cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
nromito_splunk
Splunk Employee
Member since: ‎09-19-2014
‎06-05-2020
Community Statistics
Posts 7
Solutions 2
Karma Given 3
Karma Received 4
Member Since ‎09-19-2014
Activity Feed
Topics I've Started
No posts to display.
View All

Re: Add power user permissions to all private Admi...

by Splunk Employee in Security
‎03-30-2016 09:02 AM
2 Karma
‎03-30-2016 09:02 AM
2 Karma
The way you describe is exactly how you should handle moving the savedsearches.conf file if you want the owner to be "nobody"; however, if you want the searches to still be owned by admin, then you need to add owner = admin to your local.meta file stanza as well. There shouldn't be any side effects for this. You could always test this by moving a small number of savedsearches first to ensure that no dashboards or reports are breaking, and then move the rest over. This method should work for lookups as well. ... View more

Re: Indexing distributed data - distributed indexe...

by Splunk Employee in Getting Data In
‎03-18-2016 09:16 AM
‎03-18-2016 09:16 AM
You're welcome! 🙂 ... View more

Re: Why am I getting the error "You do not have th...

by Splunk Employee in #Random
‎03-18-2016 09:13 AM
‎03-18-2016 09:13 AM
Run splunk btool authorize list to check that the role you have still has the capabilities associated with adding data (edit_input_defaults, edit_monitor, indexes_edit, list_inputs, etc) Perhaps someone messed around with the capabilities given to default roles. ... View more

Re: Cluster Master and Forwarding?

by Splunk Employee in Deployment Architecture
‎03-18-2016 09:02 AM
‎03-18-2016 09:02 AM
Since the master is supposed to solely control the activities of the index cluster, it is recommended that you don't add extra work for the master to do. If you absolutely need to monitor these few files on the cluster master, I would recommend following this documentation (http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Forwardmasterdata). It is best practice to forward all of the master's logs to the peers, so the master does not have to be bogged down with any indexing itself. ... View more

Re: Indexing distributed data - distributed indexe...

by Splunk Employee in Getting Data In
‎03-18-2016 08:35 AM
1 Karma
‎03-18-2016 08:35 AM
1 Karma
The second method that you describe is the proper way to handle distributed search since it won't eat up the hard disk space of one indexer. The second method also will help with performance since the indexers won't have to perform extra work indexing and then forwarding the data on to another indexer. It is quite simple to enable as well. You can do this from the UI (easiest method) or using .conf files. Just create the index on each of your indexers. Once this has been done, go to the SH's UI. Click the Settings dropdown and find the Section with the title "DISTRIBUTED ENVIRONMENT". Under here, click the link for "Distributed Search". On this new page, go to Search Peers and add new ones (this is where you point your SH at each indexer). Just fill in the fields and click save. Do this for each indexer that you have. Once this is done, you should be able to write a search and that search will be distributed across all the indexers that you have specified in the distributed search page. If you care to read more about this, here are the docs: distsearch.conf: http://docs.splunk.com/Documentation/Splunk/6.3.3/admin/Distsearchconf About Distributed Search: http://docs.splunk.com/Documentation/Splunk/6.3.3/DistSearch/Whatisdistributedsearch ... View more

Re: How can I set the size of a Single Value Indic...

by Splunk Employee in Dashboards & Visualizations
‎03-17-2016 01:26 PM
1 Karma
‎03-17-2016 01:26 PM
1 Karma
Go to your dashboard and click on "Edit Source" in the Edit dropdown. You'll find the following kind of XML for the single value (the tag with single is the start of the single value). <dashboard> <label>test</label> <row> <panel> <single> <title>badfs</title> <search> <query>index=_internal | head 10 | stats count</query> <earliest>0</earliest> <latest></latest> </search> <option name="drilldown">none</option> <option name="height">500</option> </single> </panel> </row> </dashboard> Change the option name="height" tag value from whatever number you have there to 115 (this is the default size). This number represents the height in pixels. ... View more

Re: Why is kvstore update failing with code 115?

by Splunk Employee in Knowledge Management
‎03-16-2016 09:27 AM
‎03-16-2016 09:27 AM
The reason this message is displayed is because you're trying to write a multi-valued _key field to your KV Store. For example: I create a KV Store with the following values: '{"name":"indexer1","id":123,"address":{"street":"250 Brannan","city":"San Francisco"}}' '{"name":"indexer1","id":124,"address":{"street":"250 Brannan","city":"San Francisco"}}' I then write a search like this: index = _internal | head 1 | eval name = "indexer1"| lookup test_lookup name OUTPUT _key | outputlookup test_lookup append=true This means my one event from the search on _internal will match both of the KV Store entries, and we create a new field=_key for that event due to the OUTPUT of the lookup. Since we matched two entries in the KV Store, the _key field on the event will evaluate to something like "_key" : [ "56e30ef4af0001b2aa352761", "56e30f0baf0001b2aa352762" ]. Since Splunk's KV Store only allows a single, unique value for _key, the search fails with the cryptic message ERROR KVStoreLookup - KV Store Lookup output failed with code -115 and message '' tl;dr revise your search query, KV Store collection, or transforms.conf (max_matches=1) to ensure that you will not match an event to multiple KV Store entries when trying to write to the _key field. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM
Karma from
View All
Karma given to
View All