we have our environment in google cloud platform where we have SH cluster with 3 SH. and earlier the issue was notable index data was getting stored locally in each search head to fix this we have created the notable index at indexer cluster and then forwarded the SH data toward the Indexer cluster using "indexer discovery" method, now the problem is the configuration (props.conf & transform.conf) which were responsible to redirect the data to notable index locally (each SH) are not taking effect to forward the data into notable index created in indexer cluster. however internal index data are forwarding now in the indexer cluster. ... View more

We have Search head cluster consisting of 3 Search heads. where Splunk enterprise security have notable index in the enterprise security app where all the notable logs are getting stored, now the problem is the notable index data is not replicating there data along with other 2 Search heads.  ... View more

we have a SH cluster with 3 SH which is collecting data with indexer cluster having 3 indexers. Now the problem is data present in the each indexer is not properly replicating in all 3 SH, example if we check for last 15 min _internal data on each SH then number of event is different by 1k to 5 k. And if I create dashboard in SH then this is getting replicated properly in between the SH. because of this issue in enterprise security notable is showing different in each SH. ... View more

We have SH cluster of 3 SH, where enterprise security notable are not same on all 3 SH enterprise security. And further when we check for last 15 min internal data that also vary with significant number (5 K to 10 k) than other 2 SH Member. ... View more

Getting below DB error in splunk, Please help to fix this issue.   ERROR ChunkedExternProcessor [11770 ChunkedExternProcessorStderrLogger] - stderr: BrokenPipeError: [Errno 32] Broken pipe ... View more

Hi, Getting below queue blocked and Errror in the HF.  don't know how to troubleshoot to fix this block queue issue.  can you help with the quick fix for this issue.      ... View more

| chart values(Date_Policy) BY Volume,WeekRange, in above command I wanted to add host as well in the BY section but not getting result for it. Can any help to fix this. | chart values(Date_Policy) BY Volume,WeekRange, host ... View more

data stopped coming from vcenter to splunk. not sure which DCN is used to configure those Vcenter, could you please help for troubleshooting like how to  check for the error (which cause data to stopped coming). as well as how I can find out the DCN which is using to collect the data from Vcenter.  ... View more

We got an issue where earlier someone created input on the HF and done the data onboarding but now data stopped coming to the Splunk. but we are unable to find out which HF was used earlier to create the Input. is there any way to find out the HF which was in use to send the data to the Splunk SH.   ... View more

app is unable to collect metric data  (metric_name="Memory.Page_Reads/sec" ) can any one help in the app script. operating system is linux.  ... View more