Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About danielbb
danielbb
Motivator
Member since:
07-24-2019
Online
Community Statistics
| Posts | 562 |
| Solutions | 3 |
| Karma Given | 341 |
| Karma Received | 30 |
| Member Since | 07-24-2019 |
Activity Feed
- Karma Re: How do I minimize the stored data of _introspection in a tiny cluster? for richgalloway. 11 hours ago
- Posted How do I minimize the stored data of _introspection in a tiny cluster? on Deployment Architecture. 12 hours ago
- Karma Re: How can we show events prior to the one that matches the criteria? for gcusello. yesterday
- Karma Re: How can we show events prior to the one that matches the criteria? for bowesmana. yesterday
- Karma Re: How can we show events prior to the one that matches the criteria? for PickleRick. yesterday
- Karma Re: How do I configure the HF to produce raw data and forward it to the indexer? for gcusello. yesterday
- Karma Re: How do I configure the HF to produce raw data and forward it to the indexer? for gcusello. yesterday
- Karma Re: How do I configure the HF to produce raw data and forward it to the indexer? for gcusello. yesterday
- Karma Re: How do I configure the HF to produce raw data and forward it to the indexer? for isoutamo. yesterday
- Karma Re: How do I configure the HF to produce raw data and forward it to the indexer? for gcusello. yesterday
- Karma Re: How do I configure the HF to produce raw data and forward it to the indexer? for PickleRick. yesterday
- Karma Re: How do I configure the HF to produce raw data and forward it to the indexer? for isoutamo. yesterday
- Karma Re: How do I configure the HF to produce raw data and forward it to the indexer? for PickleRick. yesterday
- Posted Re: How do I configure the HF to produce raw data and forward it to the indexer? on Deployment Architecture. Friday
- Posted Re: How do I configure the HF to produce raw data and forward it to the indexer? on Deployment Architecture. Friday
- Posted Re: How do I configure the HF to produce raw data and forward it to the indexer? on Deployment Architecture. Friday
- Posted How do I configure the HF to produce raw data and forward it to the indexer? on Deployment Architecture. Friday
- Posted How can we show events prior to the one that matches the criteria? on Splunk Search. Friday
- Tagged How can we show events prior to the one that matches the criteria? on Splunk Search. Friday
- Karma Re: How do I configure a small installation? for kiran_panchavat. Wednesday
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
by
PickleRick
| ||
| 0 |
by
PickleRick
| ||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
12 hours ago
At the moment, our tiny indexer has very little disk space and _introspection consumes roughly GB of storage a day, is there a way to minimize the space consumed by the index besides making the retention very short?
... View more
- Tags:
- _introspection
Labels
- Labels:
-
Linux
Friday
I got it, however, I'm setting these three machines and I would like the HF to send cooked data while the SH should send uncooked data to the indexer. Based on what you're saying, it appears that whenever we forward the data, it is already cooked, is it right?
... View more
Friday
It's not clear to me how indexAndForward works, the documentation says - "Set to 'true' to index all data locally, in addition to forwarding it." Does it mean that the data is being indexed in two places? if so, what should we do to produce cooked data AND forward it to the indexer?
... View more
- Tags:
- indexandforward
Labels
- Labels:
-
distributed search
Friday
We have a case where we can search and find events that match the search criteria. The client would like to see the events that are prior in time to the one that we matched via the SPL. Can we do that?
... View more
a week ago
We see the following on the server via the ss -tulpn tcp LISTEN 0 128 0.0.0.0:8089 0.0.0.0:* users:(("splunkd",pid=392724,fd=4)) However, the browser at http://<Indexer>:8089 returns ERR_CONNECTION_RESET. What can it be? while http://<Indexer>:8000 works as expected.
... View more
- Tags:
- port 8089
Labels
- Labels:
-
indexer
a week ago
That's gorgeous @gcusello, I see the process running - syslog 930 1 0 Jan03 ? 00:00:01 /usr/sbin/rsyslogd -n -iNONE Thank you very much! Where is the default configuration/data mount point?
... View more
a week ago
I have an indexer, a search head, and a heavy forwarder for a small installation. How do I configure them to communicate correctly?
