additional information on the Release Note page and that my thought were right 😉
... View more
12-15-2020
07:25 AM
Hi, I have seen this new feature in Splunk 8.1.1 https://docs.splunk.com/Documentation/Splunk/8.1.1/ReleaseNotes/MeetSplunk Enhanced TSIDX compression Enhanced TSIDX compression for improved performance and up to 40% reduced storage. I was just wondering if this feature is related to the tsidxWritingLevel as mentioned here: https://docs.splunk.com/Documentation/Splunk/8.1.1/Indexer/Reducetsidxdiskusage#The_tsidx_writing_level Splunk Enterprise Version The tsidxWritingLevel supported The supported tsidx level for searching 7.2.x 1, 2 1, 2 7.3.x 1, 2, 3 1, 2, 3 8.0.x 1, 2, 3 1, 2, 3 8.1.x 1, 2, 3, 4 1, 2, 3, 4 that can be set-up in indexes.conf as follow: tsidxWritingLevel = [1|2|3|4]
* Enables various performance and space-saving improvements for tsidx files.
* For deployments that do not have multi-site index clustering enabled,
set this to the highest value possible for all your indexes.
* For deployments that have multi-site index clustering, only set
this to the highest level possible AFTER all your indexers in the
cluster have been upgraded to the latest code level.
* Do not configure indexers with different values for 'tsidxWritingLevel'
as downlevel indexers cannot read tsidx files created from uplevel peers.
* The higher settings take advantage of newer tsidx file formats for
metrics and log events that decrease storage cost and increase performance
* Default: 1 Moreover, is there anyone having some (good) feedback after have enabled it? Thanks a lot, Edoardo
... View more
Labels
- Labels:
-
administration
-
configuration
12-03-2020
08:23 AM
That's a good suggestion, just wanted to add what we discovered. During the data migration we have found out that even increasing the following setting in the Master Node it was not speeding up the replication process. max_peer_build_load As written here: https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Takeapeeroffline#:~:text=If%20the%20search%20factor%20is,remaining%20set%20of%20searchable%20copies. This is due for the following reason: The search factor. This determines how quickly the cluster can convert non-searchable copies to searchable. If the search factor is at least 2, the cluster can convert non-searchable copies to searchable by copying index files to the non-searchable copies from the remaining set of searchable copies. If the search factor is 1, however, the cluster must convert non-searchable copies by rebuilding the index files, a much slower process. (For information on the types of files in a bucket, see Data files.) The time required to rebuild the index files on a non-searchable bucket copy containing 4GB of rawdata depends on a number of factors such as the size of the resulting index files, but 30 minutes is a reasonable approximation to start with. Rebuilding index files is necessary if the search factor is 1, meaning that there are no copies of the index files available to stream. A non-searchable bucket copy consisting of 4GB rawdata can grow to a size approximating 10GB once the index files have been added. As described earlier, the actual size depends on numerous factors. Therefore copying tsidx files via network is much more faster than rebuilding them at the target peer. Saying that, increasing the max_peer_build_load could be bounded by your network bandwidth and so if you are already using all the available bandwidth (or you have intentionally limited it to avoid issues within your network infrastructure) you will not have any benefit. Instead, in a scenario in which with the default value (max_peer_build_load = 2) you are not sending data at the maximum available network speed, increasing that value can significantly improve the replication process.
... View more
10-15-2020
08:15 AM
@richgalloway Thanks a lot for your suggestion! Tested and it works perfectly, and you can even change it in the meanwhile: splunk edit cluster-config -max_nonhot_rep_kBps <value>
... View more
10-13-2020
09:11 AM
Hello, We are in a multi-site indexer cluster environment, and we are going to upgrade our infrastructure from 3 Indexer to 6 Indexer. Basically we will add 6 new indexers, and decommission the 3 old indexers. Do you know which is the speed in MBytes/s that will be reached once the data will start to be copied from the 3 old Indexers to the 6 new indexers? We did some test in our development environment, where we have simulated a similar scenario, and it seems it started copying very fast with 170 MBytes/s peak (we have checked it with an nmon session at the source Indexer machine). In order to start the copying process we had: added the new Indexers to the Master Node switched the Splunk HFs to forward data to the new Indexers run, one by one on each old Indexer, the command splunk offline --enforce-counts Before starting the test we have read the following documentation: https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Takeapeeroffline#Estimate_the_cluster_recovery_time_when_a_peer_gets_decommissioned In the official documentation it is mentioned: 10GB (rawdata and/or index files) from one peer to another across a LAN takes about 5-10 minutes therefore copying speed should go from 136 Mbit/s to 272 Mbit/s. If the speed we have observed is correct (more than 1Gbit/s), do you know if there is any way to limit the output bandwidth? Thanks a lot, Edoardo
... View more
10-13-2020
08:33 AM
@ thambisetty Thanks for your feedback. Basically there is no way to use host sourcetype and regex all together, unless you have the host: in the event itself (that is not our case) --> so that you can filter with the REGEX in the transforms.conf in the path name (that is not our case as well) --> so that you can directly filter in source stanza in props.conf
... View more
10-02-2020
09:06 AM
1 Karma
I also see that the solution is present 2 times. Would it be feasible to come back to the older layout (or something close to it)?
