02-10-2021
08:13 AM
2 Karma
I know that's an old post but I wanted to share a way more efficient solution to get latest timestamp by each index in a "metadata" manner:
| rest /services/data/indexes
| stats max(maxTime) by title
Hope that helps others- Cheers
01-14-2021
03:58 AM
Thanks for sharing but in my opinion it has an impact on the fixup/recovery progress/speed- As @berlincount already mentioned: and it's putting the brakes onto Cluster Data Rebalances massively. We see the same behaviour on our bigger cluster as sf fixup tasks took significantly longer than they did prior to the update. We will open a case on our behalf as well and I will share the conclusion here.
01-14-2021
12:03 AM
Not a solution but another post tracking this- https://community.splunk.com/t5/Splunk-Enterprise/CMMaster-Unable-to-send-scheduled-jobs/m-p/535346/highlight/false#M4666
01-14-2021
12:01 AM
Any news on this case? Facing the same issue after upgrading from 7.3x to 8.1.1
11-08-2019
03:26 AM
My thoughts exactly - I don't get the point why dbx ingests data using hec with json instead of simple csv as a db would perfectly be suited for that. Most of the use cases we don't care about ingestion speed (advantage of hec) but we do care about search performance (indexed fields).
10-24-2019
11:12 PM
Win 2012-
10-18-2019
01:41 AM
Solution? - Same story here
09-20-2019
01:40 AM
Hi @cyang - Will this version also address this problem:
https://answers.splunk.com/answers/770766/splunk-app-for-jenkins-audit-health-panels-still-p.html
thanks
09-17-2019
05:59 AM
1 Karma
I would not recommend to use a buggy version at all, since this problem may just be the "top of the iceberg"
09-16-2019
03:46 AM
10 Karma
Feedback from Splunk Support: They decided to take it from the web as there is a bug in it, asking for a more verbose feedback on this bug I got this:
On-prem customers on Splunk Enterprise 7.3.1 using SmartStore are vulnerable to an issue that may impact data durability under certain conditions. This issue is triggered during SmartStore migration, upgrade, rolling restart or indexer offline operations in 7.3.1 with active on-going searches. Under such conditions, a bucket which recently transitioned from hot to warm with active searches, is inadvertently considered as frozen and discarded leading to loss of the bucket contents.
I just upgraded a production environment last Friday to 7.3.1 and this is far off being helpful- I strongly expect Splunk to
- communicate this bug to all users
- Releasing the fix asap as I don't revert to 7.3.0
##UPDATE 17.09.2019##
After reaching out to my Splunk contacts I learned that:
- 7.3.1 was removed from download due to a critical exposure that was found
- The 7.3.1.1 patch will be released on Wednesday
- 7.3.2 will likely be released the following week
- The most current version available now is 7.3.0
- The critical exposure is affecting smart store
- Splunk Legal is working on a public communication of this issue
Hope that helps others-
09-09-2019
08:07 AM
We are using splunk 7.0.11 and the jenkins app 2.0.2 and facing the following problem:
The performance panels in the health dashboard and the whole audit dashboard are still referring to the default indexnames. We configured the custom index-names and the macros.conf looks good - the other panels seem to work fine.
We tried to hardcode the index somewhere but as this app deals with a lot of non standard components such as custom java and python scripts we are a bit lost here.
Anyone an idea on how to troubleshoot that?
Thx in advance
Claudio
09-09-2019
07:53 AM
2 Karma
Figured it out - this seems to happen when you do not use en-US/app/splunk_app_jenkins/health in the url- so the GB endpoint seems to be broken for reasons.
This might be a bug
09-06-2019
03:35 AM
Coming back to this-
We are using splunk 7.0.11 and the latest 2.0.2 of the jenkins app on a windows machine and running into issues with some dashboards not showing up as described in the initial question here.
The admin dashboards health, audit and the user dashboard job are showing up with a blank page-
Any ideas?
07-04-2019
12:56 AM
Did jwalthour's hint help out here? I have the same problem and as this is not documented at any point I'm a bit lost-
02-12-2019
03:45 AM
I know it's an old post but I had the same problem-
Solution was that I extracted all my fields using a delims transforms on a dedicated field extraction (basically the _raw event without header data). Now the datamodel was not aware of the underlying field extraction. Adding it as a field of the datamodel did the trick and all other fields showed up.
