All Posts

Following three logs:
"Unexpected event id" (9.1.2 still logs)
"Invalid ACK received from indexer" (9.1.2 should not log)
"Got unexpected ACK with eventid" (9.1.2 should not log)
What exactly is the issue you are hitting?
Hi, Everyone! Starting to think about your agent management strategy? Check out topical questions to spur your planning and inspire more questions: Smart Agent FAQ | Strategy. How does Smart Agent manage existing agents—or new planned ones? What if there are hundreds, or more? How will it really work for your day-to-day? What do you think? Our team would love to hear your thoughts, including how we can add to and improve the FAQ. Please do share your impressions, considerations, and questions below. Our Smart Agent FAQ has a lot of information about Smart Agent and related features. We thought you might appreciate this quick way to get to the topics that most interest you, paired with a place to ask questions and enlarge on your take...
Hi, Everyone! What are Smart Agent's requirements? Here's a key question before getting started: What are the requirements? Smart Agent FAQ | Requirements. What do you think? We've started with the requirements questions we knew you'd want, plus questions others have already asked. Our team would love to hear your thoughts, including how we can add to and improve the FAQ. Please do share your impressions, considerations, and questions below. Our Smart Agent FAQ has a lot of information about Smart Agent and related features. We thought you might appreciate this quick way to get to the topics that most interest you, paired with a place to ask questions and enlarge on your take...
Hi, Everyone! What about environments supported with Smart Agent? Find out what environments and features are supported, as well as what may be coming down the line. Post your questions and we will be sure to address them. The future of Smart Agent depends on your needs! Smart Agent FAQ | Supported Environments. What do you think? Our team would love to hear your thoughts, including how we can add to and improve the FAQ. Please do share your impressions, considerations, and questions below. Our Smart Agent FAQ has a lot of information about Smart Agent and related features. We thought you might appreciate this quick way to get to the topics that most interest you, paired with a place to ask questions and enlarge on your take...
Hi, Everyone! Concerned about costs or support with Smart Agent? Spoiler alert: You don't need to buy additional licenses to use Smart Agent. Check out the other most frequently asked questions about this here: Smart Agent FAQ | Licenses and Packages. What do you think? Our team would love to hear your thoughts, including how we can add to and improve the FAQ. Please do share your impressions, considerations, and questions below. Our Smart Agent FAQ has a lot of information about Smart Agent and related features. We thought you might appreciate this quick way to get to the topics that most interest you, paired with a place to ask questions and enlarge on your take...
Hi, Everyone! Get to know some of the basics around using Smart Agent to simplify agent management tasks, such as its value and what specific features are available. Smart Agent FAQ | Simplified Agent Management Basics. There, find out how we define smart agent management, installation requirements and details, a high-level outline of value in this v23.11 release, and more... What do you think? Our team would love to hear your thoughts, and how we can improve the FAQ. Please do share your impressions, considerations, and questions below. Our Smart Agent FAQ has a lot of information about Smart Agent and related features. We thought you might appreciate this quick way to get to the topics that most interest you, paired with a place to ask questions and enlarge on your take...
Looks like it works, but the received results are the same for each host. I have 7 of 8 servers offline and they all show received responses.
Thanks, it's fixed now.
Hi, I have noticed over the last 4 days I had an increased number of Search Bundle replication errors:

12-21-2023 09:50:12.604 +0000 WARN ConfReplicationThread [9209 ConfReplicationThread] - Error pushing configurations to captain=https://searchHeadCaptain:8089, consecutiveErrors=1 msg="Error in acceptPush: Non-200 status_code=400: ConfReplicationException: Cannot accept push with outdated_baseline_op_id=16ed9160640170315673324237791a4cfe256d59; current_baseline_op_id=cd93950208af34df00957e721b87128d3629d2d1"

These occur in groups every 4 hours. I have also seen CPU spikes on the Search Heads that started occurring at the same time and also every 4 hours. Further investigation has shown that the following events from conf.log have also been occurring at the same time every 4 hours:

{
  component: ConfOp
  data: {
    applied_at: 1703264397
    asset_id: 220d8bbce6d790850cda3980c5784c62b1a9f9ff
    asset_uri: [ ... ]
    from_repo: https://searchHeadCaptain:8089
    op_id: 102aa206f930da5eef0d47163b354c61254566c5
    optype: 2
    optype_desc: WRITE_STANZA
    payload: {
      alias: Risk
      metadata: {
        permissions: { }
      }
      value: ***TRANSIENT***://6613
    }
    payload_extra: ***ALLOW_SKIP_ON_WRITE***
    status: applied
    task: pullFrom
    to_repo: https://searchHeadPeer.com:8089
    to_repo_change_count: 20214
  }
  datetime: 12-22-2023 16:59:57.097 +0000
  log_level: INFO
}

Does anyone know what these events mean and how I can find out what is causing them?

Bundle replication errors: (screenshot not included)
conf.log events: (screenshot not included)
CPU spikes: (screenshot not included)
Hi, No. It's:

jdbc:sqlserver://hostname.kusto.windows.net:1433;databaseName=DBName;selectMethod=cursor;encrypt=true;hostNameInCertificate=*.kusto.windows.net;authentication=ActiveDirectoryServicePrincipal;

And I have aadSecurePrincipalId (clientID) and aadSecurePrincipalSecret.

In the drivers dir I have: mssql-jdbc-12.4.2.jre11.jar
@jbanAtSplunk - Are you trying to do Windows Authentication? That is supported in DB connect by default. - https://docs.splunk.com/Documentation/DBX/3.15.0/DeployDBX/Createandmanageidentities    Otherwise, DB Connect only supports putting Java DB driver files inside drivers directory - https://docs.splunk.com/Documentation/DBX/3.15.0/DeployDBX/Installdatabasedrivers    I hope this helps!!!!
Since you are piping to a map command, the final resulting dataset you are presented with is from the inner search of that map command. You should be able to use hostname as a token inside that inner search to get it to show up in the final results. Something like this:

| inputlookup iphost.csv
| search src_ipV4=* hostname=*
| rename src_ipV4 as host
| stats values(host) as host by hostname
| mvexpand host
| map maxsearches=50 search="| ping host=$host$ count=1 | eval dest=if(isnull(dest),host,dest), hostname=\"$hostname$\" | fields host dest received hostname"
| table host dest received hostname
@jbthomas1975 - Are you looking at the license usage by host? How much is the usage by Splunk servers in GB?
I am running the current search using the network toolkit, but it will not show the hostname field from the csv. Do I need to do another inputlookup at the end of the search?

| inputlookup iphost.csv
| search src_ipV4=* hostname=*
| rename src_ipV4 as host
| stats values(host) as host
| mvexpand host
| map maxsearches=50 search="| ping host=$host$ count=1 | eval dest=if(isnull(dest),host,dest) | fields host dest received"
| table host dest received hostname
@richgalloway The data is coming from a FIM product called Tripwire. Here is the raw data:

Dec 22 02:30:34 10.62.32.10 1 2023-12-22T10:30:34.771Z servernameTW_ES - - - CEF:0|Tripwire|Enterprise|5.5|6|Audit Event|1|UserName=NT AUTHORITY\NETWORK SERVICE UserNameLabel=User Name ElementName=null ElementNameLabel=Element Name VersionTimeStamp=null VersionTimeStampLabel=Version Timestamp Message='C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask' accessed by 'NT AUTHORITY\NETWORK SERVICE'. Type 'Set Security'. Application: 'C:\Windows\System32\svchost.exe' Details: DACL Category=Audit Event CategoryLabel=Category rt=12/22/23 2:25 AM Level=Information LevelLabel=level dhost=trip.cs.ad.domain.com

I don't have any props or transforms yet because I am not sure where to start with this. Thanks
 
Please share the props and transforms for that sourcetype as well as a couple of sanitized sample events. 
@richgalloway  Can you share a picture of the sourcetype along with the Splunk web screenshot? I am still getting errors on my end. Thanks
Hi @secphilomath1, what technology are you using for these data? If they are standard, you can use the related add-on that gives you all the parsing rules. If it's custom, you have to manually parse it. Ciao. Giuseppe
Hi @jbthomas1975, What are you collecting from your Splunk host? Internal indexes--_audit, _internal, _introspection, _metrics, etc.--don't count against ingest-based licensing but do factor into capacity planning.