Activity Feed
- Posted Re: How does universal forwarder load balancing work? on Getting Data In. 09-28-2015 10:00 PM
- Posted How does universal forwarder load balancing work? on Getting Data In. 09-28-2015 08:39 PM
- Tagged How does universal forwarder load balancing work? on Getting Data In. 09-28-2015 08:39 PM
- Posted Re: Pros and Cons for Multiple Splunk Indexers on Getting Data In. 09-22-2015 02:35 AM
- Posted Re: Pros and Cons for Multiple Splunk Indexers on Getting Data In. 09-21-2015 07:04 PM
- Posted Pros and Cons for Multiple Splunk Indexers on Getting Data In. 09-20-2015 07:36 PM
- Tagged Pros and Cons for Multiple Splunk Indexers on Getting Data In. 09-20-2015 07:36 PM
- Posted Re: How to count number of instances when a forwarder is down? on Getting Data In. 08-12-2015 03:01 AM
- Posted Re: How to count number of instances when a forwarder is down? on Getting Data In. 08-10-2015 08:38 PM
- Posted How to count number of instances when a forwarder is down? on Getting Data In. 08-10-2015 02:42 AM
- Tagged How to count number of instances when a forwarder is down? on Getting Data In. 08-10-2015 02:42 AM
- Posted Re: How to write a conditional search to return a table if the value of a field is X, else, it shouldn't be displayed? on Splunk Search. 07-13-2015 06:32 PM
- Posted How to write a conditional search to return a table if the value of a field is X, else, it shouldn't be displayed? on Splunk Search. 07-13-2015 04:43 AM
- Tagged How to write a conditional search to return a table if the value of a field is X, else, it shouldn't be displayed? on Splunk Search. 07-13-2015 04:43 AM
Topics I've Started
09-28-2015 10:00 PM
Right on! Thanks! Can't believe I missed reading that part.
09-28-2015 08:39 PM
Given this in outputs.conf:
[tcpout: my_LB_indexers]
server=10.10.10.1:9997,10.10.10.2:9996,10.10.10.3:9995
It states in the documentation that "The universal forwarder will load balance between the three receivers listed. If one receiver goes down, the forwarder automatically switches to another one on the list."
Question is, what if 10.10.10.1:9997 is always up, does that mean it won't send the data to the other two indexers? And only then will it change indexer, once 10.10.10.1:9997 is down? Or does it distribute the data to all three indexers regardless of whether one is up/down?
09-22-2015 02:35 AM
So this means, you would recommend having one SH, multiple IDX (both of which are deployed in the office) and remote sites all have HF instances?
09-21-2015 07:04 PM
Got it. Thanks for giving detailed information on this. Follow up question: will it consume bandwidth? We will be deploying boxes remotely, and current architecture is that these boxes have universal forwarders. The main Indexer is here in our office.
If we deploy indexers to these boxes, instead of universal forwarders, I would imagine that if I run a search query from the main server, it will connect to these remote boxes all the time? Isn't it going to be slower that way? Especially when, in the worst case, the network is slow, even with load balancing?
09-20-2015 07:36 PM
Our present architecture is a single indexer and multiple universal forwarders; however, it's getting slower when we have multiple panels and multiple search strings. Wondering if the solution is to have multiple indexers?
08-12-2015 03:01 AM
Unfortunately, it's still not returning anything. I even deleted "where count=0" to count those that are able to send, but still it returns nothing. Maybe at that specific minute, the forwarder did not send anything? Is there like a duration in between 1 minute? There could be cases when the forwarder forwards data by 1m:15secs.
08-10-2015 08:38 PM
I tried it and find by host, but it didn't work
host="host_name" | bucket _time span=1m| stats count by _time | where count = 0 | stats sum(count) AS NumMinutesWithNoData
Also tried asterisk, but to no avail...
* | bucket _time span=1m| stats count by _time | where count = 0 | stats sum(count) AS NumMinutesWithNoData
Is there something I missed?
08-10-2015 02:42 AM
I have a forwarder that forwards data every 60 seconds.
I would like to know the count when the forwarder is down (meaning there's no network and/or the machine is off/no power).
07-13-2015 06:32 PM
Thanks! Been trying eval and stats. Wasn't able to run through the where clause. Thanks!
07-13-2015 04:43 AM
How to have a search that returns a table if the value of a specific field is X, else, it shouldn't be shown.
Name | Value
---|---
A | 3
B | 5
C | 20

IF: Value > 10

Name | Value
---|---
C | 20
07-07-2015 08:00 PM
Thanks! Very helpful. Do you have an example on how to create a scripted lookup that calls an API? And where can I get that API?
07-06-2015 10:26 PM
Given that I have my latitude and longitude in an RDBMS and I can access it using Splunk DB Connect, I want to show the physical address based on the latitude and longitude coordinates.