All Posts

@marnall Where should I create the HEC token through the web interface? In the cluster manager or the deployment server? And do we need to copy the inputs.conf that is generated initially to each of the indexers? And once we copy it, do we need to remove the data input created initially, because if we don't remove it, data will also be indexed on that component, right? Please confirm.
Hi @arusishere

The issue with Splunk DB Connect appears to be related to authentication mismatches between Splunk and your SQL Server. Can you please confirm: when you created an identity for authentication, did you set up Windows authentication (Domain/User/Password) rather than just SQL authentication (User/Password)? It seems like your DB server is set up for Windows Authentication only. Based on the docs you also need the Splunk DBX Add-on for Microsoft SQL Server JDBC, which I presume has been installed? (See the install docs.)

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing.
Hi @hk_baek, the Community is the right site for questions! Let me know if I can help you more, or please accept one answer for the other people of the Community. Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated.
Thank you for your response. I understand that using a GPU is not mandatory, but I’ve heard that it can significantly improve performance when running deep learning algorithms like TensorFlow. That’s why I was trying to find recommended GPU server specifications for using DSDL, but I couldn’t find any official guidance — so I wanted to ask here
Hello, we also have the problem with increased swap.

OS: RHEL 9.5
RAM: 32GB
SWAP: 16GB
SPLUNK: 9.4.1

    # free -m
                   total        used        free      shared  buff/cache   available
    Mem:           31837        6853         358           0       24953       24984
    Swap:          16383       16292          91
@Huckleberry If you cannot access the Splunk SOAR web interface using either IP address shown by ifconfig, the most likely causes are network configuration issues between your host machine and the Amazon Linux 2 VM. Are you able to SSH into the VM from your host machine? If so, which IP are you using? You should be able to access SOAR on the same IP.

The other thing that might be worth checking is any firewall rules on the VM. Run the following to see what rules are set; if it fails, then the firewall likely isn't enabled, so it shouldn't be the issue. (Firewalld is the default for Amazon Linux, I believe.)

    sudo firewall-cmd --list-all

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing.
Hi @hk_baek, to my knowledge, the minimum reference hardware is the normal reference for Splunk: 12 CPUs, 12 GB RAM and 300 GB HD. Then you should tune your installation to see if these specifications are sufficient for the use you will make of it. Obviously, this reference is for using DSDL without other premium apps such as ES or ITSI. You can find all the information and documentation at https://splunkbase.splunk.com/app/4607 Ciao. Giuseppe
Dear Splunk Community,

I need some advice on how to get DB Connect configured. I'm hitting a brick wall trying to get it up and running. I believe I have done the driver installs, database connection settings, JDK install, and set environment variables correctly. I have gotten to the point where we can see login errors in the SQL server logs. With this, I know the servers are attempting to communicate.

Here is the system setup:
- Splunk OS: Windows
- Splunk Version: 9.0.9
- JDBC Drivers installed: 12.4
- Connection settings: Tried both MS-SQL Generic and Windows Authentication
- Database OS: Windows Server 2016 (SQL 2019)

Errors received from different attempts:
- Login failed for user xxx (on Splunk)
- This driver is not configured to perform integrated authentication. (on Splunk)
- Login failed for user <username> Reason: An attempt to login using SQL authentication failed. Server is configured for Windows authentication only. (on Windows SQL)

My resources:
- https://lantern.splunk.com/Splunk_Platform/Product_Tips/Extending_the_Platform/Configuring_Splunk_DB_Connect
- The Splunk documentation labyrinth.

I would also like to add that I've gone through the labyrinth of documentation Splunk provides (it's overwhelming). Also, oddly enough, a friend with a very similar environment is having the same issue. Any advice would be much appreciated. And no, I will not install the jTDS drivers that some people recommended. It's open source and 10+ years old. Splunk's provided procedures and documentation should work.

Thanks for your help. First time posting!

Kind Regards,
Hello, I'm planning to install and use the Splunk App for Data Science and Deep Learning(DSDL) in a closed network environment. I’m considering use cases involving deep learning and LLM-RAG architecture. Could you please share the minimum server specifications for testing, as well as the recommended specifications for production?
Dear Team, we have obtained the ITSI installation package "splunk-it-service-intelligence-4193.spl" and installed it according to the installation guide on the official website (https://docs.splunk.com/Documentation/ITSI/4.20.0/Install/Install). In the end, the Splunk Enterprise platform only has the ITEM app. What is the reason for this? Please provide technical support. Thank you.
Hello, I set up an Amazon Linux 2 virtual machine in VirtualBox and successfully installed Splunk SOAR. I am trying to log into the web interface. The documentation says to go to the IP address that I assigned to the Splunk SOAR using the custom HTTPS port. I know that I am using the correct port. When I run ifconfig, I see two IP addresses. I tried both with the port I chose for Splunk, but neither is working, and my browser says that the site cannot be reached. Any help would be appreciated.
The HTTP Event Collector won't do load balancing itself, so you will need to set up a load balancer in front of the indexers.

One way you could set up the HEC token is to take a Splunk server with a web interface (probably not the indexers), go to Settings -> Data inputs -> HTTP Event Collector, then click the "New Token" button. Go through the menu specifying your desired input name, sourcetype, index, etc. This will generate an inputs.conf stanza for the HTTP input. You can then open the inputs.conf file and copy this stanza to each of your indexers to ensure they have the same token.

(Remaining instructions assume your indexers are running Linux.)

For me, the inputs.conf file was generated in /opt/splunk/etc/apps/launcher/local, because I went to the HTTP Event Collector web interface from the main Splunk Enterprise screen. The stanza will look like this (with different values, of course):

    [http://inputname]
    disabled = 0
    host = yourhostname
    index = main
    indexes = main
    source = inputsourcetype
    token = fe2cfed6-664a-4d75-a79d-41dc0548b9de

Of course, you should change the host value for each indexer or remove the host line so that the host value is decided on startup.

Then, create a new file on each indexer at /opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf containing this text:

    [http]
    disabled = 0

This will enable the HTTP Event Collector on the indexers. You can check that the HTTP event listener is opening the port on the indexer by using netstat:

    netstat -apn | grep 8088
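The procedure above leaves room for copy errors: a token mistyped on one indexer, a host= line carried over from the search head, or a [http] stanza that was never enabled. The following is an added example, not code from the original post or from Splunk, that parses the inputs.conf files the post describes (Splunk's INI-style format), reports those mistakes per indexer, flags token drift between indexers, and builds the HTTP request a load balancer would forward to HEC (the /services/collector/event endpoint with an "Authorization: Splunk <token>" header). The indexer names, the load balancer URL and the file contents are constructed for this example; the token value is the one from the post.

```python
"""Consistency checks for a HEC token copied to several indexers.

Added example; the indexer configs below are constructed to show one clean
pair of indexers and one sloppy copy. Not part of the original post.
"""
import configparser
import json
from typing import Dict, List, Optional, Tuple

HEC_TOKEN = "fe2cfed6-664a-4d75-a79d-41dc0548b9de"  # token value shown in the post

# Constructed inputs.conf contents, keyed by a hypothetical indexer name.
INDEXER_CONFS: Dict[str, str] = {
    # Correct copy: collector enabled, stanza identical, no host= override.
    "idx1": f"""
[http]
disabled = 0

[http://inputname]
disabled = 0
index = main
indexes = main
source = inputsourcetype
token = {HEC_TOKEN}
""",
    "idx2": f"""
[http]
disabled = 0

[http://inputname]
disabled = 0
index = main
indexes = main
source = inputsourcetype
token = {HEC_TOKEN}
""",
    # Sloppy copy: host= left in from the search head, last token character
    # mistyped, and no [http] stanza so the collector never listens.
    "idx3": """
[http://inputname]
disabled = 0
host = yourhostname
index = main
indexes = main
source = inputsourcetype
token = fe2cfed6-664a-4d75-a79d-41dc0548b9df
""",
}


def parse_inputs_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk's INI-style inputs.conf into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive; don't lowercase them
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def check_indexer(name: str, text: str) -> List[str]:
    """Return findings for one indexer's inputs.conf (empty list = clean).

    Assumes Splunk's defaults: HEC is off unless [http] has disabled = 0,
    and an individual http:// input is on unless it says disabled = 1.
    """
    stanzas = parse_inputs_conf(text)
    findings: List[str] = []
    http = stanzas.get("http")
    if http is None or http.get("disabled", "1") != "0":
        findings.append(f"{name}: [http] stanza missing or disabled; HEC will not listen")
    for stanza, kv in stanzas.items():
        if not stanza.startswith("http://"):
            continue
        if kv.get("disabled", "0") != "0":
            findings.append(f"{name}: {stanza} is disabled")
        if "host" in kv:
            findings.append(f"{name}: {stanza} sets host={kv['host']}; remove it so each indexer uses its own name")
        if "token" not in kv:
            findings.append(f"{name}: {stanza} has no token")
    return findings


def check_token_consistency(confs: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Map each HEC stanza to {indexer: token} for stanzas whose token differs between indexers."""
    per_stanza: Dict[str, Dict[str, str]] = {}
    for name, text in confs.items():
        for stanza, kv in parse_inputs_conf(text).items():
            if stanza.startswith("http://") and "token" in kv:
                per_stanza.setdefault(stanza, {})[name] = kv["token"]
    return {s: t for s, t in per_stanza.items() if len(set(t.values())) > 1}


def build_hec_request(base_url: str, token: str, event: dict,
                      index: Optional[str] = None,
                      sourcetype: Optional[str] = None) -> Tuple[str, Dict[str, str], str]:
    """Build (url, headers, body) for a HEC event post as the load balancer would forward it."""
    url = base_url.rstrip("/") + "/services/collector/event"
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    payload: Dict[str, object] = {"event": event}
    if index:
        payload["index"] = index
    if sourcetype:
        payload["sourcetype"] = sourcetype
    return url, headers, json.dumps(payload)


if __name__ == "__main__":
    for idx, conf in INDEXER_CONFS.items():
        for finding in check_indexer(idx, conf):
            print(finding)
    for stanza, tokens in check_token_consistency(INDEXER_CONFS).items():
        print(f"token drift in {stanza}: {tokens}")
    # Hypothetical load balancer in front of the indexers on the default HEC port.
    print(build_hec_request("https://hec-lb.example.com:8088", HEC_TOKEN, {"msg": "hec test"}, index="main"))
```

Run it against the real files (for example /opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf and the app directory the stanza was copied into on each indexer) before sending the first event through the load balancer; a token that differs on one indexer shows up as intermittent 401/403 responses that are hard to attribute otherwise.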
Assuming that you are able to edit the inputs.conf file, and that you have a definite value for env, service, and custom for each input stanza, then you could add meta tags to the input stanzas:

    _meta = env::<env value> service::<service value> custom::<custom value>

I don't know if this works the same way with OTEL collectors.
When you don't include the UID, are there any differences in the field values? What pattern do you see in how it adds artifacts to containers? E.g. are there specific fields which determine the container that the artifact gets added to, or does it add artifacts to the most recently created container? Depending on how you would like it to behave, you could throttle the creation of new artifacts by using an outputlookup and NOT [|inputlookup] commands in the saved search used to forward events to SOAR, then use a time field to make sure the artifacts and containers are different.
This usually means that something in your playbook is referencing a term that does not exist, like a misnamed block or a nonexistent datapath. If you are certain that the error originates from this Splunk app block, then you could try setting all of the inputs to be formatted text (as you did with the query input) so that SOAR does not think it could be a datapath.
The first thing to check is the splunkd.log on the problematic (sending) machine. It should tell you if the connection is established at all, or if it's being actively rejected, or anything else.
@ejose Check these:
https://community.splunk.com/t5/Getting-Data-In/How-to-fix-Heavy-Forwarder-to-Splunk-Cloud-logs-forward-error/td-p/645998
https://community.splunk.com/t5/Getting-Data-In/How-to-fix-TCPOutAutoLB-0-error/m-p/613119
Just for the sake of completeness: stats by _time is fairly useful if you manipulate your timestamps (usually by means of bin/bucket). With raw, untouched _time it can be useful if you have several events emitted at the same time (and you can be 100% sure about that) and you have no other unique identifier to mark them by. But this is rather unlikely, since separate events, even regarding the same "physical event", usually come from separate sources and are slightly offset in _time.
Just for clarification: this is a community-driven forum, and while there are some Splunk employees lurking here, it's highly unlikely (unless maybe there is a grave error destroying your indexes or such) that someone will invest company time on this without a support ticket. And of course the support portal, where you can raise tickets, is three blocks south from here.