All Posts

Hi @Hassaan.Javaid, Did you get a chance to check out that linked post? 
Hi everyone, since our Splunk is not connected to the network, I wanted to know whether it is possible to use vt4splunk in offline mode.
Linux, RHEL 8.9. Splunk 9.2.0.1

Had a forwarder manager running (for years) with 2,000+ clients connecting. Did the upgrade from 9.1 to 9.2.0.1 and now have "No clients phoned home."

No firewall or selinux issues are noted.

Getting gazillions of:

03-21-2024 09:59:59.050 -0500 WARN AutoLoadBalancedConnectionStrategy [8459 TcpOutEloop] - Current dest host connection 10.14.8.107:9997, oneTimeClient=0, _events.size()=20, _refCount=1, _waitingAckQ.size()=0, _supportsACK=0, _lastHBRecvTime=Thu Mar 21 09:59:45 2024 is using 18446604244100536835 bytes. Total tcpout queue size is 512000. Warningcount=301

Funny thing is, that's the only "error" (warning) I have. It otherwise looks like it's seeing clients:

03-21-2024 09:59:15.468 -0500 INFO PubSubSvr [842449 TcpChannelThread] - Subscribed: channel=tenantService/handshake/reply/carmenw2pc/A265FEF1-4A37-4D58-90ED-AD1142694F05 connectionId=connection_10.14.72.83_8089_blah.domain.edu_blah_A265FEF1-4A37-4D58-90ED-AD1142694F05 listener=0x7f2c78d44000
Hi @Osama.Abbas, I'm still waiting to hear back from the Docs team. Have you found a solution you could share in the meantime?
Hi, I am working on a prototype of Splunk dashboards with 30+ panels. The dashboard panels are basically a comparison between upstream and downstream data/volume. The client would like to see arrow marks or lines between the panels to show the connections. Could you please share an XML source reference? Thanks, Selvam.
Hi @LearningGuy, as I said, you have to say what kind of string you want:

| makeresults
| eval num = 1
| eval var_type = typeof(num)
| eval num2 = tostring(num,"commas")
| eval var_type2 = typeof(num2)

Ciao. Giuseppe
@gcusello Yes, but why is the first one also a string? The first one is a number. Should I remove the " " from typeof? Thanks

| makeresults
| eval num = 1
| eval var_type = typeof(num)
| eval num2 = tostring("num")
| eval var_type2 = typeof(num2)

Thanks
Did you ever get a resolution on this? My deployment server stopped servicing clients -- started throwing this error. No firewall or selinux issues as suggested below...
Hi @LearningGuy, the second one is a string; you transformed it using the tostring function, in fact you have the commas. Ciao. Giuseppe
They both became String.     Num should be number.  Thanks  
Hello, I solved it by installing the credentials package of the universal forwarder again.

But now it is connected and I am not receiving data. Can you help me troubleshoot a Splunk deployment where I am sending high stick events to a heavy forwarder and the heavy has to forward them to the Splunk Cloud? These are the .conf files:

inputs.conf

[udp://1514]
sourcetype = pan:firewall
no_appending_timestamp = true
index = mx_paloalto
disabled = 0

[splunktcp://9997]
disabled = 0

outputs.conf

[tcpout]
defaultGroup = splunkcloud_20231028_9aaa4b04216cd9a0a4dc1eb274307fd1
useACK = true

[tcpout:splunkcloud_20231028_9aaa4b04216cd9a0a4dc1eb274307fd1]
server = inputs1.tenant.splunkcloud.com:9997, inputs2.tenant.splunkcloud.com:9997, inputs3.tenant.splunkcloud.com:9997, inputs4.tenant.splunkcloud.com:9997, inputs5.tenant.splunkcloud.com:9997, inputs6.tenant.splunkcloud.com:9997, inputs7.tenant.splunkcloud.com:9997, inputs8.tenant.splunkcloud.com:9997, inputs9.tenant.splunkcloud.com:9997, inputs10.tenant.splunkcloud.com:9997, inputs11.tenant.splunkcloud.com:9997, inputs12.tenant.splunkcloud.com:9997, inputs13.tenant.splunkcloud.com:9997, inputs14.tenant.splunkcloud.com:9997, inputs15.tenant.splunkcloud.com:9997
compressed = false
clientCert = $SPLUNK_HOME/etc/apps/100_tenant_splunkcloud/default/tenant_server.pem
sslCommonNameToCheck = *.tenant.splunkcloud.com
sslVerifyServerCert = true
sslVerifyServerName = true
useClientSSLCompression = true
autoLBFrequency = 120

