×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
ashwinve1385
Explorer
Member since: ‎02-16-2022
‎07-02-2024
Community Statistics
Posts 5
Solutions 0
Karma Given 3
Karma Received 0
Member Since ‎02-16-2022
Activity Feed
View All

Re: KV store usage on splunk cloud

by in Splunk Cloud Platform
‎06-18-2024 10:50 AM
‎06-18-2024 10:50 AM
Thanks @gcusello  Does that mean, TA and App are installed on SH for Splunk Cloud Victoria? If that's the case, then it should work as is, isnt it? And for Splunk Cloud Classic, it seems like kv store approach does not work, is that right? ... View more

Re: KV store usage on splunk cloud

by in Splunk Cloud Platform
‎06-17-2024 10:48 AM
‎06-17-2024 10:48 AM
In fact from https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/custominputs/ it states that,  "In a distributed deployment, the location where a user installs a custom data input depends on their Splunk Cloud Platform Experience (Classic or Victoria). In Classic Experience, custom data inputs run on the the Inputs Data Manager (IDM). If you deploy an app with a custom data input to the search head or indexer, the input does not run on these components. In Victoria Experience, custom data inputs run on the search head and don’t require the IDM."   ... View more

Re: KV store usage on splunk cloud

by in Splunk Cloud Platform
‎06-17-2024 10:08 AM
‎06-17-2024 10:08 AM
Thanks @gcusello for your response.  From the doc, I read that for Splunk Classic experience, it is recommended to install TA on IDM. Whereas in case of Splunk Victoria, it is recommended to install TA on search head. I like the second approach, might as well, strip out the KV store logic out of the TA and place it in App such that whether it is on-prem or cloud, there shouldnt be an issue in updating kvstore data since app is installed on search head and that would take care of updating kv store. Does this sound reasonable?   ... View more

KV store usage on splunk cloud

by in Splunk Cloud Platform
‎06-14-2024 02:05 PM
‎06-14-2024 02:05 PM
I have 2 different splunk apps, one is a TA and the other is an app.  TA : uses modular input to connect with a data source. There are some logs and metadata that are pulled from the data source. Logs are pulled via syslog by providing a tcp input and metadata via api key and secret. The metadata is stored in kv stores.  App: is supposed to be installed on search heads and they support dashboards/reports that make use of the logs and metadata sent by HF. For splunk enterprise, the above approach works when HF has the context of search heads, because HF takes care of uploading the kv stores to the search heads via scheduled search. This ensures that the app residing on SH has the data to work with. However, on splunk cloud, once TA is installed , how to ensure that SH nodes have metadata to work with? Can we find out what are the search head fqdns so that kv stores can be copied there via scheduled search? ... View more

How to trigger a query when an alert is triggered

by in Alerting
‎02-16-2022 09:46 PM
‎02-16-2022 09:46 PM
My requirement is to get the rate of change of a certain parameter if its corresponding alert gets triggered. To add more details, we have a log file that logs the backlog of database. Once the backlog crosses a certain threshold we trigger an alert, however it could be a false positive since the system may be undergoing maintenance and hence backlog grows. So I want the alert to trigger another query that captures rate of growth over the last 'x' hours. This will give more context about what is happening in the system. How to achieve this in splunk? Please share your ideas ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎07-02-2024 07:51 PM
Karma given to
View All