Hi @AL3Z, did you fix the issue? I am also facing the same issue.
I want to get data (monitoring different application data in Splunk) from Splunk to a Node.js web UI via API. Can anyone please tell me the process?
Hi @kiran_panchavat, thanks for your reply. telnet works, so not sure what the issue is here.
Thanks @livehybrid, I used telnet on the DB port and it works, so it is likely not a firewall issue. I am using a service account for both DB hosts and one of them is not working. How do I check permissions? I have access to the server in Splunk DB Connect, but can you point me to the relevant logs? I am using Windows.
2025-04-14 21:48:49,293 INFO [root] [itsi_license_checker] [do_run] Modular input is starting...
2025-04-14 21:48:49,551 INFO [itsi.license_checker.SplunkLicensesAPI] [splunk_licenses_api] [is_license_dependent] Checking is license dependent : License manager uri : self :
2025-04-14 21:48:49,551 INFO [root] [itsi_license_checker] [do_run] Modular input is running...
2025-04-14 21:48:49,558 INFO [itsi.license_checker.ItsiInternalLicensesGroupFactory] [itsi_internal_licenses_group_factory] [_get_active_subgroup] Active license group: Enterprise
2025-04-14 21:48:49,638 INFO [itsi.license_checker.ItsiInternalLicensesGroupFactory] [itsi_internal_licenses_group_factory] [_get_active_subgroup] Non ITSI internal licenses in active group: [<license.License object at 0x7f3317aa22e0>]
2025-04-14 21:48:49,639 INFO [itsi.license_checker.ItsiInternalLicensesGroupFactory] [itsi_internal_licenses_group_factory] [get_license_group] Active subgroup: Production
2025-04-14 21:48:49,647 INFO [itsi.license_checker.LicenseManager] [license_manager] [manage_license_expiration_signaling_license] No real ITSI license is installed
2025-04-14 21:48:49,647 INFO [root] [itsi_license_checker] [do_run] Modular input completed successfully
2025-04-14 21:48:49,647 INFO [root] [modular_input] [execute] Modular input: itsi_license_checker exit normally.
2025-04-14 21:49:49,277 INFO [root] [itsi_license_checker] [do_run] Modular input is starting...

Splunk Enterprise Sales Trial 307,200 MB 2025年5月22日 上午2:59:59 有效
IT Service Intelligence Internals *DO NOT COPY* 102,400,000 MB 2038年1月18日 下午10:14:07 有效

The above information is the logs and licenses. Please help confirm: can ITSI run normally? Thank you.
2025-04-14 21:48:49,293 INFO [root] [itsi_license_checker] [do_run] Modular input is starting...
2025-04-14 21:48:49,551 INFO [itsi.license_checker.SplunkLicensesAPI] [splunk_licenses_api] [is_license_dependent] Checking is license dependent : License manager uri : self :
2025-04-14 21:48:49,551 INFO [root] [itsi_license_checker] [do_run] Modular input is running...
2025-04-14 21:48:49,558 INFO [itsi.license_checker.ItsiInternalLicensesGroupFactory] [itsi_internal_licenses_group_factory] [_get_active_subgroup] Active license group: Enterprise
2025-04-14 21:48:49,638 INFO [itsi.license_checker.ItsiInternalLicensesGroupFactory] [itsi_internal_licenses_group_factory] [_get_active_subgroup] Non ITSI internal licenses in active group: [<license.License object at 0x7f3317aa22e0>]
2025-04-14 21:48:49,639 INFO [itsi.license_checker.ItsiInternalLicensesGroupFactory] [itsi_internal_licenses_group_factory] [get_license_group] Active subgroup: Production
2025-04-14 21:48:49,647 INFO [itsi.license_checker.LicenseManager] [license_manager] [manage_license_expiration_signaling_license] No real ITSI license is installed
2025-04-14 21:48:49,647 INFO [root] [itsi_license_checker] [do_run] Modular input completed successfully
2025-04-14 21:48:49,647 INFO [root] [modular_input] [execute] Modular input: itsi_license_checker exit normally.
2025-04-14 21:49:49,277 INFO [root] [itsi_license_checker] [do_run] Modular input is starting...
2025-04-14 21:49:49,531 INFO [itsi.license_checker.SplunkLicensesAPI] [splunk_licenses_api] [is_license_dependent] Checking is license dependent : License manager uri : self :
2025-04-14 21:49:49,531 INFO [root] [itsi_license_checker] [do_run] Modular input is running...
2025-04-14 21:49:49,538 INFO [itsi.license_checker.ItsiInternalLicensesGroupFactory] [itsi_internal_licenses_group_factory] [_get_active_subgroup] Active license group: Enterprise
2025-04-14 21:49:49,618 INFO [itsi.license_checker.ItsiInternalLicensesGroupFactory] [itsi_internal_licenses_group_factory] [_get_active_subgroup] Non ITSI internal licenses in active group: [<license.License object at 0x7f57146e22e0>]
2025-04-14 21:49:49,618 INFO [itsi.license_checker.ItsiInternalLicensesGroupFactory] [itsi_internal_licenses_group_factory] [get_license_group] Active subgroup: Production
2025-04-14 21:49:49,626 INFO [itsi.license_checker.LicenseManager] [license_manager] [manage_license_expiration_signaling_license] No real ITSI license is installed
2025-04-14 21:49:49,626 INFO [root] [itsi_license_checker] [do_run] Modular input completed successfully
2025-04-14 21:49:49,626 INFO [root] [modular_input] [execute] Modular input: itsi_license_checker exit normally.

