Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About chicodeme
chicodeme
Communicator
Member since:
05-25-2010
06-05-2020
Community Statistics
| Posts | 49 |
| Solutions | 2 |
| Karma Given | 82 |
| Karma Received | 10 |
| Member Since | 05-25-2010 |
Activity Feed
- Karma Re: Issue with livestatus - splunk.Intersplunk.getOrganizedResults() never returns a value for lukeh. 06-05-2020 12:46 AM
- Karma DeploymentClient - Unable to send handshake message for mfeeny1. 06-05-2020 12:46 AM
- Karma Serverclass using machineTypes that excludes one server for imacdonald2. 06-05-2020 12:46 AM
- Karma Re: Serverclass using machineTypes that excludes one server for gkanapathy. 06-05-2020 12:46 AM
- Karma license expired after upgrade to 4.2 for deyeo. 06-05-2020 12:46 AM
- Karma Re: Serverclass using machineTypes that excludes one server for gkanapathy. 06-05-2020 12:46 AM
- Karma Re: host override from a forwarder for Lowell. 06-05-2020 12:46 AM
- Karma Show source not available for this event for craigmunro. 06-05-2020 12:46 AM
- Karma Issue with livestatus - splunk.Intersplunk.getOrganizedResults() never returns a value for kuramanga. 06-05-2020 12:46 AM
- Karma Re: Issue with livestatus - splunk.Intersplunk.getOrganizedResults() never returns a value for lukeh. 06-05-2020 12:46 AM
- Karma Re: Issue with livestatus - splunk.Intersplunk.getOrganizedResults() never returns a value for lukeh. 06-05-2020 12:46 AM
- Karma Re: Issue with livestatus - splunk.Intersplunk.getOrganizedResults() never returns a value for lukeh. 06-05-2020 12:46 AM
- Got Karma for Re: license expired after upgrade to 4.2. 06-05-2020 12:46 AM
- Karma Re: Does Splunk for *nix App support HPUX? for maverick. 06-05-2020 12:45 AM
- Karma Re: Error in 'IndexScopedSearch': The search failed. More than 125000 events found at time 1283184202 for RNB. 06-05-2020 12:45 AM
- Karma Re: Force deployment to clients? for gkanapathy. 06-05-2020 12:45 AM
- Karma Re: Generic Host search only uses "all time" for briang67. 06-05-2020 12:45 AM
- Karma Re: What is Splunk database engine? for simuvid. 06-05-2020 12:45 AM
- Karma Re: What is the recipe for creating new SSL certs for forwarding with no auth? for ziegfried. 06-05-2020 12:45 AM
- Karma Re: What does "splunk enable boot-start" actually do? for gkanapathy. 06-05-2020 12:45 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 2 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 1 |
07-06-2012
07:55 AM
I was looking more for a setting from a Splunk config. Managing Acls is along the same lines as having to manage permissions. Also, I have SunOS, AIX, & Linux to manage. I should have been more specific in my question. Thanks for the feedback though.
... View more
04-23-2012
02:07 PM
Typically you need a default group for that:
Add this to your outputs.conf
[tcpout]
defaultGroup=nothing
disabled = false
indexAndForward = true
http://docs.splunk.com/Documentation/Splunk/4.3.1/Deploy/Forwarddatatothird-partysystemsd
"Note: If you want to forward only the data specifically identified in props.conf and transforms.conf, set defaultGroup=nothing."
... View more
10-21-2011
02:13 PM
how about these parameters?
./bonnie++ -n 0 -u 0 -r free -m | grep 'Mem:' | awk '{print $2}' -s $(echo "scale=0; free -m | grep 'Mem:' | awk '{print $2}' *2" | bc -l) -f -b -d /tmp
... View more
10-20-2011
09:12 AM
What did it end up being?
... View more
10-20-2011
09:11 AM
What did it end up being?
... View more
09-07-2011
08:59 AM
add to server.conf seems like a solution.. if using a forwarder.
[license]
active_group = Forwarder
... View more
09-07-2011
08:57 AM
1 Karma
add to server.conf seems like a solution..
[license]
active_group = Forwarder
or use the gui in 4.2 to switch to free license:
login the UI, go to manager > licensing
change the license group to "free license"
restart
... View more
09-07-2011
08:57 AM
add to server.conf seems like a solution..
[license]
active_group = Forwarder
... View more
09-07-2011
08:56 AM
worked for me on 4.2.2 ... added to splunklightforwarder app that is deployed out..
... View more
09-07-2011
08:52 AM
1 Karma
4.2.3 is out.. what is cmdline option?
... View more
09-07-2011
08:46 AM
In 4.2 to switch to free license:
login the UI, go to manager > licensing
change the license group to "free license"
restart
I'm looking for cmdline way to do it still..
... View more
09-07-2011
08:44 AM
Anyway at cmdline to change it? especially when using LWF/forwarders and gui is not running?
... View more
07-21-2011
01:19 PM
1 Karma
Splunk runs as root so it has access to monitor anything on the system without managing those permissions.
I ran this
find /opt/splunk/ -type d -exec chmod g+s {} \;
The files get created:
-rw------- 1 root splunk filename
I want to have it
-rw-rw---- 1 root splunk filename
Any ideas besides change the root user default umask?
... View more
- Tags:
- umask
03-30-2011
06:08 PM
sunos-* works as well..
... View more
03-14-2011
05:01 PM
After I got everything cleaned up from above and my *nix app deployment. I was able to get rid of the recover-padding entries after working with support.
I had to stop Splunk and delete *.data, .*manifest file(s) from /opt/splunk/var/lib/splunk/os/db
Then start Splunk..
I didn't have any .*manifest files but that cleared them up for me.
Also note it is NOT *.manifest.. It is .*manifest.
I validated that by looking in some of my other db dirs.
After the restart it rebuilt the *.data files.
They said if the above didn't work then I should
"run recover-metadata on all of your os index and identify the bad index"
But only if the above didn't work.
... View more
03-10-2011
05:24 PM
I found the recover-padding entries in here:
/opt/splunk/var/lib/splunk/os/db/Hosts.data
Can i just delete them and restart?
... View more
03-10-2011
05:19 PM
i upgraded the indexer to 4.1.7. didn't make the recover-padding go away
... View more
03-10-2011
05:04 PM
I think it might have happened because when I added ps.sh & top.sh to /opt/splunk/etc/deployment-apps/unix/local/inputs.conf I forgot to add them to /opt/splunk/etc/deployment-apps/unix/default/inputs.conf
I had removed the entries I didn't want at first. Anyways I put them back and deployed, but the recover-padding entries still didn't go away. Now i'm back to no ps.sh & top.sh but those darn recover-padding entries are all over even after a restart.
... View more
03-09-2011
02:43 PM
Will they go away after they do their recovery thing? They are most annoying visually..
... View more
03-08-2011
08:50 PM
2 Karma
In using the *nix app, I had cpu.sh/iostat.sh/vmstat.sh and all was working fine across 300 rhel4/5 boxes.
I added in ps.sh & top.sh and now I have 219 recover-padding=# host entries.
recover-padding-[1-5] as sources & sourcetypes.
Why did this happen and how can I make them go away?
I noticed this question but I couldn't find a Hosts.metadata file.
http://answers.splunk.com/questions/10032/wierd-hosts-recover-padding-listed
... View more
03-03-2011
05:06 PM
I didn't know of that option. Thanks I will try it out.
... View more
03-03-2011
05:06 PM
I didn't know of that option. Thanks I will try it out.
... View more
