Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About vjdev
vjdev
Path Finder
Member since:
09-12-2025
01-04-2026
Community Statistics
| Posts | 14 |
| Solutions | 2 |
| Karma Given | 0 |
| Karma Received | 3 |
| Member Since | 09-12-2025 |
Activity Feed
- Posted Re: Splunk Entreprise Max Upload issue on Splunk Enterprise. 10-20-2025 08:26 AM
- Posted Re: Kindly build this in single query. on Getting Data In. 10-19-2025 02:03 PM
- Posted Re: Modifying Splunk> Logo after login in header in 9.x ~ on Dashboards & Visualizations. 10-19-2025 01:37 PM
- Posted Re: How to enable clustering ? on Deployment Architecture. 10-19-2025 12:00 PM
- Posted Re: Does Splunk Enterprise Security (ES) require a separate license file? on Splunk Enterprise Security. 10-19-2025 11:11 AM
- Posted Re: cgroup error when Splunk Universal Forwarder v9.4.4 is installed on Splunk Enterprise. 09-28-2025 05:32 AM
- Posted Re: Log ingestion delay on Splunk Enterprise Security. 09-28-2025 05:06 AM
- Posted Re: Regex works but transforms.conf extracts only part of the last field on Getting Data In. 09-19-2025 10:43 PM
- Posted Re: Cannot get logs from specific source to seperate by line on Getting Data In. 09-14-2025 11:27 PM
- Posted Re: I wanna forward all data from a single hf to 2 diffenrent splunk instances on Getting Data In. 09-14-2025 07:17 AM
- Posted Re: Are there any ways to whitelist specific fields from json format logs during data-onboarding? on Getting Data In. 09-14-2025 07:02 AM
- Got Karma for Re: sc4s app_parsers don't seem to work. 09-14-2025 07:00 AM
- Got Karma for Re: Are there any ways to whitelist specific fields from json format logs during data-onboarding?. 09-14-2025 06:59 AM
- Posted Re: Are there any ways to whitelist specific fields from json format logs during data-onboarding? on Getting Data In. 09-14-2025 04:00 AM
- Posted Re: sc4s app_parsers don't seem to work on Getting Data In. 09-14-2025 12:25 AM
- Posted Re: How to ingest data from VMWare ESXI host on All Apps and Add-ons. 09-12-2025 10:46 AM
Topics I've Started
No posts to display.
10-20-2025
08:26 AM
Hello, 1. Verifiy the configuration web.conf [settings] max_upload_size = 2000 2. Restart Splunk 3. Verify configuration in the memory /opt/splunk/bin/splunk show config web | grep max_upload_size 4. Try upload the file Now. Thank you!
... View more
10-19-2025
02:03 PM
Hello, |makeresults format=csv data="student_id,student_name,class,school,subject,score 1,Alice,10A,School1,Math,85 2,Bob,10A,School1,Math,72 3,Charlie,10B,School1,Science,90 4,David,10A,School2,Math,65 5,Eva,10B,School2,Science,88" | top score class school | streamstats count as ClassLevel by class | streamstats count as SchoolLevel by school Thank You!
... View more
10-19-2025
01:37 PM
Hello, Try modify $SPLUNK_HOME/etc/apps/search/appserver/static/appLogo.png $SPLUNK_HOME/etc/apps/search/appserver/static/appLogo.gif Thank You!
... View more
10-19-2025
12:00 PM
Hello, +++++++++++++ Indexer Cluster + +++++++++++++ Via GUI ======== cluster-manager -------------- Settings -> Indexer Clustering -> Enable indexer clustering -> Manager node -> Replication Factor : 2 Search Factor : 2 Security Key :passkey123 Cluster Label : Cluster1 Click -> Enable Manger Node Peer Node ---------- Settings -> Indexer Clustering -> Enable indexer clustering -> Peer node Manager URI : https://managerip:8089 [Cluster manager] Peer replication port : 8080 Security key : passkey123 Click -> Enable Peer Node Search head node ---------------- Settings -> Indexer Clustering -> Enable indexer clustering -> Search head node Manager URI : https://managerip:8089 Security key : passkey123 Click -> Enable Search head Node Via Config File: ======== Manager: -------- server.conf [clustering] mode = manager replication_factor = 2 search_factor = 2 pass4SymmKey = passkey123 cluster_label = cluster1 Peer Node: ---------- server.conf [replication_port://8080] [clustering] manager_uri = https://managerip:8089 mode = peer pass4SymmKey = passkey123 Search Head: ------------ [clustering] manager_uri = https://managerip:8089 mode = searchhead pass4SymmKey = passkey123 Via Cli ======= Manager Node: -------------- ./splunk edit cluster-config -mode manager -replication_factor 2 -search_factor 2 -secret passkey123 -cluster_label cluster1 ./splunk restart Peer Node: ---------- ./splunk edit cluster-config -mode peer -manager_uri https://managerip:8089 -replication_port 8080 -secret passkey123 ./splunk restart Search Head: ------------ ./splunk edit cluster-config -mode searchhead -manager_uri https://managerip:8089 -secret passkey123 ./splunk restart ./splunk show cluster-status +++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++ Searh Head Cluster ++++++++++++++++++ Deployer ------------ server.conf [shclustering] pass4SymmKey = yoursecuritykey shcluster_label = shcluster1 SH --- /opt/splunk/bin/splunk init shcluster-config -auth admin:changed -mgmt_uri https://sh1.example.com:8089 -replication_port 8887 -replication_factor 2 -conf_deploy_fetch_url https://deployerip:8089 -secret yoursecuritykey -shcluster_label shcluster1 [Repeat On all SH only by changing mgmt_uri] Once done in All SH. Choose captain. /opt/splunk/bin/splunk bootstrap shcluster-captain -servers_list "https://sh1.example.com:8089,https://sh2.example.com:8089,https://sh3.example.com:8089,https://sh4.example.com:8089" -auth admin:changed Check Status /opt/splunk/bin/splunk show shcluster-status Thank You!
