Getting direct download is deprecated on splunk 9.X?  The app_exporter has many issues, but the biggest one is that it no longer works in splunk cloud as far as I can tell.  ... View more

stale product, hasn't improved much in state management after 10 years.    ... View more

In the documentation and answer, it talks about UF; the original question seems to be about HF.  For Intermediate HF (IHF),  this is NOT the way for forcing the downstream indexers to be the place of parsing data.  I tried it with Splunk cloud deployment.    Downstream indexers (aka cloud indexers) will NOT parse the data (index time timestamp fixing, transforms etc) without other techniques (setting route keyword).       ... View more

 The  default queue in inputs.conf was set to  IndexQueue?   So all your inputs by default, unless specified otherwise will SKIP parsing queues on HF.  That would not solve your problem of parsing queue getting full issue on your indexers.   so perhaps you need to remove that setting, but explicitly set queue=IndexQueue on sourcetypes that do not require scrubbing etc.       ... View more

Thanks! Let me try to understand what you said. * About services.  I agree for something this simple, 1 service with multiple KPIs should suffice.  I proposed multiple services because of some other reasons.  One of them is silo-ed departments.  The OS team or WEB team is completely separate from each other.   They demand clear delineation of "their stuff".    In your experience, when would you go with multiple services with dependencies between them?  * Let's go with 1 service for a simplified case.   I remember being taught the natural business key of an entity is the combinations of  title+alias+information.   That's why it is  Theoretically possible to have 2 entities with the same title.   See this: https://docs.splunk.com/Documentation/ITSI/4.5.0/Entity/EntityImportConflicts for an example that can lead to 2 entities with the same title, e.g 2 servers with the same host name on different data centers.  My question is when you would go with treating potential entities from different sources as being essential one entity and when you will separate them?   * Let me apply your strategy of unifying entities that applies to my case,  please correct me if I'm wrong: I created previously at least 1 entity per forwarder instance with Title-><hostname>,  instead in my entity importing search,  I should add a tmpentity field--- eval tmpentity=hostname and make tmpentity the Title,  and also  include tmpentity as part of the alias fields.   For importing entities from any other data sources,  if I decide that they should be just referring to and enriching an existing entity,  instead of creating a different entity,  I would:  eval tmpentity=<a field that takes the same set of values as existing entity>,  and use tmpentity will be used as the conflict resolution field so for the web log,  tmpentity=host  will suffice. what about the OS log,  where entity is called "web-host" in the "host" field.    should I do eval tmpentity=if(host="web-host", "web01", host)?  In my service definition / entity associations,  I will then always use tmpentity field for filtering. I should also then always include "eval tmpentity=..."  in my base KPI searches.  I appreciate any comments.   ... View more

Hi, what is not true? Can you be specific? Thanks. What I meant is when I have that specific settings (restart=always), "splunk stop" won't stop splunk. It seems that you have created some kind of polkit changes to get round systemd enabled splunk asking for password. I am sure it is possible for certain distributions of Linux and will definitely look into it. Note that is not an official solution from splunk as far as I know, having dealt with many splunk consultants whose suggestions are always "don't enable it". My frustration is that I haven't seen any other software so frustrating like splunk in terms of start/stop. The best direction going forward is for splunk to fix the damn issue, as we are paying them big bucks. No? ... View more

I have researched this issue for a very long time. So far there isn't a perfect solution still: linux system with only systemd (and auto routing to /etc/init.d script) support, but without actual sysV Restart= on-failure will cause splunk to stop but not restart when an internal splunk start is invoked, in situtations like rolling-restart etc. The only way to get it to reliably restart is to set Restart= always Ironically, this seems to be also the recommended setting in splunk's systemctl config with splunkd binary support. The downside is that you will not be able to control start/stop using splunk binary. using splunk splunkd systemctl support. This was default in 7.2 and then removed as default >=7.3 I was told by PS not to enable due to other issues. One issue is of course that you need (can get around) root password to start/stop. ... View more

Hi, I'm assuming you used raw+ props to get what you want. Are you able to do event protocol+ NO props to get proper time-stamping? I thought that is what HEC was designed for among other things, i.e. to simplify and speed-up data landing without data having to go through the parsing pipeline etc. If you CAN control the formatting from the sender side, you need to change time to epoch time, and then you can just use HEC event protocol. ... View more

Did you fix this issue? Does HEC support explicit indexed_extractions of CSV or JSON files when it is set to raw mode? ... View more

What was the solution? ... View more

I did pass the architect exam today but my experience was not very good. Here are a few things that you need to know: MAC OS Mojave is not working with the test system (as of 09/07/2019), and thus you need to find a windows PC. I was fortunate to have a spare windows laptop otherwise I would have to reschedule it. The exam software jumps in and out of its existence without any prompt on windows, which is scary. All windows will suddenly close and then reopen etc. So be patient. The test result is not shown on your screen, when you click "existing the survey". So you don't know whether you really have finished the test or not. I waited for about 5 minutes to get an email that informs me how to check the result. The proctor never showed up when the exam begins, and then in the middle of the exam, he opened up chat window to tell me that my head is not completely in the video recording. All in all, none of these should affect your performance, if you have studied for the exams. But I would say the test experience does need improving. ... View more

Can any splunk guru provide an example of a manager UI that dynamically shows or hides a set of fields? ... View more

Thanks. I did. However I needed functionality that is currently not provided by the add-on builder. ... View more

Hi, I have the same question. Is there not an official documentation somewhere? ... View more

This is not cool, now I have to do this. SELECT TO_TIMESTAMP('1970-01-01 00:00:00.0' ,'YYYY-MM-DD HH24:MI:SS.FF' ) + NUMTODSINTERVAL(r.TIMESTAMPfield, 'SECOND') AS event_date, r.* FROM r where ID> ? ORDER by ID ... View more

splunk should provide a simpler way for this on their GUI. ... View more

doesn't seem to really answer the question. I'm debugging someone's custom alert, and I don't want to change his code yet. So where are stderr stored, maybe it IS lost? ... View more

Did you solve this issue? I have the exact problem. dbx version is 1.1.6. ... View more

Did you find the answer to your question? ... View more

note this only works for the pretrained indexed extraction type such as w3c. For any other sourcetype, you do need to use a heavy forwarder. ... View more