All Posts
Hello PickleRick, for point 3, you mean that by using kv_mode=json, unlike using indexed extractions, I will be able to "selectively not index some fields". Would you mind giving me some more details, or examples of how I can do this?

On my side, I've checked the source type which is used, and indeed:
indexed extractions = json
and in the advanced tab: kv_mode = none

So, you recommend to set:
indexed extractions = none
and in the advanced tab: kv_mode = json

Can you confirm this is the right way? Then, how can I exclude some specific fields from automatic extraction?

Thanks a lot
Regards
Nordine
Thank you for the clear answer. Removed and working fine. Does Splunk ES documentation state this anywhere? 
I see the useEnglishOnly setting which is known to cause problems. See my thread here https://community.splunk.com/t5/Getting-Data-In/Debugging-perfmon-input/m-p/621539#M107042
Hi @LAME-Creations  When I send an event to SOAR manually, I get a difference such as user=admin and mode=adhoc. Whereas if I wait for adaptive response from mission control, it is mode=saved and user=machinename.  
@BraxcBT Issue started after an upgrade or new app/add-on install? Or first time you logged in and observed this? Try from a different browser and see if it's still the same.

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
@DarthHerm Your inputs.conf looks good.
- Check splunkd.log on the affected forwarder for errors related to perfmon or permissions.
- Try upgrading: test the same config on one host with Universal Forwarder 9.3.5.

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
Hi @LAME-Creations Thank you for the explanation, but when I tried to send manually to SOAR, everything went well. Because I feel that the problem is not there, approximately which part should I check again?
That has to be frustrating and I don't know if I have ever seen what you are experiencing. I would try a couple things just to see if by chance a mistake has been made.

1) This is what you said you already have done, but just validate that nothing has changed. Try to send events manually to SOAR. If they arrive, in theory the automated should work as well, but that does not seem to be your case. Which leads me to

1a) I have actually done this. I had set up two connections to my SOAR when I was setting it up. One of the setups had the correct credentials to hit SOAR and the other did not. So when I set up adaptive response and it says what configuration do you want to use (can't remember the exact verbiage of the question) I picked the wrong one from the dropdown and it caused failure to connect.

2) When I started this, I had a clear idea what was my second thing I would try, but it slipped my mind as I wrote 1 and 1a. But basically just verify that you really can manually send the alerts to SOAR and that you aren't able to send them as an adaptive response.
Just for troubleshooting purposes, can you create a brand new event finding (what used to be called a correlation search before Splunk ES 8)? What I like to do is just check to make sure if this is a problem with just this search or is systemic. So I make my search something generic like

index=_internal | head 1 | table index, sourcetype, _time

Again, the above query is just a query that you know will have results each time it runs. Feel free to make the search anything you want. Then plug in your drilldown using the same values you applied in your question. When the alert fires and you click its drilldown, does it go all time or does it use the time selection that you gave it? Again, this is just to identify if this is a problem for one correlation search or for all of your correlation searches. This will allow us to get a better idea of what is and what is not working.
Hi Everyone, I am experiencing an error when sending events from Mission Control to Splunk SOAR. I always get a failure when the send to SOAR action is automatically triggered through Adaptive Response. Before I automated it, I tried to send event data from Mission Control to SOAR manually by clicking the three dots and then selecting 'Run Adaptive Response Actions' and everything went smoothly. Has anyone ever experienced a similar problem?

Thanks,
Zake
Hi @DarthHerm

Call me cynical, but I suspect it's a result of what has been done, rather than the Splunk upgrade files themselves; even rolling back the files might not correct things.

I think the first thing to double check is the file permissions: does the service account running Splunk have access to all the relevant files on the UF?

How are your apps deployed to the UF? Is this via a DS or manual? Can you confirm the app is installed?

Are there any specific logs in the _internal index for one of these hosts, particularly anything that mentions PerfMon?

Based on the docs at https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.4/get-windows-data/monitor-windows-performance it seems important that the service user has the "Performance Monitor Users" role - are you able to confirm this, please?

Another thing to double check: can you run a btool ($SPLUNK_HOME\bin\splunk cmd btool inputs list --debug), which should be a more detailed version of the inputs.conf you provided? Has it loaded the relevant config in from your custom configuration?

Lastly, is environment_performance_logs an event index (rather than a metric index)?

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Hi @BraxcBT

Do you get the same behaviour when accessing from a different browser (or incognito mode in the same browser)?

