All Posts


Hi @Xiaorq

It looks like you have a regular ingest license, plus the ITSI Internal license (this is for sourcetype=itsi_* - used for internal ITSI metadata etc.), however it doesn't look like you have the actual ITSI License which unlocks ITSI to be used. I see you are on a Sales Trial license - did the sales team provide you an additional ITSI license? I would recommend reaching out to them to check they've given you the correct license(s) to run ITSI. Check out https://www.youtube.com/watch?v=SUQpN8Re66g which might help too.

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing
Same issue for me. I have 3 panels with 22 server names each that I want to have on 1 page. Splunk should expand the trellis and single value visualization options, like adding pages per view. Please let me know if there is an XML option in the panel or HTML code to increase the default 20 units per page.
Hi, Limey,

Use the '.dashboard-body' and add inside the properties you want:

    .dashboard-body {
        background-image: url('/static/app/AppName/images/image.png');
        background-repeat: no-repeat !important;
        background-size: cover !important;
    }

The result will be a stretched image on the whole dashboard as a background.

Kind regards,
Boryana
Hi @mshakeb,

I suppose that you're ingesting logs using a Universal Forwarder. If there isn't any issue (that you can search for in _internal), the UF reads all the wineventlogs from the Domain Controller, so if some event is missed, you should check whether it was generated in WinEventLog.

Ciao.
Giuseppe
Hi,

Data loss or intermittent event visibility can occur at several points: source generation, forwarder collection/sending, network transport, or indexer processing/filtering.

- Verify Event Generation: First, confirm the Event ID 4724 is consistently generated in the Windows Security Event Log on the Domain Controller itself using the native Event Viewer during your tests. If it's not logged there reliably, the issue lies with Windows auditing configuration, not Splunk.
- Check Forwarder Configuration: Ensure the inputs.conf on the Universal Forwarder monitoring the Domain Controller has the correct stanza ([WinEventLog://Security]) and is enabled (disabled = false). Verify no blacklist or whitelist settings within this stanza or related props.conf/transforms.conf are unintentionally filtering Event ID 4724.
- Check Forwarder Status & Connectivity: Verify the Splunk forwarder service is running on the DC and can connect to the indexers. Check for errors in the forwarder's internal logs.
- Check Indexer Processing: Ensure no index-time filtering rules (props.conf/transforms.conf on indexers) are discarding these events (e.g., routing to nullQueue).
- Multiple Domain Controllers: Do you have multiple domain controllers? It could be that one/more of them are not configured correctly to send data to Splunk and therefore when this event is actioned against that particular DC then you do not get the logs in Splunk.
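The forwarder-configuration check from the answer above, as an added example that is not part of the original post or of any Splunk tooling: it reads an inputs.conf text and reports whether Event ID 4724 would survive the stanza's whitelist/blacklist settings. The function names and the sample config are constructed; the filter semantics (plain ID lists and ranges, `key="regex"` rules, optional numeric suffix, a missing `disabled` key meaning enabled) are assumptions based on the documented inputs.conf format, and only the EventCode key is evaluated.

```python
import re
ADVANCED = re.compile(r'(\w+)\s*=\s*(\S)(.*?)\2')  # key=<delim>regex<delim>

# Constructed sample, not taken from the thread.
SAMPLE = '''[WinEventLog://Security]
disabled = false
blacklist1 = EventCode="4662" Message="Object Type"
blacklist2 = 4720-4730
'''

def parse_stanza(conf_text, stanza):
    """Return one stanza's settings as a dict, or None if the stanza is absent."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in conf_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas.get(stanza)

def rule_matches(rule, event_id):
    """True/False when the event ID alone decides; None when other fields matter."""
    if re.fullmatch(r"[\d,\-\s]+", rule):  # simple form: 4624,4700-4800
        for part in filter(None, (p.strip() for p in rule.split(","))):
            lo, _, hi = part.partition("-")
            if int(lo) <= event_id <= int(hi or lo):
                return True
        return False
    pairs = ADVANCED.findall(rule)
    for key, _, pattern in pairs:  # every key of one rule must match
        if key == "EventCode" and not re.search(pattern, str(event_id)):
            return False
    return True if pairs and all(k == "EventCode" for k, _, _ in pairs) else None

def verdict(conf_text, event_id=4724, stanza="WinEventLog://Security"):
    s = parse_stanza(conf_text, stanza)
    if s is None:
        return "stanza missing"
    if s.get("disabled", "false").lower() in ("1", "true"):  # assumption: absent = enabled
        return "input disabled"
    hits = lambda p: [rule_matches(v, event_id) for k, v in s.items() if re.fullmatch(p + r"\d?", k)]
    wl, bl = hits("whitelist"), hits("blacklist")
    if wl and all(r is False for r in wl):
        return "dropped: not whitelisted"
    if True in bl:
        return "dropped: blacklisted"
    if None in bl or (wl and True not in wl):
        return "conditional: depends on other event fields"
    return "collected"
```

A "conditional" verdict means a rule keys on fields such as Message as well, which would fit an event that is logged sometimes and not others.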
Hi @Kalyan_N

There is an example at https://github.com/livehybrid/dashpub/blob/master/template/src/pages/api/data/%5Bdsid%5D.js which I use to run Splunk queries for publishing dashboards externally. Basically you just hit the relevant REST API Endpoint for whatever action you want to carry out.

For more info on the search endpoints check out https://docs.splunk.com/Documentation/Splunk/9.4.1/RESTREF/RESTsearch
We have noticed that some Windows Domain Controller server event logs are not appearing in the Splunk search. For example, we conducted testing on Event ID 4724, and what we noticed is that the event is logged sometimes and sometimes it isn't. What could be the issue? Has anyone faced this before?
Hi @mshakeb , please, don't attach your request to another one, even if on the same topic, open a new question. In this way, you'll have more choices to describe your requirements and to receive an answer. ciao. Giuseppe
Hi @shashigari , as also @livehybrid said, it isn't so clear why you are using this structure of search. In addition, you are using a macro that we don't know. Anyway, the format of time in earliest and latest is correct. Could you better describe your requirement and share your macro? Ciao. Giuseppe
Hi @AL3Z, did you fix the issue? I am also facing the same issue.
I want to get data (monitoring different application data in Splunk) from Splunk to a Node.js web UI by API. Can anyone please tell me the process?
Hi @kiran_panchavat, thanks for your reply. Telnet works, so not sure what the issue is here.
Thanks @livehybrid, I used telnet on the db port and it works, so likely not a firewall issue. I am using a service account for both db hosts and one of them is not working. How do I check permissions? I have access to the server in Splunk DB Connect, but can you point me to the relevant logs? I am using Windows.
2025-04-14 21:48:49,293 INFO [root] [itsi_license_checker] [do_run] Modular input is starting...
2025-04-14 21:48:49,551 INFO [itsi.license_checker.SplunkLicensesAPI] [splunk_licenses_api] [is_license_dependent] Checking is license dependent : License manager uri : self :
2025-04-14 21:48:49,551 INFO [root] [itsi_license_checker] [do_run] Modular input is running...
2025-04-14 21:48:49,558 INFO [itsi.license_checker.ItsiInternalLicensesGroupFactory] [itsi_internal_licenses_group_factory] [_get_active_subgroup] Active license group: Enterprise
2025-04-14 21:48:49,638 INFO [itsi.license_checker.ItsiInternalLicensesGroupFactory] [itsi_internal_licenses_group_factory] [_get_active_subgroup] Non ITSI internal licenses in active group: [<license.License object at 0x7f3317aa22e0>]
2025-04-14 21:48:49,639 INFO [itsi.license_checker.ItsiInternalLicensesGroupFactory] [itsi_internal_licenses_group_factory] [get_license_group] Active subgroup: Production
2025-04-14 21:48:49,647 INFO [itsi.license_checker.LicenseManager] [license_manager] [manage_license_expiration_signaling_license] No real ITSI license is installed
2025-04-14 21:48:49,647 INFO [root] [itsi_license_checker] [do_run] Modular input completed successfully
2025-04-14 21:48:49,647 INFO [root] [modular_input] [execute] Modular input: itsi_license_checker exit normally.
2025-04-14 21:49:49,277 INFO [root] [itsi_license_checker] [do_run] Modular input is starting...

Splunk Enterprise Sales Trial | 307,200 MB | May 22, 2025, 2:59:59 AM | Valid
IT Service Intelligence Internals *DO NOT COPY* | 102,400,000 MB | January 18, 2038, 10:14:07 PM | Valid

The above information is logs and licenses. Please help confirm: Can the ITSI run normally? Thank you.
2025-04-14 21:48:49,293 INFO [root] [itsi_license_checker] [do_run] Modular input is starting...
2025-04-14 21:48:49,551 INFO [itsi.license_checker.SplunkLicensesAPI] [splunk_licenses_api] [is_license_dependent] Checking is license dependent : License manager uri : self :
2025-04-14 21:48:49,551 INFO [root] [itsi_license_checker] [do_run] Modular input is running...
2025-04-14 21:48:49,558 INFO [itsi.license_checker.ItsiInternalLicensesGroupFactory] [itsi_internal_licenses_group_factory] [_get_active_subgroup] Active license group: Enterprise
2025-04-14 21:48:49,638 INFO [itsi.license_checker.ItsiInternalLicensesGroupFactory] [itsi_internal_licenses_group_factory] [_get_active_subgroup] Non ITSI internal licenses in active group: [<license.License object at 0x7f3317aa22e0>]
2025-04-14 21:48:49,639 INFO [itsi.license_checker.ItsiInternalLicensesGroupFactory] [itsi_internal_licenses_group_factory] [get_license_group] Active subgroup: Production
2025-04-14 21:48:49,647 INFO [itsi.license_checker.LicenseManager] [license_manager] [manage_license_expiration_signaling_license] No real ITSI license is installed
2025-04-14 21:48:49,647 INFO [root] [itsi_license_checker] [do_run] Modular input completed successfully
2025-04-14 21:48:49,647 INFO [root] [modular_input] [execute] Modular input: itsi_license_checker exit normally.
2025-04-14 21:49:49,277 INFO [root] [itsi_license_checker] [do_run] Modular input is starting...
2025-04-14 21:49:49,531 INFO [itsi.license_checker.SplunkLicensesAPI] [splunk_licenses_api] [is_license_dependent] Checking is license dependent : License manager uri : self :
2025-04-14 21:49:49,531 INFO [root] [itsi_license_checker] [do_run] Modular input is running...
2025-04-14 21:49:49,538 INFO [itsi.license_checker.ItsiInternalLicensesGroupFactory] [itsi_internal_licenses_group_factory] [_get_active_subgroup] Active license group: Enterprise
2025-04-14 21:49:49,618 INFO [itsi.license_checker.ItsiInternalLicensesGroupFactory] [itsi_internal_licenses_group_factory] [_get_active_subgroup] Non ITSI internal licenses in active group: [<license.License object at 0x7f57146e22e0>]
2025-04-14 21:49:49,618 INFO [itsi.license_checker.ItsiInternalLicensesGroupFactory] [itsi_internal_licenses_group_factory] [get_license_group] Active subgroup: Production
2025-04-14 21:49:49,626 INFO [itsi.license_checker.LicenseManager] [license_manager] [manage_license_expiration_signaling_license] No real ITSI license is installed
2025-04-14 21:49:49,626 INFO [root] [itsi_license_checker] [do_run] Modular input completed successfully
2025-04-14 21:49:49,626 INFO [root] [modular_input] [execute] Modular input: itsi_license_checker exit normally.

Splunk Enterprise Sales Trial | 307,200 MB | May 22, 2025, 2:59:59 AM | Valid
IT Service Intelligence Internals *DO NOT COPY* | 102,400,000 MB | January 18, 2038, 10:14:07 PM | Valid

The above information is logs and licenses. Please help confirm: Can the ITSI run normally? Thank you.
I couldn't find any other cause and solution. I don't have any problems with Splunk operations, so I'm just using it..
FYI - I got the same problem installing on an Ubuntu 22.04 VM. Splunkd is up and running though, so perhaps, as suggested above, this is a red herring?
Hi @RobertCEG

Pass the list of email addresses as a list/array to the "add_to_list" utility block, not as a single comma-delimited string.

Use a playbook block (e.g., "Format" or "Custom Function") to ensure your email addresses are output as a list/array. Connect this output directly to the "add_to_list" block.

Example (pseudo) code for a Custom Function:

    def add_emails_to_list(email_string):
        # Split comma-separated string into a list
        return [email.strip() for email in email_string.split(',')]

Then, pass the resulting list to "add_to_list".

If you pass a single string (even if comma-separated), SOAR treats it as one row with multiple columns. Passing a list/array adds each value as a new row. Check the output type from your previous block—ensure it is a list, not a string.
Hi @Xiaorq

Just to check, is it IT Essentials Work (ITEW) that you see installed? If you install ITSI but do not apply the ITSI License to your environment then I believe it reverts to ITEW (see https://splunk.my.site.com/customer/s/article/ITSI-app-reverted-to-IT-Essential-Work-IT-W-and-does-not-show-premium-features).

Please can you confirm if you have installed your ITSI specific license? The install location depends on your environment configuration/architecture - please see https://docs.splunk.com/Documentation/ITSI/4.20.0/Install/InstallDD for more info.
Hi @shashigari

Sorry, it isn't clear to me which search is having the issue. I'm not sure why you are doing a makeresults followed by an append? Are you specifying the earliest/latest in your subsearch/append search? Please can you post your full search with the issue.