[tcpout:scs]
disabled=1
server = tenant.forwarders.scs.splunk.com:9997
compressed = true
clientCert = $SPLUNK_HOME/etc/apps/100_tenant_splunkcloud/default/tenant_server.pem
sslAltNameToCheck = *.forwarders.scs.splunk.com
sslVerifyServerCert = true
useClientSSLCompression = false
autoLBFrequency = 120

server.conf

[general]
serverName = hvyfwd
pass4SymmKey = $7$7+sDZpk4U5p8+jEvGlsFjca8/McSNMoOO/O4HIN+nkKs0FoDGr5s6Q==

[sslConfig]
sslPassword = $7$FMfYp/ZEJtp12iajMolR3PORwlFOl4WgEuJSfl2YIjfBn7Dw7t/ILg==

[lmpool:auto_generated_pool_download-trial]
description = auto_generated_pool_download-trial
peers = *
quota = MAX
stack_id = download-trial

[lmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
peers = *
quota = MAX
stack_id = forwarder

[lmpool:auto_generated_pool_free]
description = auto_generated_pool_free
peers = *
quota = MAX
stack_id = free

[license]
active_group = Forwarder

And this is the output of the tcpdump:

[root@hvyfwd local]# tcpdump -i any udp port 1514
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
11:26:45.136626 IP static-confidential_ip.47441 > hvyfwd.fujitsu-dtcns: UDP, length 652
11:26:45.136752 IP static-confidential_ip.47441 > hvyfwd.fujitsu-dtcns: UDP, length 658
11:26:45.136771 IP static-confidential_ip.35720 > hvyfwd.fujitsu-dtcns: UDP, length 661
11:26:45.136796 IP static-confidential_ip.35720 > hvyfwd.fujitsu-dtcns: UDP, length 752
11:26:45.136861 IP static-confidential_ip.47441 > hvyfwd.fujitsu-dtcns: UDP, length 715
Hi @LearningGuy, what happens when you run:

| makeresults
| eval num = 1000
| eval var_type = typeof("num")
| eval num2 = tostring(num, "commas")
| eval var_type2 = typeof("num2")

Ciao. Giuseppe
Hello @gcusello , I tried and the same result..  see below..  thank you  
Hi @LearningGuy, see https://docs.splunk.com/Documentation/SCS/current/SearchReference/ConversionFunctions and try

| makeresults
| eval num = 1
| eval var_type = typeof('num')
| eval num2 = tostring(num, "commas")
| eval var_type2 = typeof('num2')

Ciao. Giuseppe
The KV_MODE (and AUTO_KV_JSON) are options needed on search-heads, not HFs/indexers.
Hello, how to convert a number to a string using the tostring function? I tried using the tostring function, but the result is still a number. See below. Thank you!!

| makeresults
| eval num = 1
| eval var_type = typeof('num')
| eval num2 = tostring(num)
| eval var_type2 = typeof('num2')
We're ingesting data using a REST API call, not a UF, but still experiencing the issue with duplicate values. We created an app using the Add-on Builder app then deployed it onto one of the HFs, which ingests and sends the data to Cloud. Settings on the HF:

KV_MODE = none
INDEXED_EXTRACTIONS = json

Any advice would be appreciated. Thanks, Toma
Hi, we have just installed the Aruba Networks add-on for Splunk, and I would like to have the dashboards that can be created from this add-on. Also, how can I get a table with SNR values vs AP vs users? Thx
Honestly kind of surprised here especially with the recent Cisco acquisition since this is using a Cisco technology. I feel like there would be more input on how we can do this.
Hi, I am trying to implement a custom app using Add-on Builder. I am running a REST call and getting this error:

Error: python ERROR HTTPSConnectionPool(host='*', port=*): Max retries exceeded with url: /*(Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at *>: Failed to establish a new connection: [WinError 10013] An attempt was made to access a socket in a way forbidden by its access permissions'))

I have tried adding "verify=False" in the Python script but it's not helping:

response = str ((requests.get(url, data = body, auth=(user, password))).text,verify=False)

Any idea what else could be the issue and how to fix it?