Sourcetype is the "kind" of messages you get. It's not about what is contained within those events but how they're represented. If you want a nice and easy way of searching for events with a similar "meaning", you can use tags or eventtypes. You might also want to dig into datamodels.
The name of the Splunk Slack channel has changed, but you can access it with the URL given by @ITWhisperer. I suppose that you could ask for reactivation of your current account via http://splk.it/slack. There haven't been many people to manage those requests, so you must be prepared to wait some time.
It doesn't appear this is a feature. Tried all the existing solutions but they are all old and none of them work with 2025 Dashboard Studio.
The link above is out of date.  The current link is: https://download.splunk.com/products/universalforwarder/releases/6.4.6/windows/splunkforwarder-6.4.6-6635aa31e851-x86-release.msi
I think perhaps there's some mix-up in terminology that is making it harder to communicate the goal. Splunk Enterprise is Splunk's core data platform product for on-premises installation. It can be used to collect observability (o11y) data. Splunk Cloud (AKA Splunk Cloud Platform) essentially is Splunk Enterprise on a public cloud provider (AWS, GCP, or Azure). Splunk Observability Cloud is Splunk's o11y product offering and is distinct from both Splunk Enterprise and Splunk Cloud. This product is available only as a cloud offering. Splunk Real User Monitoring (RUM) and Splunk Synthetic Monitoring are other separate Splunk products. That said, can you please re-state the goal?
Thanks for the suggestion PickleRick, I've also submitted a false positive report at https://www.clamav.net/reports/fp.
We are currently using Splunk Enterprise on-premises, and the client has expressed plans to migrate to Splunk Cloud. In addition, they have clearly stated the need to work specifically on Synthetic Monitoring and Real User Monitoring (RUM). While it appears they intend to adopt Splunk Cloud as the primary observability platform, I would like to confirm whether their strategy involves solely utilizing Splunk Cloud or if they intend to integrate with AWS or Azure cloud platforms as part of the observability or hosting architecture. Could you please provide guidance or clarity on whether the migration includes leveraging Splunk Cloud hosted on a public cloud provider (e.g., AWS or Azure), or if there is a broader hybrid/cloud-native observability strategy in play?
We are doing a dry run of a Splunk 9.0.2 upgrade to 9.2.4, and when running `splunk show kvstore-status` we just get status "starting". How do we get this started? Bear in mind that we will be running this in prod in the near future.

/opt/splunk/bin/splunk show kvstore-status
WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details.
This member:
backupRestoreStatus : Ready
disabled : 0
guid : 9AEF8531-6F71-46C8-AC9F-F4EEE7FFE8DB
port : 7511
standalone : 0
status : starting
storageEngine : wiredTiger
/opt/splunk/bin/splunk show kvstore-status
WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details.
Your session is invalid. Please login.
Splunk username: admin
Password:
This member:
backupRestoreStatus : Ready
disabled : 0
guid : 9AEF8531-6F71-46C8-AC9F-F4EEE7FFE8DB
port : 7511
standalone : 0
status : starting
storageEngine : wiredTiger
I think I was going too far down that particular rabbit hole. I was planning to combine audit.log and linux secure into one sourcetype but finally realized there's no good reason for doing that when I can just call on both types.
That was a great catch! But that was just a typo on my part. All of this is happening on an air-gapped system, so I'm having to hand-jam all this over.
Hi livehybrid, thanks for your answer. I finally found the solution to this, and it was easier than ever. There's a note in the SC4S guide saying that "When configuring a fortigate fortios device for TCP syslog, port 601 or an RFC6587 custom port must be used. UDP syslog should use the default port of 514." I read this and tried it at a first stage, but it did not seem to work then, basically because I was using some test events sent via netcat without specifying any newline character. I have tried it again, simply adding a "\r\n" at the end of the event blob and setting this environment variable in the SC4S env file:

SC4S_LISTEN_RFC6587_PORT=601

It works perfectly now; also tried in the production environment with live events. Regards
"With 9 indexers and an RF of 3, each data bucket will be replicated across 3 of the 9 indexers. This means that any given bucket will have 3 copies, ensuring redundancy and high availability."

This is not entirely true.

1. "Ensuring" redundancy and HA depends on the organization's risk acceptance level. But more importantly:
2. "each data bucket will be replicated across 3 indexers" suggests that the whole bucket data will be replicated, which is not true, as you pointed out earlier mentioning RF and SF.
Hi @TheJagoff

If you do not want your main index buckets to be frozen then you should set both coldToFrozenDir and coldToFrozenScript to blank values (which is the default unless specified elsewhere).

coldToFrozenDir =
coldToFrozenScript =

By not setting coldToFrozenDir and not having a coldToFrozenScript, you effectively cause the data to be deleted when frozen.

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing.
Thanks so much for the info! The app I was working in was Mission Control, going along with the video, but your suspicion about the ES version is probably spot on. This video is two years old, and I just upgraded to the latest version recently. This was the video: https://youtu.be/xhfb5Cc11Tg?t=177

I understand what you mean about creating the event from the analyst queue. I'm just confused about how to add more searched events when performing manual searches. There is an events tab within the investigation. What I'm seeing is that you would go to the Search tab, and if you find anything else of interest you should be able to add it along to the investigation you created. Right now the only way I can populate additional searches into this tab is by using the add events macro, which works fine, but this can cause accidental additions if my SPL catches other entries in my search which I don't want added to the investigation. Seems like a better way would be to allow me to manually add the event by finding the search myself and telling Splunk to add it. Hope that makes sense?

I did training on the previous version of Splunk for investigations; this newer Mission Control is totally different and appears to lack some of the functionality in the older version? Or perhaps I'm just missing something in terms of workflow for investigations in this version of Splunk ES. I see Response is probably the primary tab to work in, but it feels lacking at the moment. Probably because everything is defaulted at the moment.
I have a coldToFrozenScript that controls all of the indexes at an installation. I want the data in the "main" index to simply be deleted when it's time to be frozen. My question is, if I set the coldToFrozenDir for the "main" stanza in indexes.conf to a blank, will it delete the buckets?

coldToFrozenDir =

Thank you.
Hello @livehybrid. It works. Thanks a lot.
Yes, this is exactly what I expected. Thank you for confirming the way it works.
There is most probably a better way to achieve your goal. Try to describe the logic behind what you're trying to do. Anyway,

| dedup A | table A

is usually _not_ the way to go. You'd rather want to do

| stats values(A) as A | mvexpand A
Thanks a lot @ITWhisperer, but it seems like my account was deactivated. Could you help me out to restore it? Thanks.