All Posts

SIX years later and this is still the behavior. Why is this even allowed to persist? The DESIGN of your software practically means the only foolproof way to deploy ssl is to use the password "password" because splunk *just might not* feel like re-hashing anything.  Do YOU think it's worth your time to fix this for the love of the hundreds of millions of dollars you've earned? @splunk You owe me and my partner some hair. 
This seems to be some fancy modern top-like program. And I suppose it shows separate threads of a single splunkd process. Notice that the memory usage is identical for all those entries.
I can also confirm that UF is working in my environment on several macOS 15.4 machines, both Intel and M3. But the initial versions of those were lower than 9.4 and were then updated.
It's exactly this way that you need to do it. In your case this must all be done with props and transforms instead of defining it in inputs.conf. Clone the sourcetype to send it to the HF and filter it like you need, and send the original to the local indexers. You can check the next links:

- https://community.splunk.com/t5/Getting-Data-In/How-can-I-use-CLONE-SOURCETYPE-to-send-a-cloned-modified-event/m-p/317487
- https://www.tekstream.com/blog/routing-pii-data-to-multiple-indexes/

Those explain this with samples.
You must add all needed fields in the stats command if you want those to be present after its execution. Use values(a) as a values(b) as b like is already used there. Here is one old post which explains how you should replace different joins in SPL: https://community.splunk.com/t5/Splunk-Search/What-is-the-relation-between-the-Splunk-inner-left-join-and-the/m-p/391288/thread-id/113948
This seems to work but does not return any of the fields from the index=cisco_ise. These are the fields in reference to the data.

index=network: src_interface Network_Device message_text
index=cisco_ise: src_int NetworkDeviceName User_Name Location src_ip src_mac

Thank you.
Example?  Screenshot?
For multiple sourcetypes, linecount is 2, while clearly, it should be 1. Has anybody encountered this case?
Hi @Nicolas2203

Soo...if you want to redact your logs sent to one place but not redact them sent to the other, then I think you would have to use CLONE_SOURCETYPE and then apply some redaction and routing of this new sourcetype as required.

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Hi @gpalau

Please could you confirm the permissions that you have on the installation?

ls -ltr /Applications/SplunkForwarder

Are you intending to run Splunk as your own user?

According to the docs (https://docs.splunk.com/Documentation/Splunk/latest/Installation/Systemrequirements#:~:text=for%20this%20platform.-,Mac%20operating%20systems,-The%20table%20lists) Mac OS 15.4 Sequoia is not yet supported, *however* I am running this myself on an M1 Silicon Mac running 15.4 without issue, so it should work, but consider that it might not be officially supported.

For reference, on my installation the permissions are as follows:

ls -l /Applications/ | grep SplunkForwarder
>> drwxr-xr-x@ 17 MyUsername wheel 544 17 Apr 17:07 SplunkForwarder

ls -l /Applications/SplunkForwarder
drwxr-xr-x 27 MyUsername wheel 864 20 Feb 19:41 bin
-r--r--r-- 1 MyUsername wheel 57 20 Feb 16:30 copyright.txt
drwxr-xr-x 32 MyUsername wheel 1024 17 Apr 17:07 etc
-rw-r--r--@ 1 root wheel 0 17 Apr 17:06 Icon?
drwxr-xr-x 3 MyUsername wheel 96 20 Feb 19:23 include
drwxr-xr-x 32 MyUsername wheel 1024 17 Apr 17:06 lib
-r--r--r-- 1 MyUsername wheel 59708 20 Feb 16:30 license-eula.txt
drwxr-xr-x 5 MyUsername wheel 160 17 Apr 17:07 openssl
-r--r--r-- 1 MyUsername wheel 522 20 Feb 18:01 README-splunk.txt
drwxr-xr-x 4 MyUsername wheel 128 20 Feb 19:23 share
-r--r--r-- 1 MyUsername wheel 53332 20 Feb 19:41 splunkforwarder-9.4.1-e3bdab203ac8-darwin-universal2-manifest
drwxr-xr-x 3 MyUsername wheel 96 20 Feb 19:24 swidtag
-rw-r--r-- 1 MyUsername wheel 0 20 Feb 19:23 uf
drwx--x--- 7 MyUsername wheel 224 17 Apr 17:07 var

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
@gpalau

You're running macOS 15.4 (Sequoia), which is not officially listed as supported yet. The permission errors you're encountering when running Splunk Universal Forwarder 9.4.1 on macOS 15.4 are likely due to incorrect ownership or permissions for the Splunk Forwarder directories, or the process not being run with sufficient privileges.

If the permissions issue persists, you can try resetting the permissions for the entire Splunk Forwarder directory:

sudo chown -R $(whoami) /Applications/SplunkForwarder
sudo chmod -R 755 /Applications/SplunkForwarder

MacOS Supports the below
I went ahead and re-installed the Splunk Forwarder manually, and on the last step of the .pkg install it reads:

Click the "Splunk" icon on the Desktop to start and connect to Splunk. To start Splunk manually, open a Terminal window and run the command:
$ /Applications/Splunk/bin/splunk start
Documentation: http://docs.splunk.com/Documentation/Splunk

However the installation path is /Applications/Splunk Forwarder/bin

Then you have to manually run a command line to approve the license?
Hi @MrGlass,

Splunk isn't a database, so the join command must be used only when there isn't any other solution and when you have little data; instead use stats, something like this:

(index=network "arp-inspection" OR "packets received") OR (index=cisco_ise sourcetype=cisco:ise:syslog User_Name="host/*")
| eval NetworkDeviceName=coalesce(NetworkDeviceName, Network_Device)
| rename mnemonic AS Port_Status
| rename src_interface AS "src_int"
| stats earliest(device_time) AS device_time values(User_Name) AS User_Name values(src_ip) AS src_ip values(src_mac) AS src_mac values(message_text) AS message_text values(Location) AS Location values(Port_Status) AS Port_Status BY "NetworkDeviceName", "src_int"
| table device_time, NetworkDeviceName, User_Name, src_int, src_ip, src_mac, message_text, Location, Port_Status

Ciao.
Giuseppe
I installed Splunk Forwarder 9.4.1 on macOS 15.4 and on first run I get a bunch of permission errors:

Warning: cannot create "/Applications/SplunkForwarder/var/log/splunk"
Warning: cannot create "/Applications/SplunkForwarder/var/log/introspection"
Warning: cannot create "/Applications/SplunkForwarder/var/log/watchdog"
Warning: cannot create "/Applications/SplunkForwarder/var/log/client_events"
This appears to be your first time running this version of Splunk.
Could not open log file "/Applications/SplunkForwarder/var/log/splunk/first_install.log" for writing (2).

However these folders have the right permissions. A bit lost as to what to do here.
Try to avoid using join - I suspect "data gets jumbled up when searching over longer periods of time" (not very precise terminology) is because subsearches (as used by join) are silently truncated at 50,000 events, so your join may not have all the events available that you are expecting (when you have extended periods of time). Try something along these lines:

(index=network "arp-inspection" OR "packets received") OR (index=cisco_ise sourcetype=cisco:ise:syslog User_Name="host/*")
| rename mnemonic as Port_Status
| rename Network_Device as "NetworkDeviceName"
| rename src_interface as "src_int"
| stats values(device_time) as device_time, values(User_Name) as User_Name, values(src_ip) as src_ip, values(src_mac) as src_mac, values(message_text) as message_text, values(Location) as Location, values(Port_Status) as Port_Status by NetworkDeviceName, src_int

or perhaps:

(index=network "arp-inspection" OR "packets received") OR (index=cisco_ise sourcetype=cisco:ise:syslog User_Name="host/*")
| eval Port_Status=coalesce(Port_Status, mnemonic)
| eval NetworkDeviceName=coalesce(NetworkDeviceName, Network_Device)
| eval src_int=coalesce(src_int, src_interface)
| stats values(device_time) as device_time, values(User_Name) as User_Name, values(src_ip) as src_ip, values(src_mac) as src_mac, values(message_text) as message_text, values(Location) as Location, values(Port_Status) as Port_Status by NetworkDeviceName, src_int
I am trying to locate some data between two indexes, the common items are the src_interface and the network device name, but the data gets jumbled up when searching over longer periods of time. This is what I am using now.

index=network "arp-inspection" OR "packets received"
| rename mnemonic as Port_Status
| rename Network_Device AS "NetworkDeviceName"
| rename src_interface AS "src_int"
| join type=inner "NetworkDeviceName", "src_int" [ search index=cisco_ise sourcetype=cisco:ise:syslog User_Name="host/*" ]
| table device_time, NetworkDeviceName, User_Name, src_int, src_ip, src_mac, message_text, Location, Port_Status
Hello @livehybrid

Thanks for your time. OK, I understand now. I see what I was missing. Strangely, what I had done was working, and I was perplexed about that. I will test with the configuration you provided; it makes more sense. But I have a quick question: if the logs need to be anonymized before they are sent to the distant_HF, will putting the two outputs in the _TCP_ROUTING in the inputs.conf work?

Many thanks for your clear answer!!!
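The pattern the replies in this thread recommend (clone the sourcetype, redact only the clone, route the clone to the distant HF and the original to the local indexers) written out as an added example. This is not configuration from the original posts or from the linked articles: the sourcetype name `app:logs`, the output group names, the hostnames and the masking regex are assumptions, and the sample log line in the comment is constructed. The redaction is done with a transform that rewrites `_raw` on the cloned sourcetype, so the clone never carries the original value anywhere, and routing is set by a transform on `_TCP_ROUTING` rather than in inputs.conf, which is why the two outputs do not need to appear in the input stanza. These stanzas must live on the parsing tier (the heavy forwarder or indexer that first parses the data), not on a universal forwarder, because a UF does not run props/transforms.

```ini
# ---- props.conf (added example; sourcetype names are assumptions) ----
[app:logs]
# 1. Clone every event of the original sourcetype into app:logs:redacted.
#    The original event continues unchanged to the default output group.
TRANSFORMS-clone = clone_app_logs_for_remote

[app:logs:redacted]
# 2. Applied to the clone only. Transforms in one class run in the order
#    listed, so the mask is applied before the routing decision.
TRANSFORMS-mask_and_route = mask_app_logs_email, route_app_logs_to_remote

# ---- transforms.conf ----
[clone_app_logs_for_remote]
REGEX = .
CLONE_SOURCETYPE = app:logs:redacted

[mask_app_logs_email]
# Constructed sample event: 2025-04-17T10:00:00Z user=alice@example.com action=login
# With DEST_KEY=_raw, FORMAT must rebuild the whole event, hence the $1/$2 capture
# groups around the value being masked. (?s) lets the match span multi-line events.
REGEX = (?s)^(.*?user=)[^\s@]+@\S+(.*)$
FORMAT = $1<redacted>$2
DEST_KEY = _raw

[route_app_logs_to_remote]
# Send the redacted clone to the distant HF group only; this overrides defaultGroup.
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = distant_hf

# ---- outputs.conf (hostnames are placeholders) ----
[tcpout]
# Originals (app:logs) go here because no _TCP_ROUTING override is set on them.
defaultGroup = local_indexers

[tcpout:local_indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997

[tcpout:distant_hf]
server = distant-hf.example.internal:9997
```

Two checks worth doing after deploying: search `sourcetype=app:logs:redacted` on the distant side and confirm that every `user=` value reads `<redacted>`, and search the local indexers for the same sourcetype to confirm the clone is not also landing there (if it is, the `_TCP_ROUTING` transform is not being applied to the clone and the local copy will be a duplicate).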
Hi @tangtangtang12

I presume you are using ITSI/ITEW, which is where you have installed the content pack? The content pack is only KPIs and relies on specific data to be available - the content pack itself does not onboard the data. Please check out the docs around the content pack data requirements here: https://docs.splunk.com/Documentation/CPWindowsMon/latest/CP/DataReqs

That docs page gives an inputs.conf sample and other info about the data required for these KPIs to run, including the metrics you are looking for.

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Even if there is only one app, there is also at least one serverclass and those 40 clients. Those serverclass(es) bind together the clients and this app which contains outputs.conf. Usually you should have one app for defining the general output target (indexers) and another which defines the DS, instead of configuring this in the installation GUI. On top of those there are usually many apps and serverclasses, as @gcusello already said. Here is one great .conf presentation about DS: https://conf.splunk.com/files/2024/slides/PLA1310C.pdf
This splunk_server_group is e.g. your defined additional group in the MC setup, like az_hec_test.