Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About mikefg
mikefg
Communicator
Member since:
07-24-2019
09-10-2025
Community Statistics
| Posts | 91 |
| Solutions | 6 |
| Karma Given | 6 |
| Karma Received | 7 |
| Member Since | 07-24-2019 |
Activity Feed
- Posted Re: Restore frozen to splunk cloud on Splunk Cloud Platform. 09-10-2025 01:36 PM
- Posted Re: Restore frozen to splunk cloud on Splunk Cloud Platform. 09-10-2025 11:30 AM
- Posted Re: Restore frozen to splunk cloud on Splunk Cloud Platform. 09-09-2025 12:01 PM
- Posted Re: Restore frozen to splunk cloud on Splunk Cloud Platform. 09-09-2025 11:18 AM
- Posted Restore frozen to splunk cloud on Splunk Cloud Platform. 09-09-2025 07:08 AM
- Karma Re: Thaw from frozen to existing cluster or new cluster or single indexer for livehybrid. 06-04-2025 12:46 PM
- Karma Re: Thaw from frozen to existing cluster or new cluster or single indexer for richgalloway. 06-04-2025 12:46 PM
- Posted Re: Thaw from frozen to existing cluster or new cluster or single indexer on Splunk Enterprise. 06-04-2025 12:37 PM
- Posted Re: Thaw from frozen to existing cluster or new cluster or single indexer on Splunk Enterprise. 06-04-2025 11:36 AM
- Posted Thaw from frozen to existing cluster or new cluster or single indexer on Splunk Enterprise. 06-04-2025 09:07 AM
- Tagged Thaw from frozen to existing cluster or new cluster or single indexer on Splunk Enterprise. 06-04-2025 09:07 AM
- Tagged Thaw from frozen to existing cluster or new cluster or single indexer on Splunk Enterprise. 06-04-2025 09:07 AM
- Posted Re: TypeError when using on All Apps and Add-ons. 03-13-2025 07:21 AM
- Posted Re: TypeError when using on All Apps and Add-ons. 03-12-2025 11:47 AM
- Posted TypeError when using on All Apps and Add-ons. 03-12-2025 08:41 AM
- Posted Re: CentOS migration to Ubuntu on Installation. 04-26-2024 08:31 AM
- Posted Re: CentOS migration to Ubuntu on Installation. 04-25-2024 07:49 AM
- Posted Re: How to edit my WinRegMon configuration to filter out certain Windows registry events? on Getting Data In. 03-15-2024 09:17 AM
- Karma Re: CentOS migration to Ubuntu for isoutamo. 02-08-2024 12:38 PM
- Posted Re: CentOS migration to Ubuntu on Installation. 02-08-2024 12:37 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
09-10-2025
01:36 PM
Thank you for your help! Will proceed with this approach and see how it goes.
... View more
09-10-2025
11:30 AM
Currently frozen files are stored on a series of servers. Does the frozen data need to stay in the same location where it was frozen to? (series of servers) Or can the files be moved to a file share or storage repo? Is this approach valid? Move all the frozen files from the servers they are on to a storage repo, download/store a current/same Splunk version, and current/same version of the OS. Then, if necessary in the future, build new VMs using the archived OS, install archived version of Splunk, thaw data from the repo.
... View more
09-09-2025
12:01 PM
So would a better option be to archive all the splunk VMs (servers) and restore if necessary in the future?
... View more
09-09-2025
11:18 AM
Are you saying that PS can migrate frozen data if I only have db and rb files? e.g. folder_2020 | frozen data files db, rb folder_2021 | frozen data files db, rb folder_2022 | frozen data files db, rb Or are you saying the frozen data migration has to happen while I have my current environment still active?
... View more
09-09-2025
07:08 AM
Hello all. I need to archive several years of frozen splunk data (db, rb files). The data has already been frozen and is just sitting on archive servers. We don't want to archive the entire splunk environment (search head, indexers, etc.), just the data. If the data is needed in the future what is the possibility of using splunk cloud as a target to thaw the data into and search? There won't be infrastructure to restore servers to, and relying on Azure, AWS, etc. to be suitable targets for old VMs is risky. If this is possible, what else might be needed besides the files? indexes.conf for a list of indexes?
... View more
Labels
- Labels:
-
other
06-04-2025
12:37 PM
Good to know, thank you! I'll start working on this and we'll see how it goes.
... View more
06-04-2025
11:36 AM
Thanks for the replies. I will clarify. Management wants me to test thawing old data so it is searchable (near term) or can be moved to cloud possibly later this year. DDSS and DDAA will be part of the discussion a bit down the road, but for now I need to test/verify thawing from frozen. We are going to retire our on-prem infrastructure at some point. The thawed data does not have to be to our production cluster, so a standalone splunk single server would work. If I stand up a new single instance server, is there any licensing I need to worry about if I'm just using it to thaw frozen data?
... View more
06-04-2025
09:07 AM
This project is to test for a potential on-prem to cloud migration. I need to thaw several terabytes of frozen splunk data. It has been frozen over the past several years from an indexer cluster to offline repos. The storage array where my existing indexer cluster resides doesn't have enough disk space to bring it all back. I have a secondary storage array that I can use that has plenty of space, but I can't move my existing cluster. I need help understanding/deciding: Should I build new indexers on the secondary array, add them to the existing cluster and thaw data to them. Should I build a new cluster with new indexers on the secondary array and thaw the data there. Maybe it's easiest to just build one new standalone indexer on the secondary array and thaw all data to this one new standalone indexer? The data will need to be searchable/exportable, I have only one search head (no search head cluster).