... View more
10-19-2025
11:11 AM
Hello, Only one License file you will get for Splunk Enterprise. Splunk ES can be downloaded via Splunk Base if your organization have purchased Splunk ES [Only with mapped account with the organization.] Thannk You!
... View more
09-28-2025
05:32 AM
Hello, Try restart, if you have not done [SELINUX settings to apply]> [/usr/lib/systemd/system/SplunkForwarder.service] OR [/etc/systemd/system/SplunkForwarder.service] [Service] MemoryLimit=16542720000 [16 GB In Byte | modify as per your system memory ] sudo systemctl daemon-reload sudo systemctl restart SplunkForwarder Thank You!
... View more
09-28-2025
05:06 AM
Hello, Confirm the below, 1. No issues with Network bandwidth [QOS] 2. Splunk Syslog/Syslog-NG/rsyslog which one are you using? 3. View the data with packet capturing, monitor the timestamp in the data.
... View more
09-19-2025
10:43 PM
Hello, Did you make the entry for the srv and ver fields in fields.conf? Thank You!
... View more
09-14-2025
11:27 PM
Hello, TRY BELOW: INDEXED_EXTRACTIONS=JSON KV_MODE=none SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n]+) TIME_PREFIX=\"time\"\:\" TIME_FORMAT=%Y-%m-%dT%T MAX_TIMESTAMP_LOOKAHEAD=21 Thank You!
... View more
09-14-2025
07:17 AM
Hello, Try Ingest action, if you want to process [mask/filter] the data. Use Route to Destination Rule. Else go with multiple target in outputs.conf [tcpout] defaultGroup=cloned_group1,cloned_group2 [tcpout:cloned_group1] server=10.10.10.1:9997, 10.10.10.2:9997, 10.10.10.3:9997 [tcpout:cloned_group2] server=10.1.1.197:9997, 10.1.1.198:9997, 10.1.1.199:9997, 10.1.1.200:9997 Thank You!
... View more
09-14-2025
07:02 AM
Hello, Mask using regex , Filter using regex and EVAL can be achievable. This can help you lot. https://help.splunk.com/en/splunk-cloud-platform/get-started/splunk-validated-architectures/getting-data-in-forwarding-and-preprocessing/ingest-actions-for-splunk-platform Mask, redact, remove, or otherwise change raw data before indexing Tag, add, lookup, or otherwise augment raw data before indexing Thank You!
... View more
09-14-2025
04:00 AM
1 Karma
Hello, Hope below example help for you! 1st Option Transform. [session-anonymizer] REGEX = (?m)^(.*)SessionId=\w+(\w{4}[&"].*)$ FORMAT = $1SessionId=########$2 DEST_KEY = _raw 2nd option is Ingest actions. If both not helpful, explain more about the requirement . Thank you!
... View more
09-14-2025
12:25 AM
1 Karma
Hello, I have another option. If you can... try this one. https://splunkbase.splunk.com/app/7404 Thank You!
... View more
09-12-2025
10:46 AM
Hello maheshnc, If you use HF to receive syslog, it will receive the log, process it, and store it in the indexers. It wouldn't store in HF. To archive it, Settings → Data Inputs. Find the TCP and/or UDP input options under Network data. Add new for TCP or UDP. Choose the port you want to use. Assign a sourcetype. Choose or define the index. Optionally set host settings. Else, if you want to use UF, set up syslog-ng and store the logs in files and read them using UF by setting up inputs.conf. Difference: UF does not do full parsing, routing based on event content. Transformation/filters that require deep processing. It usually has minimal functionality.It is a lightweight component. HF is a full Splunk Enterprise install that is used as a forwarder. Indexing is typically disabled (or you configure it so it doesn’t index locally) when being used as HF. It can parse, filter, route, transform and mask/anonymize events before forwarding. Thank you!
... View more
