Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About Hemnaath
Hemnaath
Motivator
Member since:
03-15-2015
11-20-2025
Community Statistics
| Posts | 903 |
| Solutions | 12 |
| Karma Given | 1 |
| Karma Received | 55 |
| Member Since | 03-15-2015 |
Activity Feed
- Posted Re: How to create heatmap visualization in dashboard studio? on Dashboards & Visualizations. 11-20-2025 09:06 PM
- Posted How to create heatmap visualization in dashboard studio? on Dashboards & Visualizations. 11-20-2025 03:56 AM
- Got Karma for How to troubleshoot and fix the website input 504 Gateway Timeout Error while configuring an input ?. 01-12-2024 02:44 PM
- Posted Re: Where I can get the Splunk Add-on for AWS 6.0.0 version documentation details on All Apps and Add-ons. 08-29-2023 03:34 AM
- Posted Where I can get the Splunk Add-on for AWS 6.0.0 version documentation details on All Apps and Add-ons. 08-28-2023 04:58 AM
- Tagged Where I can get the Splunk Add-on for AWS 6.0.0 version documentation details on All Apps and Add-ons. 08-28-2023 04:58 AM
- Got Karma for Re: Splunk has found 1 orphaned searches owned by 1 unique disabled users.Click to view the orphaned scheduled searches. Reassign them to a valid user to re-enable or alternatively disable the searches.. 06-13-2023 04:41 AM
- Posted What splunk precedence rules should be followed to upgrade splunk clustered environment ? on Splunk Enterprise. 01-26-2023 01:29 AM
- Got Karma for Unable to break the multi-line events into single event from kinesis log?. 11-07-2022 02:14 AM
- Posted Re: How to write a Splunk query to find the Splunk UF version for specific set of hosts in Splunk Enterprise on Splunk Enterprise. 10-31-2022 11:13 PM
- Posted How to write a Splunk query to find the Splunk UF version for specific set of hosts in Splunk Enterprise on Splunk Enterprise. 10-31-2022 06:44 AM
- Got Karma for Re: ERROR: kvstore port [8191] - port is already bound. Splunk needs to use this port.. 10-13-2022 02:16 PM
- Posted Where can I get the release notes for Splunk enterprise v8.2.6.1 release notes ? on Splunk Enterprise. 07-26-2022 11:17 PM
- Posted How to fix this error: could not use the strptime to parse timestamp from “2022-26-05T11:29:57”? on Getting Data In. 05-26-2022 09:01 AM
- Posted Re: How to write a monitoring stanza to monitor the windows Event Viewer logs on Getting Data In. 05-12-2022 08:59 AM
- Posted Re: How to write a monitoring stanza to monitor the windows Event Viewer logs on Getting Data In. 05-12-2022 06:14 AM
- Posted How to write a monitoring stanza to monitor the windows Event Viewer logs? on Getting Data In. 04-29-2022 03:13 AM
- Posted Re: How to write time format for 2022-04-07 20:40:03.360 -06:00 [XXX] XXXXX? on Splunk Enterprise. 04-16-2022 07:18 PM
- Posted How to write time format for 2022-04-07 20:40:03.360 -06:00 [XXX] XXXXX? on Splunk Enterprise. 04-14-2022 09:17 AM
- Posted Why is Splunk ingesting additional information from the source, when there is no actual data present in the source ? on Splunk Enterprise. 04-13-2022 05:11 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
05-20-2019
02:22 AM
Hi All, Can anyone kindly guide me on this.
... View more
05-19-2019
02:22 AM
1 Karma
Hi All,
Good Morning, I have requirement to create a dashboard to display the total number of concurrent running builds in Jenkins and team city. Need 4 panels to display total number of builds with time chart and single value visualization. Already we have 9 panels to display Build count, Build duration and Queue Time by Day in place.
