Hello Splunk community, I have an issue with a Splunk Deployment Server where FS /var is of size 30Gb and currently 22G are being used by the log "uncategorised.log" under the path /var/log/syslog. Is it viable/possible to delete that log or make a backup of it to a tape or a different server.?  

I'm trying to UNION two different tables containing info on foreign traffic - the first table is a log with time range earliest=-24h latest=-1h. The second are logs of those same systems for the full 24 hours (earliest=-24h latest=now()). My search: | union [ search index=<index1> src_ip IN (<srcvalues>) AND dest_ip!=<ipvalues> NOT dest_location IN ("<locvalues>") earliest=-24h latest=-1h | eval dest_loc_ip1=dest_location. "-" .dest_ip | stats DC(dest_loc_ip1) as oldconnections by src_ip] [ search index=<index1> src_ip IN (<srcvalues>) AND dest_ip!=<ipvalues> NOT dest_location IN ("<locvalues>") earliest=-24h latest=now() | eval dest_loc_ip2=dest_location. "-" .dest_ip | stats DC(dest_loc_ip2) as allconnections by src_ip] | fields src_ip oldconnections allconnections I am trying to compare the values of oldconnections vs allconnections for only the original systems (basically a left join), but for some reason, the allconnections shows all null values. I get a similar issue when trying to left join - the allconnections values are not consistent to the values when I run the search by itself. I can run the two searches separately with the expected result, so I'm guessing there's an error in my UNION syntax and ordering. Thanks for the help! -also open to other ways to solve this

Hello All, I am trying to plot the count of events per day over a span of a week by using scatterplot matrix as the visualization to see if there is any linear relation observed. And I need to plot 4 charts, one for each week of the month since there are restrictions on number of datapoints a single chart can publish. But, when I plot more than one chart, the dashboard breaks down and I start getting error: - Error rendering Scatterplot Matrix visualization Thus, I need your guidance to resolve the error. Thank you Taruchit

Insight on my problem below is appreciated! I am using DB Connect to attempt to connect to a MSSQL database. When I Save/Edit the connection I get the following error from Splunkweb:   The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Certificates do not conform to algorithm constraints". ClientConnectionId:XXXXXXXXXXXXXXXXXX   And the following (combination) error from splunk_app_db_connect_server.log and splunk_app_db_connect_audit_server.log:   com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Certificates do not conform to algorithm constraints". ClientConnectionId:XXXXXXXXXXXXXXXXXX ........................... Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA1withRSA at java.base/sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:237) at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1661) ... 99 common frames omitted Collapse   I have tried the following to resolve the problem with no luck: Added the following to the DB Connect Task Server JVM Options: -Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2" Added the following parameters to the JDBC url: encrypt=true;trustServerCertificate=true; I have also installed and attempted to run the DB Connect troubleshooting tool (ran using the following command: python3 -m troubleshooting_tools.start)   |----|----|----|----|----| | DB Connect | | Troubleshooting Tools | |----|----|----|----|----| Which tool do you want to use? 1. Troubleshoot Starts 2. Services Status 3. Troubleshoot Connections 4. Troubleshoot Inputs : 3 Troubleshoot Connections Splunk URL: localhost Splunk management port: 8089 Splunk username (Default value is <admin>): admin admin Splunk password: ******** Connection name: MY_CONNECTION Connector path: %PATH_TO_CONNECTOR_JAR% JDBC path: %PATH_TO_JDBC_DRIVER_JAR%   Which leads to the following output   An error occurred while trying to get the connection with the name : MY_CONNECTION. Error message: Data must be padded to 16 byte boundary in CBC mode   In addition, here is some information regarding my environment: OS Oracle Linux 9 Splunk Enterprise Splunk 9.1.0.2  Splunk DB Connect 3.14.1  Splunk DBX Add-on for Microsoft SQL Server JDBC 1.2.0  Manually installed additional Microsoft JDBC Driver 12.4 for SQL Server driver mssql-jdbc-12.4.1.jre11.jar ***The above errors are occurring for both Connection Types. JAVA openjdk 11.0.20

Hello Everybody We've installed Splunk 9.1.1 OnPrem and now, unfortunately the Browser Icon Changer App will not work. Message: HTML Dashboards are no longer supported. In Splunkbase, Version 9.1 is listed as supported. Did we anything wrong? BR, Martin