All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

All Posts

@altink - Surely you can do that. Go to classic Splunkbase.   Click on Manage App (You won't see this option if you are not the editor or owner of the App)   Click on any of the ver... See more...
@altink - Surely you can do that. Go to classic Splunkbase.   Click on Manage App (You won't see this option if you are not the editor or owner of the App)   Click on any of the version number for which you would like to update the release notes.   And here, you should be able to update the release notes or any other details.   I hope this is helpful!!! If this helps, kindly upvote and accept the answer.!!
How do you implement this using ansible playbook? I'm also stuck with this process of accepting the license in Splunk. I'm using user-seed.conf but it couldn't access the src path since I'm using git... See more...
How do you implement this using ansible playbook? I'm also stuck with this process of accepting the license in Splunk. I'm using user-seed.conf but it couldn't access the src path since I'm using gitlab as my repository.  - name: Generate Splunk Seed Password   ansible.builtin.set_fact:     splunk_seed_passwd: "{{ 'password' | password_hash('sha512') }}"   register: hashed_pwd   when: splunk_agent_status.rc != 0 - name: Create user-seed.conf file   ansible.builtin.template:     dest: /opt/splunkforwarder/etc/system/local/user-seed.conf     owner: root     group: root     mode: 0640     option: "{{ item.opt }}"     value: "{{ item.val }}"   with_items:   - {opt: 'USERNAME', val: 'admin'}   - {opt: 'HASHED_PASSWORD', val: '{{ hashed_pwd}}'}   become: true   when: splunk_agent_status.rc != 0
Hi @harishlnu  One of the ways is using Rest API - /rest/health of SOAR - status field contains all the daemons health information and additional info on resource utilization. https://docs.splunk.c... See more...
Hi @harishlnu  One of the ways is using Rest API - /rest/health of SOAR - status field contains all the daemons health information and additional info on resource utilization. https://docs.splunk.com/Documentation/SOAR/current/PlatformAPI/RESTInfo#.2Frest.2Fhealth To monitor I would run an external script or if you are using Splunk Enterprise - by using | restsoar command you can call the above Rest API and create an alert.  You should install official  https://splunkbase.splunk.com/app/6361 Splunk App for SOAR to use  | restsoar command. -------- Srikanth Yarlagadda  
This is a message saying that the server you're trying to send your emails with doesn't let you do so (at least not without proper authentication first). It's something you have work with your email ... See more...
This is a message saying that the server you're trying to send your emails with doesn't let you do so (at least not without proper authentication first). It's something you have work with your email server provider (or configure proper settings on your Splunk server).
I am getting the following error :   command="sendemail", (*****SMTP; Client was not authenticated to send anonymous mail during MAIL FROM', '*****.com') while sending mail to: it-security@durr.com
Hi @swaprks, If you're relying on automatic field-extraction, i.e. KV_MODE = auto and AUTO_KV_JSON = true or KV_MODE = json or INDEXED_EXTRACTIONS = JSON, only the nested fields are extracted, e.g.:... See more...
Hi @swaprks, If you're relying on automatic field-extraction, i.e. KV_MODE = auto and AUTO_KV_JSON = true or KV_MODE = json or INDEXED_EXTRACTIONS = JSON, only the nested fields are extracted, e.g.: initiatedBy.user.id targetResources{}.id Arrays are extracted as multi-valued fields, e.g.: targetResources{}.modifiedProperties{}.displayName := AccountEnabled StsRefreshTokensValidFrom UserPrincipalName UserType Included Updated Properties Automatic extraction of arrays of objects with array fields can also be confusing. To return the native JSON directly, extract the fields as part of your search: index=directoryaudit | eval json=json(_raw), initiatedBy=json_extract(json, "initiatedBy"), targetResources=json_extract(json, "targetResources") | fields id activityDisplayName result operationType correlationId initiatedBy resultReason targetResources category loggedByService activityDateTime  
Thank You @gcusello  But I do not own a Splunk system, so I have no Support account. I am just a developer, who has published two Apps at Splunkbase Should I ask via e-mail Splunk Developer in... See more...
