Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- About Namdev
Namdev
Loves-to-Learn Lots
Member since:
06-02-2023
02-20-2026
Community Statistics
| Posts | 11 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 0 |
| Member Since | 06-02-2023 |
Activity Feed
- Posted Re: Splunk ITSI Glass table data visualization issue on Dashboards & Visualizations. 02-20-2026 01:44 AM
- Posted Splunk ITSI Glass table data visualization issue on Dashboards & Visualizations. 02-18-2026 10:24 PM
- Tagged Splunk ITSI Glass table data visualization issue on Dashboards & Visualizations. 02-18-2026 10:24 PM
- Posted Re: SplunkForwarder monitoring issue for /opt/log/<file name> on Splunk Enterprise. 03-05-2025 08:57 AM
- Posted Re: SplunkForwarder monitoring issue for /opt/log/<file name> on Splunk Enterprise. 03-05-2025 05:48 AM
- Posted Re: SplunkForwarder monitoring issue for /opt/log/<file name> on Splunk Enterprise. 03-05-2025 03:22 AM
- Posted Re: SplunkForwarder monitoring issue for /opt/log/<file name> on Splunk Enterprise. 03-05-2025 02:39 AM
- Posted Re: SplunkForwarder monitoring issue for /opt/log/<file name> on Splunk Enterprise. 03-04-2025 11:54 PM
- Posted SplunkForwarder monitoring issue for /opt/log/<file name> on Splunk Enterprise. 03-04-2025 09:34 AM
- Posted Re: Parsing issue in distributed Environment on Getting Data In. 03-03-2025 07:37 AM
- Posted Re: Parsing issue in distributed Environment on Getting Data In. 02-23-2025 10:58 PM
- Posted Parsing issue in distributed Environment on Getting Data In. 02-23-2025 09:50 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
02-20-2026
01:44 AM
what's the search you used in the Glass table? >>> I have not create any additional search query , I have created few services along with KPI.. and simple used Data source in Line chart. Expecting data should directly visible. When I tried to display the ITSI data in a dashboard I built a lookup with the service decomposition and I used it to associate the kpi data from itsi_summary index to the services. >> Can you elaborate this process. Let me explain my scenario : I am working on a use-case development task where I have created a network hierarchy. At the base level, I added Mumbai router, Mumbai core, Bangalore router, and Bangalore core devices with KPIs such as CPU and memory usage. Then I created separate Mumbai and Bangalore services — the Mumbai service is associated only with Mumbai devices, and the Bangalore service only with Bangalore devices — pulling the service health score. Finally, I created a main network service at the top level that is associated with the location services. Now I want to showcase the separate health status along with the KPIs and also display the cumulative health score at the top level
... View more
02-18-2026
10:24 PM
I have set up a distributed Splunk environment consisting of: 2 Forwarders 3 Indexers 1 Indexer Manager (Cluster Manager) 1 Deployment Server / License Manager / Monitoring Console 1 Search Head I installed Splunk ITSI following the distributed deployment guidelines. For testing purposes, I am ingesting data directly into the Search Head using HEC. The data is successfully indexed and visible in ITSI. I have created several services and KPIs, and the KPI values are displaying correctly within ITSI. However, when I create a Glass Table and map those KPIs to the visualization, no data appears on the Glass Table. What could be causing the Glass Table to not display KPI data even though the KPIs themselves are populated?
