Hello dear community Can you please advise me. My team is complaining that not all data comes from the HEC token from Kubernetes. I don't see any errors in _internal at this index. But I noticed something interesting in the index="_introspection" there are breaks in the data. Could this be related? And how to fix it?   ... View more

Hello dear community Could you please tell me how to find the reason. I am using HTTP Event Collector for Kubernetes. I have a configured data token coming into the index. But the team I'm helping assures me that the data in the index gets lost and it's not all sent to Splunk. Maybe someone has already encountered such a problem and perhaps the limits for data transfer are to blame? but I don't know how to check it. I tried to do a search in _internal on the index for which there are complaints. But perhaps you have a better way. Also, an application is installed on my HF, where all the indices and tokens for them are registered there, I found a file with limits. How can I see how much data is coming in for a token and if the values ​​are stuck? ... View more

Hello Community. Can you please advise me. Where in the configuration can I find out which SMTP mail server my Splunk uses to send notifications to employees? My configuration uses Search Head Cluster. I'm trying to find the configuration file where my company's SMTP is listed through which it can send alerts within our domain. I went to one of the Search Head and wanted to see the configuration at Settings/Server settings/Email settings. But there are no settings listed there. But this Search Head is sending alerts. Thank you for your feedback ... View more

Hello Community. Can you please tell me how to fix this, I don't understand why this is happening. I have explored various topics but have not been able to find a solution. I have an application which is configured by Splunk_TA_nix on remote servers. But not all servers are getting the CPU=all field I first encountered this when a team with their dashboard contacted me. They had 2 lonely servers. On one of them the CPU field was extracted and the dashboard worked. On the other one it didn't work anymore. I have set up a new server to forward the logs. But there was no CPU field on that one either. I even installed the sysstat utility. But I can't figure it out yet. Thus I am asking for help. Regards to everyone ... View more

Hello. Community help please. I can't figure out the problem with the data transfer to splunk. I have an index and data sources from servers. The problem is that some of the data is lost during transfers. There are files on the server that are updated with a new name after a certain time. For example there are files N2-1.out01324, N2-1.out01325 they are searchable and Splunk can see them. But then files are updated with new name for example N2-1.out01326, N2-1.out01327 and these files are not available Splunk can't see them. Then the list is updated and files N2-1.out01328-1329 are visible again ... View more