×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Kamachi
Explorer
Member since: ‎10-29-2025
2 weeks ago
Community Statistics
Posts 5
Solutions 0
Karma Given 8
Karma Received 1
Member Since ‎10-29-2025
Activity Feed
View All

Re: Splunk TA for O365 – Message Trace input fails...

by in All Apps and Add-ons
3 weeks ago
3 weeks ago
Migrated to the new endpoint as soon as it was available. The problem occured before MS released the new MT endpoint. ... View more

Re: WEF - Universal Forwarder multiple Windows TA'...

by in Getting Data In
‎04-15-2026 05:21 AM
1 Karma
‎04-15-2026 05:21 AM
1 Karma
Hi, there, fixed it already. - on prem - WEC server with UF aggregating logs from a lot of win servers Applying the following inputs.conf caused the data flow from the WEC server to stop: [WinEventLog://ForwardedEvents] disabled = 0 start_from = oldest current_only = 0 checkpointInterval = 5 index = wineventlog [WinEventLog] persistentQueueSize = 30GB The Monitoring Console still showed data being sent to the indexer _internal logs (splunkd) confirmed that data was being forwarded However, no data appeared in the target index Removing the [WinEventLog] stanza restored data flow This suggested a configuration merge issue, where the index setting was lost or misconfigured during processing, resulting in data being dropped at the indexer level Explicitly defining the target index in the [WinEventLog] stanza resolved the issue. Data is now correctly buffered using the persistent queue and indexed as expected: [WinEventLog://ForwardedEvents] disabled = 0 start_from = oldest current_only = 0 checkpointInterval = 5 index = wineventlog [WinEventLog] persistentQueueSize = 30GB index = wineventlog   Anyway thanks for the feedback! Best regards. ... View more

Re: Incremental backups of warm/cold buckets

by SplunkTrust in Share a Tip
‎03-24-2026 02:32 PM
1 Karma
‎03-24-2026 02:32 PM
1 Karma
Hi @Kamachi  1/2. You should backup the entire bucket, not just the journal.zst file. The other files make up part of the metadata, signposting and other data which allows Splunk to quickly find the content within the data it needs. When a bucket becomes frozen the metadata files are dropped and you are left with the compressed zst file which contains the raw data. This can be thawed back into Splunk if required (although some potential caveats here but less-so with an AIO instance). This does mean that when buckets are frozen, if you want to keep the frozen buckets somewhere longer then you probably want to remove the metadata files from them. You might find rsync works well for replicating the live-like nature of the filesystem. Check out https://splunk.my.site.com/customer/s/article/Bucket-Life-Cycle-overview which might also help. 3. Place them back where they were backed up from. Your AIO instance of Splunk will find them again once it starts up with the same indexes.conf configuration. 4.  The existing backed up data will be accessible again without re-indexing - if you copy the data in whilst Splunk is already running then you will need to restart Splunk. If its done during the VM provisioning then when Splunk starts up you shouldnt need to do anything. I would always recommend trying these things out with, ie create a new VM and attempt the recovery steps to prove this all works correctly. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more
Contact Me
Online Status
Offline
Date Last Visited
2 weeks ago
Karma from
View All
Karma given to