All Posts

Hi,

When you ran that command, did you get any errors/warnings? Have you tried this?

sudo -uroot bash $SPLUNK_HOME/bin/splunk enable boot-start -user splunk -systemd-managed 1

In current Linux versions it's usually better to run Splunk under systemd than the old init. But if you still want to use init, then you must also update those startup scripts as these instructions say: https://docs.splunk.com/Documentation/Splunk/9.1.1/Admin/ConfigureSplunktostartatboottime

r. Ismo
Hi,

If you cannot get any new data, then the most obvious reason is that your disk space is full. The second one is that for some reason your permissions / ownerships have changed on disk. Please try "source /opt/splunk/bin/setSplunkEnv && df -H $SPLUNK_HOME $SPLUNK_DB" as root on the command line. Also check if you have volumes in use and check that disk space as well. To find volumes you should log in as the splunk user and then use

splunk btool indexes list volume|egrep '(\[|path)'

which shows those physical disk areas that those volumes are using. If there is enough space left, then you should check the ownership of those directories / files and change those if needed.

Did I understand right that you get some new data into the _audit index, but not anywhere else?

r. Ismo
As has been said earlier, all queries on _internal logs work only if you still have those logs on the indexers. Quite often the retention time for those is so short that you don't have them in any larger environment!
Thanks. No problems with permissions. It could be something wrong with some conf files. But since the problems involve all index files, it must be something in the global settings, or some services/program not running. Do you think it's best to back up $SPLUNK/etc, run the installation/upgrade and then copy the etc files into the new installation?

Geir
If you have defined all peers via adding the cluster as a search target, then just "splunk remove cluster-peers <GUID>" on the CM should be enough to remove that peer from the CM's search peer list after you have removed it from the cluster. If this didn't work, then you should create a support case with Splunk. Of course, if you have manually configured something extra in your health report, then you probably need to update it? See https://docs.splunk.com/Documentation/Splunk/9.1.1/DMC/Configurefeaturemonitoring#:~:text=Log%20in%20to%20Splunk%20Web,description%20of%20each%20feature%20indicator.
And for Ubuntu, when you try to start it manually, does it start or give the same errors?
For Windows, the service status should be set to automatic for it to start on boot.
Or are you getting any permissions issue on Splunk?
Did you try btool to check your configs (indexes.conf, inputs, etc.)? Maybe there is an overlapping setting routing data somewhere else.
Still having this error with 9.0.4 I'm afraid.

50b81383ef0d:/opt/splunkforwarder/bin# ./splunk start --accept-license --answer-yes --no-prompt
Warning: Attempting to revert the SPLUNK_HOME ownership
Warning: Executing "chown -R splunk /opt/splunkforwarder"
This appears to be your first time running this version of Splunk.
Creating unit file...
Error calling execve(): No such file or directory
Error launching command: No such file or directory
Failed to create the unit file. Please do it manually later.

Splunk> The Notorious B.I.G. D.A.T.A.

Checking prerequisites...
        Checking mgmt port [8089]: open
        Creating: /opt/splunkforwarder/var/lib/splunk
        Creating: /opt/splunkforwarder/var/run/splunk
        Creating: /opt/splunkforwarder/var/run/splunk/appserver/i18n
        Creating: /opt/splunkforwarder/var/run/splunk/appserver/modules/static/css
        Creating: /opt/splunkforwarder/var/run/splunk/upload
        Creating: /opt/splunkforwarder/var/run/splunk/search_telemetry
        Creating: /opt/splunkforwarder/var/spool/splunk
        Creating: /opt/splunkforwarder/var/spool/dirmoncache
        Creating: /opt/splunkforwarder/var/lib/splunk/authDb
        Creating: /opt/splunkforwarder/var/lib/splunk/hashDb
        Checking conf files for problems...
        Invalid key in stanza [webhook] in /opt/splunkforwarder/etc/system/default/alert_actions.conf, line 229: enable_allowlist (value: false).
        Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
        Done
        Checking default conf files for edits...
        Validating installed files against hashes from '/opt/splunkforwarder/splunkforwarder-9.0.4-de405f4a7979-linux-2.6-x86_64-manifest'
        All installed files intact.
        Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
PYTHONHTTPSVERIFY is set to 0 in splunk-launch.conf disabling certificate validation for the httplib and urllib libraries shipped with the embedded Python interpreter; must be set to "1" for increased security
Done
Bit of an old post, but I had this exact error, spent way too long troubleshooting it, and was saddened when this post didn't have an accepted solution.

The problem is, the S3 VPC endpoint you are using DOES NOT match the supported format Splunk expects. Then, when it tries to do hostname validation (S3 VPC endpoint) against the expected format, it fails and throws this ugly error.

You said: "As part of the Splunk AWS Add-on naming convention for private endpoints, the Private Endpoint URL for the S3 bucket must be https://vpce-<endpoint_id>-<unique_id>.s3.<region>.vpce.amazonaws.com"

This isn't true, as the docs explain. You actually need to use:

Thus, the format for S3 is actually https://bucket.vpce-<endpoint_id>-<unique_id>.s3.<region>.vpce.amazonaws.com.

I didn't read the documentation closely enough and wasted a lot of time, so I hope this helps someone.
Hello community,

I have come across an issue where I got an identical token generated for the SOAR user "REST" that I am using for the SIEM-SOAR integration, and the same was in the Splunk app for SOAR. When I ran the "test connectivity" command on the SOAR Server Configuration, it responded with "Authentication Failed: Invalid token". I just regenerated the token and everything works like a charm. Have you ever encountered such an issue?
There is not really enough information here to be able to easily help you. Please can you share your full search and some anonymised sample events for the volunteers to work with.
Hi,

I would like to export a table to CSV in Dashboard Studio. Unfortunately, when I click on export, only a PNG is exported. Any hint?

Thank you
Best regards
Marta
Hi @richgalloway @gcusello,

When I ran splunk btool --debug check on the host, I observed the following:

C:\Program Files\SplunkUniversalForwarder\bin>splunk btool --debug check
No spec file for: C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\app.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\alert_actions.conf
        Invalid key in stanza [webhook] in C:\Program Files\SplunkUniversalForwarder\etc\system\default\alert_actions.conf, line 229: enable_allowlist (value: false).
No spec file for: C:\Program Files\SplunkUniversalForwarder\etc\system\default\app.conf
No spec file for: C:\Program Files\SplunkUniversalForwarder\etc\apps\windows_test\local\app.conf

windows_test is the app where I had deployed the configurations.

Thanks
Hi Splunkers,

I have a multiselect whose values need to be passed to a macro. Can you please help with that?

The need is to pass the multiselect values to the token $macros2$, where each multiselect value is a macro itself. Multiselect values:
1. value 1
2. value 2
3. value 3
4. All

Search: `macros1(`$macros2$`, now(), -15d@d, *, virus, *, *, *)`

Thanks in advance!
Manoj Kumar S
Hi @secneer,

to better describe your question, could you share some screenshots? Then, where did you locate the props.conf containing SEDCMD? Do you have intermediate Heavy Forwarders between the Universal Forwarder and the Indexers?

Ciao.
Giuseppe
Hi,

I have the below table data, which I have timecharted for a 1hr time span. I want to remove the row which is in red colour, as it is coming with a different time when compared to the other data. Can I use the outlier command to perform this operation, and how can I achieve this requirement?

Thank you in advance,

_time            | B | C | D | E | F
2023-10-06 22:00 |   |   |   |   |
2023-10-07 22:00 |   |   |   |   |
2023-10-08 22:00 |   |   |   |   |
2023-10-09 09:00 |   |   |   |   |
2023-10-09 22:00 |   |   |   |   |
2023-10-10 09:00 |   |   |   |   |
2023-10-10 22:00 |   |   |   |   |
2023-10-11 22:00 |   |   |   |   |
Thank you @richgalloway and @gcusello for the response... but those unfortunately weren't the answers I was looking for. Now I realise I may not have explained it the best I could; I apologise for that.

The field that has been SEDCMD'd appears as an available field even if I search for data that does not have it in the logs. Say, it's been easily over 10 hours since the restart. Searching, right now, for the data of the last 15 minutes still shows that field, showing that it's in 100% of the logs of that search. That's what I don't understand/know how to fix.

Thanks!
Thanks for the answer. Everything seems to be OK: disk not full, licenses OK, rebooted several times, restarted Splunk several times. But still we don't receive data into the indexes. To save time, I wondered if it's possible to back up some files from $SPLUNK_HOME/etc, and then reinstall the Splunk software and copy the files into the new installation. Do you think it will work?

Rgds
Geir