Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About Omar
Omar
Explorer
Member since:
01-25-2022
10-18-2023
Community Statistics
| Posts | 14 |
| Solutions | 0 |
| Karma Given | 9 |
| Karma Received | 0 |
| Member Since | 01-25-2022 |
Activity Feed
- Posted Splunk DB Connect with HIVE on All Apps and Add-ons. 10-21-2023 09:38 PM
- Posted Re: Splunk DB Connect with HIVE integration on All Apps and Add-ons. 10-18-2023 11:33 PM
- Posted Re: Rebuild forwarder assets does not actually rebuild the assets table on Monitoring Splunk. 07-16-2023 04:34 AM
- Posted Rebuild forwarder assets does not actually rebuild the assets table on Monitoring Splunk. 07-15-2023 10:49 PM
- Karma Re: Splunk has found 1 orphaned searches owned by 1 unique disabled users.Click to view the orphaned scheduled searches. Reassign them to a valid user to re-enable or alternatively disable the searches. for Hemnaath. 06-13-2023 04:41 AM
- Posted Re: Deployment server push wrong owner when deploy apps on Deployment Architecture. 06-06-2023 12:49 AM
- Karma Re: Data age in splunk for MiniNenya. 05-20-2023 10:03 PM
- Karma Re: Data age in splunk for MiniNenya. 05-20-2023 10:03 PM
- Posted Why the Splunk App for Infrastructure is getting stuck when migrating? on All Apps and Add-ons. 11-19-2022 10:09 PM
- Karma Re: Is it possible to rebuild multiple buckets with this command in the thawed directory? for dantimola. 09-21-2022 11:51 AM
- Posted Is enabling maintenance mode required when Rebuilding Thawed buckets? on Deployment Architecture. 09-21-2022 04:02 AM
- Karma Re: Squashing host and source fields for gcusello. 08-15-2022 11:50 PM
- Posted Re: Squashing host and source fields on Getting Data In. 08-15-2022 11:43 PM
- Posted How to squash host and source fields? on Getting Data In. 08-15-2022 11:03 PM
- Karma Re: Data Inputs in a distributed environment (SHC) for gcusello. 08-09-2022 11:11 PM
- Posted Re: Data Inputs in a distributed environment (SHC) on Getting Data In. 08-09-2022 10:53 PM
- Karma Re: Data Inputs in a distributed environment (SHC) for gcusello. 08-09-2022 10:48 PM
- Posted What is the best approach to use Data Inputs in a distributed environment (SHC)? on Getting Data In. 08-09-2022 01:19 AM
- Karma Re: Can someone help me understand how protocols, permissions, and communication are configured for universal forwarders? for Jeremiah. 05-17-2022 09:22 PM
- Posted Forwarder Management - Why are there duplicated clients? on Splunk Enterprise. 05-17-2022 04:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
10-21-2023
09:38 PM
Hello, I tried setting up an HIVE connection using Splunk DB connect and got stuck with the Kerberos authentication. I have added Cloudera drivers for HIVE DB. But we get the below error: [Cloudera][HiveJDBCDriver](500168) Error creating login context using ticket cache: Unable to obtain Principal Name for authentication . Has anyone faced this issue before?
... View more
Labels
- Labels:
-
configuration
-
installation
-
other
07-16-2023
04:34 AM
Hi Giuseppe, Thanks for the replay. However, the issue is that it does not delete the old table, Splunk says: "The Monitoring Console deletes the existing table and uses input metrics from indexers to create a new table." I find many forwarders in the "dmc_forwarder_assets" lockup table which belongs to agents that last connected in the year 2022
... View more
07-15-2023
10:49 PM
Hello Splunkers, To remove the old decommissioned UFs and stop the annoying missing alert "DMC Alert - Missing forwarders" we need to Rebuild forwarder assets. The issue is even after doing so, the table still contains old decommissioned UFs, How do we solve this?