Details about the Panels Type and Query:
1) TC Build Duration Per day
Index = TC-App sourcetype =tc:srv “Build started” OR “Finished build” | transaction buildId keepevicted =true | time chart span =1h sum(duration)
2) TC Build count & Duration:
Index = TC-App sourcetype =tc:srv “Build started” OR “Finished build” | transaction buildId keepevicted =true | time chart span =1h count (duration)
3) Jenkins Build & Queue Time By Day:
Index =JK-App sourcetype=* event_tag =”Job_event” type=”completed” build_number = “*” | dedup host build_url sortby - _time | search ‘UTC_to_local_time(Job_started_at)’ | time chart span = 1h sum(Job_duration) sum(Queue_time)
4) Jenkins Build Count & Duration & Queue Time:
Index =JK-App sourcetype=* event_tag =”Job_event” type=”completed” build_number = “*” | dedup host build_url sortby - _time | search ‘UTC_to_local_time(Job_started_at)’ | time chart span = 1h sum(Job_duration) sum(Queue_time) count
5) TC Build Count: Single Value Visualization:
Index = TC-App sourcetype =tc:srv “Build started” OR “Finished build” | transaction buildId keepevicted =true | stats count
6) TC Build Count in seconds: Single Value Visualization:
Index = TC-App sourcetype =tc:srv “Build started” OR “Finished build” | transaction buildId keepevicted =true | sum (duration)
7) Jenkins Build Count: Single Value Visualization:
Index =JK-App sourcetype=* event_tag =”Job_event” type=”completed” build_number = “*” | dedup host build_url sortby - _time | search ‘UTC_to_local_time(Job_started_at)’ | stats count
😎 Jenkins Build Duration in seconds : Single Value Visualization
Index =JK-App sourcetype=* event_tag =”Job_event” type=”completed” build_number = “*” | dedup host build_url sortby - _time | search ‘UTC_to_local_time(Job_started_at)’ | stats sum (Job_duration)
9) Jenkins Queue Time in seconds:
Index =JK-App sourcetype=* event_tag
=”Job_event” type=”completed” build_number = “*” | dedup host build_url sortby - _time | search ‘UTC_to_local_time(Job_started_at)’ | stats sum (queue_time)
Now need to create additional panels to display the concurrent running build Jobs in Jenkins and Team city. Kindly guide me how to do that.
... View more
10-24-2018
09:48 PM
Hi Velsankar, no I did not find any solution for this error, so dropped configuring it.
... View more
10-24-2018
09:47 PM
Hi Nikgoyal, Yes we were able to resolve this issue, by configuring all the LDAP group in the indexer instance same as search head instances.
... View more
09-24-2018
10:49 AM
Hi Guys can any one update me on this ?
Regarding streaming and non-streaming commands, got the below detail on how the commands are executed.
Streaming commands - operates on each event as it is returned by a search. Think of applying "function/transformation" to each event and then writing out the result of that operation. An example of such a command might be a command that adds a field to each event.
Non-streaming commands - Expects to have all the data before it operates on it. An example of a non-streaming command is the stats command, which will collect all the data before it can calculate the statistics.
Similarly for the below question let me know whether answer to the question is correct or not!
1) How to list the indexes details available in splunk search heads?
We can the indexes configured in splunk searched by login into splunk web portal --> settings --> indexes.
By executing the splunk btool command from the search head instances to find the list of indexes available in splunk search head.
./splunk btool indexes list --debug | less
... View more
09-23-2018
07:16 AM
Hi richgalloway, Its an interview question, which I was unable to answer it, so could guide me on the proper answer to this question.
thanks.
... View more
09-21-2018
06:18 AM
Hi All,
I had two question's on splunk.
1) How to list the indexes details available in splunk search heads?
2) What is streaming and non-streaming commands and how are they executed (in which scenario's it is used)
thanks in advance.
... View more
08-24-2018
02:58 AM
hey dchapin, i had an different issue all together and had fixed it after validating that there were two apps with the same input configuration, executing the lastlog.sh script.
Example : one app with ( Bin and script ) folder and another app was with out bin folder, was taking precedence and as the bin folder was not present there was no data in the indexer and the /splunk inputs status resulted with the script exited with code 1
thanks.
... View more
No it did not cause any issues.
... View more
08-06-2018
04:28 AM
Hi All, When troubleshooting this issue with the help of splunker from splunk.answers.com , I had narrow down the issue and fixed it.
In this case the indexer and search head instances the LDAP configuration are different, in indexer instance only Splunk_Admin ldap group was configured, where as in search head we had other LDAP groups configured due to this when ever any user mapped apart from splunk_admin groups performs search activities it was throwing an error in splunkd.log due to the configuration conflict.
Problem Detail:
ERROR AuthenticationManagerLDAP - Couldn't find matching groups for user="test01". Search filter="(&(uniquemember=uid=test01,ou=Internal,ou=Users,dc=xxx,dc=com)(cn=Splunk_Admin))" strategy="XXXX LDAP"
Solution: Configured all the LDAP group in the indexer instance same as search head instances.
... View more
08-02-2018
04:19 AM
Hi Nittala, I have seen some Jobs being executed by some users and those user details are getting popped in the splunkd.log as an Error, to validated I had followed above direction as mentioned on your comment and found those user Jobs where either completed or running stage in Activity-Jobs. But when checked with user on the same found that he did not execute any real-time search and he had checking data related past 7 days. So what will be the next step to this issue.
... View more
08-01-2018
05:40 AM
hey we are using 7.0.4 splunk version, but how did you fix the issue ? If you can share the knowledge it would be helpful as I could see some 2000 errors in splunkd.log related to this.
