Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About JyPl4wNYu7GV1uL
JyPl4wNYu7GV1uL
Explorer
Member since:
02-07-2018
12-12-2025
Community Statistics
| Posts | 19 |
| Solutions | 1 |
| Karma Given | 2 |
| Karma Received | 2 |
| Member Since | 02-07-2018 |
Activity Feed
- Posted Re: IndexScopedSearch The search failed. More than 1000000 events were found on Getting Data In. 12-12-2025 08:37 AM
- Posted Re: IndexScopedSearch The search failed. More than 1000000 events were found on Getting Data In. 12-11-2025 12:46 PM
- Posted Re: IndexScopedSearch The search failed. More than 1000000 events were found on Getting Data In. 12-11-2025 08:41 AM
- Posted Re: IndexScopedSearch The search failed. More than 1000000 events were found on Getting Data In. 12-11-2025 08:13 AM
- Posted IndexScopedSearch The search failed. More than 1000000 events were found on Getting Data In. 12-10-2025 01:16 PM
- Posted Re: Trouble with global deny list in inputs.conf on Getting Data In. 10-24-2025 12:29 PM
- Posted Re: Trouble with global deny list in inputs.conf on Getting Data In. 10-23-2025 11:47 AM
- Posted Re: Trouble with global deny list in inputs.conf on Getting Data In. 09-22-2025 01:05 PM
- Posted Trouble with global deny list in inputs.conf on Getting Data In. 09-22-2025 09:37 AM
- Posted Re: Particular sourcetype not appearing in search on Getting Data In. 09-12-2025 07:55 AM
- Karma Re: Particular sourcetype not appearing in search for livehybrid. 09-12-2025 07:53 AM
- Posted Re: Particular sourcetype not appearing in search on Getting Data In. 09-11-2025 11:47 AM
- Posted Particular sourcetype not appearing in search on Getting Data In. 09-11-2025 10:42 AM
- Posted return results even when the count of a field value is zero on Splunk Search. 01-21-2025 12:17 PM
- Got Karma for Re: About warning showing in Splunk Cloud message box. 12-09-2024 12:40 PM
- Got Karma for Re: About warning showing in Splunk Cloud message box. 10-28-2024 09:46 AM
- Posted Re: About warning showing in Splunk Cloud message box on Splunk Cloud Platform. 10-28-2024 09:41 AM
- Posted Re: About warning showing in Splunk Cloud message box on Splunk Cloud Platform. 10-28-2024 09:33 AM
- Posted Re: Events return blank results on Splunk Search. 02-26-2024 01:41 PM
- Karma Re: What would intermittently cause less events to return the raw data versus the total number of events it says it matched on? for dmarling. 02-26-2024 01:38 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
12-12-2025
08:37 AM
There's only one host forwarding right now. Ya, like I say, I ran a script to snapshot the audit.log file every 0.1s before, during, and after midnight and there is only a few hundred events with the 00:00:00 timestamp. I think I'm on to a solution. I ran a test on another splunk instance (10.0.1) I have and ingested a one-shot on the audit.log on that server and assigned it the pre-trained linux_audit sourcetype which is defined in system/default/props.conf. The timestamps were extracted correctly from the $SPLUNK_HOME/etc/datetime.xml config which is also set in etc/system/default/props.conf with a DATETIME_CONFIG = /etc/datetime.xml which has an epoch seconds extractor with sub-seconds. So I believe my issue on my other instance (9.1.0.2) is that the audit.log was give custom sourcetype of audit_log (which does not have any timestamp config associated with it). Then when the first event comes in just after 00:00:00, it get assigned the timestamp of index time, and then subsequent events get the prior event's timestamp and that goes on for millions of events. I can't explain exactly how my search for times after 00:00:01 see events with the correct _time matching the epochSeconds.ms in the log message. But, there's also this in the system/default/props.conf: [source::.../var/log/audit/audit.log(.\d+)?] sourcetype = linux_audit So, I'm guessing that is getting the default etc/datatime.xml triggered and getting the timestamps extracting properly. On my 9.1.0.2 instance I'm just going to change the sourcetype to the pre-trained linux_audit and it should fix the problem. I'll report back on Monday.
... View more
12-11-2025
12:46 PM
Yes, exactly, that's the time format I see in the events. Nonetheless, in a search which avoids the 00:00:00 time, _time values *are* getting the correct value matching the epochSeconds.ms in the log message. I'll troll around and see if there's some other TIME_FORMAT setting which is making this work, but it's not in my props.conf for the audit_log sourcetype. Hmm, I see I still have that old all_date_patch_props.xml installed. I'll check that.
... View more
12-11-2025
08:41 AM
See my reply below. I believe I addressed all your suggestions. For all the other events not at the 00:00:00 timestamp, the timestamp extraction is working just fine. None of the splunkd.log files show any weirdness around the midnight time.
... View more
12-11-2025
08:13 AM
The audit.log is being rotated by settings in auditd.conf. I'll check those settings and see if any might make the impact. The config options differ slightly from those in logrotate.conf. The /var/log/audit/audit.log is fully specified in the monitor statement in inputs.conf. The props.conf for the audit_log sourcetype is all defaults. Splunk is extracting the timestamps correctly without any timestamp config settings. It only hits the error at midnight every day. This file gets its own sourcetype and index (and, currently, I'm only forwarding from one host). I ran an inotifywait on the file and there were no anomalies. As I mentioned I made a copy of the file every 0.1 seconds before, during, and after midnight and there were just a couple hundred at the midnight timestamp (to the second; the timestamps also have ms). Also, there was no weirdness in the splunkd.log on the forwarder, indexer, or search head around midnight. Totally stumped. Also, even though the error is in the UI and in the info.csv file in var/run/splunk/dispatch/<sid>, in the "inspect job" the isFailed is 0. That's even more concerning.
... View more
12-10-2025
01:16 PM
I also have this issue:
[idx01,idx02] Error in 'IndexScopeSearch': The search failed. More than 1000000 events found at time 1765170000
This is on a /var/log/audit/audit.log file which fills to 2MB, then rotates to audit.log.1 (which is not indexed). It happens every night a midnight. I ran a snapshot script to get the audit.log file every 0.1 seconds around midnight and there are at most a few hundred log messages with the 1765170000 timestamp.
I searched with "| tstats count where index=audit_log by host, status" from 00:00:00 to 00:00:01 and splunk "thinks" there are 4.5 million events there.
Man, I'm stumped. I opened a splunk ticket, but wanted to track the issue here too.
Moreover, when examining the search with "inspect job" or when querying through the REST interface with curl, the "isFailed=0" is set. How does that make sense. You can see the error on the search head in the var/run/splunk/dispatch/<sid>/info.csv file, but that doesn't come back through REST.
... View more
Labels
- Labels:
-
other
10-24-2025
12:29 PM
Finally, I was able to get one syntax to work. This works: [blacklist:///var/dir1/dir2/dir3/.*abcdef.*] As long as you fully specify the full path down to the parent dir of the dir you want to block. For example, this does not work: [blacklist:///var/.*abcdef.*] I do still have a ticket open with splunk since this is so poorly documented and does not seem to follow wildcard rules like [monitor://]. I'd like to get the exact rules for <path> described somewhere.
... View more
10-23-2025
11:47 AM
Does not work. Still getting files in the abcdef directories. I didn't use that exact syntax cuz I have 1_abcdef, 2_abcdef, and 3_abcdef directories at multiple hierarchies. So my stanza was: [blacklist:///var/test/.../.*abcdef.*]
... View more
09-22-2025
01:05 PM
Hmm, based on that I thought I'd try fully specifying the full path. Even this does not work: [blacklist:/var/dir2/dir3/abcdef] Where the full path is fully specified. I still get files with that path from my [monitor] stanzas. Giving up and sticking with the "blacklist = <regex>" in the monitor stanzas.
... View more
09-22-2025
09:37 AM
I've reviewed this issue: https://community.splunk.com/t5/Getting-Data-In/Can-I-edit-inputs-conf-to-initiate-a-global-blacklist-so-it/m-p/220677 And this page: https://docs.splunk.com/Documentation/Splunk/9.4.2/Data/Specifyinputpathswithwildcards But I'm still having issues with a global deny list (eliminating any files with "*abcdef*" in the path) working. It works fine when I put it in the [monitor] stanza but not globally when it's in the [default] stanza. Syntax I've tried: [default]
[blacklist:/var/.../*abcdef*/*] [default]
[blacklist:///var/.../*abcdef*/*] [default]
[blacklist:.*abcdef.*] That last one I expected not to work, but I tried it anyway. The first one looks correct to me. This works fine, but I have to put it in many [monitor] stanzas (which seem silly). [monitor:///var/.../mylog*.log]
blacklist = .*abcdef.* Basically, I want to skip any files in the "/var" path where ".*abcdef.*" appears in the directory hierarchy. In most cases, I just have a "whitelist" and "blacklist" statement in each [monitor] stanza, but I have a case where I want to globally deny all files in a certain path. I'm more comfortable with the regex syntax in the [monitor] stanza. The global [blacklist:] syntax is not well documented. I'm assuming it follows the same janky "sort of " regex rules like for the [monitor] stanza. This is no help at all: https://docs.splunk.com/Documentation/Splunk/9.4.2/Admin/Inputsconf Because it doesn't well define <path>.
... View more
Labels
- Labels:
-
blacklist
-
inputs.conf
09-12-2025
07:55 AM
@livehybrid Boom! Learn something new every day.
... View more
09-11-2025
11:47 AM
Ok, solved it with this search: index=prefix_* host!="NotThisHost"
| dedup 1 host, sourcetype sortby - _time
| table host, sourcetype, source, _raw So, for some reason piping the "sort" to the "dedup" broke the search. I found this cuz the search dropdown suggested using "dedup ... sortby ..." over "sort | dedup." So my question is "WTF??!!" The interwebs AI claims the "dedup ... sortby ..." is more efficient than "sort | dedup." Perhaps the search dropdown should warn "Don't do that, I'm going to break your search results." So this is certainly a bug, so be forewarned. I'd give myself karma if I could. haha
... View more
09-11-2025
10:42 AM
CentOS 7.7.1908, Splunk v9.1.0.2 I want to get an example event for each sourcetype on each host (excluding one host). This is my search: index=prefix_* host!="NotThisHost" sourcetype=*
| sort - _time
| dedup 1 host, sourcetype
| table host, sourcetype, _time, _raw I run this for the period "yesterday." This all works, but I'm not getting a result for a particular sourcetype which has "myString" in the sourcetype name. If I rerun the exact same search with: index=prefix_* host!="NotThisHost" sourcetype=*myString*
| sort - _time
| dedup 1 host, sourcetype
| table host, sourcetype, _time, _raw I do get the expected results for the sourcetype with "myString" in the sourcetype name. So, the only change is to zero in the sourcetype with the "myString" in the sourcetype name. I'm stumped. I'm an admin user, so I have all the permissions. I had another admin user try the same 2 searches and they saw the same behavior where the sourcetype with "myString" in the sourcetype name was not in the first search, but appeared in the second. Not much help on the web with the Google AI or without. One suggestion was to see if your sourcetype had a hidden trailing space (it does not). I've tried with and without the "sort - _time"; no change. I've tried with various integers for dedup; no change. It's a pretty simple search, so I'm stumped. Anybody got any bright ideas? This feels like a bug to me. There'd be no way to recreate enough for a splunk issue ticket; and, I wouldn't bother anyway unless I could reproduce on 10.0.1 (when it comes out).