... View more
06-06-2023
12:49 AM
Thanks for the elaboration. What's the correct way to check which user is running Splunkd? as am using ps aux | grep splunk to check it
... View more
11-19-2022
10:09 PM
Hello Splunkers!
We are using Splunk App for Infrastructure version: 2.2.2 and have upgraded to the latest version: 2.2.5
However, the issue here is that after upgrading, the app got stuck when migrating at "SAI is currently migrating to a newer version, page will automatically reload when migration finishes" and has been in this state forever:
Has anyone encountered such a thing in the past and solved the issue?
... View more
Labels
- Labels:
-
dashboard
-
installation
-
upgrade
09-21-2022
04:02 AM
Dear Splunkers, Is enabling maintenance-mode for an indexers cluster needed when rebuilding frozen buckets?
... View more
Labels
- Labels:
-
indexer
-
indexer clustering
08-15-2022
11:43 PM
Hello @gcusello, Thank you for your response. Actually, yes, this could happen due to a process of squashing when a certain threshold is reached indexers drop (host, source) fields to avoid explosion in memory/processing overhead. what confuses me is I am unable to find those events, so I'm wondering if Splunk is dropping the entire events or just those fields. Bellow search shows if you have this issue or not. This only works with large indexes: index=_internal source=*license_usage.log* type="Usage" idx="my_index" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval st=if(len(st)=0 OR isnull(st),"(UNKNOWN)",st) | fields _time,b,h,st | bin _time span=1d | stats sum(b) AS volume by h, _time,st | stats avg(volume) AS avgVolume max(volume) AS maxVolume by h,st | eval avgVolumeGB=round(avgVolume/1024/1024/1024,3) | eval maxVolumeGB=round(maxVolume/1024/1024/1024,3) | fields h,st, avgVolumeGB, maxVolumeGB | rename avgVolumeGB AS "average" maxVolumeGB AS "peak",st AS "sourcetype", h AS "hostname" | sort - average | head 10
... View more
08-15-2022
11:03 PM
Dear Splunkers,
I am having an issue with the process of squashing fields. When searching for events with no hosts or source I don't get any results:
index=<my_index> | where isnull(source)
Does Splunk drop events after being squashed? Because logically, there should be events on my index that are missing the field host and source.
... View more
08-09-2022
10:53 PM
Thank you @gcusello, I would go with the HF as a solution, now is creating an HEC or a UDP input in one HF would replicate to the rest of HFs or does it have to be passed manually?
... View more
08-09-2022
01:19 AM
Dear Splunkers,
We are using Splunk in a distributed environment with an SHC; now, what is the best approach to use Data inputs?
For example: can I create a TCP or UDP connection in one of the SH? and can I make an HEC input in an SHC environment? is this going to replicate to the remaining SHs?
Your help is very appreciated.
... View more
Labels
- Labels:
-
HTTP Event Collector
-
syslog
05-17-2022
04:48 AM
Dear Splunkers, We are upgrading our UFs in our environment, and I noticed that the number of clients is increasing due to the upgrading process. Right now, I'm seeing the same clients with the same information except the GUIDs (Client Name) are different while the old one had not phoned home for a while, is this considered a problem? and how long will it be there until the Forwarder Manager drops it? thanks,
... View more
- Tags:
- duplicate
Labels
04-18-2022
01:03 AM
Hello, dears Splunkers, I'm facing a problem when trying to run a query on Splunk DB Connect to mssql database, I'm connecting to MS SQL server using a connection type: MS-SQL Server Using MS Generic Driver I get this Exception: com.microsoft.sqlserver.jdbc.SQLServerException: The "variant" data type is not supported. No results found. my Splunk DB Connect is on version: 3.8.0 & Splunk DBX Add-on for Microsoft SQL Server JDBC is on version: 1.1.0
... View more
Labels
- Labels:
-
configuration
-
troubleshooting
