Yes, you can change it via the CLI.
location -
$SPLUNK_HOME/etc/apps/user-prefs/default/user-prefs.conf
stanza -
[general_default]
default_namespace = $default
appOrder = search,search,no_search_test,lookup_editor
etc.
Hi,
You can customise the savedsearches.conf and macros.conf files to use in any environment.
For Splunk Cloud, I would suggest writing those searches manually.
However, I have tested this app in Splunk Cloud and it works fine.
Hi,
Map JSON logs to the _json sourcetype.
In the props.conf file, create a stanza like the one below.
[_json]
KV_MODE = json
It will extract the fields, so you don't need to search nested JSON files. Just search for the fields you require.
Hi,
Create the indexes on each indexer in the /etc/apps folder.
From the search head, go to Settings --> Search peers --> add the indexers with their management port.
Forward data from the forwarders to the indexers directly.
The logs will be searchable from the search head. There is no need to create the index on the search head. Just add the indexers to the search peers of the search head as explained above.
Check the forwarder version. It is due to a higher version of the forwarders.
Fix the forwarder version; it must be equal to or lower than the indexers' Splunk version.
It is not due to Splunk SSL. If you disable Splunk SSL, you will still see those logs.
Check the forwarder version. It is due to a higher version of the forwarders.
Fix the forwarder version; it must be equal to or lower than the indexers' Splunk version.
It is not due to Splunk SSL. If you disable Splunk SSL, you will still see those logs.