cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Silek
Explorer
Member since: ‎06-30-2020
‎11-17-2020
Community Statistics
Posts 4
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎06-30-2020
View All

Re: Upgrade Splunk All-in-one - Loss of logs on Un...

by in Getting Data In
‎11-17-2020 12:39 AM
‎11-17-2020 12:39 AM
Thank you for your reply @gcusello ,   Indeed, stoping the indexer is a good idea. Yes, I performed the Splunk Upgrade readiness app and according to the result, I do not have any blocking apps, only warnings. I will spend some time to upgrade all my apps but it is not blocking for the upgrade itself. ... View more

Upgrade Splunk All-in-one - Loss of logs on Univer...

by in Getting Data In
‎11-13-2020 08:53 AM
‎11-13-2020 08:53 AM
Hello everyone, I am planning to upgrade my all-in-one Splunk which is on version 7.2.4 to 8.1. According to the documentation about the upgrade, I am able to perform this upgrade. However, I have a little question: Actually I am using a deployment-server and I am collecting logs from universal forwarders only. According to the documentation, I do not have to stop my indexer during the upgrade. In this case, I will not lose any logs during the upgrade. If we are following the documentation, upgrade sounds very easy but we never know what can happen during the upgrade. My All-in-one Splunk is installed on a virtualized machine and I will perform a snapshot. I will rollback if any problem happens during the upgrade. During the upgrade my UFs will keep sending logs to my indexer but if I rollback, every log that my UFs sent to my indexer will be lost. What can I do to prevent this loss of logs?   Thank you for your replies. ... View more
Labels

Error while upgrading Splunk Enterprise 7.2.4.2 to...

by in Installation
‎08-05-2020 08:06 AM
‎08-05-2020 08:06 AM
Hello everyone, I am trying to upgrade my all-in-one Splunk Enterprise which is actually in version 7.2.4.2 to the latest version 8.0.5. According to the documentation here: https://docs.splunk.com/Documentation/Splunk/8.0.5/Installation/HowtoupgradeSplunk I can do it without any mid upgrade. I tried to upgrade according to this documentation: https://docs.splunk.com/Documentation/Splunk/8.0.5/installation/UpgradeonWindows I checked with the App "Splunk Platform Upgrade Readiness App", I do not have any critical points. Only warning which I can handle right after updating. Here now what I am doing in order to upgrade my Splunk Enterprise. I downloaded the latest version on https://splunk.com/downloads and then stop the entire Splunk with the command : "$SPLUNK_HOME$/bin/splunk stop" to be sure that nothing can create a conflict during the upgrade (according to the official documentation it is not mandatory contrary to a Linux server). My Splunk is installed on an attached drive which is located in "S:\", I modified my props.conf in order to change the environment variable $SPLUNK_HOME$. Through both method (GUI and CLI) it is returning these screens: I read on other posts to run as admin the CLI and used this command: msiexec.exe /i splunk-8.0.5-a1a6394cc5ae-x64-release.msi /l*v S:\TEMP\Splunkinstall.log INSTALL_DIR="S:\Splunk" I am trying to upgrade with the same local admin account that I used on my first installation. I guess the wizard detected that a Splunk is already installed because I only have these 2 screens: And here is this pop-up error which is displaying 3 times in a row: Then it starting to "Copying new files" in the C:\ hard drive (where my OS is installed) The log file generated through the installation is very verbose but I did not find anything interesting in it when the pop-up "installation failed" happened. Do I need to overwrite my "S:\Splunk" folder with the "C:\Program Files\Splunk"? I guess that this installer is made in order to avoid this messy upgrade. What can I do in order to upgrade my Splunk installed in my "S:\" hard drive? ... View more
Labels

Microsoft IIS - Remove 0#.w| with transforms.conf ...

by in Getting Data In
‎06-30-2020 12:37 AM
‎06-30-2020 12:37 AM
Hello everyone, I am trying to remove this string "0#.w|" with a transforms.conf file. To be sure that my regex is working I tried it with the rex command : | rex field=cs_username "(^[^|]+\|(?<cs_username>[^|]+)$)" I just want to overwrite the field "cs_username" without this string. It works! Now I want to put this regex on a transforms.conf and in props.conf I am not sure that I can do this but here is what I am trying to do : Transforms.conf [username] SOURCE_KEY = cs_username REGEX = ^[^|]+\|(?<cs_username>[^|]+)$ REPEAT_MATCH = true MV_ADD = true Props.conf TRANFORMS-mynewusername = username I reload in the indexer by using the command: | extract reload=true But apparently it is not working that is why I am asking if it is possible to use a field as I did through the rex command in the GUI in the transforms.conf file? Thank you for your answers, ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎11-17-2020 05:56 AM
Karma given to
View All