Please could you also check the Developer Tools of your browser (it may vary depending what you are using) and have a look at the Console tab: are there any errors in here? Also, if you could check the Network tab (you might need to reload the page after opening it) and see if any requests are red or return 4xx/5xx errors? If you do, click on the page and click the Response tab to see what error it returns and let us know.

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Thought I would post here in the community as well since I have this opened with support. A couple weeks ago, another agency pushed updates to Splunk Universal Forwarder to half of my hosts without my knowledge or consent. Those hosts were updated to 9.2.6.0 from 9.2.0.1. The updates went unnoticed for a couple weeks since the events from our custom application and Event Viewer continued to get indexed.

I started to notice an issue on one dashboard where no perfmon events were coming in. I reviewed another dashboard that checks the status of my forwarders and that's where I saw the updated installs. I went over the index the perfmon counters go to and validated only the hosts that were using Universal Forwarder 9.2.0.1 were coming in.

My version of Enterprise was 9.2.1.0 and support recommended I update Enterprise to a newer version. After some testing, I went to Enterprise 9.3.5.0. Not ready for 9.4.X with trying to update the kvstore. Reviewing the Universal Forwarder compatibility matrix, I've kept my Universal Forwarders on 9.2.0.1, 9.2.6.0, and two were updated to 9.3.5.0. Updating Enterprise didn't correct the issue.

I went through troubleshooting on the host looking over the config files. I did a rebuild of the resource counters and restarted the splunk forwarder service on one of the hosts using forwarder 9.2.6.0. I've been looking at one of the hosts by adding the service account used as a local member of the administrators and Remote Management Users groups, adding a path variable for SPLUNK_HOME at "c:\program files\splunkuniversalforwarder".

Chatted with the tech who pushed universal forwarder and they're not going to do that again. The hosts that got updated are members of my custom application's lower environments. I can live without the perfmon counters in the lower environments and none of my hosts in our production environment were updated. I know if I uninstall Forwarder and reinstall 9.2.0.1, the perfmon counters will resume coming in.

Convinced it's a change I need to do and thought I would check with the community who have updated their forwarders. I attached a copy of the inputs.conf from one of my hosts which is the same for all of them (aside from the environment name).
I used the metric finder to graph jvm.gc.duration_count, then exported the results to CSV. I also have a SignalFlow API call to grab the same data. The counts are the same except they are offset by 5 minutes. IOW, my SignalFlow output says 303 GCs at 15:11 but the metric finder export shows the same 303 GCs at 15:16. Subsequent periods are offset in the same way.

My code is using ChannelMessage.DataMessage.getLogicalTimestampMs(). Postman output looks like this:

data: {
data: "data" : [ {
data: "tsId" : "AAAAAMcvg8Q",
data: "value" : 1.0
data: }, {
data: "tsId" : "AAAAAKgFlvo",
data: "value" : 303.0
data: } ],
data: "logicalTimestampMs" : 1750709460000,
data: "maxDelayMs" : 12000
data: }

What's going on?

thanks
I have never seen this before and I will be completely transparent that I put your question into an AI engine so the response may not be anything close to what you are looking for, but the AI seemed to think you might be having web browser caching issues (which I have actually had the web caching problems, just never had them affect the pages you mentioned).  The recommendation is to try to clear your cache in your browser or the method I use the most often is to use incognito mode.  Again, no idea if this will help, but I do know that I have changed the navigation menus on an app and they would not update in my browser and I had to run in incognito mode or open up a different browser that hadn't cached my Splunk website to see the changes to the navigation.  Hope this helps.    
I am logged in as the admin user, but whenever I try to access Tokens, Users, or other settings pages, I get a blank page. I’m not sure what to do next. #Splunk #Enterprise
OK. So this is not (or at least might not be) about the phonehomes as such but on the info shown in the DS console. I'd go for:
1) Verifying on selected forwarders that the phonehomes are shown in the splunkd.log
2) Checking the logs on the DS itself to see if it can see the phonehomes.
3) Checking if you have the selective routing properly configured on the DS. https://help.splunk.com/en/splunk-enterprise/administer/manage-distributed-deployments/9.2/configure-the-deployment-system/upgrade-pre-9.2-deployment-servers (it's not about upgraded instances only; we had this issue lately on a new installation of 9.3.something).
 How did you determine this? - This is what the Forwarder Management Web UI shows us, client phone home time stamp coincides with the restart. 
What do you mean by "clients phoning home only when you restart the DS"? How did you determine this? The clients phone home on schedule - it's asynchronous versus whatever the DS is doing.