All Posts

@kiran_panchavat @livehybrid Unfortunately, there seems to be no solution for this. I tried and followed the exact steps mentioned in the Splunk Doc given below, but I encounter the same error again and again. Do you know how to mitigate this scenario, or have any further suggestions on why this is happening? I tried a few different VM setups where different Linux platforms were installed, and along with that I increased the capacity of the OS to ensure no issues on the other side. The issue seems to reside in the unbundling of the downloaded packages. I understand the installation is being corrupted, but the package is being downloaded from the Splunk site, right? It shows all files intact but I am unable to host the forwarder in an instance. I am stuck here with no specific solutions... FYI - Tried different Linux OS/versions, tried downgrading the SF versions as well... increased capacity of OS
@PickleRick @two separate apps - one with general HEC input settings, another with a token definition for your particular input needs) with CM in an app which is pushed to indexers... So here I created two apps under etc/master-apps, and in one enabled http and in the other gave the token and other parameters. So once we push this to the indexers, HEC will be enabled on the indexers, right? Or do we need to edit each indexer's etc/apps/http_input/local/inputs.conf and give [http] disabled = 0 in order to enable it? Or will the already pushed app do the same work?
Hi @livehybrid , Thanks for the reply. We've already updated the build version and deployed it to the marketplace. Trying to understand why it's causing issues during an update, while working perfectly on a fresh install.
Hi, The problem seems to be the self-signed certificate that was issued by Splunk from the cloud instance. It is not compatible with ver 9.4. I was wondering if it was just me who is experiencing the issue or if someone else is experiencing it. But for now we are sticking with ver 9.3.1 in our HF until a fix is released by Splunk.
I/O Error: DB server closed connection. Hi all, I am getting the error above when connecting to the HPC primary database; the secondary database connection works well on Splunk DB Connect with the exact same settings. From memory, the HPC primary database connection used to work too. I am using MS-SQL Server using jTDS Driver with Windows Authentication: jdbc:jtds:sqlserver://<ServerName>:<port number>/master;useCursors=true;domain=<domain_name>;useNTLMv2=true FYI this worked well for the HPC secondary database with the same configuration except <ServerName>
@livehybrid @kiran_panchavat PFA, this is so weird, I have seen a few cases like this in the community with no solution. I tried multiple Linux OSes and older versions of the forwarder, but it's still the same. Please find a solution, as I tried a lot of versions here... splunkforwarder-9.4.1-e3bdab203ac8-linux-amd64-manifest older version 9.4.0 splunk forwarder - splunkforwarder-9.4.0-6b4ebe426ca6-linux-amd64-manifest
As I said before in another thread - this is something that should be best discussed with your local Splunk Partner. I can tell you that you can just enable HEC input on the HF and send all the data there so that the HF distributes it to the indexers but there are other possible issues with this setup. Since you probably have just one HF, you're gonna be creating a SPOF. It might also not be able to process all the load you're gonna push on it. That's why at the start I said that this problem only looks easy. There are several approaches to solving it which might look right from the technical point of view, meaning that each of them "should work" but some of them might be better from the business point of view given specific circumstances unique to your situation and environment.
@PickleRick we already have HF configured in our environment. So how to do it?
You don't define HEC input on CM. CM will not be ingesting your HEC events. You define HEC input (either just a token if you have the general HTTP input already enabled or enable whole HTTP input, define TLS parameters and define a token - for maintainability I'd split it into two separate apps - one with general HEC input settings, another with a token definition for your particular input needs) with CM in an app which is pushed to indexers. So the only thing you should do (as with pretty much everything regarding configuring your indexers) is creating an app in the manager-apps directory and pushing it with a new configuration bundle to your indexers. I'm not sure if enabling HTTP input in general in case you hadn't had one already will not require you to rolling-restart your indexers (and that's why I prefer a dedicated HF-layer in front of indexers so that changes to ingestion process and parsing do not cause indexer restarts but that's a topic for another time).
In my case it is data manager or possibly lambda. There is no inputs.conf in either case.
Hi @PickleRick, thanks for the options. I think we are going with the 1st option. We are going to create an AWS ELB for load balancing. But I am confused about how to create the HEC token on all indexers with the same token. My approach is this, please correct me if I am wrong... I am going to configure HEC on the cluster manager first. Then take the inputs.conf from etc/apps/http_input/local/inputs.conf and paste it under etc/manager-apps/hec_input/local/inputs.conf. But I won't enable http in CM (disabled = 1 for http). But http:inputname will be enabled (disabled = 0); will it still index HEC data in the cluster manager (which it should not do)? Then push this configuration (app with inputs.conf) through a configuration bundle to all my indexers so that each indexer will receive this inputs.conf. Additionally, do I need to go to each indexer and give [http] disabled = 0 to enable HEC on each indexer in order to receive data? Please confirm and correct me if I am wrong anywhere.
