cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
darshan_singh01
Path Finder
Member since: ‎10-30-2013
‎06-05-2020
Community Statistics
Posts 14
Solutions 0
Karma Given 0
Karma Received 6
Member Since ‎10-30-2013
Activity Feed
View All

Re: Why are we getting "Replication factor not met...

by in Deployment Architecture
‎06-28-2015 11:46 PM
‎06-28-2015 11:46 PM
It worked 🙂 🙂 Thanks a Lot dxu_splunk & esix_splunk .. ... View more

Re: Why are we getting "Replication factor not met...

by in Deployment Architecture
‎06-27-2015 01:15 AM
‎06-27-2015 01:15 AM
thanks dxu_splunk ...Even I also feel that these are the pre multisite clustering buckets .. The replication of main index does not give any error however 4 buckets each of audit /_internal index are not replicating . As you responded we should keep replication factor=2 .But in that case if any disaster happens at site 1(say site 1 goes down) and if all the replicated buckets are only residing at site 1 since there are only two replicated buckets (site replication factor=2) then how would be the disaster recovery can happen ? your help would be appreciated .. ... View more

Re: Why are we getting "Replication factor not met...

by in Deployment Architecture
‎06-26-2015 06:56 AM
‎06-26-2015 06:56 AM
nopes ..same state ... ... View more

Why are we getting "Replication factor not met" in...

by in Deployment Architecture
‎06-26-2015 02:38 AM
‎06-26-2015 02:38 AM
We have configured multisite indexer clustering (2 peers at each site1/2 and one search head at site 1) with the below settings of server.conf of the master server and indexers . Master server.conf [general] pass4SymmKey = $1$xNRfsRamx/pN site = site1 [clustering] available_sites = site1,site2 mode = master multisite = true pass4SymmKey = $1$9MxSqh+o6q08TJov site_search_factor = origin:1,total:2 site_replication_factor = origin:2,total:3 ..................................... Indexers server.conf: [general] site = site1 [replication_port://7778] [clustering] master_uri = https://x.x.x.x:8089 mode = slave pass4SymmKey = whatever We are getting “Replication factor not met” error on the master server's dashboard and "Missing enough suitable candidates to create replicated copy in order to meet replication policy. Missing={ site2:1 } " error. Only 4 audit and 4 _internal index buckets are not replicating. All the rest and main index buckets are replicating ok .plz help ... View more

Re: How to configure a multisite indexer clusterin...

by in Deployment Architecture
‎06-01-2015 10:03 PM
‎06-01-2015 10:03 PM
Hi Mahamed , Thanks for your response . For forwarder switching should we go for auto load balancing then ? What would be the ideal output.conf config of the universal forwarder ? ... View more

How to configure a multisite indexer clustering en...

by in Deployment Architecture
‎06-01-2015 06:07 AM
1 Karma
‎06-01-2015 06:07 AM
1 Karma
Hi Friends , We have to create a multisite indexer clustering environment where Site 1 & Site 2 both will have 2 indexers at each site, overall 4 indexers. Overall 1 Search head will be there with a standby search head. Now I have two questions regarding the same. While Configuring outputs.conf of the universal forwarder, I want the logs of all the servers at site 1 must only go to site 1 indexers(in HA) and in case of both the indexers fails at site 1 logs should go to the 2 indexers of site 2 . What would be the configuration of site. If I use Auto load balancing and mention all 4 indexers in "server = indexer1:9997,indexer2:9997,Indexer3:9997,indexer4:9997" this will distribute logs in all of them. How could I use TCP_Routing in this scenario and what would be the outputs.conf file final configuration? To enable multisite clustering between Site1 & Site 2, what would be the server.conf file stanzas in the indexers of site1 & Site 2 ? Thanks in advance .. ... View more

Regex for filed extraction

by in Splunk Search
‎02-13-2014 08:12 PM
‎02-13-2014 08:12 PM
Feb 13 22:01:25 XXXINFQST03 sshd[9161]: Accepted password for admin from Above is the message I am getting from Linux logs from which I want to create fileds like Time:Feb 13 22:01:25 & User=admin Can anyone provide me the regex for this or any other way ?? Help apprecieted .. ... View more

Re: S3 App is not able to fetch logs

by in Getting Data In
‎02-06-2014 12:04 AM
‎02-06-2014 12:04 AM
thanks ... Could you confirm on which port S3 bucket will be connected ? ... View more

Re: S3 App is not able to fetch logs

by in Getting Data In
‎02-06-2014 12:04 AM
‎02-06-2014 12:04 AM
thanks ... Could you confirm on which port S3 bucket will be connected ? ... View more

S3 App is not able to fetch logs

by in Getting Data In
‎02-03-2014 06:20 PM
‎02-03-2014 06:20 PM
Hi , While integrating Splunk (via S3 app) with AWS S3 ,we are finding the below error . A connection attempt failed because connected party did not properly respond after a period of time or connected host has failed to respond”. We are not able to add the bucket info from Splunk Web and from config file .The environment we have is a cluster environment on Splunk 5.0.5 .Is it possible to have an issue related to Port blocking etc ?? Our environment is in AWS VPC . Early response would be really appreciable ... ... View more

Load balancing & failover between two heavy forwar...

by in Getting Data In
‎01-13-2014 11:47 PM
5 Karma
‎01-13-2014 11:47 PM
5 Karma
Hi , My Splunk architecture is like this I have two data centers (DC) and one each heavy forwarder in them .In each DC all the servers are forwarding the logs to heavy forwarder of the same DC via universal forwarders . both the respective heavy forwarders are sending logs further to indexers . Now I have the below query related to heavy forwarders ,load balancing . In case of failure of heavy forwarder of one data center ,I want all my universal forwarders directly starts polling to the other heavy forwarder . I am aware of that we can put the ip addresses of both the heavy forwarders in output.conf file of universal forwarder however how does it make sure that universal forwarder sends logs to the heavy forwarder of its own DC only in case of normal operation .Also how in case of failure of one Heavy forwarder it will send logs to the second heavy forwarder without making any config change ? ... View more

Re: Enterprise Security 2.4.0 and Splunk 6 don't w...

by in Splunk Enterprise Security
‎12-26-2013 11:00 PM
‎12-26-2013 11:00 PM
I think its released now ?? could you confirm please ... ... View more

has ES 3 app released for production ?

by in Splunk Enterprise Security
‎12-26-2013 10:52 PM
‎12-26-2013 10:52 PM
Can anyone confirm that ES 3 compatible with Splunk 6.0 has been released for production .Splunk websites shows ES 3 now . Early response will be appreciated .. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM