All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

All Posts

Once again - way too little information to help. How are we supposed to know what your environment looks like? We have just one IP. We don't know if it's in the same network you're trying to reach t... See more...
Once again - way too little information to help. How are we supposed to know what your environment looks like? We have just one IP. We don't know if it's in the same network you're trying to reach the machine from or in another one and your traffic is routed via gateway(s). We have no idea what you installed where and why. Did you do any troubleshooting at all? Did you check whether the Splunk process is running? Did you check if it is listening on the port? Did you check whether the traffic is reaching your server? Are you trying to run your Splunk instance on the same host, in a container, in a VM? If you want people to help you you need to let them and show that you've put some effort into this.
The index is not created on the CM. It is defined in an app which is pushed to indexers and the index is created there.
I have only been able to confirm that 192.168.10.10 is working by pinging it from my target machine, windows 10, which is on my homelab too. How do I check if splunk is running on port 8000? I guess ... See more...
I have only been able to confirm that 192.168.10.10 is working by pinging it from my target machine, windows 10, which is on my homelab too. How do I check if splunk is running on port 8000? I guess if I can show this, it would mean my splunk is the problem?
Hi @nellyma  Have you been able to confirm that Splunk is running on port 8000? Are you able to evidence this with the logs?  I presume 192.168.10.10 is your local machine? Are you able to access S... See more...
Hi @nellyma  Have you been able to confirm that Splunk is running on port 8000? Are you able to evidence this with the logs?  I presume 192.168.10.10 is your local machine? Are you able to access Splunk using 127.0.0.1?  Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing
The problem was that the index was not created on the master. When the index created on the master server was pushed to all indexers, the OTX data was pulled and written to the index. Thank you for y... See more...
The problem was that the index was not created on the master. When the index created on the master server was pushed to all indexers, the OTX data was pulled and written to the index. Thank you for your help and feedback.
What is your network/server topology? Are other routes open to your server? What else have you tried?
What does AD have to do with anything? As for the rest of the question - too little information and too chaotic. We don't even know what OS you're using.
I'm trying to build Active directory in my homelab and I configured splunk to the ip address of 198.162.10.10 but it refuses to respond on the web to port 8000. I thought I misconfigured something an... See more...
I'm trying to build Active directory in my homelab and I configured splunk to the ip address of 198.162.10.10 but it refuses to respond on the web to port 8000. I thought I misconfigured something and deleted everything and did it all over and still same response. I have disabled all my firewalls, followed numerous YouTube tutorials and still no luck. This is my last resort. Can someone please help me?? What could be my problem? It says ERR_CONNECTION_TIMED_OUT
Hi To pass the usernames field from your Splunk action block to a decision or utility block in SOAR, use the custom output paths from the action result. In the decision block, reference the field a... See more...
Hi To pass the usernames field from your Splunk action block to a decision or utility block in SOAR, use the custom output paths from the action result. In the decision block, reference the field as action_result.data.*.usernames. The Splunk action block returns results as a list of dictionaries under action_result.data. The .*. wildcard iterates over each result, accessing the usernames field from each row. Field names are case-sensitive and must match exactly as returned by your SPL. If your SPL returns multiple rows, the path will return a list of values. The following docs pages may also be useful: https://docs.splunk.com/Documentation/SOAR/current/Playbook/SpecifyData https://docs.splunk.com/Documentation/SOAR/current/DevelopApps/DataPath https://docs.splunk.com/Documentation/Phantom/4.10.7/PlaybookAPI/Datapaths Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing
Hi @Gururaj1  Splunk UF should not have a python site-packages as UF installation does not include Python.  Please can you confirm what manifest file you have in /opt/splunkforwarder? If you are us... See more...
Hi @Gururaj1  Splunk UF should not have a python site-packages as UF installation does not include Python.  Please can you confirm what manifest file you have in /opt/splunkforwarder? If you are using 64-bit version it should be called splunkforwarder-9.4.1-e3bdab203ac8-linux-amd64-manifest. This manifest file does not contain reference to the Python libraries.  Please can you confirm the filename of the Splunk installation file you used to install the UF?  @kiran_panchavat please can you let me know the community posts you're referring to where people with Ubuntu are having issues with UF installs so I can see if there is an underlying common issue.  Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing
Hi you should install it only SH side. Personally I install it on MC (as it has connections to all other nodes) in onprem and in SCP in SH. It works both SCP and enterprise. You must remember that ... See more...
Hi you should install it only SH side. Personally I install it on MC (as it has connections to all other nodes) in onprem and in SCP in SH. It works both SCP and enterprise. You must remember that there is no separate app on side column, just call that SPL command in any of your other apps. This is extremely useful app and currently it one of apps which I install all environments for admin purpose. r. Ismo
While @ITWhisperer 's solution is a neat trick, I'd rethink the search. 1. You're searching for "**mrstrategy**". That's gonna be slow. 2. First you're using automatic json extraction, then you cal... See more...
While @ITWhisperer 's solution is a neat trick, I'd rethink the search. 1. You're searching for "**mrstrategy**". That's gonna be slow. 2. First you're using automatic json extraction, then you call spath.  3. Always be vigilant around "dedup" command. You're deduping on attributes then statsing on attributes and _time. You will only ever have one _time per attributes. And dedup will move processing to SH tier. 4. I have a hunch that you have some duplicate data which you want to get rid of in search time. Maybe it's worth reworking your ingestion process so you're not wasting license? 5. Unfortunately, as you must have noticed already - this is a very ugly data format (from Splunk's point of view). This whiole "keyname=key1,value=something" schema is very inconvenient for searching and processing since you firstly have to read, parse, and interpret all events to get to the "contents". So now you're bending over backwards to do something which should be easy as just writing a simple filter condition. Are you sure you don't have someone in your org to sit with and have a chat about the data format? Or about the ingestion process - maybe it's worth setting up something that wil, transform your data into something more reasonable?
Well, that's not gonna be easy. With this many results not only you can't use append but also eventstats is not a good idea. Unfortunately, the less precise you are about your use case the more pro... See more...
Well, that's not gonna be easy. With this many results not only you can't use append but also eventstats is not a good idea. Unfortunately, the less precise you are about your use case the more probability that you will get a "no can do" answer. Maybe you should work on your extractions and/or initial filtering, maybe it's one of the rare cases where adding indexed field would help... we don't know. We are not aware what problem you're trying to solve.
@Gururaj1  The error you're encountering while trying to install or validate the Splunk Universal Forwarder (version 9.4.1) on Ubuntu 20.04 LTS (Focal Fossa, amd64) suggests issues with the installa... See more...
@Gururaj1  The error you're encountering while trying to install or validate the Splunk Universal Forwarder (version 9.4.1) on Ubuntu 20.04 LTS (Focal Fossa, amd64) suggests issues with the installation process, specifically related to missing Python site-packages directories and possibly a corrupted or incomplete download/installation.   The error about missing /opt/splunkforwarder/lib/python3.7/site-packages and python3.9/site-packages suggests that Splunk’s bundled Python environment is either not installed correctly or not being detected. Splunk Universal Forwarder typically bundles its own Python environment, so this issue is likely due to a corrupted installation rather than a system Python issue.   https://docs.splunk.com/Documentation/Forwarder/9.1.1/Forwarder/Installanixuniversalforwarder    Even if I read of many problems using Ubuntu reported by the Community members. I don't have special reccomandations: only follow all the installation steps documented at https://docs.splunk.com/Documentation/Splunk/9.0.5/Installation/InstallonLinux  https://docs.splunk.com/Documentation/Forwarder/9.0.5/Forwarder/Installanixuniversalforwarder  but it's a very simple procedure.  
The only reason we created accelerated model is so that we can "return" 1 million events in few seconds.  Therefore, I'm not sure append fits this. original non-working scenario due to huge index=a ... See more...
The only reason we created accelerated model is so that we can "return" 1 million events in few seconds.  Therefore, I'm not sure append fits this. original non-working scenario due to huge index=a index=a OR index=b stats (where matched in 2 indexes) by FieldA   Need to make work index=b OR | tstats  values..... stats (where matched in 2 indexes??) by FieldA  
Here is my orignal query.  I have to mask a lot of code and evals. Sorry.  Probably ignore that i do eventstats and than stats as im doing a lookup which im not showing and getting columns there. Qu... See more...
Here is my orignal query.  I have to mask a lot of code and evals. Sorry.  Probably ignore that i do eventstats and than stats as im doing a lookup which im not showing and getting columns there. Question is: if index=A is now Accelerated model.  How can i join results of index query with tstats results without using sub-searches or anything that would limit it.   (index=a OR (index=b DistinguishedName IN ("ou=a" "ou=b") | eventstats values(src_ip) as SourceIP dc(index) as idx values(OU) as OU by Account_Name | search idx=2 | where index="a" | stats dc(src_ip) as IP earliest(T) as FirstOccurance latest(T) as LatestOccurance values(OU) as Location count by Account_Name  
wow. just. wow. took me a week to find this 
Getting error while downloading forwarder in  Ubuntu, 20.04 LTS, amd64 focal image built on 2025-04-08 Reinstalled, tried a bunch of commands to check for any issues, but could not find any solution... See more...
Getting error while downloading forwarder in  Ubuntu, 20.04 LTS, amd64 focal image built on 2025-04-08 Reinstalled, tried a bunch of commands to check for any issues, but could not find any solution. Tried different versions of the ubuntu architecture, still the same. This is stopping my instance to run splunk [ Allowed http traffic, firewall port open..etc] cd /opt/splunkforwarder/bin/ splunk validate files Setting up splunkforwarder (9.4.1) ... find: ‘/opt/splunkforwarder/lib/python3.7/site-packages’: No such file or directory find: ‘/opt/splunkforwarder/lib/python3.9/site-packages’: No such file or directory find: ‘/opt/splunkforwarder/lib/python3.7/site-packages’: No such file or directory find: ‘/opt/splunkforwarder/lib/python3.9/site-packages’: No such file or directory complete
Hi @splunklearner  If you arent on Splunk Cloud and you're team say it isnt possible (for whatever reason) to use Push based approach then I would recommend using the Splunk Add-on for Microsoft Clo... See more...
Hi @splunklearner  If you arent on Splunk Cloud and you're team say it isnt possible (for whatever reason) to use Push based approach then I would recommend using the Splunk Add-on for Microsoft Cloud Services app. This aligns with the recommendations here: https://lantern.splunk.com/Data_Descriptors/Microsoft/Getting_started_with_Microsoft_Azure_Event_Hub...  Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing
There's no need to edit props or transforms for Ingest Actions as they can be configured easily using the UI.  In fact, use of the UI is recommended to avoid errors in the ruleset config.  If you nee... See more...
There's no need to edit props or transforms for Ingest Actions as they can be configured easily using the UI.  In fact, use of the UI is recommended to avoid errors in the ruleset config.  If you need to edit the config files for Splunk Cloud, do so in a custom app and upload the app to your Splunk Cloud search head. https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/Data/DataIngest#Deploy_a_ruleset_on_an_indexer_cluster