... View more
Labels
- Labels:
-
administration
-
other
03-12-2025
11:47 AM
Getting a new error after trying your idea. New error: Expecting value: line 1 column 1 (char 0) my search string: index=network | ipextrainfo ip=src_ip | table src_ip country
... View more
03-12-2025
08:41 AM
I am not using an api key, just free tier. I get this error when used in search: External search command 'ipextrainfo' returned error code 1. Script output = "error_message=TypeError at "/opt/splunk/etc/apps/ip_extrainfo/bin/ipextrainfo.py", line 47 : 'Message' object is not subscriptable ".
... View more
Labels
- Labels:
-
troubleshooting
04-26-2024
08:31 AM
Thanks for clarifying. I have added the new Ubuntu servers to the cluster and will initiate the data rebalance today. Doing some reading on removing a peer and it looks like it's as simple as running the offline command on the peer, correct? Assuming the cluster is healthy, just run this wait for it to finish, and the server can be shut down. splunk offline --enforce-counts
... View more
04-25-2024
07:49 AM
@richgalloway wrote: I think you have right idea on all counts. Migrating the CM is similar to migrating a SH. Do migrate the CM before the indexers. Working on this project. I have the new CM stood up on Ubuntu 22 and it has replaced the Centos 7 CM which is now offline. The Indexers are still on Centos 7. I see in the docs that the CM and indexers need to be the same OS. Is this true? The cluster seems to be working fine so far and I'm working on the new Ubuntu indexers that will be added to the cluster. Still safe to proceed or will I run into issues adding the Ubuntu indexers to the cluster? Found under "Operating system requirements" "All indexer cluster nodes (manager node, peer nodes, and search heads) must run on the same operating system and version." System requirements and other deployment considerations for indexer clusters - Splunk Documentation
... View more
03-15-2024
09:17 AM
I've been working on an issue where I need to be able to filter out a registry entry as well, but this solution doesn't get me there. I need to filter out the languagelist entry, just can't get the regex to work. Anyone else have success filtering reg entries? I need to filter out this entry.
HKU\.default\software\classes\local settings\muicache\2c4\52c64b7e\languagelist
... View more
02-07-2024
01:52 PM
I am working on migrating from Centos 7 to Ubuntu 22. Single search head, indexer cluster (3 indexers), and a deployment server used just to manage clients (not Splunk servers). For the SH and DS is it just a straightforward install same version Splunk on new Ubuntu server, copy config over, check permissions, and start it up (same IP, same DNS)? For the IDX cluster, do a new CM first and copy config over or are there other things to consider? What's a good process for the indexers (only 3). Can I build new indexers on Ubuntu, add them to the cluster, and then remove the CentOS servers as new Ubuntu servers are added all the while letting clustering handle the data management?
... View more
Labels
- Labels:
-
Linux
10-05-2023
12:31 PM
Figured it out, just didn't enter anything into the optional Cloud App Security Token, Tenant Subdomain, or Tenant Data Center fields and that got it working again.
... View more
10-05-2023
09:42 AM
o365 addon has been running fine. Token expired on the Azure side, so I generated a new one. Updating the Splunk addon gives me the error "Only letters, numbers and underscores are supported." and highlights the Tenant Subdomain or Tenant Data Center fields (see attachment). I can't complete the update without values in these fields. Not sure what to do here.
... View more
09-25-2023
07:34 AM
1 Karma
Found another app that needs kvstore, but this one is a vendor TA. kvstore was not referenced in any documentation and I only found out after I stopped getting data. Fixed now, just keep an eye out for missing data after disabling kvstore on a HF.
... View more
09-22-2023
07:43 AM
Maybe not a common TA or app, but Splunk App for Stream uses kvstore. Found this out recently doing some troubleshooting. So on stream servers make sure in server.conf to set [kvstore] disabled = false
... View more
08-29-2023
11:39 AM
Running 9.0.x now, and I'm getting messages about kvstore issues on indexers, etc. I understand I can disable kvstore on some systems, but not all. Where do I need it upgraded to wiredTiger and where can I disable it? Search heads - enabled and upgraded to wiredTiger Enterprise security search head - enabled and upgraded to wiredTiger Cluster master - mmapv1 Indexers - mmapv1 Deployment server - mmapv1 Heavy forwarders - enabled and upgraded to wiredTiger
... View more
Labels
- Labels:
-
KV Store
08-28-2023
01:56 PM
1 Karma
I got it working again. I had to recopy the coldtofrozenexample.py and edit for my environment. I was missing some sections from the script.
... View more
08-28-2023
11:35 AM
I posted my script in this thread and it's the sample script, just edited for my environment. It's been working fine for a long time until this issue arose.
... View more
08-28-2023
09:25 AM
I'm passing a bucket path and getting this error now. Replaced some path values to hide internal names and bucket name. bash-4.2$ /opt/splunk/bin/splunk cmd "/opt/splunk/bin/python" "/opt/splunk/etc/peer-apps/archive_app/coldToFrozen.py" "/opt/splunk/var/lib/splunk/indexname/db/db_string" Traceback (most recent call last): File "/opt/splunk/etc/peer-apps/archive_app/coldToFrozen.py", line 51, in <module> handleOldBucket(bucket, files) NameError: name 'handleOldBucket' is not defined
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-10-2025
11:29 AM
|
