All Posts


Hi, are you sure that you have a Trial license and not a Free license? Splunk Free doesn't contain a user license (Auth). There is only a system user for internal use, but no real user like admin. The Splunk Enterprise Trial license (valid for 60 days after installation) has (at least one) user license (the Auth option in the license file). Based on the documentation, it has all features allowed that a normal license has, except that it's just for a single-instance, standalone version (e.g. no LM or any cluster features).

    <features>
      <feature>Auth</feature>
      <feature>FwdData</feature>
      <feature>RcvData</feature>
      <feature>LocalSearch</feature>
      <feature>DistSearch</feature>
      <feature>RcvSearch</feature>
      <feature>ScheduledSearch</feature>
      <feature>Alerting</feature>
      <feature>DeployClient</feature>
      <feature>DeployServer</feature>
      <feature>SplunkWeb</feature>
      <feature>SigningProcessor</feature>
      <feature>SyslogOutputProcessor</feature>
      <feature>AllowDuplicateKeys</feature>
    </features>

See more about those licenses at https://docs.splunk.com/Documentation/Splunk/9.1.2/Admin/TypesofSplunklicenses r. Ismo
Hi, will disabling the app (ES Content Updates) affect the functionality of Enterprise Security? Thanks. Regards
Both of these options are not working and Splunk is not able to extract the bizMsgIdr from the field Properties.appHdr. Can you please provide some other way to extract this text?
I also tried it using the CLI, with `splunk add user -password -role -auth`, but I got an error there as well: "WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details. Requires license feature='Auth'". How can I solve the problem?
Hello, I want to add a user to Splunk. I have a free license trial, and there is no "USER" or "ADD USER" on my interface in Splunk Enterprise. How else can I do that?
Hi, I'm not sure if I understood your question correctly ;-( As long as you have your license in one LM and you can connect all search peers (even from several indexer clusters) to this same LM, it's ok. But you cannot install the same license file into several LMs. If that is needed, then you need to ask Splunk support to split that license into several license files and delete the original. r. Ismo
Hi, as @PickleRick already said, you must have a plan and test it before doing it on a production server! Here are some old posts which tell how you could do it. But if/when you have already done it, these are just for next time. Some of those also discuss what was done wrongly and how it could be fixed. But as said, it's really hard to guess what the issue is without seeing your environment. I also prefer to use rpm instead of tar on RH systems.
https://community.splunk.com/t5/Installation/How-to-migrate-indexes-to-new-indexer-instance/m-p/528064/highlight/true
https://community.splunk.com/t5/Installation/What-are-the-steps-for-Splunk-enterprise-migration-physical-to/m-p/648565/highlight/true
r. Ismo
Hi, that "earliest=-1w@w" is correct to get all events from 1 week backwards, starting from the first day of that week. Based on that, you should get the events you want. Have you looked in _internal to see whether this report hasn't run, or is it just your email system which cannot manage it due to the amount of events or something else? BUT you have this "stats count by user _time", which calculates how many times a user existed at a particular time, which can be e.g. a millisecond. That could lead you to count every event separately, which probably is not what you are looking for? Maybe you want those events on e.g. a daily basis (add "|bin span=1d _time" before stats)? r. Ismo
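To make the two points in the reply above concrete (how "-1w@w" resolves, and why "stats count by user _time" without a bin yields one row per event), here is an added Python example that is not part of the original post or of Splunk's own code. It resolves Splunk-style relative time modifiers against a fixed "now" and then emulates "| bin span=1d _time | stats count by user _time" over constructed sample events. The assumptions are mine: "@w" snaps to Sunday 00:00 (Splunk's "@w0"), tokens apply left to right (offset then snap in "-1w@w", snap then offset in "@w-1d"), the time range is earliest <= _time < latest, and only the units s/m/h/d/w and w0..w6 are handled (no mon/q/y).

```python
"""Added example: resolve Splunk-style relative time modifiers and emulate
`| bin span=1d _time | stats count by user _time` over constructed events.
Assumptions: @w = Sunday 00:00, tokens applied left to right, range is
earliest <= _time < latest, units s/m/h/d/w and w0..w6 only."""
import re
from collections import Counter
from datetime import datetime, timedelta

NOW = datetime(2024, 1, 17, 15, 42, 10)  # constructed "now": a Wednesday

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400}
_TOKEN = re.compile(r"([+-]?\d+)([smhdw])|@(w[0-6]?|[smhdw])")


def _snap(t, unit):
    """Truncate t to the start of `unit`; w/w0 = Sunday, w1 = Monday, ..., w6 = Saturday."""
    if unit == "s":
        return t.replace(microsecond=0)
    if unit == "m":
        return t.replace(second=0, microsecond=0)
    if unit == "h":
        return t.replace(minute=0, second=0, microsecond=0)
    day = t.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "d":
        return day
    target = 6 if unit in ("w", "w0") else int(unit[1]) - 1  # Python: Monday=0 ... Sunday=6
    return day - timedelta(days=(day.weekday() - target) % 7)


def resolve(modifier, now=NOW):
    """Resolve a relative time modifier such as "-1w@w" or "@d-2h" to a datetime."""
    if modifier == "now":
        return now
    t, pos = now, 0
    for m in _TOKEN.finditer(modifier):
        if m.start() != pos:  # gap between tokens: unparsable text
            break
        pos = m.end()
        if m.group(3):  # snap-to token
            t = _snap(t, m.group(3))
        else:  # signed offset token
            t += timedelta(seconds=int(m.group(1)) * _UNIT_SECONDS[m.group(2)])
    if pos != len(modifier):
        raise ValueError(f"unsupported modifier: {modifier!r}")
    return t


# Constructed events (timestamp, user); Jan 7-13 2024 is the week before NOW's week.
EVENTS = [
    (datetime(2024, 1, 6, 23, 59, 59), "alice"),        # Saturday before: excluded
    (datetime(2024, 1, 7, 0, 0, 0), "alice"),            # first second of the week
    (datetime(2024, 1, 7, 8, 15, 0), "alice"),
    (datetime(2024, 1, 7, 8, 15, 0, 250000), "alice"),   # 250 ms later: a different _time
    (datetime(2024, 1, 7, 8, 15, 0), "bob"),
    (datetime(2024, 1, 9, 12, 0, 0), "alice"),
    (datetime(2024, 1, 13, 23, 59, 59), "bob"),
    (datetime(2024, 1, 14, 0, 0, 0), "bob"),             # next week: excluded
]


def _bin(ts, span_days):
    """bin span=<N>d: floor to midnight, then to a multiple of N days from the epoch."""
    day = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    return day - timedelta(days=(day - datetime(1970, 1, 1)).days % span_days)


def search(events, earliest="-1w@w", latest="@w", span_days=None, now=NOW):
    """Emulate: earliest=.. latest=.. [| bin span=<N>d _time] | stats count by user _time
    Returns sorted (user, _time as ISO string, count) rows."""
    lo, hi = resolve(earliest, now), resolve(latest, now)
    counts = Counter()
    for ts, user in events:
        if lo <= ts < hi:
            counts[(user, _bin(ts, span_days) if span_days else ts)] += 1
    return sorted((u, t.isoformat(), c) for (u, t), c in counts.items())


if __name__ == "__main__":
    print("earliest=-1w@w ->", resolve("-1w@w"), "| latest=@w ->", resolve("@w"))
    for span, label in ((None, "stats by raw _time (one row per event)"), (1, "bin span=1d first")):
        print(f"\n{label}:")
        for row in search(EVENTS, span_days=span):
            print("  ", *row)
```

Without the bin, the six in-range events come back as six rows of count 1 because two of alice's events differ only by 250 ms; with span=1d the same data collapses to four rows and alice shows 3 for 2024-01-07.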
Hi, getting an exact retention time for e.g. 1y in Splunk could be almost mission impossible. There are several parameters by which Splunk decides when it removes those buckets which have all events older than your defined retention time! You must understand that when Splunk calculates retention, in reality it's for all events in a bucket! It's not event based, as the smallest storage unit is a bucket, not an event. Practically this means that Splunk can remove a bucket when all events in that bucket are older than your defined retention. In your case, you have quite a low event volume, which means that you could have one bucket which contains events from several months (max 15GB divided by 30MB divided by #hot buckets for that index). Usually you have several (default is 3) active hot buckets (per search peer) at the same time, where Splunk can write new events. The default for keeping a bucket as hot is 90d, or until it becomes full or you restart Splunk. There are also some other parameters which could affect this! Here are some links where you could learn more about how this actually works:
https://conf.splunk.com/files/2017/slides/splunk-data-life-cycle-determining-when-and-where-to-roll-data.pdf
https://docs.splunk.com/Documentation/Splunk/9.1.2/Indexer/Bucketsandclusters
https://community.splunk.com/t5/Splunk-Search/How-can-I-find-the-data-retention-and-indexers-involved/m-p/645365/highlight/true
https://community.splunk.com/t5/Getting-Data-In/Indexes-configuration/m-p/564276
https://community.splunk.com/t5/Splunk-Enterprise/Splunk-shows-only-9-months-270-days-data-How-do-I-increase-the/m-p/624944#M14863
https://community.splunk.com/t5/Getting-Data-In/What-counts-for-Splunk-retention-time-if-events-come-in-with-a/td-p/601655
r. Ismo
Hi @jbates58, at first, on the server containing the indexes, don't use the main index, but create a custom index (e.g. firewalls), then for this new index define the retention you want (one year). Then assign the new index name to the inputs that you should have on your Forwarders. At last, when you ingest more logs, you should monitor your index to understand if the size you configured is correct or if you need to enlarge it. Ciao. Giuseppe
Ok. To put it bluntly - if you don't want to put any effort into it and just want it done, pay someone to do it for you - Splunk Professional Services or your local friendly Splunk Partner. I don't think you understand what this community is. It's not "someone at Splunk". This is a forum where volunteers, not affiliated with Splunk as a company, choose to give their time and effort to _help_ other people, not to do someone else's job for free.
Hi @Siddharthnegi, you have to identify the add-on where the lookup is defined and disable this automatic lookup in props.conf. This is one of the reasons why I don't use automatic lookups. Ciao. Giuseppe
AdLdapConnector :Saving state: { "app_version": "2.2.1" }
{"identifier": "set_password", "result_data": [{"data": [{"user_dn": "cn=uba,ou=sec-user,dc=seclab,dc=lab", "samaccountname": "uba", "set": false}], "extra_data": [], "summary": {"set": false}, "status": "failed", "message": "unwillingToPerform: Make sure account in asset has permissions to Set\n Password and password meets complexity requirements", "parameter": {"use_samaccountname": true, "user": "uba", "password": "ubapass", "confirm_password": "ubapass"}, "context": {}}], "result_summary": {"total_objects": 1, "total_objects_successful": 0}, "status": "failed", "message": "1 action failed", "exception_occured": false, "action_cancelled": false}
Traceback (most recent call last):
  File "/opt/phantom/apps/adldap_*.py", line 32, in <module>
    raise Exception("Action Failed")
Exception: Action Failed
Please help to get results.
Hi All, I need to display the results the same as below:

    |chart count over API by StatusCode

    API   200   300   400   400   total
    ---   ---   ---   ---   ---   -----

but I need to display more fields behind API, like host and method as well:

    API   host   method   200   300   400   total
    ---   ----   ------   ---   ---   ---   -----

Please help to get the results.
Could not load lookup=LOOKUP-minemeldfeeds_dest_lookup. I am getting this error in one of the dashboard panels, any solutions?
Hi @hieuba, could you please share with us your old dashboard query (SPL) for the custom Missile Map Dashboard, so that we can try to reproduce it in Dashboard Studio. Thanks.
Hi @inventsekar, you're correct, I have a custom Missile Map Dashboard (only the JS code was changed), and I want to define it as a visualization type in Splunk Dashboard Studio.
Here are the contents of that page. I have redacted a little bit of info relating to the environment.
Hi @jbates58, yes, at times the retention policy may give you a difficult time. On the DMC server, please check this: Settings > Monitoring Console > Indexing > Indexes and Volumes > Index Detail: Instance. EDIT - please check the docs at https://docs.splunk.com/Documentation/Splunk/9.1.2/Admin/Indexesconf. One thing to remember: frozenTimePeriodInSecs vs maxTotalDataSizeMB can cause confusion as well (I remember that whichever comes first will apply and take precedence over the other).
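The retention thread above makes three related points: retention is evaluated per bucket, not per event (Ismo's reply); a custom index such as "firewalls" should carry its own one-year retention (Giuseppe's reply); and frozenTimePeriodInSecs and maxTotalDataSizeMB compete, with whichever is hit first winning (the reply just above). The following Python simulation is an added example and not code from any of the posts or from Splunk. It parses a constructed indexes.conf stanza and applies the two settings to constructed buckets so the interaction can be seen in numbers. Assumptions of mine: a warm/cold bucket is frozen by age once its latest event is older than frozenTimePeriodInSecs; when the index exceeds maxTotalDataSizeMB the oldest remaining buckets (by latest event) are frozen first; hot buckets are never frozen here; and "frozen" means deleted (no coldToFrozenDir). The default values used for missing settings are Splunk's documented defaults (188697600 s and 500000 MB); the bucket names, sizes and timestamps are made up.

```python
"""Added example: simulate which buckets of a Splunk index get frozen under
frozenTimePeriodInSecs and maxTotalDataSizeMB. Assumptions: age is judged by
the bucket's latest event, size pressure freezes oldest-first, hot buckets
are never frozen, freezing deletes. All data below is constructed."""
import configparser
from dataclasses import dataclass

# Constructed indexes.conf stanza for the custom index suggested in the thread.
# 31536000 s = 365 days; 15000 MB is an arbitrary cap chosen for the example.
INDEXES_CONF = """
[firewalls]
homePath   = $SPLUNK_DB/firewalls/db
coldPath   = $SPLUNK_DB/firewalls/colddb
thawedPath = $SPLUNK_DB/firewalls/thaweddb
frozenTimePeriodInSecs = 31536000
maxTotalDataSizeMB = 15000
"""

DEFAULTS = {"frozenTimePeriodInSecs": 188697600, "maxTotalDataSizeMB": 500000}


def load_index_settings(text, index):
    """Return the two retention settings for `index`, falling back to Splunk defaults."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the camelCase setting names as written
    cp.read_string(text)
    sec = cp[index] if cp.has_section(index) else {}
    return {k: int(sec.get(k, v)) for k, v in DEFAULTS.items()}


@dataclass
class Bucket:
    name: str
    earliest: int   # epoch seconds of the oldest event in the bucket
    latest: int     # epoch seconds of the newest event in the bucket
    size_mb: int
    hot: bool = False


DAY = 86400
NOW = 1_705_000_000  # constructed "now" in epoch seconds

# Constructed low-volume index: each bucket spans months, plus one open hot bucket.
BUCKETS = [
    Bucket("db_1", NOW - 800 * DAY, NOW - 520 * DAY, 6000),   # every event older than a year
    Bucket("db_2", NOW - 520 * DAY, NOW - 300 * DAY, 6000),   # straddles the 365-day line
    Bucket("db_3", NOW - 300 * DAY, NOW - 90 * DAY, 5000),
    Bucket("hot_v1_4", NOW - 90 * DAY, NOW, 200, hot=True),
]


def frozen_buckets(buckets, settings, now=NOW):
    """Return (names frozen in order, {name: which setting triggered it})."""
    max_age = settings["frozenTimePeriodInSecs"]
    max_mb = settings["maxTotalDataSizeMB"]
    frozen, reasons = [], {}
    # Rule 1: age, judged by the bucket's LATEST event, never by individual events.
    for b in buckets:
        if not b.hot and now - b.latest > max_age:
            frozen.append(b.name)
            reasons[b.name] = "frozenTimePeriodInSecs"
    # Rule 2: size; freeze the oldest remaining non-hot buckets until under the cap.
    remaining = [b for b in buckets if b.name not in reasons]
    total = sum(b.size_mb for b in remaining)
    for b in sorted((b for b in remaining if not b.hot), key=lambda b: b.latest):
        if total <= max_mb:
            break
        frozen.append(b.name)
        reasons[b.name] = "maxTotalDataSizeMB"
        total -= b.size_mb
    return frozen, reasons


def oldest_retained_event(buckets, frozen):
    """Epoch seconds of the oldest event still searchable after freezing."""
    return min(b.earliest for b in buckets if b.name not in frozen)


if __name__ == "__main__":
    s = load_index_settings(INDEXES_CONF, "firewalls")
    frozen, reasons = frozen_buckets(BUCKETS, s)
    print("settings:", s)
    print("frozen:", [(n, reasons[n]) for n in frozen])
    age_days = (NOW - oldest_retained_event(BUCKETS, frozen)) // DAY
    print(f"oldest searchable event is {age_days} days old despite 365-day retention")
    tight = dict(s, maxTotalDataSizeMB=8000)
    print("with maxTotalDataSizeMB=8000:", frozen_buckets(BUCKETS, tight)[0])
```

With the stanza as written only db_1 is frozen, yet the oldest searchable event is 520 days old, because db_2's latest event is still inside the year and a bucket is kept or dropped whole. Lowering maxTotalDataSizeMB to 8000 freezes db_2 as well, on size rather than age, which is the "whichever comes first" behaviour the reply describes.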