All Posts
5/17/24 12:45:46.313 PM persistuse Environment = LTQ3
In the above event the character "r" is missing from the word "persistuse" (but it exists in raw_data on the host), hence the events are being created without a timestamp and we are getting data quality issues. How can this be fixed?
We are generating HEC tokens on a deployment server and pushing them out to the HECs. HEC tokens are disabled by default on the HECs and the deployment server and need to be enabled in global settings. What I've done so far is:
- authorize.conf: this is for user tokens and isn't working for HEC tokens
- the CLI command for token enable isn't working because it's not enabled globally
- inputs.conf has [http] disabled=0
The only thing that has worked is enabling it via the UI. Is there a way to enable these over CLI?
Hello @gcusello  Thanks for the quick response. One of my colleagues mentioned that he observed some intermittent connectivity issues/data loss when 8089 encryption was enabled.  What could be the possible reason?   Thanks.
This is perfect. Thank you! Only had to add the missing "by" in | eventstats values(pod_name_all) as pod_name_all importance

index=abc sourcetype=kubectl
| lookup pod_list pod_name_lookup as pod_name OUTPUT pod_name_lookup
| where sourcetype == "kubectl"
| bin span=1h@h _time
| stats values(pod_name_lookup) as pod_name_lookup values(pod_name_all) as pod_name_all by importance _time
| append [ inputlookup pod_list | rename pod_name_lookup as pod_name_all ]
| eventstats values(pod_name_all) as pod_name_all by importance
| eval missing = if(isnull(pod_name_all), pod_name_all, mvappend(missing, mvmap(pod_name_all, if(pod_name_all IN (pod_name_lookup), null(), pod_name_all))))
| where isnotnull(missing)
| timechart span=1m@m dc(missing) by importance
Hi Team, is it possible to update/enrich a notable after executing a playbook in Splunk SOAR, so that the execution output is attached to the Splunk notable? Example: assume I have a correlation search named "one" that triggers a notable and runs a playbook action. Now, once the search triggers and the notable is created, the "run a playbook" action should execute in SOAR and attach its output to the notable created. Think of this as attaching the IP reputation/geolocation of an IP to the notable so that the SOC can work without logging into VirusTotal or any other sites. Thank you
Hi @Jyo_Reel, 8089 is a management port and it's already encrypted. Anyway, the traffic port (by default 9997) can be encrypted; for more details see https://docs.splunk.com/Documentation/Splunk/9.2.1/Security/ConfigureSplunkforwardingtousesignedcertificates#:~:text=You%20can%20use%20transport%20layer,create%20and%20sign%20them%20yourself. Ciao. Giuseppe
I know someone who has used this; it's a flavour of Red Hat / CentOS, so you should be fine. Here's the Splunk OS support matrix for the supported kernel versions: https://docs.splunk.com/Documentation/Splunk/9.2.1/Installation/SystemRequirements
Hello, Can 8089 port traffic be encrypted? What are the pros and cons?
If I have 6 search peers configured in the distsearch.conf file but 3 of them go down, can Splunk recognize that a host is down and continue skipping down the list until it gets a live host?
Hello, is Splunk 9.0 compatible with Oracle Linux?
That WARN is just for extra security. It's still having issues with the server.pem file. I'm out of options to check, mate; consider logging a support call, or, if this is an option for you, back up the /etc/apps folder, re-install Splunk, and restore the backed-up /etc/apps folder. I know this is a drastic step... but it might be quicker.
I've lately installed the MISP add-on app from Splunk to integrate our MISP environment feed into the Splunk app using the URL and the Auth API. That being said, I was able to configure it with the details required in the MISP add-on app. However, after the configuration, I'm getting the following error: (Restricting results of the "rest" operator to the local instance because you do not have the "dispatch_rest_to_indexers" capability). Furthermore, looking into the role capabilities under the Splunk UI settings, I don't see the "dispatch_rest_to_indexers" role either. Could someone please assist?
Thank you! 
I have checked the log, there is nothing there. In fact there is only 1 log with new entries. These are the last entries from splunkd-utility.log:
05-17-2024 16:44:40.570 +0200 INFO ServerConfig - Found no hostname options in server.conf. Will attempt to use default for now.
05-17-2024 16:44:40.570 +0200 INFO ServerConfig - Host name option is "".
05-17-2024 16:44:40.570 +0200 INFO ServerConfig - TLS Sidecar disabled
05-17-2024 16:44:40.570 +0200 WARN SSLOptions - server.conf/[sslConfig]/sslVerifyServerCert is false disabling certificate validation; must be set to "true" for increased security
05-17-2024 16:44:40.570 +0200 INFO ServerConfig - No 'C:\Program Files\Splunk\etc\auth\server.pem' certificate found. Splunkd communication will not work without this. If this is a fresh installation, this should be OK.
05-17-2024 16:44:40.586 +0200 INFO ServerConfig - disableSSLShutdown=0
05-17-2024 16:44:40.586 +0200 INFO ServerConfig - Setting search process to have long life span: enable_search_process_long_lifespan=1
05-17-2024 16:44:40.586 +0200 INFO ServerConfig - enableTeleportSupervisor=0, scsEvironment=production
05-17-2024 16:44:40.586 +0200 INFO ServerConfig - certificateStatusValidationMethod is not set, defaulting to none.
05-17-2024 16:44:40.586 +0200 INFO ServerConfig - Splunk is starting with EC-SSC disabled
cacert.pem is valid till 2027 and I have checked server.conf, which has no entry for hostname. But this seems to be normal; I have checked against another installation.
This has been fixed by Splunk. It works at least in 9.1.3+ versions as expected. _meta = foo::bar
Update for the old post, as Splunk has fixed this. Currently (at least 9.1.3+) you can use _meta also in HEC's inputs.conf.
Hello Splunk Community, To combine two search results where you are interested in the last x/y events from each subquery, you can utilize streaming commands effectively by piping the output of the first search into the second one. For instance, you can use command-line tools like grep, awk, or sed to filter and merge the results. If you're dealing with more complex data, consider using a programming language like Python with libraries such as pandas for better manipulation and merging of search results. Finally, to enhance your streaming and searching experience, I recommend you install the Spotify Web Mod PC. This mod can help streamline your music searches and organize your playlists efficiently, providing a seamless integration into your overall workflow. Best Regards!!
Hi, are you fulfilling these requirements: https://docs.splunk.com/Documentation/Splunk/latest/Data/DataIngest ? r. Ismo
Hi, it shouldn't be too much. Could you show your inputs.conf inside a </> block? Also, which UF version and OS do you have? Have you also checked that your UF user has access to this new (?) or truncated file? What do the "splunk list inputstatus" and "splunk list monitor" commands output? Can you find this individual file in those, and what status does it have? r. Ismo
Could you give some more information about your issue and what you have already tried?