Disable search feature on Indexer Cluster Nodes
Hi, I have configured SHC and Indexer cluster. Is there any way to disable the search feature on Indexer cluster nodes, so indexers will do indexing only and search heads will do searching only? Thanks, Rajeev
Single value visualisation is not working using sub search
I am trying to build single value visualisation using search & sub search, but it is not working. Simple dashboard earliest=-60m latest=now index=XXXXXX Successfull Logins where like(sourcetype,...
issue querying events in quotes
Seeing an issue with tabling results inside quotes and wondering if this is a known issue with a workaround? query: index=perfmon source=process sourcetype=WinHostMon ProcessId=22864 results: Type=Process...
MSSQL connect
Hey guys. When I configured New Connection in Splunk DB Connect v2 to my MSSQL server I had error: Database Type is required com.zaxxer.hikari.pool.HikariPool$PoolInitializationException: Failed to...
What UNIX OS and which filesystem do you recommend?
Hi, Both XFS and EXT4 filesystems are supported, and most Linux distributions are supported, but I wonder if any of you did a practical test and compared performance. I saw benchmarks for common...
Unable to use stats on summary index
I've created a summary index to keep track of my customer IDs and what their last IP address was, however I'm getting very strange behaviour while trying to use the fields. This search runs...
Why is one indexer faster at search than the other two - troubleshooting...
I have three indexers. All configured the same all with the same hardware (16 cores 32 GB ram). I have a simple search for internal data ` index=_internal host=My-License-Manager...
How can I run this query more efficiently without using so many join commands?
Hello, I'm running the following query to combine data from two different sources and to create a table for our AppAssure monitoring: host="AppAssure1" source="WinEventLog:AppAssureMonitoring"...
Create an alert for field that has two values when it should only have one
Example: userid: 123 should have a unique pin # and no other pin #s. Sometimes during a transaction userids are assigned two pin #s by mistake. Alert when a userid has more than one pin # transaction...
Socket Errors
Hello All, We are observing below warnings in all our indexer servers, it says socket error from our search head server. WARN HttpListener - Socket error from xx.yy.zz.aa while idling:...
Splunk DB Connect 2: Why is no data being indexed with my current inputs.conf...
I created an index sapecc-stage and a valid connection setup in the DBconnectv2 app. The query is good, but still I'm not getting data into my index. Just check the uploaded image, and it's previewing data in dbconnectv2...
How to edit my search to use a custom field created with eval in my time...
I have a search that comes up with a score based off a custom formula from nessus scan results. I want to plot that vulnscore over the past 90 days, i.e. the score from 0-30/30-60/60-90. Can anyone...
Why am I unable to save my search as a query in a dashboard panel?
I have a search that works fine when run manually: sourcetype=WinHostMonTest | rex field=_raw "CommandLine=(?<CmdLine>.+[^\n])" | table CmdLine But when I try to add it into my dashboard, it complains and the...
Does the AWS SQS Poller app support a proxy server option like the Splunk...
Hi All, Does the AWS SQS Poller app support a proxy server option like the Splunk Add-on for AWS? The SQS Poller data input does not provide an option to configure a proxy server, but is there a way we can...
maxWarmDBCount limit exceeded
I am using different storage drives for hot/warm and cold storage. The Fire Brigade app was reporting a total of 524 buckets for index A with a limit of 300. I verified on the storage drive that there...
Show EBS usage over time
Hello splunkers! I'm wondering how I can show a dashboard calculating EBS volume usage over time. And possibly into the future. This would be a very handy dashboard. At this point I'm trying to derive...
Files not reindexing even after deleting the fishbucket
I have some zip files that I need to reindex after cleaning the target index and refining the props. I cannot get Splunk to re-ingest them no matter what, even after cleaning the fishbucket. Here is...
Fast mode in html view
Hi, We are using html views to run Splunk queries. Is there any way to make the search run in fast mode in views for improving the performance of the search?
Index Cluster rolling-restart problem!
Hi all, We have a very unpleasant problem in our productive Splunk architecture. The rolling-restart does not behave as it should. Be it creating an index or otherwise. In a rolling-restart, every indexer...
How to build a list of simultaneously running threads?
Given the log events, containing time, name of thread and whether the thread has started or stopped: _time, thread_name, start/end. How to build a list of thread names that are currently running?