... View more
10-02-2020
08:54 AM
We have to forward some data from a Splunk Heavy Forwarder to a third party syslog server. This is possible as indicated here: https://docs.splunk.com/Documentation/Splunk/8.0.6/Forwarding/Forwarddatatothird-partysystemsd The challenge is to select only some files from a particular host and forward only the logs that contain a particular string. Here is what we were able to achieve (basically 2 rules out of 3, so some files that contain a particular string), I don’t know if it is possible to add in some way a reference also for the host. Do you know if it is feasible? outputs.conf
[syslog:syslog_target]
type = udp
server = 111.222.333.444:514
props.conf
[source::/path/of/myfile/*filename.log]
TRANSFORMS-syslog_forward = syslog_forward_rule
transforms.conf
[syslog_forward_rule]
REGEX = www\.mywebsite\.com
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslog_target Thanks a lot, Edoardo
... View more
Labels
07-16-2020
06:26 AM
Here my answer on another thread to solve, once audit.log was ingested, the issue with merged events: https://community.splunk.com/t5/Getting-Data-In/Splunk-Universal-Forwarders-audit-logs-merged-audit-conf/m-p/507005/thread-id/86283/highlight/false#M86666
... View more
07-16-2020
06:23 AM
I have been able to solve this with Splunk support. So basically there are 2 options: OPTION 1 - enable UF audit.log monitoring + force local processing on UF This option increase a little bit the cpu consumption on UF because you have to parse the events directly on UF, but it will be enabled only for this specific sourcetype and usually few audit events per day on each UF are generated. On UF: myapp/local/inputs.conf # Specific configuration to enable monitoring Splunk Universal Forwarder audit logs
# by default they are sent to null queue
#*nix
[monitor://$SPLUNK_HOME/var/log/splunk/audit.log]
index = _audit
sourcetype = audittrail
source = audittrail
#Windows
[monitor://$SPLUNK_HOME\var\log\splunk\audit.log]
index = _audit
sourcetype = audittrail
source = audittrail myapp/local/props.conf [audittrail]
SHOULD_LINEMERGE = false
force_local_processing = true OPTION 2 - enable UF audit.log monitoring + enable HF event parsing This has been tested only on *nix On UF (local/inputs.conf) [monitor://$SPLUNK_HOME/var/log/splunk/audit.log]
index = _audit
sourcetype = ufw_audittrail
source = ufw_audittrail on HF (local/props.conf) [ufw_audittrail]
LINE_BREAKER = ([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD = 30
SHOULD_LINEMERGE = false
TIME_FORMAT = %m-%d-%Y %H:%M:%S.%l %z
TIME_PREFIX = ^ Best Regards, Edoardo
... View more
07-02-2020
09:37 AM
2 Karma
Where is it possible to suggest for improvements on the new UI? Is this thread the correct place? Thanks a lot, Edoardo
... View more
07-02-2020
02:56 AM
In the meanwhile I found this, if executed from the Monitoring Console it reports all the Splunk Servers: | rest /services/server/status count=0 splunk_server=* | dedup splunk_server | table splunk_server Now need to check if the same REST call can be done from the Search Head to the Monitoring Console (that in my deployment is in a different server).
... View more
07-02-2020
02:46 AM
@soutamo Thank you, I know how to do a SPL REST call, the point is that I don't know which is (or which are) the REST calls to be done to list all the servers within a Splunk deployment
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
Thursday
|
Karma from
Karma given to
