Can CIM be applied to data in a distributed search environment that CIM is...
I am searching on a distributed search environment (I don't own) that CIM is not installed on. If I install CIM on my search heads, will the CIM be applied to the distributed environment at search time...
Where to install Splunkgit in a distributed environment?
I can't find any documentation regarding the best deployment scheme for this. Looking at the configs I'm thinking: - Install it on a Heavy Forwarder and configure that to have the hooks into the repos...
Best Practice forward search head to indexer but dispatch folder fills - how...
I am setting up distributed deployment monitor and trying to follow the Best Practices of sending the search head internal data to the indexers but using the basic recommended outputs.conf it also...
What do Splunk Ninjas think are the top three daily Splunk tasks in a large...
Hello all, I am trying to build a workflow for our new Splunk product and want to know what top three regular daily tasks you may do in Splunk Enterprise. This includes anything in regards to ES...
How to configure and distribute indexes.conf with server specific CIFS shares...
What's the recommendation about setting up indexes.conf which will be distributed (via deployment server) and also supports server specific shares? Basically, today all buckets are being stored on a...
Is there any additional guidance on installing the Palo Alto Networks App and...
Is there any additional guidance on installing the Palo Alto App and Add-on in a distributed & clustered environment? The installation guide says to install both components to all the heavy...
How to enable distributed search between two Splunk Cloud installations and...
I have 2 Splunk Cloud installations located in different regions (due to politics). I would like to enable distributed search between the 2 installations, however, when I try to add a new search peer...
In a distributed search environment, can we blacklist apps in distsearch.conf...
In a distributed search environment, can we blacklist the app in distsearch.conf and prevent it from being part of the bundle replication to search peers? I have a search head cluster with the Machine...
For scheduled searches am I required to have the same auth on all servers?
With a distributed environment am I required to have the same authentication.conf and authorize.conf on search heads and indexers? I'm using both basic auth and LDAP. I currently get errors like this...
How to prevent duplicate events from occurring when connecting a...
Hello guys, I've set up a separate search head using distributed search with clustered indexers (in order to have a different portal with different authentication). However, if I select more than one...
Why is the search head distributing entire knowledge bundle 50+ times an hour...
While digging through my Search head logs, I stumbled upon some WARN messages from the DistributedBundleReplicationManager component regarding "Asynchronous bundle replication" "took too long (longer...
How to troubleshoot why an indexer in a cluster is missing from the...
We have a four (4) node indexer cluster. Under the 'Distributed Environment | Indexer Clustering', all four peers show as searchable and up. However, in the 'Monitoring Console' only 3 Indexers are...
How do you install Blue Coat ProxySG App for Splunk in a Distributed...
The installation instructions I have read are for standalone. What are the installation instructions for a distributed Splunk Enterprise environment? Does the app need to be installed on search heads,...
What command type is accum? Is there a way to compute stats/counts on indexers?
Splunk's [command types page][1] is missing a few functions, including accum. I would like to know if accum is a centralized streaming command, distributable streaming command, or none of the above....
Where to deploy Eventgen in a distributed deployment?
We have created our own Eventgen app which holds sample data and the `eventgen.conf` file. Looking at Splunk's Eventgen [documentation][1], it is not entirely clear where such an app needs to reside in...
Splunk IT Service Intelligence: How to restrict searches to specific search...
Hello, I am building an environment in which I have a Search Head (6.5.0), and many indexers: One indexer per customer. In the SH, I have Splunk IT Service Intelligence (ITSI) 2.4.0 and many alerts and...
Is there an alternative to Splunk Free for a distributed search POC?
Hi, I am trying a POC on my personal PC where - Forwarder is on one machine (Linux) - Indexer + Search Head on another machine (Mac OS) I am using **Splunk Enterprise downloaded for free**. ISSUE: I am...
Custom Streaming Command Won't Distribute to Indexers (Python SDK, V2)
I am writing a custom streaming search command using the Python SDK and the V2 Protocol. I believe I have followed all of the instructions for creating a streaming command compatible with distributed...
Does the splunk_archver app need to be distributed to the search peers via...
We recently upgraded to Splunk 6.5.1 and noticed a fairly large increase in our replicated knowledge bundle size from the Search head to our search peers. After doing some digging it appears that the...
How does distributed search work?
I have one SH and two IDX in my system. In my dashboard, seven panels use the following base search and do postprocessing search only. base search | fields $timefield.earliest$ $timefield.latest$...