All Posts

Hi, We’re looking for guidance on the best way to ingest FortiMail Cloud logs into Splunk Cloud. Our current environment includes:

- Cloud: Splunk Cloud, FortiMail Cloud (hosted)
- On-premise: SC4S server, Heavy Forwarder and FortiAnalyzer on-prem

FortiMail Cloud is hosted by Fortinet, so we can’t just point it at our SC4S like we would for an on-prem appliance. We do have the option to send logs to our on-prem FortiAnalyzer, but we’re unsure if it’s better to:

1. Route FortiMail Cloud logs → FortiAnalyzer on-prem → SC4S/HF → Splunk Cloud,
2. Send FortiMail Cloud logs directly to SC4S via an external connection, or
3. Use another recommended method (e.g., Fortinet APIs, log download scheduling, etc.)

Has anyone implemented a similar setup for FortiMail Cloud? Any best practices or pitfalls to avoid—especially regarding secure transport, parsing, and CIM compliance? Thanks in advance!
Hi @kn450  Please could you look at the logs in $SPLUNK_HOME/var/log/splunk/splunkd.log - Are there any errors that might indicate why it failed to start?  Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing
Yes, there is an "execute javascript" option for a step in your test.  You should be able to write some javascript to locate the element you want to click. Specifically the querySelector() or querySelectorAll() methods should help you do that.
Since no configs are telling splunk how to parse the data, it will pull in / read the entire contents of the file by default. That is my understanding. This monitor is set in a config file pushed to the uf. All I'm doing is telling splunk to go get that log. Not concerned with formatting / parsing right now. Is there anything that will stop / limit this incoming data?
Hi @bwheelerice1  My _internal search was really just a proof-of-concept. Just looking through your search, why are you using the "| where Indexes=proxy OR Indexes=aws"? It would be better to include this in the tstats where statement. If you do everything down to, and including '| where _time >= relative_time(now(), "-1d")' do you get results? If you get results here then it would suggest it's working and then being filtered out by the further "where" command which limits based on the thresholds. If you're getting no results then could it be because the thresholds aren't currently breached?  Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing
If after applying the steps to secure Splunk Web using certificates (SSL/TLS), it gets stuck at:

```
Waiting for web server at https://127.0.0.1:8000 to be available...............................
```

but when you disable the certificates, it works normally,
Hi @kn450  Is this for the web port (8000)? Please check out https://docs.splunk.com/Documentation/Splunk/9.4.2/Security/SecureSplunkWebusingasignedcertificate and https://docs.splunk.com/Documentation/Splunk/9.4.2/Security/StepstosecuringSplunkwithTLS for more info on this.  Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing
Hi @kn450  You should put the Cert/Intermediate(s)/CA in splunkWeb.pem but not the key, that should go in its own file (e.g. splunkWeb.key) and use the privKeyPath setting to set the location for this.

```
[settings]
enableSplunkWebSSL = true
privKeyPath = /opt/splunk/etc/apps/webTLS/certs/splunkWeb.key
serverCert = /opt/splunk/etc/apps/webTLS/certs/splunkWeb.pem
```

Note: You may use absolute paths when you configure these settings by prepending a / to the path. Non-absolute paths are relative to the Splunk installation directory ($SPLUNK_HOME). If you use a non-absolute path, do not add $SPLUNK_HOME to the path.

If this does not work, please could you look in $SPLUNK_HOME/var/log/splunk/splunkd.log for any error logs which might indicate what is preventing it from starting?  Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing
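A pre-restart sanity check for the layout the answer above describes (chain in splunkWeb.pem, key in splunkWeb.key). This is an added example, not code from the thread or from Splunk; the file paths, the function names and the fixture PEM headers are assumptions, and the key-to-certificate match uses openssl only when it is installed.

```shell
#!/bin/sh
# Added example (not from the thread): check that a Splunk Web TLS file
# layout is consistent with serverCert=<chain>.pem and privKeyPath=<key>.key
# before restarting Splunk. Paths and names below are assumptions.

# Count PEM blocks whose label ends in $2 (e.g. CERTIFICATE, PRIVATE KEY).
# "[A-Z ]*" lets "RSA PRIVATE KEY" and "EC PRIVATE KEY" match "PRIVATE KEY".
pem_block_count() {
    n=$(grep -c -E "^-----BEGIN [A-Z ]*$2-----$" "$1" 2>/dev/null || true)
    printf '%s\n' "${n:-0}"
}

# serverCert should hold the leaf cert plus intermediates/CA and no key:
# Splunk Web reads the key from privKeyPath.
check_cert_file() {
    certs=$(pem_block_count "$1" "CERTIFICATE")
    keys=$(pem_block_count "$1" "PRIVATE KEY")
    [ "$certs" -ge 1 ] && [ "$keys" -eq 0 ]
}

# privKeyPath should hold exactly one private key.
check_key_file() {
    keys=$(pem_block_count "$1" "PRIVATE KEY")
    [ "$keys" -eq 1 ]
}

# With openssl available, confirm the key belongs to the first (leaf)
# certificate by comparing the public keys derived from each file.
check_key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl md5)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl md5)
    [ "$cert_pub" = "$key_pub" ]
}

# Usage: check_splunk_web_tls /path/to/splunkWeb.pem /path/to/splunkWeb.key
check_splunk_web_tls() {
    check_cert_file "$1" || { echo "FAIL: $1 must contain certificate(s) and no private key"; return 1; }
    check_key_file "$2"  || { echo "FAIL: $2 must contain exactly one private key"; return 1; }
    if command -v openssl >/dev/null 2>&1; then
        check_key_matches_cert "$1" "$2" || { echo "FAIL: key in $2 does not match the certificate in $1"; return 1; }
    fi
    echo "OK: serverCert=$1 privKeyPath=$2"
}

# Run the check when invoked with two file arguments.
if [ "$#" -eq 2 ]; then
    check_splunk_web_tls "$1" "$2"
fi
```

Run it against the two files before restarting; a FAIL on the first check is the case from this thread (key and certificate in one .pem), and the openssl step catches a key that was regenerated after the CSR was issued.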
How to enable TLS in the Splunk platform from a CA
Hi @splunkville  The default configurations for a sourcetype can often be "good enough" for some logs, Splunk does a good job at determining timestamp extraction but if your logs contain multi-line events, long lines (>10000 chars), multiple timestamps or anything like this then it might struggle or you might get mixed results. It's also worth noting that from a performance perspective it's best to tweak these settings and incorporate the "Great 8" (See https://lantern.splunk.com/Splunk_Platform/Product_Tips/Data_Management/Configuring_new_source_types) to ensure accuracy but also to improve performance of the data being ingested.  Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing
Hi @splunkville , yes, in general, if you configure a monitor you read the file, but what's your issue and your question? Are you working on a Universal Forwarder or a stand alone Splunk server or what else? Please, share more details about your issue. Ciao. Giuseppe
Even then, the HISTCONTROL variable has to be set before running the command you don't want showing in history.  Also, contrary to what I keep reading from Google results, this variable doesn't seem to be automatically set, or at least not on the various Linux distros I've used.
Monitor set to pull in a watched log that has no props/transforms configs applied. This would ingest the entire file contents, correct? 
Hello everyone, I’m encountering an issue when trying to enable secure HTTPS access on Splunk Web using an SSL certificate issued by a trusted external CA.

What I did:

1. Placed the SSL certificate file (splunkWeb.pem) in the following path: $SPLUNK_HOME/etc/apps/webTLS/certs/splunkWeb.pem
2. Edited the web.conf file with the following settings:

```ini
[settings]
enableSplunkWebSSL = true
serverCert = $SPLUNK_HOME/etc/apps/webTLS/certs/splunkWeb.pem
privKeyPath = $SPLUNK_HOME/etc/apps/webTLS/certs/splunkWeb.pem
```

3. Restarted the Splunk service.

Issue: After restarting, Splunk hangs during startup and the web interface does not become available over HTTPS.

Questions:

- Are there additional steps required when using an external SSL certificate?
- Is the web.conf configuration correct, especially regarding the privKeyPath pointing to the same .pem file as serverCert?
- Should the private key be in a separate file from the certificate?

Any advice or similar experiences would be greatly appreciated. Thank you in advance for your help!
Hi @OGS  You need to disable replication_port://9887 by either setting a disabled=true flag or ensuring it does not exist anywhere in your configuration - you can use btool to check:

```
$SPLUNK_HOME/bin/splunk cmd btool server list --debug replication_port
```

If you have replication_port *and* replication_port-ssl enabled then this might conflict.

Other things to note:

- serverCert must contain the server cert plus private key; sslPassword (if set) must be the private key’s passphrase (not the CA’s).
- sslRootCAPath must include the full trust chain (root + any intermediates).
- The names in sslCommonNameToCheck must match the CN/SANs in the peer certificates.

Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing
Hi @Cerum  At this time there isn't a Splunk app for OpenAI Enterprise Compliance - If you already have access to the OpenAI Compliance API (https://chatgpt.com/admin/api-reference) then you could look at using the Splunk UCC Framework to build a custom app to poll the logs. UCC gives a good starting point so if you're familiar with Python then you may be able to get something running quite quickly.  Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing
Hi @SSEAL  Regarding FIPS - Check out https://help.splunk.com/en/appdynamics-on-premises/analytics/25.4.0/analytics/configure-analytics/configure-the-analytics-agent-for-fips-compliance and see if this helps. Regarding Smartcard auth - This isn't something natively supported however you might have some success by using an IdP which would act as the broker for the authentication - Check out https://docs.appdynamics.com/accounts/en/global-account-administration/access-management/configure-single-sign-on-through-saml for details on configuring SSO, from here you would need to determine if one of the IdPs can support your smartcard auth process. Do you already use an IdP with your smartcards that can support SAML?  Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing
This is a challenge because of how different users might define "unused" and because there is no tag to say if data is "used" or not.  A good starting place, at least for Splunk Cloud users, is the "Underutilized source type(s)" alert in the CMC. Other users will need to craft a search that scrubs logs for sourcetype references and another search that compares those references to a list of all sourcetypes on the system.  It won't be perfect, either.  See .conf24 session PLA1837B for more info and SPL to get you started.
The settings for tls should be set the same way as they are on management port. Your configuration looks more or less correct. What do you mean by "doesn't work"? Remember that you need to have a working CA for mTLS to work. Self-signed certs most probably won't work.
What do you mean by "unused data"? And what granularity do you have in mind? You can search the Answers archives for similar questions - the general answer is there is no 100% sure way to find indexes/hosts/sources which are searched (and thus those which are not).