From 8.1+: You can now use a more intuitive and more readable syntax, like:
index=main mysearchterm
```This is a comment```
| stats count by host
Check the dashboard's permissions (apps -> your_app -> View Objects). Just found out that if sharing is set to private, it's not placed in the app's local directory, but hidden somewhere else. Changing the sharing to App places the dashboard into the app's local/data/ui/views folder.
This was with Splunk 7.1.2 so it might not be entirely accurate for Splunk 5.
We are currently using version 6.3. We have randomly been getting the below message for a few months. We have even had issues where our search head became non-responsive and we had to restart the splunkd service. We have received this message from both of our indexers while running searches from both of our search heads. Our Splunk instance is on a Windows server platform. Our Splunk software is located on our D: drive with an NTFS file system. Our Hot/Warm storage for our indexers is on a 6+6 RAID 1+0 NTFS file system. Is there something we could do to safely tune our NTFS client-side parameters to allow for sufficient concurrency for our searches?
[PL-WLMSPLPP04] Configuration initialization for D:\Program Files\Splunk\var\run\searchpeers\pl-wlmsplpp01-1447872759 took longer than expected (1011ms) when dispatching a search (search ID: remote_pl-wlmsplpp01_1447875015.646); this typically reflects underlying storage performance issues
I'm having the same problem between my deployment server and index cluster. If I remove all the files and directories starting with my deployment server's name from $SPLUNK_HOME/var/run/searchpeers it recovers with no need to restart,
Splunk 7.0.3 (build fa31da744b51).
ewoo
I wrote 1-2ms just because once in a while I think I saw 2ms.
This is a local 10Gbe LAN, all on the same site.
Each Indexer is a HW with 128Gb of Ram and 32 newest CPUs with two 10Gbe interfaces joined as a bond interface on RHEL server 6.5
The most common reasons are mentioned in the comment immediately preceding yours: 1) stale lock file (caused by a crash, for example), or 2) poor performance of shared storage, leading to slow I/O and contention on the lock file.
Some improvements to splunkd were made to reduce the amount of I/O we perform against sentinel.txt; these improvements landed in 5.0.6 and 6.0 (SPL-66563)
Correct, indexers will use the system directory on shared storage, but search heads will ignore it, continuing to use their own local versions.
To "mount" the system dir, simply copy it from one of the search heads over to shared storage.
splunkweb's session files are stored in $SPLUNK_HOME/var/run/splunk, as are Splunk's PID files. The latter are what allow the CLI to know whether Splunk is running or not. If you delete those PID files while Splunk is running, the CLI will incorrectly report Splunk as stopped even though the processes are still alive.
Add the access line to the object and give write access to the custom role.
I thought you had already done this via the UI for the view in question. From your original question:
and that role has write rights to the object and to the app
The file at:
$SPLUNK_HOME/etc/apps/yourapp/appserver/static/yourfile.html
should be accessible via:
http://splunk/static/app/yourapp/yourfile.html
http://splunk/en-US/static/@12345.67:0/app/yourapp/yourfile.html
As best practice, try to use relative paths if you can, since Splunk will generate dynamic URLs that look more like the second version above. The first version works under 4.2.1, but not sure about older versions.
Or, if you want to do something within a view/dashboard, you may also want to look at the ServerSideInclude module in the Advanced XML.
Also, once you set the permissions at the app-level to allow Power role write access to the app, all new objects will auto-inherit this setting when you share them. As in, once you click on "Share in app", you'll see the Power role checked for write access.
For existing objects, yes, you'll have to manually update the permissions.
When I go to Field Transformations to look for this it isn't there, not even under the All category.
I see. It looks like the Field Transformations settings page only supports REGEX/FORMAT-based transforms and not DELIMS/FIELDS-based ones.
Do you have REST API access to the search head? If so, you should be able to use the REST API directly to fix up the transform. For example, something like:
curl -sku admin:admin_password \
  https://searchhead-hostport/servicesNS/original_owner/search/configs/conf-transforms/REPORT-LoadTest1/acl \
  -d sharing=app -d 'perms.read=*' -d owner=original_owner
Two new things:
1 - Splunk now explicitly checks your configuration files (using btool) as part of the standard startup. So always check the Splunk messages at startup.
2 - The SOS app (Splunk on Splunk) is very helpful for finding your configuration errors. Download it free from Splunkbase here.
2017 update (because answers never die!)
btool is still a wonderful thing. But instead of the SOS app, use the built-in Splunk Monitoring Console. (It is newer and it is the offspring of the SOS app.)
And, even in older versions of Splunk, remember that Splunk has its own internal logs, which it indexes into _internal.
So you can search
index=_internal error OR warn*
And see all the error messages that Splunk has logged. But if the problem means that Splunk was unable to index, you may need to examine the internal log files directly. splunkd.log is your friend. Use grep or findstr or some tool to find the errors and warnings.
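The answer above suggests falling back to grep on splunkd.log when Splunk cannot index its own errors. The script below is an added example, not code from the original answer: it counts WARN/ERROR/FATAL lines per component so the noisiest source stands out. The field layout (date, time, timezone, level, component) and the sample log entries are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): triage splunkd.log directly.
# Assumed line layout: DATE TIME TZ LEVEL Component - message

# Print "count LEVEL Component" for WARN/ERROR/FATAL lines, busiest first.
# Continuation lines (e.g. stack traces) have no level in field 4 and are skipped.
summarize_splunkd_log() {
    awk '
        $4 == "WARN" || $4 == "ERROR" || $4 == "FATAL" { count[$4 " " $5]++ }
        END { for (key in count) print count[key], key }
    ' "$1" | LC_ALL=C sort -k1,1nr -k2,3
}

# Print the full text of ERROR and FATAL lines only.
errors_only() {
    awk '$4 == "ERROR" || $4 == "FATAL"' "$1"
}

# Write a constructed sample log (invented entries) to the given path.
make_sample_log() {
    cat > "$1" <<'EOF'
11-18-2015 13:30:15.646 -0500 INFO  TailingProcessor - Adding watch on path: /var/log.
11-18-2015 13:30:16.102 -0500 WARN  DispatchThread - Configuration initialization took longer than expected
11-18-2015 13:31:02.518 -0500 ERROR TcpOutputProc - Connection to indexer failed
  caused by: socket closed by peer
11-18-2015 13:31:40.007 -0500 WARN  DispatchThread - Configuration initialization took longer than expected
11-18-2015 13:32:11.950 -0500 WARN  DateParserVerbose - Failed to parse timestamp
11-18-2015 13:32:12.001 -0500 ERROR TcpOutputProc - Connection to indexer failed
11-18-2015 13:33:00.000 -0500 ERROR SearchParser - Missing closing quote
EOF
}

# Demo run against the constructed sample; point the functions at
# $SPLUNK_HOME/var/log/splunk/splunkd.log on a real instance.
sample=$(mktemp)
make_sample_log "$sample"
summarize_splunkd_log "$sample"
rm -f "$sample"
```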
This is not working for me under 4.1, ewoo. I've tried setting this via the manager and also via the user-prefs.conf but for some reason it doesn't take effect. Was there by any chance a change made in 4.1 to store user prefs in a db table instead of in flat files?