Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About jordanking1992
jordanking1992
Path Finder
Member since:
03-07-2018
08-10-2020
Community Statistics
| Posts | 31 |
| Solutions | 0 |
| Karma Given | 6 |
| Karma Received | 3 |
| Member Since | 03-07-2018 |
Activity Feed
- Posted External Forwarder sending to DMZ Heavy Forwarder (9997) on Getting Data In. 08-10-2020 08:21 AM
- Tagged External Forwarder sending to DMZ Heavy Forwarder (9997) on Getting Data In. 08-10-2020 08:21 AM
- Karma Re: Field shows up under interesting fields but when you click any of the values, there are no results for woodcock. 06-05-2020 12:50 AM
- Karma Re: Why is CSV data showing up as hexadecimal? for gcusello. 06-05-2020 12:50 AM
- Karma Re: Indexer _internal size under /opt/splunk/var/lib is large for sathwikr076. 06-05-2020 12:50 AM
- Karma Re: Display Dates that Expire in 90 days for jacobevans. 06-05-2020 12:50 AM
- Karma Re: Is the max_searches_per_cpu setting based on CPU's of Index Cluster or just the searchead for gcusello. 06-05-2020 12:50 AM
- Karma Re: Identify Two Digit Year Timestamp Events Query (2020 Timestamp Issue) for MuS. 06-05-2020 12:50 AM
- Got Karma for Identify Two Digit Year Timestamp Events Query (2020 Timestamp Issue). 06-05-2020 12:50 AM
- Got Karma for Identify Two Digit Year Timestamp Events Query (2020 Timestamp Issue). 06-05-2020 12:50 AM
- Got Karma for Identify Two Digit Year Timestamp Events Query (2020 Timestamp Issue). 06-05-2020 12:50 AM
- Posted Re: splunk addon for aws does not list s3 buckets on Archive. 01-17-2020 11:22 AM
- Posted Re: Identify Two Digit Year Timestamp Events Query (2020 Timestamp Issue) on Getting Data In. 12-04-2019 01:55 PM
- Posted Identify Two Digit Year Timestamp Events Query (2020 Timestamp Issue) on Getting Data In. 12-04-2019 12:02 PM
- Posted Re: How can we verify the patch that has been provided for the date time issue before 1/1/2020? on Getting Data In. 12-04-2019 11:19 AM
- Posted Re: Is the max_searches_per_cpu setting based on CPU's of Index Cluster or just the searchead on Monitoring Splunk. 12-04-2019 06:32 AM
- Posted Is the max_searches_per_cpu setting based on CPU's of Index Cluster or just the searchead on Monitoring Splunk. 12-04-2019 05:58 AM
- Tagged Is the max_searches_per_cpu setting based on CPU's of Index Cluster or just the searchead on Monitoring Splunk. 12-04-2019 05:58 AM
- Posted Re: Indexer _internal size under /opt/splunk/var/lib is large on Getting Data In. 11-11-2019 06:55 AM
- Posted Re: Indexer _internal size under /opt/splunk/var/lib is large on Getting Data In. 11-04-2019 08:42 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 3 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
08-10-2020
08:21 AM
All, I am trying to send to from an external forwarder to a DMZ Heavy Forwarder that is behind a firewall w/ 9997 open. In my attempt to send data, I am getting "TCP output processor has paused the data flow" and unable to get to get results to the DMZ forwarder. I have similar setup with HEC and Syslog that works just fine but for traffic on 9997, Splunk is refusing to send. The box is ping-able and 9997 is open. The firewall is set up to route to the DMZ host as well. Anyone have some ideas on what I may be doing wrong or things to consider when setting up a Splunk HF in a DMZ?
... View more
Labels
- Labels:
-
heavy forwarder
12-04-2019
01:55 PM
Thank you so much. No more headaches!
... View more
12-04-2019
12:02 PM
3 Karma
We are trying to identify how much of our data is impacted by the latest timestamp bug. I was wondering if there was a query that used regex to search _raw for events that have 2 digit years. This will greatly help us analyze the risk of doing a last minute production upgrade...
... View more
12-04-2019
11:19 AM
Is there a query that can search the _raw events for sources that are using 2 digit years?
... View more
12-04-2019
06:32 AM
Thanks for the response. This is what i was suspecting. The reason for posting is because this time of year we have excessive use of Splunk. Teams put up all there dashboards for Holiday monitoring and we are getting this message. What you described with dashboards and panels is exactly whats happening hear.