... View more
07-31-2018
09:37 AM
Hi Thambisetty, thanks for your support, I think I have tried to this but it did not work out, yes we have HF for parsing the data before indexing the data.
Props:
[yoursourcetype]
TRANSFORMS-set= setnull,setparsing
Transforms.conf :
Who
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
basically keeping anything that has header and at least one data row
[setparsing]
REGEX = ^(USERNAME).+[\r\n]+\w+
DEST_KEY = queue
FORMAT = indexQueue
Anyway let me try it once again.
... View more
07-31-2018
07:27 AM
hey renjith, thanks for your support on this, I am getting this error for only few users not all the users configured in the splunk via ldap. So as per Simon'S answer where/which location I should update the code, could you please guide me on that.
<code>groupMappingAttribute = uid
</code>
... View more
07-31-2018
06:00 AM
Hi Splunkers, I am seeing some 2023 event counts for the below mentioned error detail in splunkd.log in all the indexer instances, so can any one guide me how /where to start the investigation on fixing this issue.
ERROR AuthenticationManagerLDAP - Couldn't find matching groups for user="test01". Search filter="(&(uniquemember=uid=test01,ou=Internal,ou=Users,dc=xxx,dc=com)(cn=Splunk_Admin))" strategy="XXXX LDAP"
Splunk Version : 7.0.4
... View more
- Tags:
- authentication
- ldap
07-31-2018
05:33 AM
Can anyone throw me some lights on this issues ?
... View more
07-30-2018
05:00 AM
2 Karma
Hi Splunkers, I got a requirement from the cyber security user to remove the events with header displaying empty and retain those events with header details having some values into it.
Header Details: USERNAME LINE HOSTNAME TIME
We are using Splunk Add-on for Unix and Linux version 5.2.4 to capture the UNIX details in splunk and the who.sh scripted input are used to capture the who logged on to the system details and both the Linux, Solaris OS details are successfully ingested into splunk via scripted inputs but there are many events with zero values in it and only Header details are shown as a event which we wanted to remove it.
Attached snap shot for your references.
. dirname $0 /common.sh
CMD='who -H'
HEADER='USERNAME LINE HOSTNAME TIME'
HEADERIZE='{NR == 1 && $0 = header}'
FORMAT='{length(hostname) || hostname=$NF; gsub("[)(]", "",hostname); time=$3; for (i=4; i<=lastTimeColumn; i++) time = time " " $i}'
PRINTF='{if (NR == 1) {print $0} else {printf "%-14s %-10s %-40.40s %-s\n", $1,$2,hostname,time}}'
if [ "x$KERNEL" = "xLinux" ] ; then
FILL_BLANKS='{hostname = ""; lastTimeColumn = NF-1; if (NF < 5) {hostname = " "; lastTimeColumn = NF}}'
elif [ "x$KERNEL" = "xSunOS" ] ; then
FILL_BLANKS='{hostname = ""; lastTimeColumn = NF-1; if (NF < 6) {hostname = " "; lastTimeColumn = NF}}'
elif [ "x$KERNEL" = "xAIX" ] ; then
FILL_BLANKS='{hostname = ""; lastTimeColumn = NF-1; if (NF < 6) {hostname = " "; lastTimeColumn = NF}}'
elif [ "x$KERNEL" = "xDarwin" ] ; then
FILL_BLANKS='{hostname = ""; lastTimeColumn = NF-1; if (NF < 6) {hostname = " "; lastTimeColumn = NF}}'
elif [ "x$KERNEL" = "xFreeBSD" ] ; then
FILL_BLANKS='{hostname = ""; lastTimeColumn = NF-1; if (NF < 6) {hostname = " "; lastTimeColumn = NF}}'
fi
assertHaveCommand $CMD
$CMD | tee $TEE_DEST | $AWK "$HEADERIZE $FILL_BLANKS $FORMAT $PRINTF" header="$HEADER"
echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $FILL_BLANKS $FORMAT $PRINTF' header=\"$HEADER\"" >> $TEE_DEST
Note: we have used Line_Breaker stanza in props.conf to break the multiple events into single events as per the requirement.
[who]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
Kindly guide us on how to do this customization.
... View more
07-27-2018
09:37 AM
Hi Woodcock, We had fixed this issue by following the below solution.
Problem details: Distributed Bundle Replication Manager: The current bundle directory contains a large lookup file that might cause bundle replication fail. The path to the directory is /opt/splunk/var/run/C090FDA2-105E-4875-A110-3F13FF986151-1531313061-1531313166.bundle
Impact: Due to this, the size of the file systems was almost utilized 100 % and which in-turn caused the search failure and it was impacting all the user from searching the data.
