As @sylim_splunk already stated. Its managed by the OS. If your memory usage however is minimal and swap is completely used, it is usually no problem. Especially on modern Servers with NVMe SSD storage. If you really dont want the system to swap you can disable swap via: sudo swapoff -a Keep in mind in case the system uses all RAM and swap is off, the OOM-Killer in Linux might kill your splunk processes, which can lead to loss of searches/searchresults. ... View more

Thats correct. Hence its important to secure your Splunk environment properly. Use MFA and SAML in example. For more: https://docs.splunk.com/Documentation/Splunk/latest/Security/WhatyoucansecurewithSplunk ... View more

list_storage_passwords is a capability. That means users with a role providing this capability will be able to show credentials in the credential-store for any app, where the have read-access to the credential-store. In example. If the app has this metadata/default.meta: [] access = read : [*], write : [admin] Anyone can read the passwords/credentials in this app, if the user has the "list_storage_passwords" capability. If an app has this default.meta [] access = read : [*], write : [admin] [passwords] access = read : [ trustworthy_role, admin ], write [admin] Only users with the trustworthy role can see the credentials. Make sure you restrict app-access to the people which need the access. That way you can give list_storage_credentials to roles with the risk of having people access credentials, which they are not supposed to access.  You can also set the read/write access more granulary with [passwords/credential%3Arealmname%3Ausername%3A] Read more here: https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/secretstorage/secretstoragerbac   ... View more

This can happen, when both systems have diverting License-Master/Licenses. You should set the licensemaster to the same master_uri/same license pool. On the License-Slave: splunk edit licenser-localslave -master_uri https://<license-master>:8089 Or via server.conf: [license] master_uri = https://<licensemaster>:8089 However HTTP 400 Response is a very ambiguous message. Splunk should implement a proper Error-Message for this case. ... View more

This can happen, when both systems have diverting License-Master/Licenses. You should set the licensemaster to the same master_uri/same license pool. On the License-Slave: splunk edit licenser-localslave -master_uri https://<license-master>:8089 Or via server.conf: [license] master_uri = https://<licensemaster>:8089 However HTTP 400 Response is a very ambiguous message. Splunk should implement a proper Error-Message for this case. ... View more

Hey guys, how have you been able to fix this? I have the same issue with | rest splunk_server=local /services/search/jobs Can't find a safe way to find the malicious characters, although splunk is stating its this: Entity: line 305799: parser: Input is not proper UTF-8, indicate encoding !\nBytes: 0xC3 0x20 0x2E 0x2E ... View more

It basically was the way Splunk handles LDAP-Requests in Combination with 40ms more delay per request. Having Splunk doing 1000 requests per minute isn't expensive, when the delay is under a ms. But over the internet it becomes significant and draws lots of CPU Time. ... View more

@tkw03 No. I got told by Splunks Docs Team to raise a support ticket so they can get the Info from Devs with priority. I haven't had time yet to do so. Feel free to raise a support ticket to extend this part of the docs: http://docs.splunk.com/Documentation/Splunk/7.3.1/Troubleshooting/CommandlinetoolsforusewithSupport ... View more

If you dont know how to actually get to know, whats space-consuming inside the bundle, then go to your searchhead: tar -vtf <path to bundle> | awk '{print $3" "$4" "$5" "$6}' | sort -h This prints the biggest files in the bundle on the bottom. ... View more

Awesome. That resolved the issue for me. (Have a server in german Locale) ... View more

If you are not successful using gunzip, try 7z. Someone had this problem. https://answers.splunk.com/answers/755426/trying-to-fix-the-corrupted-bucket-error-journalsl.html ... View more

Isn't that exactly what is suggested in the link I posted? ... View more

Hi, i just tested: index="_internal" | timechart avg(executes) as a_executes avg(cumulative_hits) as a_hits and index="_internal" | stats avg(executes) as a_executes avg(cumulative_hits) as a_hits by _time Both draw 2 lines with time as a X-axes. If you use timechart you will always have time on the x-axes. With stats by you can haven your grouping on the x-axes. ... View more

This exception indicates a connectivity issue to your F5 ... View more

Depending on how your networking is set up and if the Splunk Instance on your machine is bind to your "external" IP. However, it is not recommended to send data unsecured/unencrypted over the internet. ... View more

What Splunk Version and App are you using? ... View more

May be that this helps. Although it sounds like you tried these steps already? https://answers.splunk.com/answers/389363/getting-error-streamed-search-execute-failed-becau.html ... View more

Usually you would use timechart like this and it will give it automatically to you: <your-search>| timechart span=1h average(your_field) as your_field_average Let me know, if it was helpful. ... View more

I downvoted this post because i downvoted this post because i can't remove all data to fix my data issue ... View more

I'm not really sure what you want to accomplish directly. But if you use mstats like this: | mstats latest(_value) AS last_value WHERE index="my_metrics" metric_name="*" by custom_dimension, metric_name You are able to use metric_name as well as the custom_dimension field after this command. As well as metric_name and the values of all the metrics. hope that helps. ... View more

Exactly what i already built. Very useful. You can also recycle some stuff of the original datetime.xml ... View more

In Addition to the capabilities, you need to make the manager endpoints readable in the metadata of the search-app: [manager] access = read : [ splunk_developer, admin, splunk_analyst ], write : [ splunk_admin, admin] export = system [manager/accesscontrols] access = read : [ splunk_admin, admin ], write : [ splunk_admin, admin ] ... View more