I am trying to create a new finding-based detection to group findings together when the risk score exceeds a threshold, similar to the RBA concept. However, I am encountering an issue: when the finding (notable) is created, no Entity appears in the Incident Review dashboard, even though the fields risk_object, normalized_risk_object, and risk_object_type have values. Has anyone experienced the same issue?
What is it you are trying to achieve here? I would just like to know the impact in case I encounter a KV Store status failure. How can I identify which apps, such as ES, might be affected if I remove or clear KV Store data?
I'm trying to understand Splunk KV Store to determine what happens when it fails to start or shows a "failure to restore" status. I've found two possible solutions, but I'm not sure whether either command will delete all data in the KV Store.

Solution 1:
- ./splunk stop
- mv $SPLUNK_HOME/var/lib/splunk/kvstore/mongo /path/to/copy/kvstore/mongo_old
- ./splunk start

Solution 2:
- ./splunk stop
- ./splunk clean kvstore --local
- ./splunk start
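As an added example, not code from the post above: a POSIX shell script that carries out Solution 1 as a reversible procedure. It stops splunkd, moves the mongo directory aside under a timestamped name instead of deleting it, starts splunkd, reports the KV Store status, and provides the matching restore step that refuses to overwrite a directory splunkd has since recreated. SPLUNK_HOME, SPLUNK_BIN, BACKUP_ROOT and the function names are assumptions of this example, not Splunk settings; the only Splunk commands it runs are splunk stop, splunk start and splunk show kvstore-status.

```shell
#!/bin/sh
# Added example, not from the original post: reset the local KV Store the way
# Solution 1 does (move the mongo directory aside), but keep the copy
# timestamped and provide the reverse step. SPLUNK_HOME, SPLUNK_BIN and
# BACKUP_ROOT are assumptions of this script, not Splunk settings.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_BIN="${SPLUNK_BIN:-$SPLUNK_HOME/bin/splunk}"
KVSTORE_DIR="$SPLUNK_HOME/var/lib/splunk/kvstore"
BACKUP_ROOT="${BACKUP_ROOT:-$SPLUNK_HOME/var/lib/splunk}"

# Move the mongo directory aside instead of deleting it and print the new path,
# so nothing is lost if the reset turns out not to be the fix.
backup_mongo_dir() {
    if [ ! -d "$KVSTORE_DIR/mongo" ]; then
        echo "no mongo directory at $KVSTORE_DIR/mongo; nothing to move" >&2
        return 1
    fi
    dest="$BACKUP_ROOT/mongo_old_$(date +%Y%m%d%H%M%S)"
    mv "$KVSTORE_DIR/mongo" "$dest"
    echo "$dest"
}

# Solution 1 end to end: splunkd must be stopped while the directory is moved,
# and the status check afterwards shows whether KV Store came back up.
reset_kvstore() {
    "$SPLUNK_BIN" stop
    backup=$(backup_mongo_dir) || return 1
    "$SPLUNK_BIN" start
    "$SPLUNK_BIN" show kvstore-status
    echo "previous KV Store data kept at: $backup"
}

# Reverse step: put a moved-aside copy back. Refuses to overwrite a directory
# that splunkd has since recreated, so the two data sets are never mixed up.
restore_mongo_dir() {
    src="$1"
    if [ -d "$KVSTORE_DIR/mongo" ]; then
        echo "refusing to overwrite existing $KVSTORE_DIR/mongo; move it aside first" >&2
        return 1
    fi
    "$SPLUNK_BIN" stop
    mv "$src" "$KVSTORE_DIR/mongo"
    "$SPLUNK_BIN" start
}

# Only act when told to, so the file can also be sourced for its functions.
case "${1:-}" in
    reset)   reset_kvstore ;;
    restore) restore_mongo_dir "${2:?path of the mongo_old copy required}" ;;
    *) : ;;
esac
```

Usage: `sh reset_kvstore.sh reset` prints where the old data was kept; `sh reset_kvstore.sh restore <that path>` puts it back. Because the script only moves the directory, the question of whether data is deleted does not arise for Solution 1; the same is not true of `splunk clean kvstore --local`, which is why this script does not call it.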
From Step No. 3 (Install new Indexer nodes). Please correct me if I'm wrong; the overall steps that you mention are:

1. Add all new Indexers to the same cluster.

2. Increase the replication load between Indexers. #CM
   [clustering]
   max_peer_build_load = 20 (default 2)
   max_peer_rep_load = 50 (default 5)

3. Rebalance the data to reduce the bucket size on the old indexers and make copies of the data on the new indexers.

4. Put one of the old indexers in manual detention to prevent data replication to the old indexer. !!Do this one by one
   splunk edit cluster-config -manual_detention on

5. Use the splunk offline --enforce-counts command to stop the indexer and force the Cluster Master to copy the remaining primary buckets to the new indexer. !!Do this one by one
   splunk offline --enforce-counts

6. Remove the old indexer from the cluster. !!Do this one by one
   splunk remove cluster-peers -peers <peer_id>
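As an added example, not code from any post in this thread: a POSIX shell script that carries out steps 4 to 6 above for each old indexer in turn. It reads the peer's GUID from its etc/instance.cfg so that the remove command on the manager gets the identifier it needs rather than a hostname, runs the three commands in order, and stops at the first failure so that at most one peer is ever mid-transition. The ssh-based remote() helper, the host names, CLUSTER_MANAGER and REMOTE_SPLUNK_HOME are assumptions of this example; the three splunk commands are the ones quoted in the steps.

```shell
#!/bin/sh
# Added example, not from any post in this thread: run steps 4-6 for each old
# indexer strictly one at a time. The ssh-based remote() helper, the host names
# and REMOTE_SPLUNK_HOME are assumptions of this script.
set -eu

CLUSTER_MANAGER="${CLUSTER_MANAGER:-cm.example.internal}"   # hypothetical manager host
REMOTE_SPLUNK_HOME="${REMOTE_SPLUNK_HOME:-/opt/splunk}"

# Run one command line on a remote host. Isolated so it can be swapped for a
# dry-run logger without touching the procedure itself.
remote() {
    host="$1"; shift
    ssh "$host" "$@"
}

# The peer's GUID lives in etc/instance.cfg; "remove cluster-peers" wants
# that GUID, not the hostname.
peer_guid() {
    remote "$1" "sed -n 's/^guid *= *//p' $REMOTE_SPLUNK_HOME/etc/instance.cfg"
}

# Step 4 (manual detention on the peer), step 5 (offline with enforce-counts,
# so the manager reassigns primaries before the peer goes down), step 6
# (remove the peer on the manager). Each step must succeed before the next
# runs; a peer whose offline failed must not be removed. Prints "<peer> <guid>".
decommission_peer() {
    peer="$1"
    guid=$(peer_guid "$peer") || guid=""
    if [ -z "$guid" ]; then
        echo "could not read GUID for $peer; leaving it in the cluster" >&2
        return 1
    fi
    remote "$peer" "splunk edit cluster-config -manual_detention on" || return 1
    remote "$peer" "splunk offline --enforce-counts" || return 1
    remote "$CLUSTER_MANAGER" "splunk remove cluster-peers -peers $guid" || return 1
    echo "$peer $guid"
}

# One peer after another; stop at the first failure so that at most one peer
# is ever mid-transition.
decommission_all() {
    for peer in "$@"; do
        decommission_peer "$peer" || return 1
    done
}

case "${1:-}" in
    run) shift; decommission_all "$@" ;;
    *) : ;;
esac
```

Usage: `sh decommission_peers.sh run old-idx-01 old-idx-02`. Because `splunk offline --enforce-counts` does not return until the manager has finished reassigning the peer's primary copies, the script naturally waits for step 5 to complete before the remove in step 6 and before moving on to the next peer.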