Splunk Enterprise Sales Trial 307,200 MB 2025年5月22日 上午2:59:59 有效
IT Service Intelligence Internals *DO NOT COPY* 102,400,000 MB 2038年1月18日 下午10:14:07 有效

The above information is the logs and licenses. Please help confirm: can ITSI run normally? Thank you.
I couldn't find any other cause or solution. I don't have any problems with Splunk operations, so I'm just using it.
FYI, I got the same problem installing on an Ubuntu 22.04 VM. Splunkd is up and running, though, so perhaps, as suggested above, this is a red herring?
Hi @RobertCEG
Pass the list of email addresses as a list/array to the "add_to_list" utility block, not as a single comma-delimited string.

Use a playbook block (e.g., "Format" or "Custom Function") to ensure your email addresses are output as a list/array. Connect this output directly to the "add_to_list" block.

Example (pseudo) code for a Custom Function:

    def add_emails_to_list(email_string):
        # Split the comma-separated string into a list of trimmed addresses,
        # dropping empty entries left by trailing or doubled commas
        return [email.strip() for email in email_string.split(',') if email.strip()]

Then, pass the resulting list to "add_to_list". If you pass a single string (even if comma-separated), SOAR treats it as one row with multiple columns. Passing a list/array adds each value as a new row.

Check the output type from your previous block; ensure it is a list, not a string.

Did this answer help you? If so, please consider:
Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Hi @Xiaorq
Just to check, is it IT Essentials Work (ITEW) that you see installed? If you install ITSI but do not apply the ITSI license to your environment, then I believe it reverts to ITEW (see https://splunk.my.site.com/customer/s/article/ITSI-app-reverted-to-IT-Essential-Work-IT-W-and-does-not-show-premium-features). Please can you confirm if you have installed your ITSI-specific license? The install location depends on your environment configuration/architecture; please see https://docs.splunk.com/Documentation/ITSI/4.20.0/Install/InstallDD for more info.
Hi @shashigari
Sorry, it isn't clear to me which search is having the issue. I'm not sure why you are doing a makeresults followed by an append? Are you specifying the earliest/latest in your subsearch/append search? Please can you post your full search with the issue.
This is an indication of inefficient bucket use, meaning buckets roll before they fill up. This can happen when indexers restart often, but in this case I suspect it's just a matter of the main index getting very few events before maxHotSpanSecs is reached and the bucket rolls to warm.

The answer for buckets that are known to contain few events is to set maxDataSize to a value that makes the bucket at least 50% full before it rolls. The default bucket size is 750MB. The dbinspect command can tell you the current size of buckets to give you an idea of how to set maxDataSize.

Best practice is to not use the main index at all. All incoming data should go into a custom index, leaving main empty (and not needing to roll).
I have the same question
We've added documentation to dev.splunk.com to cover Custom REST Endpoints. (Apologies for thread necromancy, but this is still one of the top hits on gsearch for this topic somehow, 14 years later.)
I have a list of email addresses being returned by a query that I want to use to update a custom list. My goal is to have one value per row. If I add a utility block "add_to_list" to my playbook, then all the values get added in as a single row, with a separate value per column. I assume this is because the values being returned are seen as a single long comma-delimited list. What is the best practice for ensuring my playbook is updating the custom list with just one value per row, and adding new rows for each value in my list?
Hi @Gururaj1
The UF does not have a web UI. Check /opt/splunkforwarder/var/log/splunk/splunkd.log to see if the server is running (it should update quite regularly).
@marisstella - Kindly please accept the answer from @isoutamo, if it helped you resolve/understand your query, by clicking on "Accept as Solution" so future Splunk Community users will benefit from your question as well.
Hello @livehybrid, thank you for the update. I would have ignored this if I was able to access the Splunk UF webpage. But the issue here is that the webpage timeout appears, and I tested the exact scenario with Splunk HF and Splunk Enterprise 9.4.1 and it works perfectly fine (no errors during installation). Am I missing something here? However, thank you. If you find any resolution to this, please do let me know. As the issue is unknown, I'm not sure how to tackle it.
Good morning, I have a query like this:

    [| makeresults count=0]
    | append [ search (index="my_index") ]

When I use it to set up an alert like

    earliest="04/11/2025:12:10:01" latest="04/11/2025:12:20:01" `mymacro` | table _time IP

it is not picking up the events in that time frame. However, when I expand to 8 hours from the dropdown it shows results.

Can anyone help provide an approach for this issue?
Hi @Gururaj1
Just to check, apart from the errors you mentioned, does Splunk install correctly? Those errors don't necessarily mean there is an issue. It's likely that the part of the Debian preinst script which calls a "temp_splunk-preinstall" file is looking for those locations to do *something*; "find" is usually used to find something (a file/folder) and then do something to it, like updating permissions. If the find returns no files, the script looks to continue, finally finishing with "complete"; at this point I'd expect your install to be complete. Since your splunk validate command returned a success, I think these "errors" are benign. Their existence is either a mistake in that script, or it could be for something we aren't necessarily aware of. Either way, if the files get installed then I'm confident this isn't an issue.