Activity Feed
- Posted Why can't I see all data is received in HEC? on Getting Data In. 01-16-2023 01:20 AM
- Tagged Why can't I see all data is received in HEC? on Getting Data In. 01-16-2023 01:20 AM
- Posted What is the reason for an incomplete data HTTP event collector? on Getting Data In. 12-12-2022 08:39 PM
- Tagged What is the reason for an incomplete data HTTP event collector? on Getting Data In. 12-12-2022 08:39 PM
- Posted How to find out the SMTP Splunk server? on Alerting. 09-20-2022 01:08 AM
- Tagged How to find out the SMTP Splunk server? on Alerting. 09-20-2022 01:08 AM
- Posted Re: The CPU=all Unix field is not retrieved on All Apps and Add-ons. 08-07-2022 10:11 PM
- Posted Re: The CPU=all Unix field is not retrieved on All Apps and Add-ons. 08-07-2022 10:09 PM
- Tagged Re: The CPU=all Unix field is not retrieved on All Apps and Add-ons. 08-07-2022 10:09 PM
- Posted How to fix CPU=all Unix field not being retrieved? on All Apps and Add-ons. 08-05-2022 03:05 AM
- Tagged How to fix CPU=all Unix field not being retrieved? on All Apps and Add-ons. 08-05-2022 03:05 AM
- Posted Re: Splunk App for Unix and Linux is not listing all the fields for index=os sourcetype=cpu on search head on Splunk Enterprise. 08-04-2022 03:38 AM
- Posted Why am I losing data during transmission to Splunk on Getting Data In. 05-15-2022 10:45 PM
- Tagged Why am I losing data during transmission to Splunk on Getting Data In. 05-15-2022 10:45 PM
01-16-2023 01:20 AM
Hello dear community,
Can you please advise me? My team is complaining that not all data comes in through the HEC token from Kubernetes.
I don't see any errors in _internal for this index.
But I noticed something interesting: in index="_introspection" there are breaks in the data. Could this be related? And how do I fix it?
- Tags: data
- Labels: HTTP Event Collector
12-12-2022 08:39 PM
Hello dear community,
Could you please tell me how to find the reason?
I am using the HTTP Event Collector for Kubernetes. I have a configured token whose data comes into the index. But the team I'm helping assures me that data in the index gets lost and not all of it is sent to Splunk. Maybe someone has already encountered such a problem, and perhaps the limits for data transfer are to blame? But I don't know how to check that. I tried to search in _internal for the index about which there are complaints, but perhaps you have a better way. Also, an application is installed on my HF where all the indexes and their tokens are registered, and there I found a file with limits. How can I see how much data is coming in for a token and whether the values are stuck?
- Tags: Incomplete data
- Labels: HTTP Event Collector
09-20-2022 01:08 AM
Hello Community.
Can you please advise me? Where in the configuration can I find out which SMTP mail server my Splunk uses to send notifications to employees? My configuration uses a Search Head Cluster. I'm trying to find the configuration file where my company's SMTP server is listed, through which it can send alerts within our domain. I went to one of the Search Heads and wanted to look at the configuration under Settings/Server settings/Email settings, but there are no settings listed there. Yet this Search Head is sending alerts. Thank you for your feedback.
- Labels: alert action
08-07-2022 10:11 PM
Thank you for responding to my question. I checked the parameters of the inputs.conf file. They are configured like this on both servers:

```ini
# Shows stats per CPU (useful for SMP machines)
[script://./bin/cpu.sh]
sourcetype = cpu
source = cpu
interval = 300
index = os
disabled = 0
```
08-07-2022 10:09 PM
Thank you for responding to my question. I checked the Splunk_TA_nix version. On the working server and on the new one where it doesn't work, they are the same. In the inputs.conf settings the same parameters are included. But I noticed a difference in the versions of the Universal Forwarder agent: on the working server version 7.3.3 is used, and I installed 8.2.6. There is also a difference in operating system versions. The working one uses Oracle Linux, and I am doing the setup on Ubuntu Server 20.04.
- Tags: fields
08-05-2022 03:05 AM
Hello Community. Can you please tell me how to fix this? I don't understand why this is happening. I have explored various topics but have not been able to find a solution. I have an application which is configured by Splunk_TA_nix on remote servers, but not all servers are getting the CPU=all field. I first encountered this when a team with their dashboard contacted me. They had 2 lonely servers. On one of them the CPU field was extracted and the dashboard worked. On the other one it didn't work anymore. I have set up a new server to forward the logs, but there was no CPU field on that one either. I even installed the sysstat utility, but I can't figure it out yet. Thus I am asking for help. Regards to everyone.
- Tags: fields
- Labels: search
08-04-2022 03:38 AM
Hello. Were you able to solve this problem? I have the same problem: on some hosts the CPU=all field is available and on some hosts it is not.
05-15-2022 10:45 PM
Hello. Community, help please. I can't figure out the problem with the data transfer to Splunk. I have an index and data sources from servers. The problem is that some of the data is lost during transfers. There are files on the server that are updated with a new name after a certain time. For example, there are files N2-1.out01324 and N2-1.out01325; they are searchable and Splunk can see them. But then the files are updated with new names, for example N2-1.out01326 and N2-1.out01327, and these files are not available; Splunk can't see them. Then the list is updated and files N2-1.out01328-1329 are visible again.
- Tags: data