cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
sbhale
Explorer
Member since: ‎10-06-2013
‎06-05-2020
Community Statistics
Posts 7
Solutions 1
Karma Given 0
Karma Received 5
Member Since ‎10-06-2013
Activity Feed
View All

Re: Bucket replication queue full causing random i...

by in Getting Data In
‎02-04-2019 12:17 PM
1 Karma
‎02-04-2019 12:17 PM
1 Karma
Answering my own question so others will find it useful. The presense of the above messages with the same peer guid was ruled to be the problem. One of our peer nodes was acting up and slowing down any nodes replicating to it just a little bit but enough that it was a propagating and causing queues to get backed up. The solution was putting the node in manual detention to be either re-built or retired. ... View more

Bucket replication queue full causing random index...

by in Getting Data In
‎02-04-2019 12:16 PM
1 Karma
‎02-04-2019 12:16 PM
1 Karma
Had a weird issue where my queues would fill up on random nodes and rove around within the cluster. Had a case opened with support and Was working through and making all sorts of adjustments and ruling out all sorts of issues to no vail. Finally had a breakthrough when I noticed that we were seeing INFO BucketReplicator - replication queue for peer=<guid> bid=<bid> is full . Followed almost immediately by INFO BucketReplicator - replication queue for peer=<guid> bid=<bid> has room now. over and over again. The gap between those two messages was only a few milliseconds. No other obvious ERROR pointing to the cause. ... View more

Re: What is scheduler log event status=Continued ?

by in Splunk Search
‎01-18-2019 10:00 AM
‎01-18-2019 10:00 AM
status=Continued means that splunk was unable to run your search as scheduled, But it will catch up and run it for the time period it was supposed to run. For example your search looking at data from 00:15 - 00:30 was supposed to run at 00:30. But it got the above status. What splunk will do is run the search for the timeframe 00:15-00:30 at say 00:40. So the results will(mostly) be the same. I say mostly because you can have data show up later and the results may differ because of that. Splunk will choose to continue searches that are meant to fill summary data etc which can be more flexible than say alerts. ... View more

Storage calculations for clustered indexers

by in All Apps and Add-ons
‎05-14-2018 05:56 PM
‎05-14-2018 05:56 PM
When I installed this app in a clustered environment. The numbers for storage used do not match that shown by DMC(monitoring console). This app only seems to be showing disk usage numbers from a single indexer. So storage cost is way off. Or am i missing something? ... View more

Link srtemp to dashboard or search

by in Splunk Search
‎05-04-2018 03:21 PM
2 Karma
‎05-04-2018 03:21 PM
2 Karma
I get some occurrences of directories in srtemp which are a few hundred gigs in size. Is there a way to link those directories to their source? As in which dashboard is resulting in those. I want to see which dashboards are doing this and maybe find a way to make them more efficient. Those directories are transient but cause people to see "not enough free space in dispatch" errors. ... View more

Does the Tesla Vehicle Modular Input query Tesla A...

by in All Apps and Add-ons
‎11-11-2015 09:53 AM
‎11-11-2015 09:53 AM
Does this Tesla Vehicle Modular Input query Tesla API in a way that they won't think is excessive and get your access blocked? I asked the same question before and it was deleted. What gives? ... View more

Re: Checking if the _meta data is actually indexed...

by in Splunk Search
‎07-23-2015 10:01 AM
1 Karma
‎07-23-2015 10:01 AM
1 Karma
I don't know if anyone still cares as this question was posted long ago but here is the answer: If you want to use the meta fields in search you have to make them indexed fields. To do this you need to make a change on the indexer. In fields.conf add the following: [environment] indexed=true [site] indexed=true After that you should be able to use 'environmnt=' in your search. And you should also see those two fields show up in the fields list. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma from