All Posts

Hi @Numb78  Im not sure this config will take effect, because SC4S uses the /event endpoint (unless you have overwritten this?) This blog article from Splunk  states "We want to ensure this is prop... See more...
Hi @Numb78  Im not sure this config will take effect, because SC4S uses the /event endpoint (unless you have overwritten this?) This blog article from Splunk  states "We want to ensure this is properly parsed before it gets to Splunk, as timestamp processing is bypassed (by default) with the /event HEC endpoint used by SC4S." I think there must be a configuration on the SC4S that needs applying which is different between the TCP and UDP ingestion.   Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing
Hi @livehybrid

I've also faced a similar problem. I want to specify the color corresponding to the field value in the map view, but the modification I made doesn't take effect. Could you please help me check it?

```json
{
  "type": "splunk.map",
  "options": {
    "center": [-3.337953961431438, 79.98046874997863],
    "zoom": 2,
    "showBaseLayer": true,
    "layers": [
      {
        "type": "bubble",
        "latitude": "> primary | seriesByName('latitude')",
        "longitude": "> primary | seriesByName('longitude')",
        "bubbleSize": "> primary | frameWithoutSeriesNames('_geo_bounds_east', '_geo_bounds_west', '_geo_bounds_north', '_geo_bounds_south', 'latitude', 'longitude') | frameBySeriesTypes('number')",
        "dataColors": " > primary | seriesByName('status') | matchValue('colorMatchConfig')"
      }
    ]
  },
  "dataSources": {
    "primary": "ds_PHhx1Fxi"
  },
  "context": {
    "colorMatchConfig": [
      { "match": "high", "value": "#FF0000" },
      { "match": "low", "value": "#00FF00" },
      { "match": "critical", "value": "#0000FF" }
    ]
  },
  "containerOptions": {},
  "showProgressBar": false,
  "showLastUpdated": false
}
```
Change the init block (solution updated):

```xml
<init>
  <set token="rangeColors">"0x118832","0xd41f1f"</set>
</init>
```
Hi @msatish  It looks like you need to "Rebuild Forwarder Assets". This can be done by going to Cloud Monitoring Console > Forwarders > Forwarder Monitoring Setup. and clicking on the "Rebuild Forwa... See more...
Hi @msatish  It looks like you need to "Rebuild Forwarder Assets". This can be done by going to Cloud Monitoring Console > Forwarders > Forwarder Monitoring Setup. and clicking on the "Rebuild Forwarder Assets" button. I'd also recommend checking out the Review the Forwarder Monitoring Setup page docs which has more info about this and how to view/manage your forwarders via the CMC.  Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing
Hi @AsmaF2025  I dont have the specific of each migration as I havent done an upgrade to 7.x for a number of years now, however the docs really want you to upgrade to 7.x before upgrading to 8.x - "... See more...
Hi @AsmaF2025  I dont have the specific of each migration as I havent done an upgrade to 7.x for a number of years now, however the docs really want you to upgrade to 7.x before upgrading to 8.x - "Do not try to upgrade Splunk Enterprise or Splunk universal forwarders directly to version 8.0 from a version that is lower than 7.0"  You can upgrade from 6.6.x to > 7.1.x but < 8.0.x so really the logical option for me would actually be 7.3.9. The docs for 7.3.9 state "Upgrades to Splunk Enterprise and Universal Forwarders version 7.3 require the existing installation to be version 6.6.x or higher " The other reason I would go for 7.3.9 is because if you wanted, you could actually upgrade to 8.2.x to match the rest of your existing deployment, the docs state "Upgrading a universal forwarder directly to version 8.2 is supported from versions 7.3.x, 8.0.x, and 8.1.x " If its useful, the download links for 8.2.12 are: https://download.splunk.com/products/universalforwarder/releases/8.2.12/linux/splunkforwarder-8.2.12-e973afd6886e-Linux-x86_64.tgz https://download.splunk.com/products/universalforwarder/releases/8.2.12/linux/splunkforwarder-8.2.12-e973afd6886e-linux-2.6-amd64.deb https://download.splunk.com/products/universalforwarder/releases/8.2.12/linux/splunkforwarder-8.2.12-e973afd6886e-Linux-x86_64.tgz  Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing
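As an added illustration of the staged path discussed above (6.6.x to 7.3.x to 8.2.x), here is a POSIX shell helper that plans the hops from the installed version, verifies each package digest before touching the host, backs up the config and the fishbucket that the migration rewrites, and runs each hop non-interactively. It is example code written for this page, not from the thread or from Splunk. It assumes a tarball install under `$SPLUNK_HOME` (default `/opt/splunkforwarder`, matching the `splunkforwarder/` directory inside the tarball), that each hop's `.tgz` and a `.sha512` file containing its hex digest have already been placed in `$PKG_DIR` (the `.sha512` is assumed to be fetchable as the package URL plus `.sha512`), and that it runs as the user owning `$SPLUNK_HOME`. The hop table encodes only the documentation sentences quoted in this thread; if your target is 8.0.10 rather than 8.2.x, adjust `next_hop` accordingly.

```shell
#!/bin/sh
# Staged Universal Forwarder upgrade helper for Linux tarball installs.
# Example code for this page, not from the thread or Splunk. Assumptions:
#   - .tgz install under $SPLUNK_HOME whose basename matches the tarball's
#     top-level "splunkforwarder/" directory (so extracting into the parent overlays it)
#   - each hop's tarball and "<tarball>.sha512" are already in $PKG_DIR
#   - runs as the user that owns $SPLUNK_HOME
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"
PKG_DIR="${PKG_DIR:-/tmp/uf-pkgs}"

# Next supported hop for an installed version, from the doc text quoted in the thread:
# 7.3 requires 6.6.x or higher; 8.2 is reachable from 7.3.x, 8.0.x and 8.1.x.
# Prints nothing when already on 8.2.x; fails for versions this table does not cover.
next_hop() {
  case "$1" in
    6.6.*)             echo "7.3" ;;
    7.3.*|8.0.*|8.1.*) echo "8.2" ;;
    8.2.*)             echo "" ;;
    *) echo "no documented path from $1 in this script" >&2; return 1 ;;
  esac
}

# Whole chain of hops, e.g. "7.3 8.2" for 6.6.3, "8.2" for 8.0.10, "" for 8.2.7.
upgrade_path() {
  v="$1"; path=""
  while hop=$(next_hop "$v") && [ -n "$hop" ]; do
    path="${path}${path:+ }${hop}"
    v="$hop.0"
  done
  echo "$path"
}

# Installed version from $SPLUNK_HOME/etc/splunk.version (VERSION=x.y.z line);
# avoids `splunk version`, which can prompt for license acceptance on a fresh package.
parse_version_file() {
  sed -n 's/^VERSION=//p' "$1" | head -n 1
}

# Hex SHA-512 of a file; sha512sum on Linux, shasum on macOS.
digest_file() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | cut -d' ' -f1
  else
    shasum -a 512 "$1" | cut -d' ' -f1
  fi
}

# Compare the package against the digest in "<package>.sha512" before unpacking
# anything onto the host; a mismatch means a corrupt or tampered download.
verify_package() {
  expected=$(grep -o '[0-9a-fA-F]\{128\}' "$1.sha512" 2>/dev/null | head -n 1 | tr 'A-F' 'a-f')
  actual=$(digest_file "$1")
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# One hop: verify, stop, back up etc/ and the fishbucket (both are migrated),
# overlay the tarball, then start so the migration runs without prompting.
apply_hop() {
  pkg="$1"
  verify_package "$pkg" || { echo "checksum mismatch: $pkg" >&2; return 1; }
  parent=$(dirname "$SPLUNK_HOME"); base=$(basename "$SPLUNK_HOME")
  "$SPLUNK_HOME/bin/splunk" stop
  stamp=$(date +%Y%m%d%H%M%S)
  tar -czf "$parent/$base.pre-upgrade-$stamp.tgz" -C "$parent" \
      "$base/etc" "$base/var/lib/splunk/fishbucket"
  tar -xzf "$pkg" -C "$parent"
  "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes --no-prompt
}

# Walk the chain; only runs when invoked as `sh uf-upgrade.sh --run`.
if [ "${1:-}" = "--run" ]; then
  cur=$(parse_version_file "$SPLUNK_HOME/etc/splunk.version")
  for hop in $(upgrade_path "$cur"); do
    pkg=$(ls "$PKG_DIR"/splunkforwarder-"$hop".*-Linux-x86_64.tgz 2>/dev/null | head -n 1)
    [ -n "$pkg" ] || { echo "no $hop.x tarball in $PKG_DIR" >&2; exit 1; }
    apply_hop "$pkg" || exit 1
    cur=$(parse_version_file "$SPLUNK_HOME/etc/splunk.version")
    echo "now on $cur"
  done
fi
```

Run it once per host after staging the packages; the backup tarball it writes next to `$SPLUNK_HOME` is what you restore from if a hop's migration goes wrong, and `verify_package` is the step that keeps a corrupted or substituted package off the box.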
Thank you, it worked.
Hi, the dnslookup is available in Splunk Cloud, but not like in Enterprise. You might be missing your internal network information by default. Since Splunk Cloud is not hosted in your own network anymore, the platform does not talk to your private DNS servers and therefore misses internal DNS information.
@livehybrid Thanks for your help in this regard.

Based on reviewing your response, I should be good to update my Splunk universal forwarder from version 6.6.3 to Splunk universal forwarder version 7.3.9 and then to version 8.0.10. But the suggested approach is 6.6.x -> 7.1.x -> 8.0, so why stick to 7.3.9?

Can you also guide me on how to get the older version release download links? And with respect to the fishbucket and migration changes, I don't see anything captured in the doc, even in the issues section. Could you please give a glimpse of the same?
Here are the download links, which may also help:

8.0.10:
- https://download.splunk.com/products/universalforwarder/releases/8.0.10/linux/splunkforwarder-8.0.10-9f06f1f5a2e9-Linux-x86_64.tgz
- https://download.splunk.com/products/universalforwarder/releases/8.0.10/linux/splunkforwarder-8.0.10-9f06f1f5a2e9-linux-2.6-x86_64.rpm
- https://download.splunk.com/products/universalforwarder/releases/8.0.10/linux/splunkforwarder-8.0.10-9f06f1f5a2e9-linux-2.6-amd64.deb

7.3.9:
- https://download.splunk.com/products/universalforwarder/releases/7.3.9/linux/splunkforwarder-7.3.9-39a78bf1bc5b-linux-2.6-x86_64.rpm
- https://download.splunk.com/products/universalforwarder/releases/7.3.9/linux/splunkforwarder-7.3.9-39a78bf1bc5b-linux-2.6-amd64.deb
- https://download.splunk.com/products/universalforwarder/releases/7.3.9/linux/splunkforwarder-7.3.9-39a78bf1bc5b-Linux-x86_64.tgz

Did this answer help you? If so, please consider adding karma to show it was useful, marking it as the solution if it resolved your issue, or commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
Hi @AsmaF2025

Yes, those documents are labelled Splunk Enterprise; however, the upgrade paths for the UF and a full Enterprise install are the same, due to shared components which require updating, such as the fishbucket and config migration. There is a lot more in common between the UF and a full Enterprise install than people often think. The main obvious difference is that Enterprise includes Python and MongoDB. Nevertheless, the upgrade paths are the same.

Did this answer help you? If so, please consider adding karma to show it was useful, marking it as the solution if it resolved your issue, or commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
Faced the same issue. Though it shows 401 Authorized, the search  in "_internal" index showed its a  "JsonWebToken validation failure". This happens mostly when you got Splunk cloud and there is a ma... See more...
Faced the same issue. Though it shows 401 Authorized, the search  in "_internal" index showed its a  "JsonWebToken validation failure". This happens mostly when you got Splunk cloud and there is a maintenance or restart happening. The API bearer token you/service account using may need a kick. So please try 'logout' (user from Splunk console) or expire it from Splunk and relogin/retry. Hopefully that will fix it.  For us, it was a suddent stoppage of 3 or 4 Tokens at same time which gave the hint
@livehybrid Thanks for the time you took to reply. My requirement is to update the Splunk universal forwarder from 6.6.3 to Splunk universal forwarder 8.0.x. It seems like you are referring to the Splunk Enterprise upgrade.
@livehybrid / All, thanks for the time you took to reply. My requirement is to update the Splunk universal forwarder from 6.6.3 to Splunk universal forwarder 8.0.x. And my current version of Splunk Enterprise is 8.2.7, which will be upgraded next to version 9.0.x. I am assuming that updating the universal forwarder to 8.0.x will be compatible with Splunk Enterprise 9.x.x.

Questions:
1. Can I do a straight upgrade from 6.6.3 to 8.0.x?
2. How do I get the older version UF packages (the required tgz, rpm and msi)?

Suggestions and guidance requested, please.
Hi @AsmaF2025

According to the documentation, we must install 7.1.x before upgrading to 8.0.x. See https://docs.splunk.com/Documentation/Splunk/8.0.10/Installation/HowtoupgradeSplunk#:~:text=and%20release%20notes.-,Upgrade%20paths%20to%20version%208.0,-The%20following%20table

Personally, I have achieved this upgrade directly previously; however, it has been discussed on here before that there are a bunch of different things, such as the fishbucket, which get upgraded along the way, and therefore you should follow the documented upgrade path.

Did this answer help you? If so, please consider adding karma to show it was useful, marking it as the solution if it resolved your issue, or commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
I have a bunch of Splunk universal forwarders which run version 6.6.3 on Linux machines. I'm looking to upgrade them to 8.0.x. Am I good to do a straight upgrade from 6.6.3 to 8.0.x? My Splunk Enterprise instances are on version 8.2.7. As the next plan, we will also be updating the Splunk Enterprise instances to the 9.x.x series. If I go ahead and update Splunk Enterprise to version 9.0, I believe the UF on 6.6.3 is not compatible with 9.0 as per the official doc.

Questions:
1. Can I do a straight upgrade from 6.6.3 to 8.0.x?
2. How do I get the older version UF packages (the required tgz, rpm and msi)?

Suggestions and guidance requested, please.

#universalforwarder6.6.3 #universalforwarder8.0.x #Linux #upgradation
@msatish You need to rebuild the forwarder asset table in the CMC for it to update properly. Go to CMC > Forwarders > Forwarder Monitoring Setup > Rebuild Forwarder Assets.

Refer to the docs below:
- Use the Forwarder dashboards - Splunk Documentation
- Solved: monitoring console triggered alerts - missing forw... - Splunk Community
- Solved: Why is our universal forwarder not visible in the ... - Splunk Community
I need the same functionality like in Studio  -  "Select matched" . As we have established, there is no feature parity between Dashboard Studio and SimpleXML.  All you can do is to emulate an effe... See more...
I need the same functionality like in Studio  -  "Select matched" . As we have established, there is no feature parity between Dashboard Studio and SimpleXML.  All you can do is to emulate an effect.  Let me repeat: there are a million ways to do this.  Details will depend on your desires, data characteristics, and how token will be used.  In the following sample dashboard, the user can enter a string of text to "match" some element in the list displayed in the upper right box.  The result is used to populate a token named $group_tok$.  This token is then used in search in the bottom "Results" panel. (Again, index=_internal is used as example source data.) <form version="1.1" theme="light"> <label>"Select matches"</label> <description>https://community.splunk.com/t5/Splunk-Search/Multiselect-filter-Select-all-matches-in-classic-dashboard/m-p/745537#M241480, but only use matches</description> <fieldset submitButton="false"></fieldset> <row> <panel> <input type="text" token="group_string" searchWhenChanged="true"> <label>type a string to match group</label> <default></default> </input> </panel> <panel> <table> <search> <query>| tstats count where index=_internal by PREFIX(group=) | search "group=" = "*$group_string$*" | stats values(group=) as matches</query> <earliest>-24h@h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> <done> <set token="group_tok">$result.matches$</set> </done> </search> <option name="count">50</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> </row> <row> <panel> <title>$group_tok$</title> <event> <title>Results</title> <search> <query>index=_internal group IN ($group_tok$)</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option 
name="list.drilldown">none</option> </event> </panel> </row> </form> Play with it and adapt to your use case.
Newly installed universal forwarders on Windows servers are forwarding logs to Splunk Cloud, but the newly installed forwarders' names are not showing up in the forwarders list in the Cloud Monitoring Console. What could be the reason?
It is working fine, but when I refresh the entire dashboard the unsolved color becomes the opposite, meaning the panel which was showing green shows red and the other panels show green.