Activity Feed
- Karma Re: Segregating Indexer peers in Indexing Cluster for isoutamo. 08-22-2023 02:28 AM
- Posted How to segregate Indexer peers in Indexing Cluster? on Splunk Enterprise. 08-22-2023 01:35 AM
- Tagged How to segregate Indexer peers in Indexing Cluster? on Splunk Enterprise. 08-22-2023 01:35 AM
- Karma Re: Unable to correct the timestamp with microseconds for richgalloway. 06-22-2023 01:53 AM
- Posted Splunk OTEL Collector: Log Scraping Issue on Getting Data In. 06-22-2023 01:52 AM
- Posted Re: Unable to correct the timestamp with microseconds on Splunk Enterprise. 05-19-2023 02:00 AM
- Posted Why am I unable to correct the timestamp with microseconds? on Splunk Enterprise. 05-17-2023 03:16 AM
- Tagged Why am I unable to correct the timestamp with microseconds? on Splunk Enterprise. 05-17-2023 03:16 AM
08-22-2023 01:35 AM
Dear Team,
Need your expert advice.
a. Indexer Cluster - Is it feasible to separate the replication of indexer peers among the peers themselves?
Illustration: Within the indexing cluster, the Master is associated with indexer peers A, B, C, and D. My aim is to ensure that the development data being forwarded to A is exclusively replicated with B. Likewise, the production logs should only be replicated among C and D. It's essential that the data between C and D, as well as A and B, remain non-replicated. Is this solution attainable?
Br,
Prasad V
Labels: using Splunk Enterprise
06-22-2023 01:52 AM
Dear Team,

We have configured the Splunk OTEL collector to collect logs from OpenShift environment namespaces and Pods and send them to Splunk Enterprise using HEC (HTTP Event Collector). However, we are experiencing unusual behavior with the values.yaml configuration when it comes to collecting audit logs.

```yaml
logsCollection:
  extraFileLogs:
    filelog/audit-log-kube-apiserver:
      include: [/var/log/kube-apiserver/audit.log]
      start_at: beginning
      include_file_path: true
      include_file_name: false
      resource:
        com.splunk.source: /var/log/kube-apiserver/audit.log
        host.name: 'EXPR(env("K8S_NODE_NAME"))'
        com.splunk.sourcetype: kube:apiserver-audit
```

I'm having an issue with the OTEL collector Pod. Whenever I restart it, it starts ingesting data from the beginning instead of resuming where it left off. I've tried modifying the "start_at" option by setting it to "current," but that didn't work. I also attempted removing the key-value pair, but it didn't solve the problem. I would greatly appreciate any assistance in resolving this matter.
Labels: HTTP Event Collector
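The behaviour described in the post above (a restarted reader re-ingesting a file from the beginning) is what happens when the reader's byte offset is not persisted across restarts. The following is an added illustration of offset checkpointing, written for this page; it is not the OpenTelemetry Collector's or the Splunk Helm chart's code. It tails a constructed audit log, stores the offset reached in a checkpoint file, resumes from it on the next run, and handles the two edge cases a real reader must: a partially written last line and a lost or stale checkpoint.

```python
import json
import os
import tempfile


def read_new_lines(log_path, checkpoint_path):
    """Return the complete lines appended to log_path since the last call and
    persist the byte offset reached, so a later process can resume from it."""
    offset = 0
    if os.path.exists(checkpoint_path):
        with open(checkpoint_path) as f:
            offset = json.load(f).get('offset', 0)
    size = os.path.getsize(log_path)
    if offset > size:
        # The file shrank (truncated or rotated in place): the saved offset is
        # meaningless, so start from the beginning rather than seeking past EOF.
        offset = 0
    with open(log_path, 'rb') as f:
        f.seek(offset)
        data = f.read()
    # Only consume through the last newline; a partially written final line is
    # left for the next call instead of being emitted as a truncated record.
    cut = data.rfind(b'\n') + 1
    lines = data[:cut].decode('utf-8', errors='replace').splitlines()
    tmp = checkpoint_path + '.tmp'
    with open(tmp, 'w') as f:
        json.dump({'offset': offset + cut}, f)
    os.replace(tmp, checkpoint_path)  # atomic rename: a crash never leaves a half-written checkpoint
    return lines


def demo():
    """Constructed scenario: two records, a restart with no new data, one more
    record plus a partial one, then a restart that has lost its checkpoint.
    Returns the number of lines read at each step."""
    d = tempfile.mkdtemp()
    log = os.path.join(d, 'audit.log')
    ckpt = os.path.join(d, 'audit.log.checkpoint')
    with open(log, 'w') as f:
        f.write('{"kind":"Event","stageTimestamp":"2023-05-16T11:25:19.603580Z"}\n')
        f.write('{"kind":"Event","stageTimestamp":"2023-05-16T11:25:20.000001Z"}\n')
    first = read_new_lines(log, ckpt)          # fresh start: both records
    after_restart = read_new_lines(log, ckpt)  # offset persisted: nothing re-read
    with open(log, 'a') as f:
        f.write('{"kind":"Event","stageTimestamp":"2023-05-16T11:25:21.000000Z"}\n')
        f.write('{"kind":"Event","stageTim')   # partial record still being written
    appended = read_new_lines(log, ckpt)       # only the complete third record
    os.remove(ckpt)                            # checkpoint lost (e.g. not on a persistent volume)
    no_checkpoint = read_new_lines(log, ckpt)  # every complete line is re-read from the start
    return len(first), len(after_restart), len(appended), len(no_checkpoint)


if __name__ == '__main__':
    print(demo())  # (2, 0, 1, 3)
```

The last step of `demo()` reproduces the symptom from the post: with no checkpoint, `start_at: beginning` means the whole file again. In the OpenTelemetry Collector the equivalent state lives in the filelog receiver's `storage` setting, which points at a `file_storage` extension whose directory must outlive the pod for a restart to resume; whether the chart wires that for `extraFileLogs` entries is not something this page establishes.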
05-19-2023 02:00 AM
Thanks @richgalloway. No luck. Below is the raw event for your reference:

```
{"resource":"*****"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2023-05-16T11:25:19.602483Z","stageTimestamp":"2023-05-16T11:25:19.603580Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by RoleBinding \"""}}
```
05-17-2023 03:16 AM
Dear Team,
Below is the raw log for your reference:
```
{"kind":"Event",*******************,***,"stageTimestamp":2023-05-16T11:25:19.603580Z}
```

I have created a props.conf with the respective sourcetype; below it is for your reference:

```
[kube:apiserver-audit]
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
TIME_PREFIX = stageTimestamp\"\:\"
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%6N
SHOULD_LINEMERGE=false
MAX_TIMESTAMP_LOOKAHEAD=27
```

However, when I check in Splunk, the timestamp is not parsed correctly. Any help here would be much appreciated.

Br,
Prasad V
Tags: Timestamp error
Labels: configuration
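A practitioner would normally check a `TIME_PREFIX` / `TIME_FORMAT` / `MAX_TIMESTAMP_LOOKAHEAD` combination against a real event before reloading props.conf. The script below is an added example written for this page, not Splunk code: it emulates those three settings in Python on two constructed events modelled on the records in the thread, one with the quoted `"stageTimestamp":"..."` value a kube-apiserver audit record actually carries and one with the unquoted form as it appears in the flattened post text. The `splunk_format_to_strptime` helper and the `minimum_lookahead` function are this example's own; the mapping of Splunk's `%6N` to Python's `%f` is the only format token it handles.

```python
import re
from datetime import datetime, timezone

# props.conf values from the post, as Python literals
TIME_PREFIX = r'stageTimestamp\"\:\"'
TIME_FORMAT = '%Y-%m-%dT%H:%M:%S.%6N'
MAX_TIMESTAMP_LOOKAHEAD = 27

# Constructed sample events; the fields elided with asterisks in the post are
# simply omitted here.
EVENT_QUOTED = (
    '{"kind":"Event","responseStatus":{"metadata":{},"code":200},'
    '"requestReceivedTimestamp":"2023-05-16T11:25:19.602483Z",'
    '"stageTimestamp":"2023-05-16T11:25:19.603580Z"}'
)
EVENT_UNQUOTED = '{"kind":"Event","stageTimestamp":2023-05-16T11:25:19.603580Z}'


def splunk_format_to_strptime(fmt):
    """Map Splunk's %6N (six-digit fractional seconds) to Python's %f.
    Assumption: no other Splunk-specific tokens appear in the format."""
    return fmt.replace('%6N', '%f')


def extract_timestamp(event, prefix=TIME_PREFIX, fmt=TIME_FORMAT,
                      lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Emulate TIME_PREFIX, then TIME_FORMAT within MAX_TIMESTAMP_LOOKAHEAD chars.

    Returns (datetime, consumed_text) on success, or (None, reason) when the
    prefix regex does not match or the format does not match in the window."""
    m = re.search(prefix, event)
    if not m:
        return None, 'TIME_PREFIX did not match'
    window = event[m.end():m.end() + lookahead]
    pyfmt = splunk_format_to_strptime(fmt)
    # Splunk anchors the format at the start of the window and ignores what
    # follows; emulate that by trying the longest prefix of the window first.
    for end in range(len(window), 0, -1):
        try:
            ts = datetime.strptime(window[:end], pyfmt)
        except ValueError:
            continue
        # The format has no %Z/%z, so the trailing "Z" is not consumed. Splunk
        # would then fall back to the stanza's TZ setting (or the indexer's
        # zone); this check pins UTC explicitly, which is what the record means.
        return ts.replace(tzinfo=timezone.utc), window[:end]
    return None, 'TIME_FORMAT did not match within MAX_TIMESTAMP_LOOKAHEAD'


def minimum_lookahead(event, prefix=TIME_PREFIX, fmt=TIME_FORMAT):
    """Smallest MAX_TIMESTAMP_LOOKAHEAD that still lets the format match."""
    ts, consumed = extract_timestamp(event, prefix, fmt, lookahead=10_000)
    return len(consumed) if ts else None


if __name__ == '__main__':
    for name, ev in (('quoted', EVENT_QUOTED), ('unquoted', EVENT_UNQUOTED)):
        ts, info = extract_timestamp(ev)
        print(f'{name}: {ts.isoformat() if ts else "no timestamp"} ({info})')
    print('minimum lookahead:', minimum_lookahead(EVENT_QUOTED))
```

Running it shows the two failure modes worth separating: on the unquoted form the prefix regex (which requires `":"`) never matches at all, while on the quoted form the settings from the post parse the full microsecond value and need 26 characters of lookahead, so a lookahead of 20 would silently leave the timestamp unparsed. Because the `Z` is not consumed, a stanza without `TZ = UTC` would interpret the value in the indexer's time zone, which is a separate symptom from a failed parse.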