×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
konka4
Splunk Employee
Member since: ‎02-05-2023
‎10-01-2025
Community Statistics
Posts 8
Solutions 1
Karma Given 0
Karma Received 1
Member Since ‎02-05-2023
Activity Feed
View All

Re: Search Head Crashing - BundleReplicatorThread

by Splunk Employee in Splunk Enterprise Security
‎10-01-2025 04:11 PM
1 Karma
‎10-01-2025 04:11 PM
1 Karma
An update to this.   It was Data Segment Size that had been set to 10GB and the instance needed at least 18GB, set it to unlimited and its humming along now for at least a week without crashing. This is what I now have in my ulimits, LimitDATA was set to 10GB, now its set to infinity.   [Service] Type=simple Restart=always ExecStart=/opt/splunk/bin/splunk _internal_launch_under_systemd KillMode=mixed KillSignal=SIGINT TimeoutStopSec=360 LimitCORE=0 LimitNOFILE=65536 LimitNPROC=20480 LimitFSIZE=infinity LimitDATA=infinity KillMode=mixed KillSignal=SIGINT TimeoutStopSec=10min LimitRTPRIO=99 SuccessExitStatus=51 52 RestartPreventExitStatus=51 RestartForceExitStatus=52 User=splunk Group=splunk Delegate=true CPUWeight=100 #MemoryMax=33354076160 PermissionsStartOnly=true ExecStartPost=-/bin/bash -c "chown -R splunk:splunk /sys/fs/cgroup/system.slice/%n" ... View more

Re: How to resolve error's while installing Splunk...

by in Splunk SOAR
‎05-15-2024 02:01 PM
‎05-15-2024 02:01 PM
Hey I know this is old but did you ever figure this out i am getting the same errors. Thanks! ... View more

Re: Help Splitting Sourcetypes

by SplunkTrust in Getting Data In
‎08-18-2023 04:25 AM
1 Karma
‎08-18-2023 04:25 AM
1 Karma
First, rename sourcetype is search phase not ingest phase parameter. Those parameters haven't used when you are ingesting data into splunk. See more Sourcetype configuration. The only reason why those TIME* etc. are under pan:threat stanza is, that there are somewhere input which define that sourcetype directly. But as you can check from props.conf definition    [pan_threat] rename = pan:threat   cannot take those into use on ingest phase! You should remember that normally there are not separate props.conf for indexers and search head. Usually those are in same TA / package and quite often those contains also inputs.conf for UF/HF. This can be quite confusing time by time 😉 To see where each parameter is used you should check https://www.aplura.com/assets/pdf/where_to_put_props.pdf which told that little bit easier that Splunk's own documentation (e.g. https://docs.splunk.com/Documentation/Splunk/9.1.0/Deploy/Datapipeline and https://docs.splunk.com/Documentation/Splunk/9.1.0/Indexer/Indextimeversussearchtime). I hope that this helps you more than confusing? As I said earlier, you probably can set correct _time by INGEST_EVAL based on those final source types, but you need to add this under original sourcetype definition's TRANSFORM stanza. ... View more

Solarwinds Add-on For Splunk with SHC

by Splunk Employee in Splunk Enterprise
‎05-23-2023 12:18 AM
‎05-23-2023 12:18 AM
Hi all,   Hoping to get some clarity on the Solarwinds Add-on for Splunk.   I'm trying to install this onto my SHC (4SH's) with a deployer. Pushing from the deployer is all good. I then jump onto a search head and create the inputs and account to talk to solarwinds and the SH's replicate those local changes throughout the cluster.   After that I get absolutely no data, no errors as well to say what's not working. I've tested this app on a separate Indexer on one site, another indexer on another site (different subnets) and on my deployer and it works instantly. As soon as I put it on my SHC via the deployer, it does not work at all.   Is this app suppose to work with a SHC or am I doing something completely wrong?  ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎10-01-2025 04:08 PM