We are seeing a large discrepancy in field extraction counts between our Prod and Dev environments for sourcetype=xxx. In Prod, a search returns ~600+ fields. In Dev, the same search returns ~100 fields. We confirmed that KV_MODE=auto is set on both environments, but Dev still does not extract as many fields. Raw events in Dev do contain certain keys (e.g., PreStore), but these fields do not consistently appear in the sidebar unless explicitly searched. Prod has ~58 field extractions defined for this sourcetype, while Dev only has ~6. A large number of the extractions in Prod appear as Private in the UI. We are unclear whether these “Private” extractions are also being applied to other users, or only to the owners. Questions How do “Private” field extractions behave — are they ever applied to users other than the owner, or should they only affect the owner’s searches? Could differences in data verbosity (more key=value pairs in Prod logs) be compounding the discrepancy, even with the same KV_MODE setting? What is the best way to identify all active field extractions (including private/app-scoped) that are being applied to a sourcetype, so we can reconcile between environments? How can we ensure consistent field discovery behavior between Dev and Prod?   Steps taken so far   Checked props.conf and transforms.conf on the search app in both environments — only a few extractions found in Dev vs many in Prod. Verified KV_MODE settings using REST and btool. Confirmed Prod SH shows auto, Dev was updated to auto, but discrepancy remains. Compared number of field extractions and in PROD it is 58 for sourcetype and in Dev it is 6.   ... View more

Hi Folks, We have thousands of universal forwarders that are currently running on old version (7.0.2). We are planning to upgrade universal forwarders to most recent version but before we do that we would like to reduce the overall footprint of universal forwarders by uninstalling them from the servers that are no longer sending logs.  Logs for few applications and infrastructure are migrated to Azure so they are no longer sending it to splunk. Need to find a list of such servers so i can uninstall them before i do mass upgrade. Is there a query that can give me the list of hostname along with timestamp of last log that it sent. Thanks in advance ... View more

Hi Folks, We have a complaint from stakeholders that they are seeing duplicate events in Splunk. they shared few examples where same events were indexed hundreds of times, sometimes in thousands. I can confirm that there are no duplicate stanzas to monitor log files in inputs.conf. I checked the actual log files and could see some events were duplicated in source file itself. count of it was 12 however in splunk same event was indexed 524 times. We see there are lot of inconsistencies in how the logs are being written at source. we see timestamps are either missing or partial. could that be the reason splunk is kind of going in bad state and re reading the log files?  This is how my inputs.conf is configured.  [monitor://\\hostname\log] recursive = false disabled = false followTail = 0 host = host_regex = ^.*\d-(.+?)-\d+-\d{8}_?\d*\. ignoreOlderThan = 8d index = index sourcetype = sourcetype whitelist = \.log|\.out time_before_close = 1 initCrcLength = 4096 ... View more

Hi Folks, We have a Splunk instance which comprises of 1 SH, 2 Indexers in cluster (Replication enabled), 1 Cluster Master and 1 Heavy forwarder.   We need to migrate these servers to a new set of servers. I would like to know the steps involved in migrating the already indexed clustered data. I am little newbie in Splunk Administration so would appreciate if someone can help me with detailed steps and points that i need to take care of while migrating the data. Thanks in advance. ... View more