Hi scelikok,
I killed the IPs and restarted Splunk, but the data input with port 5514 is not deletable:
Error occurred attempting to remove :5514: Malformed IP address: :5514.
Here is the inputs file:
[splunktcp://9997]
connection_host = ip
[tcp://:5514]
connection_host = ip
host = splunkindex
index = linux
sourcetype = linux_messages_syslog
disabled = 1
Hi Team, we need to upgrade the OS to RHEL 8 for our AppD controller. Currently, the OS is at version Red Hat Enterprise Linux Server release 7.9 (Maipo). Please let us know if we could proceed to upgrade to RHEL 8 at this version of AppD. Thanks and Regards, Anand
Hi, I match all other characters except ( and ', and there must be one or more of those in any order and combination. You can test these at e.g. regex101.com. There are also descriptions of what all those anchors etc. mean. r. Ismo
Hi, as already said by @batabay, don't disable it. Even if you are using Splunk's internal certs, it's better than going without. If you have issues using them with e.g. cURL or other tools, you could accept those certs within the command, like "curl -k". The other (better) option is to just replace Splunk's internal certs with official certs. See https://docs.splunk.com/Documentation/Splunk/latest/Security/AboutsecuringyourSplunkconfigurationwithSSL and https://conf.splunk.com/files/2023/slides/SEC1936B.pdf r. Ismo
Hi, I suppose you mean that currentTimePeriodDay is the oldest data you have in a bucket before it has moved to the frozen state. I suppose that this app uses those two values to check how well data retention is working. I expect that you are familiar with how data is stored in Splunk buckets and which parameters need to be taken into account for when real retention (removing the bucket and its events) will happen? If not, there are a couple of old posts where we have discussed this challenge. There is also a good .conf presentation about it: https://conf.splunk.com/files/2017/slides/splunk-data-life-cycle-determining-when-and-where-to-roll-data.pdf I suppose that you could use this app and those limits to fine-tune the needed parameters in the indexes.conf file to ensure that your real event retention time is as close as possible to what you have defined in indexes.conf. r. Ismo
First, a couple of links that you should probably have around. This is a great flowchart for the whole pile o' stuff to do around an upgrade: https://community.splunk.com/t5/Installation/What-s-the-order-of-operations-for-upgrading-Splunk-Enterprise/m-p/408003 And of course the official docs: https://docs.splunk.com/Documentation/Splunk/latest/Installation/HowtoupgradeSplunk And there are a few gotchas with the upgrades you'll have to go through. While we don't know all the problems you'll have in your environment, the big ones that I'm aware of that you'll have to address are the upgrade to Python3 and the migration of kvstore to wired tiger. The former is documented here: https://docs.splunk.com/Documentation/Splunk/9.0.0/Installation/AboutupgradingREADTHISFIRST The latter is found in here, though I think it doesn't make it prominent enough - https://docs.splunk.com/Documentation/Splunk/9.0.0/Installation/AboutupgradingREADTHISFIRST (It ends up pointing you to here: https://docs.splunk.com/Documentation/Splunk/9.0.0/Admin/MigrateKVstore) There may be others; you should read through the About Upgrading docs for each version with an eye on your environment and how it's set up. For instance, here's the one for the 8.1.14 upgrade: https://docs.splunk.com/Documentation/Splunk/8.1.14/Installation/HowtoupgradeSplunk I know, it seems boring. But doing so will pay off in the end! Happy Splunking! -Richfez
client_ip is not getting returned. I have tried using values() and count by.
I tested that the rex for client_ip returns values using the test below, and it does.
index=_network snat IN (10.10.10.10*,20.20.20.20*)
| rex field=client "^(?<client_ip>.*?)\:(?<client_port>.*)" ``` this applies to index _network ```
| table client_ip
Above returns just a list of IPs from our clients.
Hi, I think the most important thing for you is to check that all your apps etc. work with Python3 and fulfil the other requirements that have come with 8.x and also with 9.x. I suppose that you have several apps and TAs which you must/should update to the latest suitable versions. At least some of those need to be updated first to 8, then after updating Splunk to 8.x you can update those to the latest version. One issue could be finding versions which work with Splunk 8.x, as splunkbase doesn't have all versions, and especially finding documentation which tells how you should upgrade those (e.g. DBX etc.)! I propose that after you have upgraded to 8.x you use the upgrade readiness app to check that everything is ok and fix what is needed! I suppose that you have already read this: https://lantern.splunk.com/Splunk_Platform/Product_Tips/Upgrades_and_Migration/Upgrading_the_Splunk_platform For UFs, I think that you can update those after you have updated to 9.1.x. Depending on your UF version, you probably need to update those in several steps if needed? r. Ismo
Hi @shrinathkumbhar, if you are a Splunk Partner, you can access Splunk Show (https://show.splunk.com/login/?redirect=/) where you can find many demo environments (also ES), but it isn't open to all. Ciao. Giuseppe
Hi @premrajvs, you can input these files on an HF in the same way as on a UF, and also via the GUI (it's easiest). Then you can forward them to the indexers. Why do you want to install a UF on the same server? Ciao. Giuseppe
L.s., we are at the beginning of a migration to SmartStore. We are reading/following "Migrate existing data on an indexer cluster to SmartStore" in the Splunk Documentation. One thing is worrying us: bullet 7 in "Run the migration on the indexer cluster". It says "Stop all the peer nodes."... not so nice on a production cluster. Is this really necessary? Isn't it possible to do this part with the deployment from the MC, so that not all peers go down at the same time (and lose data)? Thanks in advance for the answer. Jari
Hi @hinako, good for you, see you next time! Let me know if I can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking, Giuseppe P.S.: Karma Points are appreciated
How can I sum all the times together? stats sum did not work for me. In addition, I also need to add | stats count(event_id) and get the count of critical alerts in order to compute Event Count / Total Time and get an average of how much time it takes to close an alert by severity.