12-28-2018
09:46 AM
Hello Ninjas,
Does anybody have an idea of how to properly define a volume of 5TB of total storage in indexes.conf?
Technically, it should look like this:
[volume:hot1]
path = /mnt/fast_disk
maxVolumeDataSizeMB = 500000
As from a storage perspective, we use decimal separators from MB to TB and not the binary/mebi 1024. But some panels in the monitoring console made me struggle as the values do not seem to align with this logic.
So should it rather be:
[volume:hot1]
path = /mnt/fast_disk
maxVolumeDataSizeMB = 5242880
Using 1024 steps to calculate the 5 tb-
I haven't found anything in the docs so anything official would be appreciated
Cheers
Claudio
- Tags:
- indexes.conf
- volumes
11-26-2018
07:14 AM
Here's what I used-- kudos to splunk support for that one:
Ensure that you've got $SPLUNK_DB set in your environment (source $SPLUNK_HOME/bin/setSplunkEnv):
find $SPLUNK_DB -type f -wholename '*/db/[dr]b_*/rawdata/journal.gz' | perl -ne 'chomp;$d=$_;$d=~s/journal.gz$//;if(-e "$d/slicesv2.dat"){@s=`splunk cmd splunkd slices-dat-util --print \Q$d\E`;if(${^CHILD_ERROR_NATIVE}){print STDERR "Error processing $d\n"}elsif($s[$#s]!~/\d+:(?:\s+\d+){2}\s+(\d+)/){print STDERR "Error parsing results from $d\n"}else{print "$d\n" if $1 >= ((stat "$_")[7])}}'
cheers
10-31-2018
07:32 AM
Hi Ninjas
Might be simple but I didn't figure it out yet-
I have values in a timechart command, displayed in a line chart. However, the values in the chart look like this:
2,335
Which can be confusing as in my country we use the commas for decimal values- however, I would like to change that look but I struggle to find a good way to do so.
The "tostring" isn't a solution as the string conversion obviously leads to a missing numeric value context. And the behaviour seems to only affect the visualization, not the value itself as in the statistics tab, the separators are gone
Cheers
09-03-2018
02:10 AM
Works like a charm, even without using the token in the actual search-thanks!
09-03-2018
01:29 AM
1 Karma
Hi Ninjas
I played around a bit but got stuck somehow-
I have a dashboard with panel A and panel B- B is a detailed View from A. My goal is:
Only Panel A is shown when opening the dashboard, clicking somewhere on the panel, panel B shows up.
If I then click on panel B, it should disappear again.
I tried out various things with depend and reject but nothing did the trick above-
Thx in advance-
06-27-2018
02:41 AM
I don't want the indexers to do more work than they have to, that's just based on personal experiences with heavy load environments - philosophy-wise if you know what I mean
LineBreaker's set already but I feel that it could be difficult to handle if it has to check for the example above as the line which we want to get rid of also matches the linebreaker of all other lines- I tried something like
([\r\n]+|[\r\n]+INTEGER.*$)\d
But it did not work-
Well I think we got a bit off topic here, however I appreciate your input on that- what bothers me at the end is that there's a setting which never works for me and as it seems for other splunkers as well.
06-27-2018
02:08 AM
Well as line breaking is also done on the indexer/hf and based on the logic, using a LINE_BREAKER which captures the unneeded lines in the pattern and gets rid of them this way is basically the same as using a transform and a null queue regarding process costs, no?
06-27-2018
01:33 AM
Yes I did as I tested this out on a standalone machine-
06-27-2018
01:09 AM
hi folks
I have exactly the same situation as capilarity had and I think this should be a perfect scenario to use PREAMBLE_REGEX but it does not work.
Did actually ever someone get this scenario to work with PREAMBLE_REGEX? I have the feeling that this never works as documented. I'm not a big fan of nullqueues as the indexer has to process this and we neither want to put any unnecessary load on them, nor send the data from the uf as we obviously don't need those events. I know this can be done on hf as well, but there's not always one in place.
04-25-2018
11:12 PM
So reading this i feel that this is still something which is not supported in the current version, having a stored procedure as input?