Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About ridwanahmed
ridwanahmed
Path Finder
Member since:
09-21-2017
10-12-2021
Community Statistics
| Posts | 35 |
| Solutions | 1 |
| Karma Given | 34 |
| Karma Received | 2 |
| Member Since | 09-21-2017 |
Activity Feed
- Posted Re: Http Event Collector ignores JSON timestamp on Getting Data In. 10-12-2021 12:22 PM
- Posted Re: How does the DMC calculate load average on Monitoring Splunk. 10-04-2021 07:57 AM
- Got Karma for Re: Spunk 8 Show Source Advanced XML OOPS. 09-23-2021 07:48 AM
- Karma Re: How do I Secure SplunkWeb on a Search Head Cluster for horsefez. 04-07-2021 09:04 AM
- Karma Re: inflight file clean up for huynha. 03-18-2021 11:44 AM
- Posted Re: Why does the Splunk Forwarder for Linux randomly stop sending and monitoring files? on Getting Data In. 11-30-2020 06:04 AM
- Karma Re: Why set maxHotBuckets > 1 in indexes.conf? for araitz. 09-18-2020 07:25 AM
- Posted Re: Issues with search head members pushing configs to captain on Deployment Architecture. 08-31-2020 10:09 AM
- Tagged Re: Issues with search head members pushing configs to captain on Deployment Architecture. 08-31-2020 10:09 AM
- Karma Re: Is it possible to disable another user's scheduled PDF report of a dashboard? for kenth213. 08-31-2020 09:43 AM
- Posted Re: Why am I getting Splunk installation failure in Windows 10 64 bit? on Getting Data In. 08-28-2020 06:56 AM
- Posted Re: Where did the download links for wget go on splunk.com?! on Installation. 08-05-2020 06:27 AM
- Tagged Re: Where did the download links for wget go on splunk.com?! on Installation. 08-05-2020 06:27 AM
- Karma Re: Spunk 8 Show Source Advanced XML OOPS for kornkid42. 06-05-2020 12:51 AM
- Karma Re: Why can't I get the deployer to push apps to search head cluster members after a new Splunk installation? for joesrepsolc. 06-05-2020 12:50 AM
- Karma Re: Why is the scheduled report showing 0 results but running the same search run manually and yielding events? for DalJeanis. 06-05-2020 12:49 AM
- Karma Re: add icon to app for niketn. 06-05-2020 12:49 AM
- Karma Re: Why am I receiving this error "No SSL Cert Validation can be performed since no CA File has been provided" in KV Store? for varunCarbyne. 06-05-2020 12:49 AM
- Karma Re: Why is the "Enable summary indexing" option no longer available in 6.6.0? for Lowell. 06-05-2020 12:48 AM
- Karma Re: Licensed Splunk Enterprise 6.5.0: How do I prevent "New maintenance" and "New version available" messages in Splunk Web? for masonmorales. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 |
10-12-2021
12:22 PM
if I must hit the event endpoint, what is the "time" field it expects? I am currently sending something called "time" and getting ignored, similar to OP.
... View more
10-04-2021
07:57 AM
buehler?
... View more
11-30-2020
06:04 AM
what was your solution in this case, @gymmynzl --just better logging setup, or something else?
... View more
08-31-2020
10:09 AM
did you ever figure this out?
... View more
- Tags:
- shc
08-28-2020
06:56 AM
An obvious thing to note: if you are installing as a domain account, and not local user, make sure it's in the form of : `domain\userAccount`
... View more
08-05-2020
06:27 AM
These links only DL the file directly for me; but as of August/2020, you see the wget link on the "thank you" page, after you've downloaded. This link may work directly, or you may need to choose a version and start downloading first, to see the wget link https://www.splunk.com/en_us/download/universal-forwarder/thank-you-universalforwarder.html
... View more
- Tags:
- wget
05-20-2020
07:10 PM
if I'm going to http://mySplunk:8000/en-US/debug/refresh?entity=/data/ui/view, suggestions on where to look next? I've checked all the files in /etc/apps/search/.../views/manager are have 644 permissions, owned by splunk.
This XML file does not appear to have any style information associated with it. The document tree is shown below.
<response>
<link type="text/css" id="dark-mode" rel="stylesheet" href=""/>
<style type="text/css" id="dark-mode-custom-style"/>
<messages>
<msg type="ERROR">Forbidden</msg>
</messages>
</response>
... View more
05-14-2020
05:30 AM
Permission for [views] set to "export=system" in /search app?
-->Can you see the "show source" page from any other app, or is it missing from just one?
... View more
05-08-2020
11:25 AM
If you have customizations, they should be in /local...if not, perhaps you can move them there?
You could try just cp-ing off the default folder to a tmp folder, and see how that goes?
... View more
05-07-2020
08:33 PM
1 Karma
The "show source" links calls up a dashboard view that lives in /app/search/default/data/ui/views/show_source.xml
If you created your app as a copy of the native "search" app, and didn't remove the "default" directory-- then Splunk can't find the original show_source.xml
Removing the "default" directory (specifically /data/ui/views-- but you should also not have the other stuff from Search app in there), let's splunk find the correct file, which has system-wide visibility (so every app can use it).
Edit: that bit about the "advanced XML error"
Thanks to @nick for pointing out--the show_source.xml view has been updated in more recent versions of Splunk, but copying it explicitly from an older version as I had is why specifically that error shows up.
... View more
05-07-2020
12:56 PM
were you able to sort this out?
... View more
04-20-2020
02:51 PM
I didn't think apps were replicated--can you explain?
I understand the search artifacts are replicated, but I also understand I should keep SHC apps consistent. So, to deploy this on all the SHs from the Deployer, or no?
... View more
03-09-2020
01:46 PM
From docs link text
However, searching for TERM(127.0.0.1) fails for data that looks like this:
ip=127.0.0.1 - user=admin
This is because the equal symbol ( = ) is a minor breaker, not a major breaker. Additionally, the IP address portion of the event is indexed as: ip, 127, 0, 1, and ip=127.0.0.1. You are looking for 127.0.0.1, which is not an indexed term.
... View more
02-26-2020
07:39 AM
did you ever figure out the issue?
I've confirmed https, pass4symmkey is correct, cleaned all my SHC instances, still this.
... View more
02-25-2020
09:39 AM
Found much of this answer reading @lguinn 's comment on https://answers.splunk.com/answers/454262/how-do-i-fix-splunk-resync-shcluster-replicated-co.html
... View more
02-25-2020
08:04 AM
Can someone please explain why this is an issue/ why deleting var/run is the best solution?
... View more
12-13-2019
09:26 PM
Is there a reason (beyond the obvious complaint in the log) to use parsingQueue instead of:
[queue]
maxSize = 2MB
... View more
11-18-2019
01:34 PM
Seconding this question above-- is there a parameter we can get rid of, to get rid of these messages?
... View more
11-11-2019
10:33 AM
Is this the same for if an indexer has full disk?
... View more
09-19-2019
08:57 AM
1 Karma
For someone else with this issue-- the sourcetype of "syslog" has a specific transform set up to pull out the hostname from the logs. It doesn't use the inputs.conf or server.conf name
See this answer:
https://answers.splunk.com/answers/55751/host-field-getting-overwritten-in-syslog-processing.html
... View more
