Activity Feed
- Got Karma for Re: Deployment Server clients have wrong apps. 04-25-2024 12:21 PM
- Karma Deployment Server clients have wrong apps for tlmayes. 04-25-2024 06:28 AM
- Posted Re: Deployment Server clients have wrong apps on Splunk Enterprise. 04-25-2024 05:47 AM
- Posted Re: Deployment Server clients have wrong apps on Splunk Enterprise. 04-25-2024 02:45 AM
- Karma Re: Deployment Server clients have wrong apps for tlmayes. 04-25-2024 02:44 AM
- Karma Re: add Deployer to existing search head cluster for gcusello. 11-27-2023 03:44 PM
- Karma Re: Smartstore Buckets Immutability for richgalloway. 09-26-2023 03:17 PM
- Posted Re: SSL certificate error: Couldn't find "distributed_tracer" in server.conf. on Splunk Enterprise. 11-23-2021 07:55 AM
- Got Karma for Re: Splunk app ingesting excess data. 02-10-2021 09:15 AM
- Karma Re: Can Splunk Web be Hosted on its own Server? for richgalloway. 01-08-2021 07:32 AM
- Karma Re: Does splunk support running a standalone search head next to a search head cluster? for cpetterborg. 01-08-2021 07:31 AM
- Karma Re: Apps pushed thro deployment server not with root user for richgalloway. 01-08-2021 07:30 AM
- Karma Re: how to see if event didnt occur after 15 min from other event for richgalloway. 01-04-2021 08:52 AM
- Posted Re: Splunk app ingesting excess data on All Apps and Add-ons. 01-04-2021 08:42 AM
- Karma Generate hashes for buckets that were created before data integrity control was enabled for jniedrauer. 01-04-2021 08:27 AM
- Posted Re: Generate hashes for buckets that were created before data integrity control was enabled on Splunk Enterprise. 01-04-2021 08:01 AM
- Karma Re: Restart activity for richgalloway. 01-04-2021 07:42 AM
- Posted Re: Universal Forwarder for FreeBSD on Splunk Search. 01-04-2021 07:37 AM
- Karma Re: Is this a suitable use case for the Splunk Machine Learning Toolkit? for Yolan. 01-04-2021 07:12 AM
- Posted Is this a suitable use case for the Splunk Machine Learning Toolkit? on Splunk Search. 01-04-2021 06:04 AM
04-25-2024
02:45 AM
1 Karma
I have nothing to add, except to say that I have observed the same bug, where the server classes that use machine filtering display the incorrect clients in the UI. The bug remains in version v.9.2.1
11-23-2021
07:55 AM
Check if you were getting this error before configuring SSL. I get this error on all hosts, and I don't believe that it's related to SSL. In short, I think that you can ignore this.
01-04-2021
08:42 AM
1 Karma
Where you have a [default] stanza in each inputs.conf, those stanzas are not scoped to the inputs.conf file. Instead, all the inputs.conf files are aggregated, and only one of the [default] stanzas "wins". (Configuration file order precedence is documented here.) I would expect your inputs.conf files to look like:

[script://./bin/vmstat.sh]
index = os
interval = 60
sourcetype = vmstat
source = vmstat
disabled = 1

and

[monitor:///sysnet/openempi/openempi-3.5.7/logs]
index = oempi
whitelist=(\.log|\.out|\.txt)
disabled = 0

[monitor:///sysnet/openempi/openempi-3.5.7/openempi-entity-3.5.7/logs]
index = oempi
whitelist=(\.log)
disabled = 0
01-04-2021
08:01 AM
It's many years since I had to deal with the details of enableDataIntegrityControl, and the detail in the documentation misses some of the detail that I'm sure I learned years ago. My memory is that when you enable data integrity control the hashes of the data are written with each slice in the data (this isn't mentioned in the documentation), and a copy of the hashes is stored in files in the raw data for the bucket (this is mentioned in the documentation). When you run the check-integrity command the hashes from within the data are verified against the hash files. When you run the generate-hash-files command it will generate the hash files from the hashes stored in each slice. It won't create the hashes against each slice. That is only done when a slice is written. As I say, it was many years since I had to deal with the detail of this, so things may have changed, or I may have misremembered, but that would explain why you don't get the results you're hoping for.
01-04-2021
07:37 AM
According to the system requirements FreeBSD is supported for the Universal Forwarder, but there doesn't appear to be a v8.1 package for it. The latest FreeBSD Universal Forwarder package is currently 8.06, which can be found on the Older Splunk Universal Forwarder Releases page. https://www.splunk.com/en_us/download/previous-releases/universalforwarder.html#tabs/freebsd
01-04-2021
06:04 AM
Suppose I have two sets of data: Workers, who have attributes such as location, pay grade, role, department, skills. Roles, which have attributes such as location, pay grade, role, department. If I also have a mapping of which workers have been assigned which roles in the past, including an attribute of whether the assignment was considered a success or a failure, could I use the past data to train a model and assign some predicted success/failure score to each possible worker/role combination? Note that it wouldn't be necessary for a worker and role to have attributes which are exact matches, but I might expect a model to identify combinations which have been successful in the past (e.g. a worker was in the IT department, and was successfully matched with a role in the Security department), and learn from that. I have looked at the documentation for the MLTK Showcase Examples and I'm not sure that any of the examples closely match what I would like to achieve. Does this sound feasible? Thanks.
05-20-2020
03:10 AM
Upvoted for including the "untable" command, which turned out to be exactly the function I needed.
05-20-2020
02:52 AM
Upvoted for the approach
05-20-2020
02:51 AM
I'm answering my own question here, but I'm posting it to show how simple the answer is when you can find the right Splunk function to use!
untable "converts results from a tabular format to a format similar to stats output"
So in my case I just needed to append to my search:
| untable Department month_name value
| rename Department as department_name
Thanks to Kamlesh for the inspiration, and to4kawa for putting that command in his answer.
05-19-2020
12:19 AM
Thanks Kamlesh, I can see the approach you are taking, but when I run the search, I get errors "Failed to parse templatized search for field..." for each FY field.
05-18-2020
05:35 AM
I have a lookup file, which is of the format:
"Department", "Jan FY20", "Feb FY20", "Mar FY20", "Apr FY20"
"Sales", "12", "15", "18", "17"
"HR", "7", "5", "6", "11"
Over time, the number of columns will increase, and their names may change, but they will always contain "FY".
What I want to do is return the data in the form:
department_name, month_name, value
i.e.
Sales, Jan FY20, 12
Sales, Feb FY20, 15
Sales, Mar FY20, 18
Sales, Apr FY20, 17
HR, Jan FY20, 7
HR, Feb FY20, 5
HR, Mar FY20, 6
HR, Apr FY20, 11
I'm sure that there's a simple function to do this (at search time), but I can't work it out.
What is the best way to do this?
02-03-2020
07:49 AM
Yes, you can take as long as you need for the rolling upgrade, you just accept that you can't do any other cluster maintenance (including bundle pushes) during the upgrade.
I would personally keep the cluster master in rolling upgrade mode overnight. I don't know what the implications of taking it out of that mode while the indexers are mixed versions would be though.
02-03-2020
06:51 AM
1 Karma
From the error, if the indexer did restart without manual intervention, I would guess that the restart of the indexer took longer than the restart_timeout defined in the cluster master's server.conf. By default this is set to 60 seconds, and I have seen indexers take much longer than this to restart.
Can you see from splunkd.log on the indexer how long the restart actually took? If it's longer than 60 seconds, then you might want to extend your restart_timeout (https://docs.splunk.com/Documentation/Splunk/7.3.3/Indexer/Userollingrestart#Handle_slow_restarts)
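As an added illustration of the check suggested in the answer above (this code is not from the thread or from Splunk), the script below measures the gap between the shutdown and startup messages in a constructed splunkd.log excerpt and compares it against the 60-second restart_timeout default. The exact log message texts and the timestamp format are assumptions.

```python
import re
from datetime import datetime

# Constructed splunkd.log excerpt for an indexer restart (not a real log).
# The message wording is assumed; adjust the markers to match your own splunkd.log.
SAMPLE_LOG = """\
01-04-2021 06:50:01.123 +0000 INFO  loader - Shutting down splunkd
01-04-2021 06:50:02.456 +0000 INFO  ShutdownHandler - Shutdown complete
01-04-2021 06:51:40.789 +0000 INFO  loader - Splunkd starting (build placeholder)
01-04-2021 06:51:55.000 +0000 INFO  TcpInputProc - Listening on port 9997
"""

# Default restart_timeout (seconds) on the cluster master, as stated in the answer.
DEFAULT_RESTART_TIMEOUT = 60

# Leading "MM-DD-YYYY HH:MM:SS.mmm" timestamp on each splunkd.log line (assumed format).
TS_RE = re.compile(r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})")


def parse_ts(line):
    """Return the line's timestamp as a datetime, or None if the line has none."""
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), "%m-%d-%Y %H:%M:%S.%f") if m else None


def restart_duration(log_text, stop_marker="Shutting down splunkd",
                     start_marker="Splunkd starting"):
    """Seconds from the last shutdown marker to the first startup after it, or None."""
    stop_ts = None
    for line in log_text.splitlines():
        ts = parse_ts(line)
        if ts is None:
            continue
        if stop_marker in line:
            stop_ts = ts               # remember the most recent shutdown
        elif start_marker in line and stop_ts is not None:
            return (ts - stop_ts).total_seconds()
    return None                        # no complete shutdown/startup pair found


def exceeds_timeout(log_text, timeout=DEFAULT_RESTART_TIMEOUT):
    """True when the measured restart took longer than the configured restart_timeout."""
    d = restart_duration(log_text)
    return d is not None and d > timeout


if __name__ == "__main__":
    print("restart took %.1f s; exceeds %ds timeout: %s"
          % (restart_duration(SAMPLE_LOG), DEFAULT_RESTART_TIMEOUT, exceeds_timeout(SAMPLE_LOG)))
```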
06-07-2019
02:23 AM
I have a large lookup table which is periodically generated from indexed data by a saved search.
The saved search takes a considerable amount of time. The saved search rewrites the lookup each time (i.e. it doesn't append).
The indexed data from which the lookup is generated is not updated continuously.
Every time the saved search that builds the lookup runs, it uses a large amount of Splunk resources.
If there has been no new indexed data, this means that we rebuild the lookup, using all those resources, when we could have simply done nothing instead.
Is there an elegant way to modify the saved search so that if the latest indexed data is newer than a field in the lookup, we rebuild the lookup, but if not, the saved search ends without changing the lookup?
06-21-2018
07:41 AM
1 Karma
I see from the release notes that the current version of the Splunk Add-on for RSA SecurID is compatible with version 8.1 of RSA Authentication Manager.
Can anyone confirm that it is also compatible with version 8.3 of RSA Authentication Manager?
04-12-2017
04:52 AM
The Troubleshooting Manual has a specific section on event indexing delays, which includes identifying the cause.
http://docs.splunk.com/Documentation/Splunk/6.5.3/Troubleshooting/Troubleshootingeventsindexingdelay
02-27-2012
07:51 AM
2 Karma
I have been using Splunk for a few months, and now have a number of eventtypes defined. However, they've all got private permissions (the default), and we've now discovered that they should be shared within the search app for our needs.
I know I can change the permissions on each eventtype individually, but is there a quicker way to change the permissions for multiple objects?