Activity Feed
- Posted Re: Kv store migration before or after Splunk upgrade to 9.0.1 on Deployment Architecture. 11-03-2022 08:59 AM
- Posted Kv store migration before or after Splunk upgrade to 9.0.1 on Deployment Architecture. 11-03-2022 08:24 AM
- Posted Re: The current bundle directory contains a large lookup file that might cause bundle replication fail - delta on Splunk Search. 06-24-2022 01:30 AM
- Karma Re: The current bundle directory contains a large lookup file that might cause bundle replication fail - delta for gcusello. 06-24-2022 01:13 AM
- Posted Re: The current bundle directory contains a large lookup file that might cause bundle replication fail - delta on Splunk Search. 06-24-2022 01:12 AM
- Posted How to resolve:The current bundle directory contains a large lookup file that might cause bundle replication fail- delta on Splunk Search. 06-23-2022 03:19 PM
- Tagged How to resolve:The current bundle directory contains a large lookup file that might cause bundle replication fail- delta on Splunk Search. 06-23-2022 03:19 PM
- Posted Re: Deployment Server access via Winscp on Splunk Dev. 04-22-2022 12:47 AM
- Posted Re: Deployment Server access via Winscp on Splunk Dev. 04-22-2022 12:46 AM
- Karma Re: Deployment Server access via Winscp for Stefanie. 04-22-2022 12:44 AM
- Karma Re: Deployment Server access via Winscp for isoutamo. 04-22-2022 12:44 AM
- Posted Deployment Server access via Winscp on Splunk Dev. 04-21-2022 01:13 PM
- Posted What is Index Retention Policy for maximum storage usage? on Deployment Architecture. 03-23-2022 03:18 AM
- Posted Re: Update TA via Deployment Server on Deployment Architecture. 03-17-2022 06:46 AM
- Posted Re: Update TA via Deployment Server on Deployment Architecture. 03-17-2022 06:27 AM
- Posted How to update TA via Deployment Server? on Deployment Architecture. 03-17-2022 04:15 AM
- Posted Re: Set Up Your Splunk Enterprise Security Sandbox on Installation. 09-29-2021 02:27 AM
Topics I've Started
08:59 AM
@richgalloway - thanks for the quick response. Is the migration obligatory though or optional?
08:24 AM
Hi all, we are planning to update to version 9.0.1 and I was wondering if the kv store migration from mmap v1 to WiredTiger is obligatory? The first sentence from the Splunk documentation says "Splunk Enterprise versions 9.0 and higher require the WiredTiger storage engine and server version 4.2" but I was wondering if something will go wrong if we don't perform the kv store migration before the Splunk upgrade or if we don't perform the migration at all. Thanks!
- Labels:
search head
01:30 AM
Hi gcusello, only the delta is mentioned in the message. That's why I am a bit confused - should I be looking at the bundle instead? The delta is just the new changes made, while the bundle contains all lookups, as far as I know. Thanks, Daisy
01:12 AM
Hi Giuseppe @gcusello, my problem is rather that the delta is shown in the message, not the bundle. So my question is - should I look for a big file in the delta and what is considered a big file for the delta? Or should I still look for big files in the bundle? I can't identify which file is causing the problem. Thanks, Daisy
03:19 PM
Hi all,
I keep getting a message that the current bundle directory contains a large lookup file and the specified file is a delta under /opt/splunk/var/run. I read that the max_memtable_bytes determines the maximum size of lookups. But how about the delta? What delta size is too large? Or should I rather be looking at the largest lookups in the bundle to resolve the problem? Do you have any tips on how to resolve this? Thanks.
- Tags:
- lookup
12:47 AM
I was looking for this option (as I read online about it) but couldn't find it so it might be disabled. Is it possible that it is disabled or should I look further for it?
01:13 PM
Hi all, I would like to access DS via Winscp so I can look at and download some apps. The problem is that Splunk is installed as and owned by splunk user. When I use Putty, I use "sudo su - splunk" and am able to make changes to any directories under /opt/splunk. Can someone give me a hint what I need to change for Winscp to be able to use it and access the directories as I am currently getting "permission denied" messages. Thanks!
03:18 AM
Hi all, I am considering updating our index retention policy. However, I am not sure how to choose the maximum possible allocated space. We have a few indexes and one of them takes about half of the total index volume. We would like to keep the data for as long as possible, however we have limited storage. For simplicity, let's say we have 1 TB storage and a single instance, 10 indexes. As far as I understood, it would be best to choose MaxTotalDataSizeMB to set the max MB per index. However, I can't divide the space of 1TB per index as only some of the space can be taken up by indexed data. So my questions are:
1) How should I choose what the MaxTotalDataSizeMB per index is?
2) How can I use the server storage to the maximum without getting Splunk problems?
3) Is it reasonable to calculate the total index storage by looking at the total storage outside of /opt/splunk/var/lib directory and then deciding how much storage can be allocated to indexes? What approach do you recommend?
4) What approach would you recommend in my case? Is it reasonable to keep data for as long as possible and are there reasons for avoiding this approach?
06:46 AM
Hi @gcusello - thank you very much. I have indeed used WinScp as well as MobaXTerm. But I am lacking the practical experience of updating TAs so I was wondering what the best way would be. Thank you very much - you answered all my questions.
06:27 AM
Hi @gcusello, thanks for the quick reply. I have some additional questions:
1) How do you get the TA on DS - do you download it on your laptop and then move via SSH?
2) Why do you need to untar the TA twice? Via tar -xvzf it should be sufficient to use the tar command once. Or do you mean to get from .tar.tgz the fully uncompressed folder?
3) Why do I need to modify the ServerClass via GUI? The TA name would stay the same so it should already be available. Or am I missing something here?
4) When untarring the TA, the local folder should be left untouched, right? As there should be custom configurations and I am afraid to lose these. Thus, I wrote that I would take backup before untarring, is this needed at all?
Thank you very much!
04:15 AM
Hi all, from the available documentation, I am not getting how to practically update TA via Deployment server (i.e. distribute a newer version to the UFs via DS). If it matters, it is about the Add-On for Linux and Unix. I would imagine that it looks like this:
1) get the TA on the Deployment Server via GUI - go to "install app from file" -> upload the downloaded .tgz file from splunkbase -> restart Splunk
2) Backup the used TA (older version)
3) Copy the TA (newer version) from the App folder into the deployment-apps folder (via cp -R)
4) Redeploy Deployment Server via splunk reload deploy-server
5) Check if data is still being onboarded properly
Am I missing anything? Is this approach valid?
- Labels:
deployment server
universal forwarder