As an admin, how do you manage multiple users loading the same dashboard with 12 searches (thus triggering many concurrent searches)? I explain to the users that this is why searches are queued but they do not seem to understand it haha.
... View more
12-04-2019
05:58 AM
We are receiving the message "This instance is approaching the max concurrency searches" on our search head. Usually if we are hitting concurrency for a role, it will mention "...max concurrency for this role.". From what i've read, when the instance hits max concurrency, it has to do with the system wide concurrency setting Splunk calculates based on CPUs.
Does the maxsearchper_cpu need to be applied to the limits.conf of the indexers or the search heads?
Thanks,
... View more
Labels
11-11-2019
06:55 AM
Hey, thanks for the reply. However, Splunk doesn't care what the name of the directory is as long as that directory never changes. When an index is created using [], Splunk knows to write and read data from the directory paths specified under this stanza.
The solution to my problem was what @sathwikr076 mentioned. By changed the DBPATH under /opt/splunk/etc/splunk-launch.conf, data for the **internal** index began writing to splunk_hot like anticipated.
Thank you for your response though!
... View more
11-04-2019
08:42 AM
Hey, i had no idea about this setting. So if i put the SPLUNK_DB path to /opt/splunkhot, will that affect any of my other indexes? Keep in mind, all indexes excluding *internal* are correctly sending to /opt/splunkhot. I would've assume explicitly setting the path's above (which are not referencing *SPLUNKDB*) woulve work...
... View more
11-04-2019
05:59 AM
Hello,
We have an indexer cluster that has a custom indexes.conf that specifies the volume path and retention of each index.
However, it appears the _internal DB on each of the indexers it writing to /opt/splunk/var/lib instead of our custom volume where all the other indexes are writing. This is causing our /opt/splunk filesystem to fill up.
Can someone explain why the indexers are not sending their _internaldb logs to /opt/splunk_hot even though we are referencing the volume in _internal? The ellipses are all the other indexes in the indexes.conf
indexes.conf
# VOLUME SETTINGS
# One Volume for Hot and Cold
[volume:primary]
path = /opt/splunk_hot
[volume:secondary]
path = /opt/splunk_cold
....
[_internal]
repFactor = auto
homePath = volume:primary/_internal/db
coldPath = volume:secondary/_internaldb/colddb
thawedPath = /opt/splunk_cold/_internaldb/thaweddb
... View more
10-31-2019
01:20 PM
Thank you so much for this solution. I have been going insane trying to figure out why this was happening.
Respectfully,
J
... View more
10-24-2019
08:35 AM
Hello,
If a user creates a dashboard with 10 searches and has 10 members of his team open up this dashboard, does this execute 100 searches (10 per each user of the dashboard refresh)? If so, how to we manage this in a scenario where this dashboard is needed often? We are thinking this behavior is responsible for high cpu as there are so many searches being executed each time the dashboard is opened.
Thoughts?
... View more
10-21-2019
08:06 AM
Hey keerthana_k,
I had this occur when i create a custom time range view. Try navigating to User Interface -> Time Ranges and you should be able to see any custom time ranges that have been created. In my case, the one that was created was had a label of default times.conf label
Respectfully,
... View more
10-04-2019
10:27 AM
okay its displaying half of what my search is reporting...aka what is should be. So if we enabled replication of _internal, why is the search above sayings is double what i see in t [Settings -- Licensing -- License Usage Reporting]
... View more
10-04-2019
10:04 AM
All,
We noticed something very strange with our reporting. We have recently transitioned to an indexer cluster. We have always had a report that is sent out with yesterdays license usage totals. However, a day after transitioning our reports now show double the license consumption when running searches like : index=internal source="*licenseusage.log" sourcetype=splunkd type="Usage" | stats sum(b) as bytes| eval GB=round(bytes/1024/1024/1024) |fields GB| rename poolszg as "Daily License Quota" GB as "Daily License Quota Used"
Our repfactor and search factor is both set at 2 which correlates with the doubling we see per index.
What seemed to correct our reports was disabling repFactor = auto and setting it to repFactor=0 for the _internal index found under the _cluster app. Since disabling this, our license consumption now matches the trend we were seeing prior to the cluster move.
Has anyone else had this issue with inaccurate license totals when having repFactor=auto set on _internal index?
... View more
09-24-2019
12:48 PM
Hello,
We have a field called "Certificate Expiration Date" and trying to only show items that expire 90 days or less. Have tried fieldformat with no luck.
Suggestions?
