cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
agilhomar
Explorer
Member since: ‎07-02-2023
‎07-06-2023
Community Statistics
Posts 6
Solutions 2
Karma Given 7
Karma Received 1
Member Since ‎07-02-2023
Activity Feed
View All

Re: Indexer stuck in Reassigning primaries status

by in Splunk Enterprise
‎07-05-2023 11:33 PM
1 Karma
‎07-05-2023 11:33 PM
1 Karma
I restarted only the indexer, because it was not found by the CM and it worked again. ... View more

Indexer stuck in Reassigning primaries status

by in Splunk Enterprise
‎07-05-2023 10:26 AM
‎07-05-2023 10:26 AM
After a searchable rolling restart that got stuck, I've restarted the CM in order to get out of the rolling restart. What was the solution recommended in the following question: Rolling restart hung on "Reassigning primaries"- H... - Splunk Community My indexer is still stuck in the status. How can I get the indexer back to status Up? ... View more
Labels

Re: Date Format is not recognized

by in Getting Data In
‎07-04-2023 02:00 AM
‎07-04-2023 02:00 AM
Solved: props.conf was in the wrong directory deployed. That is why it had no effect to change it. ... View more

Re: Date Format is not recognized

by in Getting Data In
‎07-03-2023 12:59 AM
‎07-03-2023 12:59 AM
Hi Giuseppe, The logs are like this (2 events): 23.06.27 09:19:30 [id:1234567]ERROR: Fail to attach shared memory:[RULE] 23.06.27 09:19:30 [id:1234567]ALERT-:condition[AppBase] Thank you very much for your quick response! Agil ... View more

Re: Date Format is not recognized

by in Getting Data In
‎07-03-2023 12:41 AM
‎07-03-2023 12:41 AM
Fisrst of all thank you very much for the quick response. I will try to clarify every aspect that you mention.  1. The logs are created in the DMZ and sent to a HFW there. Then they are sent from the HFW to the index cluster. The HFW acts as a forwarder manager for the DMZ Hosts. 2. In this HFW under deploying-apps I have the Forwarder Apps. There for every specific app, I have the inputs.conf and the props.conf both of them are in the following path $ForwarderAppName/default. In inputs.conf I set the monitor stanzas and in props.conf I set the sourcetypes config. I have also Serverclasses that bound my Forwarder Apps with the Host I want to get the logs of. 3 In the Config file I used the valid one: DATETIME_CONFIG ... View more

Date Format is not recognized

by in Getting Data In
‎07-03-2023 12:12 AM
‎07-03-2023 12:12 AM
The Logs I am tring to onboard in Splunk have the following time format,  "YY.MM.DD HH:MM:SS" so I made a props.conf accordingly:  [sourcetype name] DATETIME_CONFIG = TIME_FORMAT = %y.%m.%d %H:%M:%S TIME_PREFIX = ^ BREAK_ONLY_BEFORE_DATE = true MAX_TIMESTAMP_LOOKAHEAD = 20 NO_BINARY_CHECK = true SHOULD_LINEMERGE = false this config was the one created by splunk when I parsed the Logs as an Upload, there were the dates properl readen. When I deploy this in production the sourctype name exists but does nothing to parse it.   Also, the year, month and day are read 2 times meaning that the hour in the logs is the date. For example, today all the logs are writen in the 23:07:03 hour. I also tried to chande datime_config to current but is also not working. Nothnig that I change in props file is taken into acount in prod. For gaining further commpreension of this case the Logs are Created in the DMZ and sent to the index throug a Deployer in the DMZ. Where could be the problem? Why is it props.conf working on the logs when uploaded and not when sent through a UFW? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎07-06-2023 04:00 AM
Karma from
View All
Karma given to