... View more
Labels
- Labels:
-
sourcetype
01-21-2025
12:17 PM
Stupid form editor adds extra CRs. Having trouble getting this search to work as desired. I've tried these 2 methods and can't them to work: eventtype="x" Name="x"
| fields Name, host
| dedup host
| stats count by host
| appendpipe [stats count | where count=0 | eval host="Specify your text here"] and using the fillnull command. Here is my search: index=idx1 host=host1 OR host=host2 source=*filename*.txt field1!=20250106 (field2="20005") OR (field2="20006") OR (field2="20007") OR (field2="666") | stats count(field2) by field2, field3 | sort count(field2) In this case the value for field2="666" does not exist in the results. Here're the results I get: field2 field3 count(field2)
1 20005 This is field3 value 1 2
2 20006 This is field3 value 2 6
3 20007 This is field3 value 3 13 To summarize, I want to search for all the values of field2 and return the counts for each field2 value even if the field2 value is not found in the search; so, then, count(field2) for field2=666 would be 0. As follows: field2 field3 count(field2)
1 666 <empty string> 0
2 20005 This is field3 value 1 2
3 20006 This is field3 value 2 6
4 20007 This is field3 value 3 13 This is a simplified example. The actual use case is that I want to search one data set and return all the field2 values and then search for those values in the first data set. This actual search I'm running looks like this: index=idx1 host=host1 OR host=host2 source=*filename*.txt field1!=20250106 [search index=idx1 host=host1 OR host=host2 source=*filename*.txt field1=20250106 | fields field2 | dedup field2 | return 1000 field2]
| stats count(field2) by field2, field3 | sort count(field2) I want to find all the field2 values when field1=20250106 and then find the counts of those values in the field1!=20250106 events (even for when the count of some field2 values have count=0 in results).
... View more
10-28-2024
09:41 AM
2 Karma
Disregard. I had put the setting in the [default] stanza, moved it to the [email] stanza, now the warning has resolved.
... View more
10-28-2024
09:33 AM
I just upgraded to 9.3.1 and was also getting that warning. I set a value for allowedDomainList in system/local/alert_actions.conf, restarted the daemon, but I still get the message. Just wanted to post in case other experience the same behavior.
... View more
02-26-2024
01:41 PM
I know this is ancient, but I had the same issue with blank results because of this: https://community.splunk.com/t5/Splunk-Search/What-would-intermittently-cause-less-events-to-return-the-raw/m-p/490525
... View more
02-16-2024
08:12 AM
Anybody got opinions on the opposite situation? I've always upgraded splunk using a tarball and extracted over top the prior /opt/splunk installation: ~6 upgrades. Now I'd like to switch to RPM, for all the stated advantages. Any issues I need to worry about by installing the RPM over a prior tarball install?
... View more
10-02-2023
10:33 AM
Similar has happened to me for my last 2 upgrades (9.0.5 and 9.1.0.2). In both cases after the upgrade, some conf files end up with root:root ownership. Before the upgrade they were splunk:splunk. Offending files (plus 1 .pyc file and migration.log in var/log/splunk): etc/system/local/eventtypes.conf etc/system/local/web-features.conf etc/system/local/authorize.conf Primary concern are the conf files. The upgrade is by .tgz file run as splunk:splunk. The initial start is run by root cuz it needs root permissions to create the systemd boot-start file. Is this just going to keep happening since I need to run "splunk enable boot-start . . . " as root? It's not a big deal to run chown to fix everything, but it is a manually step when is sometimes forgotten.
... View more
02-08-2018
04:16 PM
I'm curious about this answer because in my 6.5.2 version, when setting up a range value for a preset I'm offered a checkbox for create submenu. But the submenu does not work. So I'm wondering if it was removed or if it's just broken.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
12-12-2025
08:04 AM
|
