All Posts
IHAC running a large C11 On-Prem stack. They are in a bit of a pickle due to unsupported RHEL 7 and halfway through an upgrade from 9.3.x to 9.4.x, and are seeking advice on the recent CVEs. My problem / question is what version of 'golang' is installed with their particular version of Splunk; this is in response to SVD-2025-0603 | Splunk Vulnerability Disclosure. It is not clear how to verify this.
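One way to answer the question in this post, as an added example that is not from the post or from Splunk: a Go toolchain stamps its version string (for example "go1.21.5") into every binary it builds, so scanning the files under a directory such as $SPLUNK_HOME/bin for that marker reports the embedded Go version without the Go tool installed. The fake binary and the fixed version "go1.99.0" are constructed placeholders; the real fixed version comes from the advisory, and nothing here assumes which Splunk files are Go binaries.

```python
import os
import re
import tempfile

# Go binaries carry their toolchain version (runtime.buildVersion) as a
# plain string such as "go1.21.5"; this finds such markers in raw bytes.
GO_VERSION_RE = re.compile(rb"go1\.\d+(?:\.\d+)?")


def version_key(v):
    """'go1.22.3' -> (1, 22, 3) and 'go1.22' -> (1, 22, 0), for comparisons."""
    parts = [int(p) for p in v[2:].split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def go_version_of(path):
    """Go toolchain version embedded in the file, or None if there is none.

    A binary may contain several 'go1.x' strings (module directives of
    dependencies are embedded too); the toolchain is never older than
    those, so the highest marker is reported. This is a heuristic.
    """
    with open(path, "rb") as fh:
        found = {m.group(0).decode() for m in GO_VERSION_RE.finditer(fh.read())}
    return max(found, key=version_key) if found else None


def scan_dir(root):
    """Map every regular file under root that embeds a Go version to it."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                ver = go_version_of(path)
                if ver:
                    result[path] = ver
    return result


def is_older_than(found, fixed):
    """True when the embedded version is below the advisory's fixed version."""
    return version_key(found) < version_key(fixed)


def demo_tree():
    """Constructed sample: a fake Go binary plus a non-Go file (not Splunk files)."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "fake-go-tool"), "wb") as fh:
        fh.write(b"\x7fELF\x00go1.18\x00runtime\x00go1.22.3\x00")
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"no toolchain marker here\n")
    return root


if __name__ == "__main__":
    # Real use: scan_dir("/opt/splunk/bin"); "go1.99.0" is a placeholder fixed version.
    for path, ver in scan_dir(demo_tree()).items():
        print(path, ver, "below fixed version" if is_older_than(ver, "go1.99.0") else "ok")
```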
Not quite, _indextime will always be the time it's indexed; however _time is usually derived/determined from the data. For some reason Splunk is detecting the incorrect time. Try updating your props like this:

[source::.../var/log/splunk/SA-ldapsearch.log]
sourcetype = SA-ldapsearch
DATETIME_CONFIG = CURRENT

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Hi @maddop

Is the link you're clicking on a regular a/href link with a target=_blank?

You may be able to "Execute Javascript" before the click to remove the target from the link, then click as normal?

const links = document.querySelectorAll('a');
// Iterate over each link and remove the 'target' attribute
links.forEach(link => {
  link.removeAttribute('target');
});

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
@richgalloway

My understanding is that if indextime is today then _time should have been the same, since there is no delay during ingestion. Here is the default props.conf that comes with the SA-ldapsearch TA (there is no transforms.conf):

[source::.../var/log/splunk/SA-ldapsearch.log]
sourcetype = SA-ldapsearch

[SA-ldapsearch]
EXTRACT-vars = Level=.+, (?<log_source>Pid=.+, File=.+, Line=.+), (?<message>.*)
Hi @tech_g706

If there are no fields in the event that you want to use as the _time field when it is ingested then I would recommend forcing the _time to be the ingestion time using the following props.conf update:

[yourSourcetype]
# Your other props here
# Set _time to current time
DATETIME_CONFIG = CURRENT

If you want one of the fields in the event to be _time then please share the full raw event and details of the field which should be _time.

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Hi, I need to generate a server metric report which gives Server Availability and other hardware metrics.

Tried Dexter, but it doesn't give the Machine Availability metric. Correct me if any changes need to be made to get this metric in DEXTER.

Tried the API POST call, but it gives the report with 10-minute granularity data. For example, if I fetch the last 1 hour it splits the data into 6 slices of 10 minutes each and shares the data, which makes it very complex to get the desired metric.

Tried a Dashboard, but I have to create multiple widgets or dashboards to achieve this, and even then the reports generated from it are not clear.

Kindly suggest a way to get the Machine Availability metrics and other hardware metrics from AppDynamics as a report.
What do you expect/want to see for capturetime?  None of the timestamps in the event seem appropriate and all of them will either throw a warning or cause a quarantine bucket to be created. Please share the props.conf settings for that sourcetype.
Hi, I am experiencing an issue with the SA-ldapsearch TA.

I am using this search to validate the timestamp:

index = <index name>
| eval bucket=_bkt
| eval diff = _indextime - _time
| eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S")
| eval capturetime=strftime(_time,"%Y-%m-%d %H:%M:%S")
| table indextime capturetime diff _raw

I can see that the indextime = 2025-06-08 05:00:20 but capturetime = 2020-01-13 10:00:01. Splunk is ingesting the latest ldap events but the _time field is having timestamps of 2020.

In the raw event, there are multiple timestamps available:

"whenCreated":"2018-06-05 10:43:19+00:00
"whenChanged":"2024-02-11 13:52:37+00:00
"pwdLastSet":"2019-07-24T06:41:44.698530Z
"lastLogonTimestamp":"2019-07-24T06:41:44.282975Z

but I am not able to understand how the TA is extracting the 2020 timestamp from the raw, as there is no such timestamp in the raw event.
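The check this post runs in SPL, together with the DATETIME_CONFIG = CURRENT fix suggested in the replies, as an added example that is not code from the post or from the TA: it extracts every timestamp present in _raw, measures the skew between _indextime and _time, and reports whether _time matches anything actually in the event. The event is constructed from the values quoted above, assembled into one JSON line.

```python
import re
from datetime import datetime, timezone

# Timestamp shapes present in the SA-ldapsearch raw event quoted above:
# "2018-06-05 10:43:19+00:00" and "2019-07-24T06:41:44.698530Z".
TS_RE = re.compile(
    r"\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?(?:Z|[+-]\d{2}:\d{2})?"
)


def parse_ts(text):
    """Epoch seconds for one extracted timestamp; UTC is assumed when no zone is given."""
    dt = datetime.fromisoformat(text.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.timestamp()


def audit_event(raw, time_epoch, indextime_epoch, max_skew=3600):
    """The post's check in code: skew between _indextime and _time, and whether
    _time equals (to the second) any timestamp that appears in _raw."""
    candidates = {m: parse_ts(m) for m in TS_RE.findall(raw)}
    matched = [m for m, epoch in candidates.items() if abs(epoch - time_epoch) < 1]
    diff = indextime_epoch - time_epoch
    return {
        "diff": diff,
        "stale": abs(diff) > max_skew,    # _time further from _indextime than allowed
        "time_from_raw": matched,         # empty: _time came from nowhere in _raw
        "raw_timestamps": sorted(candidates),
    }


# Constructed event built from the values quoted in the post (not a real capture).
RAW = ('{"whenCreated":"2018-06-05 10:43:19+00:00","whenChanged":"2024-02-11 13:52:37+00:00",'
       '"pwdLastSet":"2019-07-24T06:41:44.698530Z","lastLogonTimestamp":"2019-07-24T06:41:44.282975Z"}')
INDEXTIME = parse_ts("2025-06-08 05:00:20+00:00")
WRONG_TIME = parse_ts("2020-01-13 10:00:01+00:00")


def demo():
    """Before: _time is years off and matches nothing in _raw.
    After DATETIME_CONFIG = CURRENT: _time equals _indextime, so the skew is 0."""
    before = audit_event(RAW, WRONG_TIME, INDEXTIME)
    after = audit_event(RAW, INDEXTIME, INDEXTIME)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```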
I am using the Synthetics browser test to track availability of our Citrix client application endpoints. The user journey:

1. access public url
2. sign into account (username, click next, password, click sign-in)
3. click the application icon
4. a new window loads with the application

Everything works great up to step 3. I cannot figure out how we track the new window. This is the key part, I need to know if this loads successfully.

I suspect it is not possible based upon reading the documentation but has anyone had a similar issue and successfully solved it?
Good points @PickleRick

So I guess further to my previous reply @L_Petch - Is there a firewall between Site1 and Site2, and if so are you able to verify that this isn't causing an issue here!

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
To be precise, "connection reset by peer" means that the other end sent a packet with a RST flag. This might happen when:

1) The traffic is not filtered but the port is not open on the other side. In this case a server would simply respond with RST to the initial SYN packet and no session would be established at all.

2) The session is established (there is a normal three-way handshake) but either:

2a) There is some low-level problem with the connection and the IP stack on the other end decides that it's unrecoverable and decides to close the session abruptly.

2b) There is some intermediate solution monitoring/inspecting/whatevering the traffic and breaking the connection in case it finds anything "wrong" or "suspicious". In my experience I encountered IPS solutions which would send spoofed RST both ways (to the client and server) because it was seeing unknown TLS certificates.

2c) The connection on the TCP level is working OK but there is some problem with a higher layer protocol and the protocol doesn't have signaling for that and doesn't allow for graceful shutdown and instead just closes the connection. Typical example is again TLS-oriented - when the server doesn't like the client's crypto proposals (or the client's certificate if you're using mTLS), it will send a TLS alert within the TLS negotiation session and then simply close the connection. It should be reflected in logs on the server's side in such case.

It's often good to get a network dump (tcpdump/wireshark) from both ends of the connection to see who's sending the RST and at which moment.
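The cases above as an added example that is not from the original reply: a small classifier over a capture taken at the client side, which uses the SYN/SYN-ACK/RST order for case 1, a TLS alert record from the server before the reset for case 2c, and the TTL of the RST compared with the server's own SYN-ACK as a heuristic for a middlebox-injected reset (case 2b); everything else with a completed handshake is reported as 2a. Addresses and captures are constructed, and the TTL heuristic assumes the path to the server is stable.

```python
# Constructed endpoint addresses; no real hosts involved.
CLIENT, SERVER = "10.0.2.15", "10.0.1.8"


def pkt(src, dst, flags, ttl=64, payload=b""):
    """Minimal packet record: the fields a tcpdump/wireshark line shows for this."""
    return {"src": src, "dst": dst, "flags": set(flags), "ttl": ttl, "payload": payload}


def classify_reset(packets, client, server):
    """Map a capture taken at the client to the numbered cases in the reply above."""
    saw_synack, server_ttl, tls_alert = False, None, False
    for p in packets:
        if not (p["src"] == server and p["dst"] == client):
            continue                     # only the server's packets matter here
        if {"SYN", "ACK"} <= p["flags"]:
            saw_synack, server_ttl = True, p["ttl"]
        if p["payload"][:1] == b"\x15":  # TLS record type 0x15 = alert
            tls_alert = True
        if "RST" in p["flags"]:
            if not saw_synack:
                return "1", "RST answered the SYN: port not filtered, but nothing listening"
            if tls_alert:
                return "2c", "TLS alert then close: check the server's TLS/certificate logs"
            if p["ttl"] != server_ttl:
                return "2b", "RST TTL differs from the SYN-ACK TTL: likely injected by a middlebox"
            return "2a", "server stack reset an established session: check server-side logs"
    return "none", "no RST from the server at this vantage point; capture the other end too"


def sample_captures():
    """Constructed captures, one per case (TTL 63 = server one hop away)."""
    syn = pkt(CLIENT, SERVER, ["SYN"])
    synack = pkt(SERVER, CLIENT, ["SYN", "ACK"], ttl=63)
    ack = pkt(CLIENT, SERVER, ["ACK"])
    hello = pkt(CLIENT, SERVER, ["ACK", "PSH"], payload=b"\x16\x03\x01")  # TLS handshake record
    alert = pkt(SERVER, CLIENT, ["ACK", "PSH"], ttl=63, payload=b"\x15\x03\x03")
    return {
        "closed_port": [syn, pkt(SERVER, CLIENT, ["RST", "ACK"], ttl=63)],
        "tls_rejected": [syn, synack, ack, hello, alert, pkt(SERVER, CLIENT, ["RST", "ACK"], ttl=63)],
        "ips_injected": [syn, synack, ack, hello, pkt(SERVER, CLIENT, ["RST"], ttl=250)],
        "stack_reset": [syn, synack, ack, hello, pkt(SERVER, CLIENT, ["RST", "ACK"], ttl=63)],
        "no_reset": [syn, synack, ack, hello],
    }


if __name__ == "__main__":
    for name, capture in sample_captures().items():
        print(name, *classify_reset(capture, CLIENT, SERVER))
```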
Hi @Leonardo1998

I see you found the SC4SNMP before I was able to reply.

Yes, you can install this on a server with other Splunk components without issue as long as it meets the hardware requirements.

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Hi @Lien

I assume your user has been assigned to a relevant group in Okta that is relevant to the Splunk application?

I have seen an issue before with users who have 100+ groups where the SAML response doesn't send the groups; I wonder if that could be the case here - does your user have a high count of groups in Okta?

I don't know if you have seen this but it may be useful? https://splunk.my.site.com/customer/s/article/SAML-user-unable-to-login

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Hi @tgulgund @PrewinThomas

You can set a default refresh time which will apply automatically to all data sources (unless a specific datasource is overwritten): edit the source of your dashboard and find the "defaults" section; under defaults->dataSources->ds.search->options create a new "refresh" key with a value containing your intended refresh interval, such as this:

{
  "title": "testing",
  "description": "",
  "inputs": {},
  "defaults": {
    "dataSources": {
      "ds.search": {
        "options": {
          "queryParameters": {
            "earliest": "-24h@h",
            "latest": "now"
          },
          "refresh": "60s"
        }
      }
    }
  },
  "visualizations": {
    ...
    ...
  }
}

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Hi @L_Petch

The "Connection reset by peer" error indicates that the TCP connection was established, but then abruptly closed by the remote side (the License Manager or a network device in between). This often happens during the SSL/TLS handshake or if the License Manager itself encounters an issue processing the request from the Site2 indexers.

Verify License Master URI Configuration:
Ensure the master_uri in $SPLUNK_HOME/etc/system/local/server.conf on the affected indexers (Site2) correctly points to the License Manager using HTTPS and port 8089.

[license]
master_uri = https://<LM_hostname_or_IP>:8089

Replace <LM_hostname_or_IP> with the actual hostname or IP address of your License Manager. Confirm this is resolvable from the Site2 indexers.

Check SSL/TLS Certificate and Configuration:
- Certificate Trust: The SSL certificate used by the License Manager on port 8089 must be trusted by the Site2 indexers. If using custom certificates, ensure the CA chain is correctly installed on the indexers.
- Test SSL Connection: From one of the problematic Site2 indexers, use openssl to test the SSL handshake directly:

openssl s_client -connect <LM_hostname_or_IP>:8089 -servername <LM_hostname_if_SNI_used>

This command can help identify SSL handshake failures and certificate issues. You may wish to try passing your certificate files:

openssl s_client -connect <LM_hostname_or_IP>:8089 -servername <LM_hostname_if_SNI_used> \
  -cert /path/to/your/client-cert.pem \
  -key /path/to/your/client-key.pem \
  -CAfile /path/to/your/ca-cert.pem

Check your logs:
- On affected indexers (Site2): Examine splunkd.log for more detailed messages around the "failed to send rows" error. Look for messages related to SSL, TLS, or connection failures.
- On the License Manager (Site1): Examine splunkd.log for any errors corresponding to connection attempts from the affected indexers' IPs. Look for SSL errors, resource issues, or licensing-specific messages.

Inspect Splunk Logs:
On your SH, search in _internal; something like this would be a good starting point:

index=_internal host=<hostname> sourcetype=splunkd (log_level=ERROR OR log_level=WARN) ("SSL" OR "handshake" OR "connection from" OR "LicenseManager")

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
@L_Petch

Check this:
https://community.splunk.com/t5/Splunk-Enterprise-Security/Unable-to-connect-to-license-master-since-certification/m-p/488156
https://community.splunk.com/t5/Security/Getting-an-issue-where-Splunk-hosts-can-t-reach-the-License/m-p/455396
Hello,

I am getting the below error on two of my indexers. The indexers in question are on a different site (Site2) to the other two indexers & license manager in the cluster (Site1). Site 1 is working correctly with the same configuration as the indexers for Site 2. My guess is networking, but both indexers can connect to the LM on this port and there are no issues showing on the firewall between the two. All troubleshooting I have tried doesn't show any connectivity issues. Anyone come across this problem and have a solution?

#######################################################################
HttpClientRequest [2156984 LMTrackerExecutorWorker-0] - Returning error HTTP/1.1 502 Error connecting: Connection reset by peer
ERROR LMTracker [2156984 LMTrackerExecutorWorker-0] - failed to send rows, reason='Unable to connect to license manager=https://****:8089 Error connecting: Connection reset by peer'
#######################################################################
I have a base search and multiple chain searches. Can you add refresh only to the base search? Will that refresh the other panels?
@tgulgund

Unfortunately I don't think Dashboard Studio can set auto refresh for the entire dashboard in a single config; auto-refresh is set per data source. You must define the refresh interval for each relevant data source in the dataSources section of your dashboard JSON. Eg:

"dataSources": {
  "myDataSource": {
    "type": "ds.search",
    "options": {
      "query": "your search here",
      "queryParameters": {
        "earliest": "-48h@h",
        "latest": "@h"
      },
      "refresh": "5m",
      "refreshType": "delay"
    }
  }
}

#https://docs.splunk.com/Documentation/Splunk/9.4.2/DashStudio/dsOpt

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks!
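The per-data-source refresh setting from this reply and the defaults-based version from the reply further up, as an added example that is not from either post: it computes the effective refresh interval of every data source (its own option, else the defaults entry for its type), flags a top-level "refresh" key of the kind the question tried, which is not a data source option, and applies the defaults fix in one place. The dashboard JSON is constructed in the shape shown in the thread.

```python
import copy
import json

# Constructed dashboard JSON in the shape from the thread (not a real dashboard):
# one ds.search with its own refresh, one without, a chain search, and the
# top-level "refresh" key from the question, which is not a data source option.
DASHBOARD_JSON = json.dumps({
    "title": "My Dashboard",
    "refresh": 300,
    "defaults": {"dataSources": {"ds.search": {"options": {
        "queryParameters": {"earliest": "-48h@h", "latest": "@h"}}}}},
    "dataSources": {
        "base": {"type": "ds.search", "options": {"query": "index=_internal | stats count"}},
        "chain": {"type": "ds.chain", "options": {"extend": "base", "query": "| head 1"}},
        "alerts": {"type": "ds.search", "options": {"query": "index=main", "refresh": "60s"}},
    },
    "visualizations": {}, "inputs": {}, "layout": {"type": "absolute"},
})


def load_sample():
    return json.loads(DASHBOARD_JSON)


def effective_refresh(dashboard):
    """Per data source: its own options.refresh, else the defaults entry for
    its type, else None (the precedence described in the replies)."""
    defaults = dashboard.get("defaults", {}).get("dataSources", {})
    out = {}
    for name, ds in dashboard.get("dataSources", {}).items():
        own = ds.get("options", {}).get("refresh")
        inherited = defaults.get(ds.get("type"), {}).get("options", {}).get("refresh")
        out[name] = own if own is not None else inherited
    return out


def audit(dashboard):
    """Findings to raise before shipping: the misplaced top-level key and any
    ds.search source that will never refresh."""
    findings = []
    if "refresh" in dashboard:
        findings.append("top-level 'refresh' is not a data source option; set it per data source or in defaults")
    for name, value in effective_refresh(dashboard).items():
        if dashboard["dataSources"][name].get("type") == "ds.search" and value is None:
            findings.append(f"data source '{name}' has no refresh interval")
    return findings


def set_default_refresh(dashboard, interval):
    """Copy with defaults.dataSources['ds.search'].options.refresh set (the
    single-place fix from the thread); explicit per-source values still win."""
    dash = copy.deepcopy(dashboard)
    opts = (dash.setdefault("defaults", {}).setdefault("dataSources", {})
            .setdefault("ds.search", {}).setdefault("options", {}))
    opts["refresh"] = interval
    dash.pop("refresh", None)  # drop the top-level key that does nothing
    return dash
```

Running `audit(load_sample())` lists two findings, and `audit(set_default_refresh(load_sample(), "5m"))` is empty.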
I am using splunk 9.3.2. I have visualisation panels added to my dashboard with multiple queries. I use a base search with the global time picker default value of 48 hours and subsequently use the chain searches. I need my entire dashboard to refresh after every 5 mins. I tried "refresh":300 but it doesn't work. Not sure what I am missing here.

{
  "visualizations": {},
  "dataSources": {},
  "defaults": {},
  "inputs": {},
  "layout": {
    "type": "absolute",
    "options": {
      "height": 2500,
      "backgroundColor": "#000000",
      "display": "fit-to-width",
      "width": 1550
    }
  },
  "description": "",
  "title": "My Dashboard",
  "refresh": 300
}