Hi @Esky73 , thank you for your insights. Can you provide details on the custom alert action that runs a batch job restart? Is the script being run from Splunk to Control M server? or the script is present on the Control M server, and Splunk have a way to trigger it externally? ... View more

There are at least three different ways of "integrating" ES with third-party solutions. Details of implementing each of them will greatly depend on particular use case and might involve some programming. 1) Use the external solution to search from your Splunk ES installation and retrieve notables. 2) Use the alert action (or adaptive response in case of ES) to push each notable separately to the external solution. 3) Use an additional alert to periodically export the list of new notables to the external solution. In cases 2 and 3 you need to have something developed (either use something already made if there is already an app for it or write something from scratch) to push the data from Splunk to the third-party service. ... View more

Hi @jaracan , for storage, you can use https://splunk-sizing.soclib.net/ for the resources, I hint to follow the Splunk Architecting Training. This link could be useful https://lantern.splunk.com/Splunk_Platform/Product_Tips/Administration/Sizing_your_Splunk_architecture  Ciao. Giuseppe ... View more

Hello, To check version of all apps and add-ons installed on Splunk via CLI? ./splunk list app && ./splunk list add-ons | sort AND try this one in GUI in Splunk search query and run this query: | rest /services/apps/local splunk_server=local | table title version ... View more

Hi @eliav2, This also works on Oracle Linux. Is this advisable if I want to deploy on a live environment? ... View more

It depends on what your infrastructure will look like. If you have one primary DS deploying to several secondary DS-es and only those secondary DS-es will be deploying to clients, you only need that on secondaries. But if you want to have one primary and one or more secondaries but all of them will be serving apps to the same clients, you need that on all DS-es. ... View more

Hi @jaracan ... the UF versions 7x are available on the link https://www.splunk.com/en_us/download/previous-releases-universal-forwarder.html?locale=en_us the Splunk enterprise versions 8x are available on this link: https://www.splunk.com/en_us/download/previous-releases.html     the upgrade docs link: https://docs.splunk.com/Documentation/Splunk/8.2.7/Installation/HowtoupgradeSplunk   Your upgrade path should be: 6.6.x ----> 7.2.x 7.2.x ----> 8.0.x or 8.1.x 8.0.x or 8.1.x ---> 8.2.x ... View more

Hi @jaracan    Please execute the commands in the terminal  ## Fix minimum free diskspace issue - only for lab environment not for production echo "[diskUsage]" >> /opt/splunk/etc/system/local/server.conf echo "minFreeSpace = 50" >> /opt/splunk/etc/system/local/server.conf After this restart the splunk service ... View more

Hi this is probably from previous year https://www.duanewaddle.com/wp-content/uploads/2014/10/Splunk-SSL-Presentation.pdf There are some other interesting documents too on this site. r. Ismo ... View more

Hi @jaracan, I didn't used the sourcetype=cpu, but I used the sourcetype=ps: index=os sourcetype=ps $host$ | multikv | table USER PID PSR pctCPU CPUTIME pctMEM RSZ_KB VSZ_KB TTY S ELAPSED COMMAND ARGS but you can create the other following the same approach. But anyway, in the Splunk App for Linux and Unix you can find all the searches. Ciao. Giuseppe ... View more

Hi @jaracan  Splunk's universal forwarder does not support HEC, you have to use splunk HF. ... View more

When a queue is blocked it's usually because something downstream is unable to keep up with things.  Often that's either the network or the indexers.  In those cases, adding another pipeline to the UF will just make things worse. Use the Monitoring Console to check the health of the indexers.  Treat what you find. Increasing the maxKBps setting in the UF's limits.conf file may get things moving. To see numbers, this query may help: index=_internal component=Metrics group=queue ... View more

Hi, @jaracan, It's been a while since my deep VMware and Linux times... But IIRC, the lscpu will show the attribute bits which are visible, and because of "VT-x" you see "HT". But still only one thread per CPU.... maybe because of VMware doing things differently? No matter what... the information shown in Splunk is the important one for us.  And you can open a full can of worms using lscpu... https://unix.stackexchange.com/questions/33450/checking-if-hyperthreading-is-enabled-or-not#comment715791_230601 Greetings, Holger   ... View more

If hyperthreading is enabled then Splunk will use it, but I'm not sure Splunk is aware that HT is in use. ... View more

Here is a very detailed answer, which will tell exactly why Real time searches suck, what do they do to your environment, why should you removed them instantly and how to remove them. Special thanks to @woodcock for this amazing answer. https://community.splunk.com/t5/Splunk-Search/Why-are-realtime-searches-disliked-in-the-Splunk-world... Now, to get rid of All time, here's what you need to do. In the directory $SPLUNK_HOME/etc/system/local/times.conf [other] disabled = true . This will remove the "All Time" for all the users, including yourself. If you want to do this for particular users only, please put the above configurations under $SPLUNK_HOME/etc/users/user_name/local/times.conf. You'll have to do it for every user individually.  If it's for a set of users, then please select an app, make that app the default app for all of those users and implemented the above change under $SPLUNK_HOME/etc/apps/selected_app_name/local/times.conf. This would still allow them to use All time, if they use earliest and latest in their searches. To stop that you could do the following change under Authorize.conf srchTimeWin =<set a value in seconds.This is the earliest time that the users belonging to this role would be able to search any data>   I'd suggest to restrict Others for all users, and leverage earliest and latest from the search yourself. Would save you a lot of time and effort in the future as well. I've done the same. Please choose accordingly. Let me know if it helps. Thanks, S ** If this helps. Please mark this as an accepted answers, as it helps the future readers to find answers quickly. ** ... View more

Hi, You can run this command first on any SHC members: /opt/splunk/bin/splunk show shcluster-status Take note of the mgmt_uri of the SHC member you wanted. (if its IP address, use IP, if its FQDN, use FQDN) Transfer Captaincy /opt/splunk/bin/splunk transfer shcluster-captain -mgmt_uri https://<mgmt_uri>:8089 ... View more

Try going to Settings->Email settings and putting the load balancer's name in the "Link hostname" field.  Do it on all search heads. ... View more

Based on timestamps it’s probably your backup dir for some reason. I suppose that you could remove or move those to some other place. ... View more