... View more
08-15-2019
08:14 AM
root@ubuntu:/opt/splunk/etc/system/local# splunk btool outputs list --debug
/opt/splunk/etc/system/default/outputs.conf [syslog]
/opt/splunk/etc/system/default/outputs.conf maxEventSize = 1024
/opt/splunk/etc/system/default/outputs.conf priority = <13>
/opt/splunk/etc/system/default/outputs.conf type = udp
/opt/splunk/etc/system/local/outputs.conf [tcpout]
/opt/splunk/etc/system/default/outputs.conf ackTimeoutOnShutdown = 30
/opt/splunk/etc/system/default/outputs.conf autoLBFrequency = 30
/opt/splunk/etc/system/default/outputs.conf autoLBVolume = 0
/opt/splunk/etc/system/default/outputs.conf blockOnCloning = true
/opt/splunk/etc/system/default/outputs.conf blockWarnThreshold = 100
/opt/splunk/etc/system/default/outputs.conf cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES256-SHA384:ECDH-ECDSA-AES128-SHA256
/opt/splunk/etc/system/default/outputs.conf compressed = false
/opt/splunk/etc/system/default/outputs.conf connectionTimeout = 20
/opt/splunk/etc/system/local/outputs.conf defaultGroup = qacluster
/opt/splunk/etc/system/default/outputs.conf disabled = false
/opt/splunk/etc/system/default/outputs.conf dropClonedEventsOnQueueFull = 5
/opt/splunk/etc/system/default/outputs.conf dropEventsOnQueueFull = -1
/opt/splunk/etc/system/default/outputs.conf ecdhCurves = prime256v1, secp384r1, secp521r1
/opt/splunk/etc/system/default/outputs.conf forceTimebasedAutoLB = false
/opt/splunk/etc/system/default/outputs.conf forwardedindex.0.whitelist = .*
/opt/splunk/etc/system/default/outputs.conf forwardedindex.1.blacklist = _.*
/opt/splunk/etc/system/default/outputs.conf forwardedindex.2.whitelist = (audit|internal|introspection|telemetry)
/opt/splunk/etc/system/default/outputs.conf forwardedindex.filter.disable = false
/opt/splunk/etc/system/default/outputs.conf heartbeatFrequency = 30
/opt/splunk/etc/system/default/outputs.conf indexAndForward = false
/opt/splunk/etc/system/default/outputs.conf maxConnectionsPerIndexer = 2
/opt/splunk/etc/system/default/outputs.conf maxFailuresPerInterval = 2
/opt/splunk/etc/system/default/outputs.conf maxQueueSize = auto
/opt/splunk/etc/system/default/outputs.conf readTimeout = 300
/opt/splunk/etc/system/default/outputs.conf secsInFailureInterval = 1
/opt/splunk/etc/system/default/outputs.conf sendCookedData = true
/opt/splunk/etc/system/default/outputs.conf sslQuietShutdown = false
/opt/splunk/etc/system/default/outputs.conf sslVersions = tls1.2
/opt/splunk/etc/system/default/outputs.conf tcpSendBufSz = 0
/opt/splunk/etc/system/default/outputs.conf useACK = false
/opt/splunk/etc/system/default/outputs.conf writeTimeout = 300
/opt/splunk/etc/system/local/outputs.conf [tcpout:qacluster]
/opt/splunk/etc/system/local/outputs.conf forceTimebasedAutoLB = true
/opt/splunk/etc/system/local/outputs.conf server = susplkidxqa001.homeoffice.anfcorp.com:9997
... View more
08-15-2019
08:11 AM
Weird. Yes, it is in fact indexed on that server and NOT the new cluster node specified in my outputs.conf. There is no reference to that server when using btool to check outputs.conf....
Could this be a bug or some type of network routing issue?
... View more
08-15-2019
07:00 AM
Timerange was in the last 15 minutes that i sent demo data. The searchheads are tied to the 3 old servers and the master_node that searches the three new. I am sending data to only one of new (cluster) nodes.
... View more
08-15-2019
06:28 AM
Hello,
We currently in the process of moving to indexer clustering with 3 new servers. The 3 old servers are standalone. After setting up the 3 new cluster peers and verify that the command ran for this are correct, i decided to send data to them. In my outputs.conf, i have only specified ONE peer from the new indexer cluster. However, when data is sent and indexed, the search head shows the splunk_server field with a value of our old server There are no references to that server name in any of the conf files either.. My machine has never sent data to the old servers so i am not sure whats going....
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-10-2020
02:15 PM
|