Solution:
The below gave some idea to fix this issue.
link text
1) First we checked which csv file is consuming more space from the apps folder in the search head by using the below command we
/opt/splunk/etc/apps/
find . -name *.csv -exec du -sh {} \; | grep "M" | less
2) After narrowing down correct .csv file which was consuming 660MB in the /opt/splunk/etc/apps/servicenow/lookup/cmdb_ci_list_lookup.csv
3) On trouble shooting we found the lookup file was broken, the fields in the lookup table are data that is not relevant to ServiceNow, So we rectified the lookup fields details and uploaded the rectified csv file in the search head cluster master via deployer.
4) On uploading rectified csv file with the size of 49 MB and it fixed the issue.
Note: Since this cmdb_ci_list_lookup.csv was configured in the props.conf and defined as Global this lookup file is needed in the indexer, so we did not use the replicationBlacklist stanza in distsearch.conf as mentioned in the link.
... View more
07-27-2018
05:34 AM
Hi Carsonza, thanks for your inputs, I had found the issue we had a .csv with size of 661MB and along with other knowledge bundles and it was causing the replication issue. When checked the lookup file and found that it was broken, because the fields in the lookup table are data that is not relevant to ServiceNow. On fixing the lookup issue the .csv file size was reduce to 49 MB and it cleared the space issue.
... View more
07-18-2018
08:51 AM
Woodcock, I could see the below three look up are consuming some space and every five minutes we could see the message getting popped out with different .delta files. When the same was extracted using tar -xvf C090FDA2-105E-4875-A110-3F13FF986151-1531313061-1531313166.delta could see below three csv files are causing the replication problem.
-rw------- 1 splunk splunk 5.9M Jul 18 06:15 SEC-CND-INCIDENTS-SPLUNK.csv
-rw------- 1 splunk splunk 8.2M Jul 18 06:15 SEC-CND-INCIDENTS-SNOW.csv
-rw------- 1 splunk splunk 35K Jul 18 06:14 SEC-CND-INCIDENTS-SNOW-NOT-SECURITY.csv
When checked the location / app where these CSV files are residing, found in the search & reporting app under this path /opt/splunk/etc/apps/search/lookups/
These lookup files are defined as Private by the user.
Question:
1) How to fix this issue, based on the splunk document, should I need to configure the replicationBlacklist in the $SPLUNk_HOME/etc/system/local/distsearch.conf
link text
Kindly guide me on this.
... View more
07-17-2018
10:01 AM
size of the single .delta file size is around 1.6 GB. Can we still delete the .delta file of this size.
... View more
07-17-2018
09:08 AM
1 Karma
Hi All,
Currently we have an disk space issue in two of the splunk indexer instances and we have separate volume create for storing the indexed data. We found that /opt/splunk/var/run/search peers is consuming nearly 19 GB of disk space and /opt/splunk/var/lib/ is occupying some where around 15 GB most containing the splunk internal data.
Total disk space allotted for 47G 41G 4.1G 91% /opt
Question :
1) Is it safe to delete the .bundle files from this location for the indexer instances.
2) What will be the correct solution to prevent the disk crunch issue in future.
kindly guide me on this.
... View more
07-17-2018
05:48 AM
Hi Woodcock, I tried executing the above splunk query but still facing the same message from the job inspector. As advised I did CLI access to the search head under this location /opt/splunk/var/run/C090FDA2-105E-4875-A110-3F13FF986151-1531313061-1531313166.delta. and execute this command to check what are the lookup files present.
tar -tvf C090FDA2-105E-4875-A110-3F13FF986151-1531313061-1531313166.delta | grep -i .csv
Could see lots of CSV files but could not find the correct lookup file which is taking the space, so can guide me on this.
... View more
07-16-2018
10:36 AM
Hi Woodcock, Good Evening We started to receive this message again in the search head, but not sure how to find which look table is actually taking the space and when I tried to execute the above query from the XML file, did not get any output, when checked the Job inspector - Found the below message.
No Matching field exists
REST Processor: Restricting results of the "rest" operator to the local instance because you do not have the "dispatch_rest_to_indexers" capability.
Error message:
Search peer searchhead01 has the following message: Distributed Bundle Replication Manager: The current bundle directory contains a large lookup file that might cause bundle replication fail. The path to the directory is /opt/splunk/var/run/C090FDA2-105E-4875-A110-3F13FF986151-1531761965-1531762072.delta.7/16/2018, 1:28:25 PM
Search peer searchhead02 has the following message: Distributed Bundle Replication Manager: The current bundle directory contains a large lookup file that might cause bundle replication fail. The path to the directory is /opt/splunk/var/run/C090FDA2-105E-4875-A110-3F13FF986151-1531334559-1531334668.delta.7/16/2018, 1:28:25 PM
Could you please guide me how to trouble shoot this issue.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
11-20-2025
08:58 PM
|
