Hello, I'm using TrackMe Free Edition 2.0.92 on my test env (single instance with 2 UF on Debian 11). I'm able to create vtenants, but I do not see any of them on the Vtenant page. Yet, they are listed in the configuration tab. I cannot access the "pop in" to manage any of the tenant specs. This behaviour was already in place with previous versions of TrackMe v2. I checked logs, TrackMe logs, restarted the instance, updated the app, checked the browser logs (HAR files), removed then installed the app again, tried to remove the banner, deactivated then reactivated library restrictions, checked limits: all without success. I don't have any more ideas. My prod env is distributed and does not have the issue. I'm sure I did something wrong somewhere, but I cannot pinpoint where. Could you please suggest some leads? Thanks, Ema
Hi @LearningGuy, use a lookup on a csv or on KV-store, to be eventually populated using a connection with a db, but don't use dbxlookup. Ciao. Giuseppe
https://splunkbase.splunk.com/app/4564 Hi All, I want to know the status on usage of a particular app, as we are seeing the app being deprecated. Is there any alternate app/addon leveraging the same functionality? The current app stopped working. Regards, Teja
Do you mean KVStore? Have you tried DBXlookup yourself? How slow is it? Thanks
Hi @LearningGuy, copy your csv into a lookup and use the lookup to enrich your searches. Remember to also create the Lookup definition. Ciao. Giuseppe
There are a few things which we need to check before we check the search:
Is the file available for each date?
Does the search produce some result for
index="BBB" host="AAA" sourcetype="CCC" earliest=-24h | eval dateFile=strftime(now(), "%Y-%m-%d") | where like(source,"%".dateFile."%Report.csv")
Does it still have some values in the column C1111?
Hello, Do you have any other alternative if I want to move away from CSV? Thanks
Better late than never. Since I had the same issue: from the documentation (Using RapidDiag - Splunk Documentation): "The RapidDiag app is available on Linux-based Splunk Enterprise installations only." Since I was running Splunk on Windows, that explains it for me.
The "no_start_line" error suggests a format mismatch. A proper PEM-formatted cert or key file should begin with a header. See https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail
Hello @Poojitha, you can try: splunk list deploy-clients -count -1
Also you should use Settings/Forwarder management (GUI interface of your DMC server).
Hi everyone, I'm trying to forward Sysmon event logs from a Windows Server to Splunk with a Universal Forwarder installed on the Windows machines. I've successfully forwarded security event logs with the same forwarder, so I'm confident there are no network connectivity issues. Sysmon events are created as expected and exist in the Event Viewer. In my setup, I'm sending Sysmon events from my Windows clients to a WEF server, which collects all the logs. This part works fine. My Splunk deployment is a single server deployed on Rocky Linux. I installed the Splunk UF with a network user account, so it should have access to any event log.

When I try to add a new "Windows Event Logs" input, I only have options to choose from the following event channels: Application, ForwardedEvents, Security, Setup, System.

I've tried adding the input manually to the app in the file located at: /opt/splunk/etc/deployment-apps/_server_app_WindowsServers/local/inputs.conf
Security logs are sent, but Sysmon logs are not. Here's the content of the file:

[WinEventLog://Security]
index = win_servers

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
index = win_servers
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
renderXml = true

I've tried various options following some tutorials, but nothing worked. I also tried copying the content of this file to $SPLUNK_HOME\etc\apps\_server_app_WindowsServers on the Windows server with the UF, but the results are the same. Any insights into this issue would be greatly appreciated. I'm sure I'm missing something here. Thank you in advance, Yossi
Hi @azer271, have a look at this Splunk TLS config page. It sounds like there's a step / config missing; work through this and your steps. That error could be an incorrect PEM format or some config settings: https://lantern.splunk.com/Splunk_Platform/Product_Tips/Administration/Securing_the_Splunk_platform_with_TLS
Hi, I have set up a deployment server. When I checked splunkd_access.log, it shows a successful phonehome connection from the Heavy Forwarder. I can also see the app getting deployed in deployment clients. But when I do ./splunk list deploy-clients, it is showing "No deployment clients have contacted this server". What is going wrong here? Please, can any one of you help me. Regards, PNV
Given that this looks like JSON, you could use either spath or the json functions (new to 9.x).
Hello. Sorry about the late reply. After adding the rootCA setting, it still does not work. However, openssl shows "unable to load private key", which I believe may be the issue. Regenerating the certs/keys also has the same issue. Here is the output of openssl: The private key is unable to load. The cert is shown properly. Moreover, the search result shows that ssl is still false. (I set up certs in the HF and forwarder for testing.) Troubleshoot output: Thank you for your help btw.
Hey, if you found the solution, please let me know. I am getting NA for the R2 value, don't know the reason and how I should approach it.
Hey, did you get any resolution on this? I am trying the same thing.
SPL Query:
| getservice | search algorithms=*itsi_predict_*
I want to extract the algorithms and then outputlookup the model_id of the model where recommended:True. Please suggest how I do this?
See if you can change the settings via the GUI: go to your User > Preferences > Settings > Theme (Dark).
It worked. Thank you.