... View more
Labels
- Labels:
-
other
-
single value
03-05-2025
08:57 AM
Cooked:tcp : tcp Raw:tcp : tcp TailingProcessor:FileStatus : $SPLUNK_HOME/etc/apps/sample_app/logs type = missing $SPLUNK_HOME/etc/splunk.version file position = 70 file size = 70 percent = 100.00 type = finished reading $SPLUNK_HOME/var/log/splunk type = directory $SPLUNK_HOME/var/log/splunk/configuration_change.log type = directory $SPLUNK_HOME/var/log/splunk/license_usage_summary.log type = directory $SPLUNK_HOME/var/log/splunk/metrics.log type = directory $SPLUNK_HOME/var/log/splunk/splunk_instrumentation_cloud.log* type = directory $SPLUNK_HOME/var/log/splunk/splunkd.log type = directory $SPLUNK_HOME/var/log/watchdog/watchdog.log* type = directory $SPLUNK_HOME/var/run/splunk/search_telemetry/*search_telemetry.json type = directory $SPLUNK_HOME/var/spool/splunk/tracker.log* type = directory /opt/log/ type = directory /opt/log/cisco_ironport_web.log file position = 207575 file size = 207575 parent = /opt/log/ percent = 100.00 type = finished reading /opt/splunkforwarder/var/log/splunk/audit.log file position = 159471 file size = 159471 parent = $SPLUNK_HOME/var/log/splunk percent = 100.00 type = open file /opt/splunkforwarder/var/log/splunk/btool.log file position = 192268 file size = 192268 parent = $SPLUNK_HOME/var/log/splunk percent = 100.00 type = finished reading /opt/splunkforwarder/var/log/splunk/conf.log file position = 9044 file size = 9044 parent = $SPLUNK_HOME/var/log/splunk percent = 100.00 type = finished reading /opt/splunkforwarder/var/log/splunk/configuration_change.log file position = 3353479 file size = 3353479 parent = $SPLUNK_HOME/var/log/splunk/configuration_change.log percent = 100.00 type = finished reading /opt/splunkforwarder/var/log/splunk/first_install.log file position = 70 file size = 70 parent = $SPLUNK_HOME/var/log/splunk percent = 100.00 type = finished reading /opt/splunkforwarder/var/log/splunk/health.log file position = 785728 file size = 785728 parent = $SPLUNK_HOME/var/log/splunk percent = 100.00 type = finished reading /opt/splunkforwarder/var/log/splunk/license_usage.log file position = 0 file size = 0 parent = $SPLUNK_HOME/var/log/splunk percent = 100 type = finished reading /opt/splunkforwarder/var/log/splunk/license_usage_summary.log file position = 0 file size = 0 parent = $SPLUNK_HOME/var/log/splunk/license_usage_summary.log percent = 100 type = finished reading /opt/splunkforwarder/var/log/splunk/mergebuckets.log file position = 0 file size = 0 parent = $SPLUNK_HOME/var/log/splunk percent = 100 type = finished reading /opt/splunkforwarder/var/log/splunk/metrics.log file position = 21630761 file size = 21630761 parent = $SPLUNK_HOME/var/log/splunk/metrics.log percent = 100.00 type = finished reading /opt/splunkforwarder/var/log/splunk/metrics.log.1 file position = 25000026 file size = 25000026 parent = $SPLUNK_HOME/var/log/splunk percent = 100.00 type = finished reading /opt/splunkforwarder/var/log/splunk/metrics.log.2 file position = 25000081 file size = 25000081 parent = $SPLUNK_HOME/var/log/splunk percent = 100.00 type = finished reading /opt/splunkforwarder/var/log/splunk/mongod.log file position = 0 file size = 0 parent = $SPLUNK_HOME/var/log/splunk percent = 100 type = finished reading /opt/splunkforwarder/var/log/splunk/remote_searches.log file position = 0 file size = 0 parent = $SPLUNK_HOME/var/log/splunk percent = 100 type = finished reading /opt/splunkforwarder/var/log/splunk/scheduler.log file position = 0 file size = 0 parent = $SPLUNK_HOME/var/log/splunk percent = 100 type = finished reading /opt/splunkforwarder/var/log/splunk/search_messages.log file position = 0 file size = 0 parent = $SPLUNK_HOME/var/log/splunk percent = 100 type = finished reading /opt/splunkforwarder/var/log/splunk/searchhistory.log file position = 0 file size = 0 parent = $SPLUNK_HOME/var/log/splunk percent = 100 type = finished reading /opt/splunkforwarder/var/log/splunk/splunk_instrumentation_cloud.log file position = 0 file size = 0 parent = $SPLUNK_HOME/var/log/splunk/splunk_instrumentation_cloud.log* percent = 100 type = finished reading /opt/splunkforwarder/var/log/splunk/splunkd-utility.log file position = 69012 file size = 69012 parent = $SPLUNK_HOME/var/log/splunk percent = 100.00 type = finished reading /opt/splunkforwarder/var/log/splunk/splunkd.log file position = 12378562 file size = 12378562 parent = $SPLUNK_HOME/var/log/splunk/splunkd.log percent = 100.00 type = open file /opt/splunkforwarder/var/log/splunk/splunkd_access.log file position = 44571 file size = 44571 parent = $SPLUNK_HOME/var/log/splunk percent = 100.00 type = open file /opt/splunkforwarder/var/log/splunk/splunkd_stderr.log file position = 200 file size = 200 parent = $SPLUNK_HOME/var/log/splunk percent = 100.00 type = finished reading /opt/splunkforwarder/var/log/splunk/splunkd_stdout.log file position = 0 file size = 0 parent = $SPLUNK_HOME/var/log/splunk percent = 100 type = finished reading /opt/splunkforwarder/var/log/splunk/splunkd_ui_access.log file position = 0 file size = 0 parent = $SPLUNK_HOME/var/log/splunk percent = 100 type = finished reading /opt/splunkforwarder/var/log/splunk/wlm_monitor.log file position = 0 file size = 0 parent = $SPLUNK_HOME/var/log/splunk percent = 100 type = finished reading /opt/splunkforwarder/var/log/watchdog/watchdog.log file position = 12202 file size = 12202 parent = $SPLUNK_HOME/var/log/watchdog/watchdog.log* percent = 100.00 type = finished reading tcp_cooked:listenerports : 8089
... View more
03-05-2025
05:48 AM
I checked by using this command but no luck , kindly find my logs root@hf2:/opt# ps aux | grep /opt/log/ root 3152 0.0 0.0 9276 2304 pts/2 S+ 13:17 0:00 grep --color=auto /opt/log/ root@hf2:/opt# ls -l /opt/log/ total 204 -rw-r-xr--+ 1 root root 207575 Feb 19 11:12 cisco_ironport_web.log root@hf2:/opt# SplunkD Logs for your refernecne : 03-04-2025 22:23:55.770 +0530 INFO TailingProcessor [32908 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/. 03-04-2025 22:29:34.873 +0530 INFO TailingProcessor [33197 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/. 03-04-2025 22:39:22.449 +0530 INFO TailingProcessor [33712 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/. 03-04-2025 22:44:59.341 +0530 INFO TailingProcessor [33979 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/cisco_ironport_web.log. 03-04-2025 22:44:59.341 +0530 INFO TailingProcessor [33979 MainTailingThread] - Adding watch on path: /opt/log/cisco_ironport_web.log. 03-04-2025 22:54:52.366 +0530 INFO TailingProcessor [34246 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/cisco_ironport_web.log. 03-04-2025 22:54:52.366 +0530 INFO TailingProcessor [34246 MainTailingThread] - Adding watch on path: /opt/log/cisco_ironport_web.log. 03-05-2025 12:35:53.768 +0530 INFO TailingProcessor [2117 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/cisco_ironport_web.log. 03-05-2025 12:35:53.768 +0530 INFO TailingProcessor [2117 MainTailingThread] - Adding watch on path: /opt/log/cisco_ironport_web.log. 03-05-2025 13:07:00.440 +0530 INFO TailingProcessor [2920 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/. 03-05-2025 13:16:28.483 +0530 INFO TailingProcessor [3132 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/. 03-05-2025 13:18:26.876 +0530 INFO TailingProcessor [3339 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/. root@hf2:/opt#
... View more
03-05-2025
03:22 AM
I am using Splunk trial license, I have checked permissions and it is not a permission issue
... View more
03-05-2025
02:39 AM
NO logs on Search head
... View more
03-04-2025
11:54 PM