As usual, you have a relatively simple-sounding problem which might not turn out to be so simple. As @marnall already pointed out - the HEC input is just an input on the component you define it on. So you can have multiple options here. 1) Create a HEC input on each indexer using the same HEC token and let the sources load-balance their requests between the receivers. But that requires sources which can actively do load-balancing. 2) Deploy an external HTTP LB which will distribute HTTP requests to HEC inputs defined on indexers (again - with the same HEC token). 3) Create a HF with a HEC input which will receive data and distribute it to indexers using normal s2s load-balancing mechanisms. 4) Create multiple HFs with HEC input and either LB between them on source or set up a HTTP LB in front of them. Each of those scenarios has its own pros and cons (simplicity, cost, maintainability, resilience).
@marnall Where should I create the HEC token through the web interface? In the cluster manager or deployment server? And do we need to copy the inputs.conf which is generated initially to each of the indexers? And once we copy it, do we need to remove the data input created initially? Because if we don't remove it, data will be indexed on that component also, right? Please confirm.
Hi @arusishere The issue with Splunk DB Connect appears to be related to authentication mismatches between Splunk and your SQL Server. Please can you confirm - when you created an identity for authentication, did you set up Windows authentication (Domain/User/Password) rather than just SQL authentication (User/Password)? As it seems like your DB server is set up for just Windows Authentication. Based on the docs you also need Splunk DBX Add-on for Microsoft SQL Server JDBC which I presume has been installed? (See install docs). Did this answer help you? If so, please consider: adding karma to show it was useful; marking it as the solution if it resolved your issue; commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
Hi @hk_baek , Community is the right site for questions! let me know if I can help you more, or, please, accept one answer for the other people of Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated
Thank you for your response. I understand that using a GPU is not mandatory, but I’ve heard that it can significantly improve performance when running deep learning algorithms like TensorFlow. That’s why I was trying to find recommended GPU server specifications for using DSDL, but I couldn’t find any official guidance — so I wanted to ask here
Hello, also we have the problem with increased SWAP
OS: RHEL 9.5
RAM: 32GB
SWAP: 16GB
SPLUNK: 9.4.1
# free -m
        total   used   free   shared   buff/cache   available
Mem:    31837   6853    358        0        24953       24984
Swap:   16383  16292     91
@Huckleberry If you cannot access the Splunk SOAR web interface using either IP address shown by ifconfig, the most likely causes are network configuration issues between your host machine and the Amazon Linux 2 VM. Are you able to SSH into the VM from your host machine? If so, which IP is it you are using? You should be able to access SOAR on the same IP. The other thing that might be worth checking is any firewall rules on the VM. Run the following to see what rules are set; if it fails then it's likely that the firewall isn't enabled so shouldn't be the issue. (Firewalld is the default for Amazon Linux I believe) sudo firewall-cmd --list-all Did this answer help you? If so, please consider: adding karma to show it was useful; marking it as the solution if it resolved your issue; commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
Hi @hk_baek, to my knowledge, the minimum reference hardware is the normal reference for Splunk: 12 CPUs, 12 GB RAM and 300 GB hd. Then you should tune your installation to see if these specifications are sufficient for the use that you will do. Obviously, this reference is to use DSDL without other premium apps such as ES or ITSI. You can find all the information and documentation at https://splunkbase.splunk.com/app/4607 Ciao. Giuseppe
Dear Splunk Community, I need some advice on how to get DB Connect configured. I'm hitting a brick wall trying to get it up and running. I believe I have done the driver installs, database connection settings, JDK install, and set environment variables correctly. I have gotten to the point where we can see login errors in the SQL server logs. With this, I know the servers are attempting to communicate.
Here is the system setup:
Splunk OS: Windows
Splunk Version: 9.0.9
JDBC Drivers installed: 12.4
Connection settings: Tried both MS-SQL Generic and Windows Authentication
Database OS: Windows Server 2016 (SQL 2019)
Errors received from different attempts:
Login failed for user xxx (On splunk)
This driver is not configured to perform integrated authentication. (On splunk)
Login failed for use <username> Reason: An attempt to login using SQL authentication failed. Server is configured for Windows authentication only. (On Windows SQL)
My resources:
https://lantern.splunk.com/Splunk_Platform/Product_Tips/Extending_the_Platform/Configuring_Splunk_DB_Connect
The splunk documentation labyrinth.
I would also like to add that I've gone through the labyrinth of documentation Splunk provides (it's overwhelming). Also, oddly enough, a friend with a very similar environment is having the same issue. Any advice would be much appreciated. And no, I will not install the JTDS drivers that some people recommended. It's open source and 10+ years old. Splunk's provided procedures and documentation that should work. Thanks for your help. First time posting! Kind Regards,