Activity Feed
- Karma Re: Why am I getting "ConfReplicationThread - Error pulling configurations from captain" in my search head cluster? for bgaignon. 06-05-2020 12:47 AM
- Karma How do I get syslog from an F5 BIG-IP? for Dan. 06-05-2020 12:45 AM
- Karma Re: How do I get syslog from an F5 BIG-IP? for Dan. 06-05-2020 12:45 AM
- Karma Re: Can I run SplunkWeb on port 80 on Linux without running as root? for Johnvey. 06-05-2020 12:45 AM
- Karma Re: How do I delete all references of a host so it stops showing up on the host list? for the_wolverine. 06-05-2020 12:45 AM
- Karma sourcetype precedence for yzubarev. 06-05-2020 12:45 AM
- Karma Re: sourcetype precedence for Lowell. 06-05-2020 12:45 AM
- Karma How does Splunk work with Virtual Center (vSphere 4) for dcroteau. 06-05-2020 12:45 AM
- Karma Re: How does Splunk work with Virtual Center (vSphere 4) for dcroteau. 06-05-2020 12:45 AM
- Karma Re: How can I re-index all the data in my environment? for Genti. 06-05-2020 12:45 AM
- Karma Re: Can one scheduled saved search trigger another saved search? for Lowell. 06-05-2020 12:45 AM
- Karma Re: How to determine time of day when web requests are slowest for sideview. 06-05-2020 12:45 AM
- Karma Can Index on Satellite stay In sync with Index on Planet Earth? for mzorzi. 06-05-2020 12:45 AM
- Got Karma for How can I re-index all the data in my environment?. 06-05-2020 12:45 AM
- Got Karma for Re: How can I re-index all the data in my environment?. 06-05-2020 12:45 AM
- Got Karma for Re: How can I re-index all the data in my environment?. 06-05-2020 12:45 AM
- Got Karma for Re: How can I re-index all the data in my environment?. 06-05-2020 12:45 AM
- Got Karma for Re: How can I re-index all the data in my environment?. 06-05-2020 12:45 AM
- Got Karma for Re: How can I re-index all the data in my environment?. 06-05-2020 12:45 AM
- Got Karma for Re: How can I re-index all the data in my environment?. 06-05-2020 12:45 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 5 | |||
| 0 | |||
| 4 | |||
| 3 |
10-15-2010
04:44 AM
Are you running the 32bit version of Splunk? 64bit? What about other network interfaces? What is your /sbin/ifconfig output? Is this a VM or physical hardware? Lastly, are you able to install and run say Apache without issue?
I ask because I've tried this several times locally and I can't replicate it... and I like a good problem so you have my attention 🙂
... View more
07-08-2010
03:37 PM
Are you having issues with scripts not being runnable after deployed by the Deployment Server? Or are you having issues with the Deploy Server not updating the apps on the client properly?
... View more
05-25-2010
08:47 PM
6 Karma
Do the following steps:
1) Disable the applications on the servers with Forwarders using the Deployment manager (or manually do so using the GUI)
2) On the Index server, stop Splunk and clean all event data for a given index:
/opt/splunk/bin/splunk stop
/opt/splunk/bin/splunk clean eventdata dev_tools
3) On the servers with Splunk Forwarders, stop and clean all:
/opt/splunk/bin/splunk stop
/opt/splunk/bin/splunk clean all
4) Start the Splunk Indexer
/opt/splunk/bin/splunk start
5) Verify the index you just cleared is empty and is staying empty before proceeding. If it isn't staying empty ensure you've disabled the applications on the servers with Splunk Forwarders and make sure you didn't overlook any servers.
6) Start the Splunk forwarder servers:
/opt/splunk/bin/splunk start
6) Re-enable the applications via the Deployment Manager or manually using the Agents GUI.
Note: Be aware, if you "clean all" on the forwarders you will also clear out the pointers for all indexes and applications so this process is only good to completely re-index an environment environment or set of indexes a set of servers and indexer may contain.
Note 2: Don't do this unless your license (and hardware) can handle the spike as you will most certainly index a lot of legacy data if your inputs are setup with wildcard inputs.
... View more
05-25-2010
08:44 PM
5 Karma
I have a datacenter with a single Splunk server indexing data from all the local servers. I just updated all the sourcetypes for the data and would like to reindex the data so the sourcetypes are properly set this time. How can I accomplish this?
... View more
04-26-2010
06:52 PM
Currently, all agents installed on hosts default to 'changeme' and this credential is still used when the forwarder is in Lightweight mode. I am looking for a way to automate the update of this password using the Deployment Manager for Linux, Solaris and Windows agents.
... View more
04-21-2010
03:54 PM
Looks as if I asked too soon!
I still had an input active on another host that was forcing itself to report as the host I wanted removed. Once I resolved that issue (issued an update via the Deployment Manager) and then did a clean on eventdata + globaldata I was able to start over again with the host missing.
I am still open to ideas on how to remove a host completely from Splunk for future use as I'm sure it will happen
... View more
04-21-2010
03:35 PM
4 Karma
I've already deleted all references to the host in question in the internal indexes using the "| delete" search command. Additionally, I tried running the "clean" CLI command for both eventdata and globaldata and the host in question is still showing up!
I've confirmed the host is not sending any additional data to Splunk and would like to remove it completely. Is this possible without doing a "clean all" ?
... View more
04-20-2010
05:48 PM
Yeah I've already implemented a proxy in the past so I'm well aware that it's a viable solution but I am trying to minimize dependencies for Splunkweb being accessible.
I definitely need to check into setcap as that is new to me and from that thread it appears that's the solution I am looking for.
... View more
04-20-2010
04:16 PM
3 Karma
I've seen the other questions regarding this topic and only the Solaris question & answer get close.
I am looking to change the default port Splunkweb runs on from 8000 to 80 for obvious usability reasons. I start Splunk as user "splunk" so naturally the user can't start processes on port 80.
Is there a work around for this outside of using a server/device to translate 8000 to 80 (ie> Apache)?
Note: Having the server start up as root is out of the question due to security concerns.
... View more
