Hi @Haleb, did you follow all the instructions at https://docs.splunk.com/Documentation/Splunk/9.2.1/Security/ConfigureSplunkforwardingtousesignedcertificates#:~:text=You%20can%20use%20transport%20layer,create%20and%20sign%20them%20yourself. ? Ciao. Giuseppe
Thank you for the swift response. It looks to be working as expected.
Hi @karthi2809, do you have in the search another field with the values to correlate with interfacename? The field values must be the same. If yes, you can use this field to join the lookup. Ciao. Giuseppe
Hello splunkers! Has anyone else experienced slow performance with Splunk Enterprise Security? For me, when I open "Content Management" in "Configure" and, let's say, try to filter to see enabled correlation searches, it might take up to 5 minutes to load just 5 or 6 correlation searches. However, if I try to perform a search in Search and Reporting (within Enterprise Security) the searches run pretty fast, returning hundreds of thousands of events. Another case where I might experience huge lags is when: creating a new investigation, updating the status of a notable, deleting an investigation, opening Incident Review settings, adding a new note to an investigation. If anyone has had a similar experience, could you please share how to improve the performance of the Enterprise Security app?

Some notes to give more info about my case:
- The health circle is green.
- The deployment is all-in-one (Splunk Enterprise, ES, and all the apps and add-ons); everything is running on an Ubuntu Server 20.04 virtual machine with 42 GB RAM, 200 GB hard disk (thin provisioned), 32 vCPU.
- My Splunk deployment has around 4-5 sources from which it receives logs; the average load of data is around 500-700 MB/day.

Thanks for taking your time reading and replying to my post.
tcpout persistent queue will solve the issue.  https://community.splunk.com/t5/Knowledge-Management/Splunk-Persistent-Queue/m-p/688223#M10063
Try something like this:

```
<my search command for transaction records>
| dedup orderId
| table orderId, sellerId, buyerId
| append
    [ search <my search command for list user rating list>
      | table user, rating ]
| eval user=if(isnull(sellerId), user, sellerId)
| eventstats values(rating) as sellerRating by user
| eval user=if(isnull(buyerId), user, buyerId)
| eventstats values(rating) as buyerRating by user
| where isnotnull(orderId)
| table orderId, sellerId, buyerId, sellerRating, buyerRating
```
Hello! Dark mode still does not work in Splunk Enterprise 9.2.1 when an emoji is in one of the visualizations, like a single, for example. Here is a run-anywhere dashboard. Just set it to dark mode and it stops working. Remove the pizza and it works again. If you are in dark mode already and add the emoji, then after the initial save it will work, but after refreshing it reverts to light. If you don't like pizza then add an emoji of your choice.

```xml
<dashboard version="1.1" theme="light">
  <label>pizza dark test</label>
  <row>
    <panel>
      <single>
        <search>
          <query>| makeresults | eval emoji="ciao " | table emoji</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">none</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0x53a051", "0x0877a6", "0xf8be34", "0xf1813f", "0xdc4e41"]</option>
        <option name="rangeValues">[0,30,70,100]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
  </row>
</dashboard>
```

Thanks! Andrew
https://docs.splunk.com/Documentation/Splunk/9.2.1/ReleaseNotes/Fixedissues
https://docs.splunk.com/Documentation/Splunk/9.1.4/ReleaseNotes/Fixedissues

One customer reported a very interesting issue with graceful splunk restart: events missing during a graceful restart/rolling restart (splunk stop gracefully finished). useACK=true is an option, but that ideally must be applied if splunk stop timed out. This has been an issue for so many years. This is important where config changes are pushed frequently, thus triggering frequent indexer/HF/IF restarts. The issue is fixed in 9.1.4/9.2.1:

TcpInputProcessor not able to drain splunktcpin queue during graceful shutdown

How to detect if it's applicable for your deployment? Check splunkd.log for

```
WARN TcpInputProc - Could not process data received from network. Aborting due to shutdown
```

Also, from metrics.log, see https://community.splunk.com/t5/Knowledge-Management/During-indexer-restart-indexer-cluster-rolling-restart/m-p/683763#M9962
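The post above names the splunkd.log warning that tells you whether forwarder data was discarded during a graceful shutdown. The script below is an added example, not part of the post or of Splunk: it counts those warnings in a splunkd.log and prints the time window they span, so the result can be lined up with the restart and with metrics.log. The sample log it ships with is constructed in splunkd.log layout (the INFO lines and the pid/thread names are made up); the WARN message text is the one quoted in the post.

```shell
#!/bin/sh
# Added example (not from the post): check splunkd.log for the line that marks
# forwarder data dropped by TcpInputProcessor during a graceful shutdown.
# Usage:  sh detect_shutdown_drops.sh /opt/splunk/var/log/splunk/splunkd.log
# With no argument it runs against the constructed sample below.

# Level may be followed by one or more spaces; the bracketed pid/thread is optional.
PATTERN='WARN *TcpInputProc .*Could not process data received from network\. Aborting due to shutdown'

# Number of drop warnings in the given log file (prints 0 when there are none).
count_shutdown_aborts() {
  grep -c -- "$PATTERN" "$1" || :
}

# First and last timestamp of the drop warnings, to line up with the restart
# window and with the queue figures in metrics.log. Prints nothing if clean.
abort_window() {
  grep -- "$PATTERN" "$1" |
    awk 'NR == 1 { first = $1 " " $2 } { last = $1 " " $2 }
         END { if (NR > 0) print first " .. " last }'
}

# Constructed sample in splunkd.log format (not a real log): two warnings
# between the shutdown and the following startup.
write_sample_log() {
  cat > "$1" <<'EOF'
05-22-2024 11:50:58.120 +0000 INFO  ShutdownHandler [12345 Shutdown] - Shutting down splunkd
05-22-2024 11:50:59.001 +0000 WARN  TcpInputProc [12345 TcpInputThread] - Could not process data received from network. Aborting due to shutdown
05-22-2024 11:50:59.004 +0000 WARN  TcpInputProc [12345 TcpInputThread] - Could not process data received from network. Aborting due to shutdown
05-22-2024 11:52:10.330 +0000 INFO  loader - Splunkd starting
EOF
}

# Demo: report on the log given as $1, or on the constructed sample.
log="${1:-}"
if [ -z "$log" ]; then
  log=$(mktemp)
  write_sample_log "$log"
fi
n=$(count_shutdown_aborts "$log")
if [ "$n" -gt 0 ]; then
  echo "$n drop warning(s) in $log, window: $(abort_window "$log")"
  echo "affected: forwarder data was discarded on shutdown (fixed in 9.1.4 / 9.2.1)"
else
  echo "no TcpInputProc shutdown drops found in $log"
fi
[ -n "${1:-}" ] || rm -f "$log"
```

A non-zero count on a pre-9.1.4/9.2.1 indexer or heavy forwarder is the signal the post describes; the window tells you which restart to correlate with gaps in the data.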
I think all the suggestions that spawned from my original question are worth considering in the context of the individual environments a user might have. For instance, I was not able to spin up a duplicate SHC or IDXC and thus chose a different option.

However, I suggest that new threads be created for each solution, with a detailed explanation. This thread is getting a bit long.
I tried to configure an SSL/TLS connection between Forwarder and Indexer.

On the forwarder, /opt/splunkforwarder/etc/system/local/output.conf:

```
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
disabled = false
server = my.domain.com:9998
disabled = 0
clientCert = /opt/splunk/etc/auth/mycerts/client.pem
useClientSSLCompression = true

[tcpout-server://my.domain.com:9998]
```

The certificate has been created by Certbot and prepared according to the instructions. It works well for Splunk Web and I believe it works here too.

On the indexer, /opt/splunk/etc/system/local/inputs.conf:

```
[splunktcp-ssl:9998]
disabled=0

[SSL]
serverCert = /opt/splunk/etc/auth/mycerts/test_full.pem
```

test_full.pem is the prepared certificate from Certbot. If I use the forwarder without certificates everything works fine, so there are no connection errors.

Output of splunk list forward-server:

```
Configured but inactive forwards:
    my.domain.com:9998
```

From /var/log/splunk/splunkd.log I can see the following error:

```
05-22-2024 11:51:03.823 +0000 ERROR TcpOutputFd [29087 TcpOutEloop] - Read error. Connection reset by peer
05-22-2024 11:51:03.823 +0000 WARN AutoLoadBalancedConnectionStrategy [29087 TcpOutEloop] - Applying quarantine to ip=99.99.99.99 port=9998 connid=2 _numberOfFailures=2
```

Could you please help me debug the problem?
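A check worth running before pointing Splunk at Certbot output, added here as an example (it is not from the post or from Splunk): Splunk reads the file named by serverCert or clientCert as a single PEM that must contain the certificate, its private key and the CA chain concatenated in that order, while Certbot keeps cert.pem, privkey.pem, chain.pem and fullchain.pem separate, and fullchain.pem holds no key. The script counts the PEM blocks in a file and assembles a Splunk-style bundle from the three Certbot files. The sample live/ directory it creates is constructed; the base64 bodies are dummies and only the BEGIN/END markers are inspected.

```shell
#!/bin/sh
# Added example (not from the post). Splunk expects serverCert / clientCert to
# be ONE PEM file: leaf certificate, private key, then CA chain. Certbot's
# fullchain.pem has no key, so a bundle has to be built from cert.pem,
# privkey.pem and chain.pem. This pre-flight check catches a missing key
# before splunkd is restarted with the file.
# Usage:  sh check_splunk_pem.sh /etc/letsencrypt/live/<domain>
# With no argument it runs against a constructed sample directory.

pem_cert_count() {
  grep -c -- '^-----BEGIN CERTIFICATE-----' "$1" || :
}

pem_key_count() {
  grep -c -E -- '^-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----' "$1" || :
}

# Returns 0 when the file has at least one certificate and exactly one key.
check_splunk_pem() {
  certs=$(pem_cert_count "$1")
  keys=$(pem_key_count "$1")
  if [ "$certs" -ge 1 ] && [ "$keys" -eq 1 ]; then
    echo "OK:  $1 ($certs certificate(s), 1 private key)"
    return 0
  fi
  echo "BAD: $1 ($certs certificate(s), $keys private key(s)); Splunk needs cert + key + chain in one file"
  return 1
}

# cert.pem + privkey.pem + chain.pem -> bundle; the file now holds a key, so
# keep it unreadable to other users.
build_splunk_pem() {
  cat "$1" "$2" "$3" > "$4" && chmod 600 "$4"
}

# Constructed stand-in for a Certbot live/<domain> directory (dummy bodies).
write_sample_certbot_dir() {
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...leaf-cert-dummy...' '-----END CERTIFICATE-----' > "$1/cert.pem"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...intermediate-dummy...' '-----END CERTIFICATE-----' > "$1/chain.pem"
  cat "$1/cert.pem" "$1/chain.pem" > "$1/fullchain.pem"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIE...private-key-dummy...' '-----END PRIVATE KEY-----' > "$1/privkey.pem"
}

# Demo: a fullchain.pem alone fails the check, the assembled bundle passes.
dir="${1:-}"
if [ -z "$dir" ]; then
  dir=$(mktemp -d)
  write_sample_certbot_dir "$dir"
fi
check_splunk_pem "$dir/fullchain.pem" || :
build_splunk_pem "$dir/cert.pem" "$dir/privkey.pem" "$dir/chain.pem" "$dir/splunk_server.pem"
check_splunk_pem "$dir/splunk_server.pem" || :
[ -n "${1:-}" ] || rm -rf "$dir"
```

The same check applies to the forwarder side: the clientCert file also has to carry the client certificate together with its key, and if the key is encrypted the matching sslPassword setting is needed in the same stanza.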
My search is as below. The two <my search command for list user rating list> search commands are the same; how can I reduce this search? I want to use <my search command for list user rating list> only once, meaning share the same search results for both lookups. The transaction sellerId and buyerId could look up the user in the rating list to get the rating data.

```
<my search command for transaction records>
| dedup orderId
| table orderId, sellerId, buyerId
| join type=left sellerId
    [ search <my search command for list user rating list>
      | table sellerId, sellerRating ]
| search orderId!=""
| table orderId, sellerId, buyerId, sellerRating
| join type=left buyerId
    [ search <my search command for list user rating list>
      | table buyerId, buyerRating ]
| search orderId!=""
| table orderId, sellerId, buyerId, sellerRating, buyerRating
```

Transaction records may look like this:

| orderId | sellerId | buyerId |
|---------|----------|---------|
| 123     | John     | Marry   |
| 456     | Alex     | Josh    |

User rating (all users):

| user  | rating |
|-------|--------|
| Josh  | 10     |
| Alex  | -2     |
| Lisa  | 1      |
| Marry | 3      |
| John  | 0      |
| Tim   | 0      |

Expected result:

| orderId | sellerId | buyerId | sellerRating | buyerRating |
|---------|----------|---------|--------------|-------------|
| 123     | John     | Marry   | 0            | 3           |
| 456     | Alex     | Josh    | -2           | 10          |
yes, we want to know how integrate splunk into keycloak as an IDP Provider?
Since this is a distributed environment, I think the best approach here would be as follows:

1. Migrate your management nodes first (Cluster Manager, SHC Deployer, Deployment Server, etc.)
2. Migrate the Search tier
3. Migrate Indexers

Now the question is how do you achieve this with little to no downtime?

For CM:
1. Set up new RHEL 9 machines
2. Backup
3. Set up Splunk on the new machine
4. Copy/merge the "/system/local" and "etc/manager-apps" directories to the new machine
5. Restart Splunk
6. Update the DNS or IP. The easier way would be to detach the DNS/IP of the older CM and attach it to the new CM. Once the DNS/IP is updated, your old indexers should start reporting to the new CM

For Indexers:
1. Set up new RHEL 9 machines. For example, if you have 6 IDXs in your old cluster, then spawn 6 new machines on the RHEL version
2. Set up Splunk on the new machines
3. Ensure all the machines are part of one cluster (i.e. both the older and the new indexers)
4. Start decommissioning old indexers one at a time. This will migrate the copies to the remaining IDXs: https://docs.splunk.com/Documentation/Splunk/9.2.1/Indexer/Takeapeeroffline
5. Rebalance the data if needed.

This way you won't have any downtime on data ingestion or searching.

For SH:
1. Set up new RHEL 9 machine
2. Backup
3. Set up Splunk on the new machine
4. Copy/merge the "/system/local" and "etc/apps" directories to the new machine
5. Restart Splunk
6. Update the DNS or IP. The easier way would be to detach the DNS/IP of the older SH and attach it to the new SH.
7. (Optional) Ensure you are able to search the data as part of sanity checks

Another approach is mentioned in this Splunk Docs, which will be tedious and would require downtime and a lot of manual work:

Please let me know if you have any concerns.
Hi, I tried to add a piece of code to change the color of values based on a certain condition, but it is not reflecting the change in my dashboard. Can you please check and advise what is going wrong?

New code added:

```xml
<single id="CurrentUtilisation">
  <search>
    <query>
      <![CDATA[
index=usage_index_summary
| fields Index as sourceIndex, totalRawSizeGB
| where Index="$single_index_name$"
| stats latest(totalRawSizeGB) as CurrentSize by Index
| join left=L right=R where L.Index=R.extracted_Index
    [ search index=index_configured_limits_summary
      | stats latest(maxGlobalDataSizeGB) as MaxSizeGB by extracted_Index ]
| rename L.CurrentSize as CurrentSizeGB, R.MaxSizeGB as MaxSizeGB, L.Index as Index
| eval unit_label = if(CurrentSizeGB < 1, "MB", "GB")
| eval CurrentSizeGB = if(CurrentSizeGB < 1, CurrentSizeGB*1024, CurrentSizeGB)
| eval CurrentSizeDisplay = round(CurrentSizeGB) . if(unit_label == "MB", "MB", "GB")
| eval CurrentSizeDisplay = if(CurrentSizeGB == 0, "None", CurrentSizeDisplay)
| eval range=if(CurrentSizeGB > MaxSizeGB, "over", "under")
| table CurrentSizeDisplay, range
      ]]>
    </query>
  </search>
  <option name="colorBy">value</option>
  <option name="drilldown">none</option>
  <option name="rangeColors">["red", "white"]</option>
  <option name="refresh.display">progressbar</option>
  <option name="trellis.enabled">0</option>
  <option name="underLabel">Current Utilisation</option>
  <option name="useColors">1</option>
</single>
```

What I want: if CurrentSize > MaxSize then the value should display in red, else white. The query, when run independently, is showing correct results for the range and the current size / max size values, but the color does not change in the dashboard. I have looked this up in the community and tried using the same logic mentioned in this successful solution, but to no avail.

Reference used: https://community.splunk.com/t5/Dashboards-Visualizations/How-can-I-change-Splunk-Dashboard-single-value-field-color-of/td-p/596833
Hi @gcusello, in the lookup file I have two fields: one is the interface name, the other one is the link. Based on the interface name we can map, right?
Hi @gdfasdasd, in the post it is also written: 'if Splunk has the data - it is indexed and searchable', so only indexed data are searchable. If you discard an event and you don't index it, you cannot search it. So I confirm that you can search only indexed data, with the exception of DB Connect, with performance to forget. Ciao. Giuseppe
After upgrading Azure blob storage archiving to 1.1.1 we have ERROR BucketMover:

```
10:16:29.231 +0000 ERROR BucketMover [15786 FilesystemOpExecutorWorker-1] - coldToFrozenScript cmd='"/usr/bin/python3" "/opt/splunk/etc/apps/TA-azure-blob-archiving/bin/AzFrozen2Blob.py" /mnt/data1/splunkdata/network/db/db_1708118969_1708333374_3431' exited with non-zero status='PID 15806 exited with code 1'
```
https://community.splunk.com/t5/Splunk-Search/Searching-data-that-is-not-indexed/m-p/557435 - I read this information.
Hi @gdfasdasd, I don't know which forums you are speaking of. As @ITWhisperer also said, you can access external data without indexing it, e.g. using DB Connect (that's a Splunk JDBC client to query databases), but in this case you have to forget about performance on your system! In Splunk you can mainly search only indexed data. Ciao. Giuseppe
Strictly speaking, there are other ways to access non-indexed data such as DB Connect and inputlookup, but generally speaking you should index your data (as @gcusello suggested) in order to get powerful access to the information contained within it.