Splunk Enterprise Security

Count field is showing in the left most column

dzayas
Explorer

Anytime I run a search with a transforming command, the count field is populating in the left column. For some reason, Splunk has been doing this for all users and its messing with all of our dashboards. Anyone have a similar issue and a fix?

alt text

alt text

0 Karma
1 Solution

dzayas
Explorer

The fix for this was to comment out the line:

phased_execution_mode = singlethreaded

in limits.conf of Enterprise Security.

View solution in original post

0 Karma

dzayas
Explorer

The fix for this was to comment out the line:

phased_execution_mode = singlethreaded

in limits.conf of Enterprise Security.

0 Karma

rajindurbal
Path Finder

Good Evening @dzayas ,

I am not able to reproduce that error as well. Something you can do to fix that is:
index=fw
| stats count by description
| table description, count

Please let me know if that helps

0 Karma

dzayas
Explorer

I have done that but its a simple spot fix. This isn't normal operation for Splunk. Plus, it's messing up all the prebuilt dashboards in Enterprise Security.

0 Karma

jawaharas
Motivator

I can't reproduce the issue in Splunk 7.1.1. Which version of Splunk Enterprise you are using?

0 Karma

dzayas
Explorer

Splunk Core - 7.2.1
Splunk ES - 5.2.2

0 Karma

ahmadsaadwarrai
Explorer

I can't reproduce this issue also on Splunk version 7.2.4.

0 Karma

dzayas
Explorer

Splunk Core - 7.2.1
Splunk ES - 5.2.2

0 Karma

jawaharas
Motivator

@Dshys,
Can you try Splunk file integrity check and update here if you find any errors?

./splunk validate files

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...