So, what is the solution you propose?
HEC sources, if writing to /event endpoint can provide own set of indexed fields beside the raw event. Also - with /event endpoint no line breaking takes place.
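An added example (not code from the reply above or from Splunk) of what the /event endpoint payload looks like: the raw event travels as one JSON value, so a multi-line string is not split by LINE_BREAKER, and the fields object declares index-time fields that never appear in _raw. The URL and token are placeholders, and stringifying field values is my assumption, not a documented rule.

```python
import json
import urllib.request

# Placeholders: no real collector is contacted unless send_hec_event() is called.
HEC_URL = "https://splunk.example.invalid:8088/services/collector/event"
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"


def build_hec_event(event, sourcetype, fields=None, host=None, index=None, epoch=None):
    """Return the JSON object the HEC /event endpoint accepts.

    'event' is the raw payload (a string or JSON-serialisable object) and is
    stored as ONE event, so embedded newlines are not subject to LINE_BREAKER.
    'fields' become index-time fields alongside, not inside, the raw event.
    """
    payload = {"event": event, "sourcetype": sourcetype}
    if host:
        payload["host"] = host
    if index:
        payload["index"] = index
    if epoch is not None:
        payload["time"] = epoch          # epoch seconds; omitted -> receive time
    if fields:
        # Assumption: field values are sent as strings or lists of strings,
        # so scalar values are stringified here.
        payload["fields"] = {k: (v if isinstance(v, list) else str(v))
                             for k, v in fields.items()}
    return payload


def indexed_field_names(payload):
    """Names of the index-time fields a payload declares."""
    return sorted(payload.get("fields", {}))


def send_hec_event(payload, url=HEC_URL, token=HEC_TOKEN):
    """POST one event to HEC and return the HTTP status (never called here)."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode("utf-8"),
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


# Constructed two-line event text: via /event both lines stay in one event.
SAMPLE_EVENT = "auth failure for user=bob\nreason=bad password"
SAMPLE_PAYLOAD = build_hec_event(SAMPLE_EVENT, "integration",
                                 fields={"env": "prod", "app_id": 42}, host="app01")
```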
Also if some search works in one app/for one user and doesn't work in another app/for another user it's often a permissions issue.
Oooof, that's a golden shovel for you, Sir. But to the point - no. It's how Splunk works. It will allocate a single CPU for each search on a SH it's being run from as well as on each indexer taking part in the search. So the way to "add cores to the search" is to grow your env horizontally in the indexer layer _and_ write your searches so that they use that layer properly.
The first thing to do when debugging inputs is usually, after verifying the config, to check the output of splunk list monitor and splunk list inputstatus.
"...Splunk will use one core for each search" - yep, by default Splunk will use 1 core for each search, but can we adjust this limitation, let's say so that one search can use 2 or 3 cores?
Thanks everyone for your responses. I highly appreciate your input. I was able to construct the query, something like this:
index="my_index" uri="*/experience/*" | eval common_uri = replace(uri, "^(/[^/]+){1,2}(/experience/.*)", "\2") | stats count(common_uri) as hits by common_uri | sort -hits | head 20
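A Python counterpart of the normalisation that query performs, added here as an example and not taken from the post, run over constructed URIs. It also shows the edge case the {1,2} quantifier implies: URIs with zero or three or more leading segments are left unchanged by replace(), so they form their own groups in the stats output.

```python
import re
from collections import Counter

# Same pattern as the SPL eval: replace(uri, "^(/[^/]+){1,2}(/experience/.*)", "\2")
COMMON_URI_RE = re.compile(r"^(/[^/]+){1,2}(/experience/.*)")


def common_uri(uri: str) -> str:
    """Strip one or two leading path segments in front of /experience/.

    Like SPL replace(), a URI that does not match the pattern is returned
    unchanged, so zero or three-plus leading segments are NOT normalised.
    """
    return COMMON_URI_RE.sub(r"\2", uri, count=1)


def top_common_uris(uris, limit=20):
    """Equivalent of: uri="*/experience/*" | stats count by common_uri | sort -hits | head limit."""
    counts = Counter(common_uri(u) for u in uris if "/experience/" in u)
    return counts.most_common(limit)


# Constructed sample uri values, not real traffic.
SAMPLE_URIS = [
    "/acme/experience/home",
    "/acme/v2/experience/home",
    "/beta/experience/home",
    "/a/b/c/experience/home",    # three leading segments: left as-is
    "/experience/home",          # zero leading segments: left as-is
    "/acme/experience/checkout",
    "/acme/static/logo.png",     # filtered out by the */experience/* test
]
```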
@ND1 Agreed with @sainag_splunk. Also, most ES dashboards expect data in CIM fields or from a specific data model/summary index.
Check fields:
- Run your correlation search in Search & Reporting
- Use the field picker to see if required CIM fields are present
- If not, review your field extractions or data model configurations
Check data model:
| datamodel <datamodel_name> search
If the data model is empty, review your data sources and field extractions.
Regards, Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks!
@Lien unfortunately, it's not supported for the Splunk Cloud trial version. https://docs.splunk.com/Documentation/SplunkCloud/latest/Admin/TypesofSplunkClouddeployment
If this Helps, Please Upvote!
Hi @livehybrid, thank you for your reply. I only created one group. I am using the Splunk Cloud trial version. Is there any limitation for setting up SSO? Also, another problem is that once it shows that error page, I could not log on with a local user anymore. It redirects to Okta when I access it. Then I lost the opportunity to log on to Splunk Cloud.
Thank you very much for the detailed comments. I edited my post with some details. I did not suspect anything with regard to the monitor stanza because another host with essentially the same configuration works as expected. Where it doesn't work, I do find events from /var/log/secure (from the same monitor stanza). I will run btool debugging and report back. Thanks again!
Thank you for your reply. I edited my post with some more details. It's a custom TA with a simple file monitor stanza. I don't think the inputs configuration is an issue.
@ND1 It's not easy to troubleshoot without a screen share, but typically I recommend:
1. Check the time filter on each dashboard panel
2. Click the magnifying glass on the panel to view the search
3. Expand the search to see what's actually running - you'll typically see macros there
4. Expand those macros using Ctrl + Shift + E (Windows) or Cmd + Shift + E (Mac)
5. Run the expanded search with a broader time range to see if data appears
Also check:
- Time range mismatch: the ES dashboard is looking for recent data while your correlation search finds older events
- Data model acceleration: your correlation search might need CIM-compliant field mappings
- Dashboard filters: check if the dashboard has hidden drilldown tokens or filters applied
Check out this user guide: https://help.splunk.com/en/splunk-enterprise-security-8/user-guide/8.0/analytics/available-dashboards-in-splunk-enterprise-security
Additional help: If you have Splunk OnDemand Services credits available, I'd recommend using them to walk through this issue with a Splunk expert who can troubleshoot in real time.
If this Helps, Please Upvote.
Hi @cfernaca
The duplicate field extractions are likely due to multiple or conflicting search-time field extraction configurations applying to the integration sourcetype. Since INDEXED_EXTRACTIONS = none is set, the issue occurs at search time. KV_MODE = json is generally sufficient for JSON data, but other configurations (e.g., REPORT-* or EXTRACT-* in props.conf) might be redundantly extracting the same fields.
Check for conflicting configurations using btool. Run this command on your Search Head's CLI to see all applied settings for your sourcetype and the source props.conf files:
splunk btool props list integration --debug
Look for REPORT-* or EXTRACT-* configurations that might be extracting fields already handled by KV_MODE = json.
Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing.
Good afternoon, I have a monitoring architecture with three nodes with the Splunk Enterprise product. One node acts as Search Head, one as Indexer and one for all other roles. I have a HEC on the indexer node to be able to receive data from third parties. The sourcetype configured to store the data is as follows:
[integration]
DATETIME_CONFIG = CURRENT
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = Structured
description = test
disabled = false
pulldown_type = 1
INDEXED_EXTRACTIONS = none
KV_MODE = json
My problem is that when I fetch the data, there are events where the field extraction is done in duplicate and others where the field extraction is done only once. Please, can you help me? Best regards, thank you very much.
@ND1 Most probably when an incident is not showing up, it's either suppression blocking the events or the notable action not being properly configured.
1. Check if notable events are being created:
index=notable earliest=-7d | search source="*your_correlation_search_name*"
2. Check suppression settings:
| rest /services/saved/searches | search title="*your_correlation_search_name*" | table title, alert.suppress, alert.suppress.period
Try below:
- If alert.suppress=1, try disabling suppression temporarily in ES > Content Management
- Edit your correlation search and ensure the "Notable" action is checked and saved
- Test your correlation search manually first to confirm it returns results
If this Helps, Please Upvote.
I have checked the file. Besides, one of the messages (Will begin reading at offset=13553847 for file='/var/log/messages') would indicate that Splunk has found the file and that it has contents. The host I have a problem with is actually one of a pair (A/B) of servers. I do see events in Splunk from the B server as expected. I also find events from the A server from /var/log/secure, just nothing from /var/log/messages.
"Why is my Correlation Search not showing up in Incident Review?" "How do I determine why a Correlation Search isn't creating a notable event?"
Hello family, here is a concern I am experiencing: I have correlation searches that are activated or enabled, and to verify that they are receiving the CIM-compliant data required to make them work, I search their names one by one on a Splunk Enterprise Security dashboard pane to make sure the dashboard populates properly, but nothing comes out. When I run the query of these correlation searches on the Search and Reporting pane of Splunk, however, I see the events populate. I have gone through the Splunk documentation on CIM-compliance topics already and watched some YouTube videos, but still don't get it... Any extra sources from anyone that can help me understand this very well will be very welcome. Thanks and best regards.
@sainag_splunk's answer is correct, but be aware that not all searches specify an index name, and those that do might do so using a wildcard. This is a Hard Problem addressed in the .conf24 talk "Maximizing Splunk Core: Analyzing Splunk Searches Using Audittrail and Native Splunk Telemetry", which offers some ways to get the indexes used by a search.