Thank You @gcusello  But I do not own a Splunk system, so I have no Support account. I am just a developer, who has published two Apps at Splunkbase Should I ask via e-mail Splunk Developer instead ? best regards Altin
Hi @Mfmahdi , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors
Hi @aasserhifni , the apps distributed by Deployer are in this folder not in apps and aren't installed on the Deployer. is this app in the $SPUNK_HOME/etc/shcluster/apps of the Deployer? If this a... See more...
Hi @aasserhifni , the apps distributed by Deployer are in this folder not in apps and aren't installed on the Deployer. is this app in the $SPUNK_HOME/etc/shcluster/apps of the Deployer? If this app is in this folder, remove it and push again apps. Ciao. Giuseppe  
Hi you could read more, how to use btool check from https://dev.splunk.com/enterprise/tutorials/module_validate/validateapp/ r. Ismo
As a quick follow-up, the setting is recognized by all currently supported versions of Splunk Enterprise and present at least as far back as Splunk Enterprise 8.1; however, it's not documented.
Probably because you have an Invalid key in stanza [clustermaster:one] in /opt/splunk/etc/apps/org_cluster_search_base/local/server.conf,  pass4SymmKey
The Search Head Cluster Deployer is not the same as Deployment Server (yes, I know the naming can be confusing). BTW SH captaincy doesn't have anything to do with deploying apps.
Dears, kindly support why am I getting Invalid key in stanza [clustermaster:one] in /opt/splunk/etc/apps/org_cluster_search_base/local/server.conf,  pass4SymmKey  in my search heads cluster i make ... See more...
Dears, kindly support why am I getting Invalid key in stanza [clustermaster:one] in /opt/splunk/etc/apps/org_cluster_search_base/local/server.conf,  pass4SymmKey  in my search heads cluster i make sure that the same passkey in SHC and the deployer is the same. Thank you  
Hi @gcusello , the app was installed on a single search head neither the deployer  nor the search head master. When I apply your solutions, the files keep appearing after restarting the search head ... See more...
Hi @gcusello , the app was installed on a single search head neither the deployer  nor the search head master. When I apply your solutions, the files keep appearing after restarting the search head and also I don't have the option to disable either the app or the add on from the search head GUI. Thank you for understanding my odd situation.
Hi @aasserhifni , sorry but I don't understand: have you a Search Head Cluster or not? if you have a SHC you cannot directly install an app on a SH, and removing passes throgh the Deployer, if you ... See more...
Hi @aasserhifni , sorry but I don't understand: have you a Search Head Cluster or not? if you have a SHC you cannot directly install an app on a SH, and removing passes throgh the Deployer, if you don't have a SHC, you can remove an app, only removing the foder and restarting Splunk. Ciao. Giuseppe
You also need the list_all_users capability in your role, to list all users. For the alerts, your user needs permission to read the alert to fetch triggered alerts.
Hi, @PickleRick. The threatq app was only installed on a single search head neither the deployer nor the search heads captain. I tried removing everything related to threatq multiple times from this... See more...
Hi, @PickleRick. The threatq app was only installed on a single search head neither the deployer nor the search heads captain. I tried removing everything related to threatq multiple times from this search head but these file keep appearing again and also there is no disable option when I try to disable the threatq app or anything related to it from the search head gui
Hi, @gcusello . Sorry for my late reply. I already tried your solution but still have the same issue. Also mentioning that the threatq app was installed on a single search head not the deployer or t... See more...
Hi, @gcusello . Sorry for my late reply. I already tried your solution but still have the same issue. Also mentioning that the threatq app was installed on a single search head not the deployer or the search head captain
For future reference so that if someone finds this thread has full information - tell us what did you do to make things work in the end/what was the problem.