Activity Feed
- Tagged Re: ITSI not supporting earliest and latest in KPI searches? on Splunk ITSI. 07-29-2024 01:49 AM
- Tagged Re: ITSI not supporting earliest and latest in KPI searches? on Splunk ITSI. 07-29-2024 01:48 AM
- Posted Re: ITSI not supporting earliest and latest in KPI searches? on Splunk ITSI. 07-29-2024 01:47 AM
- Karma ITSI not supporting earliest and latest in KPI searches? for meleperuma. 07-29-2024 01:47 AM
- Tagged Re: ITSI not supporting earliest and latest in KPI searches? on Splunk ITSI. 07-29-2024 01:47 AM
- Posted Re: Splunk Add-on for AWS : How to Fetch Cloudwatch Metrics with NO Dimensions? on Splunk Enterprise. 08-25-2023 06:12 AM
- Posted Splunk Add-on for AWS : How to Fetch Cloudwatch Metrics with NO Dimensions? on Splunk Enterprise. 08-22-2023 04:57 AM
- Tagged Splunk Add-on for AWS : How to Fetch Cloudwatch Metrics with NO Dimensions? on Splunk Enterprise. 08-22-2023 04:57 AM
- Posted Re: Forward/Route data from one Splunk Enterprise Instance to other Splunk Enterprise Instance. on Splunk Enterprise. 11-09-2022 10:04 AM
- Posted Forward/Route data from one Splunk Enterprise Instance to other Splunk Enterprise Instance? on Splunk Enterprise. 11-07-2022 10:36 PM
- Tagged Forward/Route data from one Splunk Enterprise Instance to other Splunk Enterprise Instance? on Splunk Enterprise. 11-07-2022 10:36 PM
- Posted Re: Excluding/Including last day of every month from a saved search alert. on Alerting. 10-03-2022 05:35 AM
- Karma Re: Excluding/Including last day of every month from a saved search alert. for gcusello. 10-03-2022 05:34 AM
- Karma Re: Dual Forwarder Configuration for gcusello. 03-21-2022 01:24 AM
- Posted How to exclude/include last day of every month from a saved search alert? on Alerting. 03-21-2022 01:23 AM
07-29-2024 01:47 AM
Perfect. Just to fast-track the process of getting service KPI IDs, we can use "service_kpi_lookup" to find the kpi_id and then search directly for that ID in the saved searches to spot the KPI base search:

```spl
| inputlookup service_kpi_lookup | search title="your_service_name"
```
08-25-2023 06:12 AM
Special thanks to Giriraj Shah from Splunk Support. We tested some combinations and the working one is `[{}]`.
08-22-2023 04:57 AM
Hi Splunkers,
I am using the "Splunk Add-on for AWS" and trying to fetch metrics from CloudWatch. I am currently stuck on an implementation where the metric I want to pull doesn't have any dimension (metrics with no dimensions, as they are termed on CloudWatch).
As in the image above, when I leave the Dimensions block empty it doesn't allow me to save the entry. I tried another combination as well, `[{}]`, which would mean blank data, but even this didn't work. I would really appreciate some help on how I can fetch these metrics with no dimensions, or on whether it is possible to fetch this data at all in Splunk using the add-on.
Cheers!
Labels: splunk-assist
11-09-2022 10:04 AM
Hi @richgalloway, thanks for extending a hand of help on this.

Earlier I had added only a [tcpout:PT01] stanza with server details in outputs.conf, which ended up sending all the data to PT01 and nothing was indexed locally on TEST01 (expected). To counter this I went ahead and tried configs like those in "Filter and route event data to target groups", editing props, transforms and outputs, which added some absurd behavior: when trying to restart, it timed out trying to stop and I had to start it manually.

On exploring routing further I found that "Perform selective indexing and forwarding" was exactly the kind of behavior I was looking to implement. So I edited the inputs and outputs files on TEST01 as below.

inputs.conf:

```ini
[default]
host=test01

[batch:///opt/splunk/data/Test]
index=main
sourcetype=testing-kvp
move_policy=sinkhole
_INDEX_AND_FORWARD_ROUTING=local

[batch:///opt/splunk/data/Test2PT]
index=main
sourcetype=testing2pt-kvp
move_policy=sinkhole
_TCP_ROUTING=pt01
```

outputs.conf:

```ini
[tcpout]
defaultGroup=noforward
disabled=false

[indexAndForward]
index=true
selectiveIndexing=true

[tcpout:pt01]
server=PT01:9997
```

This move solved my requirement, that is, it indexed data locally on TEST01 and forwarded some data to PT01 as well, but it raised a new set of problems. As mentioned, our TEST01 is a standalone Splunk Enterprise installation; it has data being forwarded to it from UFs on other hosts, scripted inputs, REST endpoints, etc., and these data inputs get indexed on it daily. After adding this configuration, all other data inputs apart from the ones mentioned in inputs.conf stopped indexing totally.

Can I get some help on how I can index literally all the data on TEST01 locally and just forward the monitored files from one folder, in this case "/opt/splunk/data/Test2PT", to PT01?
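One configuration that matches the final requirement in the reply above (index everything on TEST01 locally, forward only the Test2PT folder to PT01). This is an added example, not the poster's final setup and not a Splunk-supplied file. It assumes, from the selective indexing and forwarding documentation the reply cites, that leaving `selectiveIndexing` at its default lets every input be indexed locally, while the non-existent `noforward` default group keeps data from being forwarded unless an input sets `_TCP_ROUTING`. Verify it on TEST01 before relying on it.

```ini
# inputs.conf on TEST01 (added example). Without selectiveIndexing, every
# input is indexed locally by default, so the Test folder needs no special
# routing attribute; only the folder to be forwarded is tagged.
[batch:///opt/splunk/data/Test]
index = main
sourcetype = testing-kvp
move_policy = sinkhole

[batch:///opt/splunk/data/Test2PT]
index = main
sourcetype = testing2pt-kvp
move_policy = sinkhole
# Only this input is forwarded; it is still indexed locally as well.
_TCP_ROUTING = pt01

# outputs.conf on TEST01 (added example).
[tcpout]
# "noforward" is a group that does not exist (documented pattern): data is not
# forwarded anywhere unless its input sets _TCP_ROUTING explicitly.
defaultGroup = noforward
disabled = false

[indexAndForward]
index = true
# selectiveIndexing is deliberately NOT set. With selectiveIndexing = true only
# inputs carrying _INDEX_AND_FORWARD_ROUTING=local are indexed, which is why
# the other inputs on TEST01 stopped indexing.

[tcpout:pt01]
server = PT01:9997
```

Note that forwarding to PT01:9997 is plaintext unless the `[tcpout:pt01]` stanza carries TLS settings (`clientCert`, `sslPassword`, `sslVerifyServerCert`) and PT01 listens with a `[splunktcp-ssl:9997]` input instead of `[splunktcp://9997]`; data leaving a test host for another environment deserves that.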
11-07-2022 10:36 PM
Hi Everyone,
I am explaining the installation scenario and requirement first so that the question makes better sense.
Installation: a standalone Splunk Enterprise installed on the TEST01 server, and a standalone Splunk Enterprise installed on the PT01 server.
Task: forward/route data from a specific folder on TEST01 to PT01. All the rest of the data should reside on TEST01 only and should be searchable.
This is a business requirement for me. I tried adding [tcpout:PT01] to outputs.conf and _TCP_ROUTING to a [monitor] stanza for that folder on our TEST01, but that ended up sending all the data from TEST01 to PT01 instead of sending just that specific data. To try a different approach I worked on adding transforms, props and outputs .conf files according to this doc, "Route and filter data", but that didn't help and apparently induced some instability in the TEST01 Splunk Enterprise installation, as it was not able to stop and start correctly.
Any guidance on how I can achieve this would be very much appreciated ❤️
Tags: forwarding, routing
Labels: configuration, splunk-assist
10-03-2022 05:35 AM
Thank you @gcusello! That helped a lot.
03-21-2022 01:23 AM
Hi Everyone,
I have a base search at hand which is set up as an alert with a threshold value for it to trigger. I want to exclude this alert from running on the last day of every month, as the threshold values expected are higher, and set up a new cloned alert in its place that runs on just the last day of the month.
Is there any way in which we can do this? I tried thinking about a CRON schedule, but managing 30/31 days doesn't seem to be possible with it, and February (28/29) gets completely excluded.
Thanks in advance for any kind of help 😊
Labels: alert action, alert condition, cron
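One way to get the "every day except the last day" and "last day only" pair asked for above, written as two savedsearches.conf stanzas. This is an added example, not the poster's alert or the answer that was accepted in the thread. The base search, index, sourcetype and threshold numbers are assumptions; the point is the date logic: cron cannot express "last day of the month", but `relative_time(now(), "+1d@d")` is midnight tomorrow, and its day-of-month is "01" exactly on the last day of any month, leap-year Februaries included.

```ini
# savedsearches.conf (added example; stanza names, base search and
# thresholds are hypothetical).

# Regular alert: scheduled every day, but the where clause returns no rows on
# the last day of the month, so the alert cannot fire that day.
[threshold_alert_regular_days]
enableSched = 1
cron_schedule = 0 9 * * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
# "tomorrow" is the day-of-month of midnight tomorrow; "01" means today is the
# last day of the month, whether it has 28, 29, 30 or 31 days.
search = index=main sourcetype=testing-kvp | stats count | eval tomorrow=strftime(relative_time(now(), "+1d@d"), "%d") | where tomorrow!="01" AND count > 1000
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1

# Cloned alert with the higher threshold: cron limits runs to days 28-31 of
# the month (whichever exist), and the where clause keeps only the real last
# day, so it runs once per month.
[threshold_alert_last_day]
enableSched = 1
cron_schedule = 0 9 28-31 * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
search = index=main sourcetype=testing-kvp | stats count | eval tomorrow=strftime(relative_time(now(), "+1d@d"), "%d") | where tomorrow="01" AND count > 5000
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
```

Both alerts trigger on "number of events greater than 0", so the threshold comparison lives in the search itself rather than in the alert condition; that keeps the day-of-month test and the threshold in one place and lets the same SPL be pasted into the search bar to check what a given day would have produced.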
12-14-2021 09:52 PM
Hi @gcusello, I was looking for how I can configure one UF to send data to two indexer groups which are set up in different environments.
12-14-2021 07:35 AM
Hi Everyone, I am trying to figure out how I can do a dual forwarder configuration for universal forwarders. Can someone please guide me in getting some idea of it, or point me to Splunk docs/articles that can be helpful?
Labels: Linux, universal forwarder
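For the question above, as clarified in the later reply (one universal forwarder sending the same data to two indexer groups in different environments), an added example of the documented outputs.conf cloning pattern. It is not configuration from the thread; the group names, hostnames and ports are hypothetical.

```ini
# outputs.conf on the universal forwarder (added example; names are
# hypothetical).
[tcpout]
# Listing more than one group in defaultGroup clones every event to each
# group, so both environments receive a full copy of the data.
defaultGroup = prod_indexers, dr_indexers

[tcpout:prod_indexers]
# Servers inside one group are load-balanced, not duplicated: each event goes
# to exactly one indexer of the group.
server = prod-idx1.example.com:9997, prod-idx2.example.com:9997
# Optional: if this environment is unreachable, wait 60 seconds for its queue
# to drain and then drop its events rather than stalling the other group.
dropEventsOnQueueFull = 60

[tcpout:dr_indexers]
server = dr-idx1.example.com:9997, dr-idx2.example.com:9997
dropEventsOnQueueFull = 60
```

Two caveats worth knowing before deploying this. First, the forwarder keeps a separate output queue per group and, by default, never drops data (`dropEventsOnQueueFull = -1`), so once one environment is unreachable and its queue fills, forwarding to the other environment stalls as well; setting `dropEventsOnQueueFull` per group, as above, trades data loss on the dead side for continuity on the live side, which is a deliberate choice. Second, if the intent is to split inputs between the two environments rather than clone them, leave only one group in `defaultGroup` and put `_TCP_ROUTING = <group>` on the inputs.conf stanzas that should go elsewhere, the same mechanism used in the Forward/Route thread on this page.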