About blanky

blanky · ‎06-25-2025

solved.

blanky · ‎06-25-2025

I Install UF 9.1.7 ARM file on Rocky 9. and i got an Error "tcp_conn_open_afux ossocket_connect failed with No such file or directory" when set deploy-poll is this Compatibility problem?

blanky · ‎04-15-2025

We are collecting the sourtype of the data we are currently receiving by changing it as follows. [A_syslog] TRANSFORMS-<class_A> = <TRANSFORMS_STANZA_NAME> [<TRANSFORMS_STANZA_NAME>] REGEX = \w+\s+\d+\s+\d([^\s+]*)\s+([^\s+]*)\s+([^\s+]*)\s+([^\s+]*)\s+([^\s+]*)\s+ DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::B_syslog WRITE_META = true I want to apply timestamp for B_syslog differently here, so I'm looking for sourcetype in props.conf but I can't see it. When I change the sourcetype in the same way as above, can I get a different timestamp value only for that data?

blanky · ‎04-15-2025

We are collecting various data from security equipment. The data is being stored in index=sec_A and received as sourtype=A_syslog. Here, in the props.conf setting, several data are filtered as follows, and the data is stored by dividing it into different source types and indexes. [A_syslog] TRANSFORMS-<class_A> = a, b, c, d TRANSFORMS-<class_B> = e, f, g Here, I want to add additional data to be filtered by b, but these data are different from the data currently being collected and timestamp REGEX, so I think I need to collect them in a different way. Is there a way to specify a different timestamp value only for the data being added while the data collection is continuing?

blanky · ‎03-19-2025

Thank you for your support. I found a error bucket in the bucket state, removed it directly from the CLI environment, and rebooted it to fix the problem. And the rf & sf met finally. Bucket with error was not created in folder form, but in file form.

blanky · ‎03-18-2025

bucket status is "Waiting 'target_wait_time' before replicating buckt". but, i've been waiting for a week for replicating. but it doesn't changed.

blanky · ‎03-17-2025

There was a time when the indexer server shut down unexpectedly, And I've been struggle with indexer clustering rf & sf were doesn't meet. Every index are satisfied with rf & sf, but only one index doesn't meet sf & rf I have tried roll / resync / rolling restart in the Master node, but it doesn't work. I'm trying to find the error bucket and remove it from the CLI environment, and restart the cluster. Is it right solution to solve this problem?? Or Suggest me the better way to solve it. please

blanky · ‎03-12-2025

I'm planning to upgrade upgrade splunk environment now. 3 shcluster - 3 index cluster - 2 heavy forwarder - 1 master. i want to upgrade HF without data loss but i have to stop the splunk server during upgrade. is there any other way to upgrade HF without data loss??

blanky · ‎01-14-2025

i want to replicate search1's kvstore to search2. that two cluster is non-clustering and standalone. And i found option in server.conf [kvstore] stanza replication_host. Does this option only operated in clustering environment?

Posts	9
Solutions	1
Karma Given	3
Karma Received	0
Member Since	‎01-13-2025

Online Status	Offline
Date Last Visited	‎06-25-2025 07:25 PM

UF Compatibility with rocky

Routing Sourcetype

change timestamp for extra data

Does not meet: primacy & sf & rf

Upgraded Heavy fowarder wihout data loss

replicate kvstore with non-cluster sh

Re: UF Compatibility with rocky