cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
rene_splunk
Explorer
Member since: ‎01-08-2024
‎04-26-2024
Community Statistics
Posts 8
Solutions 0
Karma Given 4
Karma Received 0
Member Since ‎01-08-2024
Activity Feed
View All

Re: Need help ingesting /var/log/mail.log.1

by in Getting Data In
‎02-27-2024 03:24 AM
‎02-27-2024 03:24 AM
Thanks Giuseppe, I don't see any historical data in my index as yet, this is what's in the splunkd.log file   ... View more

Need help ingesting /var/log/mail.log.1

by in Getting Data In
‎02-27-2024 02:37 AM
‎02-27-2024 02:37 AM
I have a number of log-rotated files for mail.log in the /var/log folder on a unix system. The /var/log/mail.log file gets ingested just fine, so I know permissions aren't an issue. However, I'd like to also ingest the older data that was log-rotated, but for the purpose of ingesting, those files were untarred again, so I have mail.log.1 to mail.log.4 I have tried numerous stanzas and regexes in the whitelist, but none lead to the older data getting ingested.  The one I currently have in place is: [monitor:///var/log/] index = postfix sourcetype = postfix_syslog whitelist = (mail\.log$|mail\.log\.\d+) Thanks for any suggestions in advance.   ... View more

Re: Splunk cluster master migration

by in Splunk Enterprise
‎01-25-2024 11:46 PM
‎01-25-2024 11:46 PM
Yes, that was the documentation I was going on as well. As soon as I switched the old host to Standalone mode and configured Distributed mode on the new host, the indexers appeared, so that's the first part of the migration done anyway. ... View more

Re: Splunk cluster master migration

by in Splunk Enterprise
‎01-25-2024 07:04 AM
‎01-25-2024 07:04 AM
That's interesting, because I added all the Search heads to the new MC, plus the current cluster master and I don't see the indexers listed on the distributed mode. I guess it may come after I've completed the setup of distributed mode, but I need to make the new instance a search head first according to the documentation, so I'll start there. ... View more

Re: Splunk cluster master migration

by in Splunk Enterprise
‎01-24-2024 08:18 AM
‎01-24-2024 08:18 AM
I'm planning to move the MC role to the new server, however it needs to be configured as a search head to a multisite indexer cluster first. As far as I can gather from the documentation, https://docs.splunk.com/Documentation/Splunk/8.2.2/Indexer/MultisiteCLI#Configure_the_search_heads I just need to run the CLI command mentioned there on the new host, changing the master URI to my current master. However, after doing this and restarting Splunk on the new host, do I actually to go into my old host and set the MC mode to standalone before restarting or will that automatically be done when I continue setting up Distributed mode on the new host? And finally, when do the clustered indexers get picked up as search peers in the MC, given I don't add them manually?   ... View more

Re: Splunk cluster master migration

by in Splunk Enterprise
‎01-12-2024 04:20 AM
‎01-12-2024 04:20 AM
The thing is, we've had this existing setup for years and never had any issues. Therefore, I had hoped to do a like for like swap to the new host, to prevent any further complications of building out more machines and making sure all hosts can connect, etc. However, I appreciate the replies and will try and implement some of these recommendations at least. ... View more

Re: Splunk cluster master migration

by in Splunk Enterprise
‎01-08-2024 11:58 PM
‎01-08-2024 11:58 PM
Correct, this is what is listed in the Monitoring Console as having all these roles. Our setup is as follows: 2 sites 9 Search Heads, clustered (5 in 1 site, 4 in the other) 8 indexers, clustered (split evenly) 2 heavy forwarders (site 1 only) 1 cluster master I believe documentation mentions somewhere that in order to have a cluster master orchestrate clusters, it needs to take on the role of the cluster it's trying to orchestrate, ie search head or indexer. It doesn't actually fulfil those roles. ... View more

Splunk cluster master migration

by in Splunk Enterprise
‎01-08-2024 07:47 AM
‎01-08-2024 07:47 AM
I need to migrate our cluster master to a new machine. It currently has these roles: Cluster Master Deployment Server Indexer License Master Search Head SHC Deployer I already migrated the License master role to the new server and it's working fine. I've been trying to follow the documentation here: https://docs.splunk.com/Documentation/Splunk/8.2.2/Indexer/Handlemanagernodefailure From what I gather, I need to copy all the files in /opt/splunk/etc/deployment-apps, /opt/splunk/etc/shcluster and /opt/splunk/etc/master-apps, plus anything that's in /opt/splunk/etc/system/local. Then add the passwords in plain text to the server.conf in the  local folder, restart Splunk on the new host and point all peers and search heads to the new master in their respective local server.conf files.  Is there anything else that needs done or would this take care of switching the cluster master entirely? And is there a specific order in which to do things? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎04-26-2024 01:55 AM
Karma given to
View All