Hey Buddy , No luck with your command, kindly find logs below : root@hf2:/opt# ps aux | grep /opt/log/ root 3152 0.0 0.0 9276 2304 pts/2 S+ 13:17 0:00 grep --color=auto /opt/log/ root@hf2:/opt# ls -l /opt/log/ total 204 -rw-r-xr--+ 1 root root 207575 Feb 19 11:12 cisco_ironport_web.log root@hf2:/opt# SplunkD Logs for your refernecne : 03-04-2025 22:23:55.770 +0530 INFO TailingProcessor [32908 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/. 03-04-2025 22:29:34.873 +0530 INFO TailingProcessor [33197 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/. 03-04-2025 22:39:22.449 +0530 INFO TailingProcessor [33712 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/. 03-04-2025 22:44:59.341 +0530 INFO TailingProcessor [33979 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/cisco_ironport_web.log. 03-04-2025 22:44:59.341 +0530 INFO TailingProcessor [33979 MainTailingThread] - Adding watch on path: /opt/log/cisco_ironport_web.log. 03-04-2025 22:54:52.366 +0530 INFO TailingProcessor [34246 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/cisco_ironport_web.log. 03-04-2025 22:54:52.366 +0530 INFO TailingProcessor [34246 MainTailingThread] - Adding watch on path: /opt/log/cisco_ironport_web.log. 03-05-2025 12:35:53.768 +0530 INFO TailingProcessor [2117 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/cisco_ironport_web.log. 03-05-2025 12:35:53.768 +0530 INFO TailingProcessor [2117 MainTailingThread] - Adding watch on path: /opt/log/cisco_ironport_web.log. 03-05-2025 13:07:00.440 +0530 INFO TailingProcessor [2920 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/. 03-05-2025 13:16:28.483 +0530 INFO TailingProcessor [3132 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/. 03-05-2025 13:18:26.876 +0530 INFO TailingProcessor [3339 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/. root@hf2:/opt#
... View more
03-04-2025
09:34 AM
Hello team, In my distributed Splunk lab created on VMware client virtual machine, facing the below issues. Distributed environment consists of below components with Splunk free licences - 4 Indexers (part of an Indexer Cluster) - 1 Cluster Manager (for managing the indexer cluster) - 2 Universal Forwarders (UFs) sending data - 1 DS/LM/MC (Deployment Server + License Manager + Monitoring Console combined on one server) - 1 Search Head (for searching and dashboards) I am facing an issue to enable Splunk monitoring for /opt/log directory. I have checked that /var/log can be monitored successfully whereas Splunk forwarder is failed to monitor /opt/log directory. I have checked permission issue other things but no luck
... View more
Labels
- Labels:
-
configuration
-
using Splunk Enterprise
03-03-2025
07:37 AM
I have tried this option, no luck. Can we have a call to discuss this ?
... View more
02-23-2025
10:58 PM
Yes, I tried using the app option also checked with the _cluster option where I placed the props.conf and transforms.conf files, and distributed them among the peers.
... View more
02-23-2025
09:50 PM
Hello Team,parsing issue I have built a distributed Splunk lab using a trial license. The lab consists of three indexers, one cluster manager, one search head, one instance serving as the Monitoring Console (MC), Deployment Server (DS), and License Manager (LM), along with two Universal Forwarders. The forwarder is monitoring the /opt/log/routerlog directory, where I have placed two log files: cisco_ironport_web.log and cisco_ironport_mail.log. The logs are successfully forwarded to the indexers and then to the search head. However, log parsing is not happening as expected. I have applied the same configuration of props.conf and transforms.conf on both the indexer cluster and the search head. props.conf and transforms.conf file paths : indexer path : /opt/splunk/etc/peer-apps/_cluster/local Search head path : /opt/splunk/etc/apps/search/local configuration of props.conf and transforms.conf : transforms.conf : [extract_fields] REGEX = ^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<src_ip>\d+\.\d+\.\d+\.\d+)\s+(?P<email>\S+@\S+)\s+(?P<domain>\S+)\s+(?P<url>\S+) FORMAT = timestamp::$1 src_ip::$2 email::$3 domain::$4 url::$5 props.conf : [custom_logs] SHOULD_LINEMERGE = false TIME_PREFIX = ^ TIME_FORMAT = %Y-%m-%d %H:%M:%S MAX_TIMESTAMP_LOOKAHEAD = 19 TRANSFORMS-extract_fields = extract_fields
... View more
Labels
- Labels:
-
field extraction
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-20-2026
01:25 AM
|