... View more
- Tags:
- configuration
a week ago
I'm in the process of creating a small Splunk installation and I would like to know from where I would download the syslog-ng Linux Ubuntu installation for version 20.x.
... View more
Labels
- Labels:
-
heavy forwarder
-
Linux
3 weeks ago
Thanks @kiran_panchavat, About the ulimits, what are the minimal ulimits requirements?
... View more
3 weeks ago
We are creating an installation of one indexer, one search head, and one universal forwarder with syslog, and I wonder what the minimal OS requirements are--such as disabling transparent huge pages on the indexer, file descriptors, etc. we are speaking about a bare minimum installation.
... View more
Labels
- Labels:
-
Linux
3 weeks ago
We are about to create new VMs with the Ubuntu OS. Which version of Ubuntu is supported and recommended?
... View more
- Tags:
- Ubuntu's version
Labels
- Labels:
-
Linux
12-18-2024
09:25 AM
I'm under the impression that HEC ingestion directly to the indexers is supported natively on cloud. I wonder whether the HEC ingestion on-prem to the indexers is supported in the same way?
... View more
Labels
- Labels:
-
indexer clustering
12-18-2024
09:12 AM
We have a case in which each email message is stored on the file system as a distinct file. Is there a way to ingest each file as a distinct Splunk event? I assume that UF is the right way but I might be wrong.
... View more
Labels
- Labels:
-
universal forwarder
12-16-2024
07:47 AM
Thank you all, since I have already the HEC cluster and it is with HFs, wouldn't it be better to have UFs since my understanding is that data flows quicker through UFs? and we don't process the data at all at this HEC cluster level.
... View more
12-13-2024
01:25 PM
I see - $ ps -ef | grep splunk
splunk 2802446 2802413 0 Dec08 ? 00:00:08 [splunkd pid=2802413] splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd [process-runner] Meaning, the user splunk runs on the host and when I sudo to be the splunk user, I don't have access the these logs files, even though they are being ingested.
... View more
12-13-2024
01:20 PM
I love of the idea of the - HEC inputs directly on indexers (and have an LB in front of them) !
... View more
12-13-2024
10:59 AM
We fail again and again these days when we have major spikes in ingestion, primarily with HEC. What would be a good and efficient way to detect major up/down spikes in data ingestion.
... View more
Labels
- Labels:
-
Other
12-13-2024
10:49 AM
On Splunk cloud, we can receive HEC ingestion directly to the cloud whereas on-prem we install distinct subclusters for HEC and struggle to scale them up with multiple down-times cases. I wonder whether it's possible for an on-prem installation to send HEC data directly to the indexers.
... View more
Labels
- Labels:
-
indexer clustering
12-13-2024
10:43 AM
We have a case where the data resides under /usr/feith/log/*.log and the Splunk process can read these files however, when I log in to the unix server I cannot navigate into this directory as the Splunk user. What's going on? bash-4.4$ whoami
splunk
bash-4.4$ pwd
/usr/feith
bash-4.4$ \ls -tlr
total 388
...
drwxr-xr-x. 2 feith feith 4096 Dec 12 12:17 lib
drwx------. 19 feith feith 4096 Dec 13 01:00 log
bash-4.4$ cd log/
bash: cd: log/: Permission denied
... View more
- Tags:
- Permission issue
Labels
- Labels:
-
Linux
11-29-2024
12:14 PM
We are building a small Splunk installation in Azure and I'm not sure what the architecture should look like. The client came up with the idea based on the following link - Deploying Splunk on Microsoft Azure. They created an indexer, a search head, and a license server/cluster master. We do need to ingest syslog data from Meraki devices, so I wonder whether we need a heavy forwarder. Any thoughts?
... View more
Labels
11-29-2024
12:05 PM
I want to use HTML on multiple panels in order to create a custom layout of my Splunk Dashboard. I want to use this layout where each rectangle is a panel - Please advise. Is this possible to implement in a Splunk Dashboard?
... View more
Contact Me
| Online Status |
Online
|
| Date Last Visited |
Friday
|
Karma from
Karma given to
