Hello. I recently updgraded from 9.3.6 to 9.3.9 all SPLUNK machines. With 9.3.6 i did not notice nothing wrong. Now in 9.3.9 i found many timeouts in WebIF, and many 502/503 errors from UI, taking to the terrific horse page... i need to raise in web.conf all timeout configs, the "horse" went away, but UI is extremely slow, sometimes i need to refresh blank pages (F5) to arrive to target destination 😣       Log example, ERROR [699e902bc17fd574134fa0] decorators:421 - Splunkd daemon is not responding: ('Error connecting to /services/apps/local: The read operation timed out',) Traceback (most recent call last): File "/opt/splunk/lib/python3.9/site-packages/splunk/rest/__init__.py", line 609, in simpleRequest serverResponse, serverContent = h.request(uri, method, headers=headers, body=payload) File "/opt/splunk/lib/python3.9/site-packages/httplib2/__init__.py", line 1709, in request Mostra tutte le 47 righe host = myhost source = /opt/splunk/var/log/splunk/web_service.log sourcetype = splunk_web_service ERROR [699e902bc17fd574134fa0] __init__:620 - Socket error communicating with splunkd (error=The read operation timed out), path = /services/apps/local host = myhost source = /opt/splunk/var/log/splunk/web_service.log sourcetype = splunk_web_service   Before, 1 click and in 1 second i went to my target UI page, now i need to wait also 60 seconds, and need F5 frequently to update a blank page... What's wrong? 😤 Running on Linux Red Hat 8.10 (Ootpa) witj kernel 4.18. Thanks. ... View more

Hello. Recently a critical vulnerability was found in ZLIB of MongoDB. https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/vulnerability-in-mongodb-product-mongodb-server-leak Is there a way resolve this internal issue? Thanks. ... View more

Hi. QUESTION #1: search peer login credentials In previous versions, i'm talking about v7 and/or v8, in my memory, login credential to search peers were stored into filesystem, inside /var/... in some files named search_peer#1.something, search_peer#2.something etc.. Now i upgraded to 9.4 version, and can't find them anymore. Where are credentials stored? In KVSTORE? I ask this question since today i need to untar a 9.4 version over a same 9.4 version to take some files a user deleted for error🤦‍♂️and after doing it, it was a searchpeer/indexer, on the SearchHead and Deployer (Management Console) the peer was DOWN, i needed to reinsert the login credential again as first time to make it UP & Healthy again. Is it for security or is it a bug? I remember i need to do it also months ago when we upgraded 9.3 to 9.4!!! After upgrading, all peer credentials was gone. I thought it was a temporary bug, but now it seems to be the normal behaviour: reinstalling an instance, over the same, removes all previous registered credentials for searchpeers? QUESTION #2: Splunk upgrading removes all $SPLUNK_HOME/bin/scripts/ And, also, after upgrading, all out custom scripts in $SPLUNK_HOME/bin/scripts/ was totally deleted, SPLUNK UPGRADER remove all of them, i found only the "readme.txt", we had something like 50 custom scripts, all gone 🙄 obviously we have a backup!!! But is it normal??? Thanks. ... View more

Hi. OK, this question is totally theory, but i came in case of pratical issue on such problem. So, let's think i have an App that writes the new log file every 00:00 and writes, I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. 12/02/2025 00:30:00 log #1 12/02/2025 00:30:01 log #2 12/02/2025 00:30:02 log #3   PREMISE: every day, at 00:00 the log is totally rewritten from 0 byte with same headers.   So, Splunk UF the first day should take the first 256 bytes for CRC and should take the log entry since it's new for it and send to indexers. Next day it should block it, thinking it's the same as the day before, since the 256b CRC it's the same, so i should find something like in UF log, File will not be read, is too small to match seekptr checksum [...]   And find only the entries of yesterday. Now i force an "initCrcLen = 1024", and now i should start on indexing since the file has, for example, I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. AND NOW I START TO LOG. AND NOW I START TO LOG. AND NOW I START TO LOG. AND NOW I START TO LOG. AND NOW I START TO LOG. AND NOW I START TO LOG. AND NOW I START TO LOG. AND NOW I START TO LOG. AND NOW I START TO LOG. AND NOW I START TO LOG. AND NOW I START TO LOG. AND NOW I START TO LOG. AND NOW I START TO LOG. AND NOW I START TO LOG. AND NOW I START TO LOG. AND NOW I START TO LOG. AND NOW I START TO LOG. AND NOW I START TO LOG. AND NOW I START TO LOG. AND NOW I START TO LOG. AND NOW I START TO LOG. 12/02/2025 00:30:00 log #1 12/02/2025 00:30:01 log #2 12/02/2025 00:30:02 log #3   The next day, initCrcLen to 1024 bytes wil be the same, UF tags the log as already sent yesterday and blocks it again. OK, now i force a new "crcSalt = <SOURCE>" to the input. But in few days both initCrcLen = 1024 [same header size] crcSalt = <SOURCE> [same file path] will calculate a same identical CRC, so the UF will think the log is still the same and it will be blocked! Am i wrong? I know the question is an old and always discussed question. But it's interesting to know if it's possibile to tell UF: "read the file without thinking about it's CRC, if i have still indexed it, read it, do anything other, and send to indexers!" 😉😉😉 ... View more