All Posts


That is odd. I don't know how AppInspect works internally so I could not say for sure it is an issue with AppInspect. Are you able to find any mention of these files with text searches? It is indeed very strange that it would complain about these files after they are deleted and replaced.
Excellent. Always good to give it a restart to refresh everything.
I recommend checking the internal logs for the forwarder. It may contain error messages that indicate why /opt/log/ is not logging. You can use various keywords: index=_internal host=<forwardername> log_level=ERROR /opt/log/
That worked, thank you!
Try something like this:

    | eval resp_bytes=if(resp_bytes=0, "0B",
          if(resp_bytes<1000000, round(resp_bytes/1024,2) . "KB",
          if(resp_bytes>=1000000, round(resp_bytes/1024/1024,2) . "MB", null())))
Thanks, but those links don't help that much. I also tried to replicate the CI/CD workflow (security_content/.github/workflows/build.yml at develop · splunk/security_content · GitHub) locally by doing:

    pip install contentctl
    git clone --depth=1 --single-branch --branch=master https://github.com/redcanaryco/atomic-red-team.git external_repos/atomic-red-team
    git clone --depth=1 --single-branch --branch=master https://github.com/mitre/cti external_repos/cti
    contentctl build --enrichments

Without any success.
Hello, I am trying to write a search query for response byte sizes that is a catch-all. Currently I have:

    index=index 8.8.8.8
    | stats sum(resp_bytes) as resp_bytes
    | eval resp_bytes=if(resp_bytes=0, "0B",
          if(resp_bytes<1000000, resp_bytes/1024 . "KB",
          if(resp_bytes>1000000, resp_bytes/1024/1024 . "MB", null)))

I have tested this and it works, but now I am trying to add in a "round" to the 2nd decimal place, and I'm not sure where it would go.
Hello team, in my distributed Splunk lab created on a VMware client virtual machine, I am facing the issues below. The distributed environment consists of the following components with Splunk free licences:
- 4 Indexers (part of an Indexer Cluster)
- 1 Cluster Manager (for managing the indexer cluster)
- 2 Universal Forwarders (UFs) sending data
- 1 DS/LM/MC (Deployment Server + License Manager + Monitoring Console combined on one server)
- 1 Search Head (for searching and dashboards)

I am facing an issue enabling Splunk monitoring for the /opt/log directory. I have checked that /var/log can be monitored successfully, whereas the Splunk forwarder fails to monitor the /opt/log directory. I have checked for permission issues and other things, but no luck.
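When one directory is monitored fine and another is not, a frequent reason is that the forwarder runs as an unprivileged user (as it should) and that user cannot traverse every directory component on the way to the path; the index=_internal search suggested in the reply above then shows a permission error for the monitor stanza. The helper below is an added example, not part of any post in this thread: it walks a path from the leaf up to / and reports the first directory a given user cannot traverse, so you can fix the permission with a group or ACL instead of running the forwarder as root. It assumes GNU stat (Linux) and a local user whose groups `id -nG` can list; the user name `splunk` in the usage line is an assumption.

```shell
#!/bin/sh
# Added example: report the first directory on the way to PATH that USER cannot
# traverse (execute bit). Assumes GNU stat (Linux). Not from the thread.

# can_traverse MODE OWNER GROUP USER [GROUP...]
# MODE is octal as printed by `stat -c %a`; the trailing arguments are the
# groups USER belongs to. Succeeds when the applicable execute bit is set
# (owner bits if USER owns the directory, group bits if USER is in GROUP,
# otherwise the "other" bits).
can_traverse() {
  mode=$1 owner=$2 group=$3 user=$4
  shift 4
  if [ "$owner" = "$user" ]; then
    bit=$(( (0$mode >> 6) & 1 ))
  else
    bit=$(( 0$mode & 1 ))
    for g in "$@"; do
      if [ "$g" = "$group" ]; then
        bit=$(( (0$mode >> 3) & 1 ))
        break
      fi
    done
  fi
  [ "$bit" -eq 1 ]
}

# check_path PATH USER: walk from PATH up to / and print the first blocking
# directory. Only the traverse (x) bit is checked; the files inside the leaf
# directory still need read permission for USER, which is a separate check.
check_path() {
  path=$1 user=$2
  case $path in /*) ;; *) path=$PWD/$path ;; esac
  groups=$(id -nG "$user" 2>/dev/null) || groups=""
  dir=$path
  while :; do
    if ! info=$(stat -c '%a %U %G' "$dir" 2>/dev/null); then
      echo "missing: $dir"
      return 2
    fi
    # $info and $groups are split into words on purpose
    if ! can_traverse $info "$user" $groups; then
      echo "blocked at $dir ($info)"
      return 1
    fi
    [ "$dir" = "/" ] && break
    dir=$(dirname "$dir")
  done
  echo "ok: $user can traverse $path"
}

# Usage on the forwarder host (user name is an assumption):
#   check_path /opt/log splunk
if [ $# -eq 2 ]; then
  check_path "$1" "$2"
fi
```

A "blocked at" result names the directory to fix; granting the forwarder's group execute permission on that directory (or a default ACL) keeps the forwarder unprivileged.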
Hi @narenpg
You need to use FIELD_NAMES in your props to set the field names in this case, e.g.:

    FIELD_NAMES=name,count,count_perc,region

for this test CSV:

    "name","count","count%","region"
    "John Smith","245","12.3%","North"
    "Mary Johnson","189","9.5%","South"
    "James Williams","167","8.4%","East"
    "Sarah Davis","156","7.8%","West"
    "Michael Brown","143","7.2%","North"
    "Jennifer Wilson","134","6.7%","South"
    "Robert Taylor","128","6.4%","East"
    "Elizabeth Anderson","112","5.6%","West"
    "David Martinez","98","4.9%","North"
    "Susan Thompson","87","4.4%","South"

Please let me know how you get on, and consider adding karma to this or any other answer if it has helped.
Regards
Will
@User3 Refer to the Splunk Security Content documentation for troubleshooting common errors. This can provide insights into resolving specific validation errors:
Troubleshooting common errors - Splunk Documentation
[BUG] - Build Failing Everytime · Issue #2894 · splunk/security_content
@Karthikeya Please have a look:
https://www.youtube.com/watch?v=njniDvVqWik
https://www.youtube.com/watch?v=YY_Qk8EqzQw
@Karthikeya To install Java on your Splunk instances running in AWS, follow these steps based on your instance's OS:

For Amazon Linux / RHEL / CentOS
Update the package manager:
    sudo yum update -y
Install OpenJDK (recommended) or Oracle JDK. For OpenJDK 11 (recommended for Splunk):
    sudo yum install -y java-11-openjdk
If you need Java 8:
    sudo yum install -y java-1.8.0-openjdk
Verify the installation:
    java -version

For Ubuntu/Debian
Update the package manager:
    sudo apt update && sudo apt upgrade -y
Install OpenJDK (recommended) or Oracle JDK. For OpenJDK 11 (recommended for Splunk):
    sudo apt install -y openjdk-11-jdk
If you need Java 8:
    sudo apt install -y openjdk-8-jdk
Verify the installation:
    java -version

For Amazon Linux 2023
Amazon Linux 2023 uses dnf instead of yum:
    sudo dnf install -y java-11-amazon-corretto

Setting JAVA_HOME (if required)
Find the Java installation path:
    sudo update-alternatives --config java
or
    readlink -f $(which java)
Add the JAVA_HOME path to /etc/environment:
    echo 'export JAVA_HOME=/usr/lib/jvm/java-11-openjdk' | sudo tee -a /etc/environment
    source /etc/environment
@Karthikeya  Please check this https://stackoverflow.com/questions/77418759/how-do-i-install-java-in-an-ec2-instance 
Hi,
By reading the documentation, it seems like the Splunk ESCU app is built with contentctl from its git content (GitHub - splunk/security_content: Splunk Security Content). I tried with several releases, the latest included (Release v5.1.0 · splunk/security_content · GitHub). The build constantly fails, with a whole bunch of:

    Error: 1 validation error for Detection
    Value error, Found 1 issues when resolving references Security Content Object names:
    - Failed to find the following 'DataSource'

Did I miss something? I tried finding a switch to ignore the errors and build the app anyway, without success. The dist directory remains empty. I used a clean Ubuntu 24.04.2 LTS and ran:

    apt update
    apt full-upgrade
    reboot now
    apt update
    apt install pipx
    pipx ensurepath
    reboot now
    pipx install contentctl
    wget https://github.com/splunk/security_content/archive/refs/tags/v5.1.0.tar.gz
    tar -xzf v5.1.0.tar.gz
    cd security_content-5.1.0/
    contentctl build
How do I install Java on my Splunk instance, which is hosted on AWS? Please guide me.
@Karthikeya
Step 1: run java -version. It should show Java 8 (JRE 1.8) or above. Expected output: something like java version "1.8.0_351" or openjdk 11.0.2. This confirms Java is installed.
Step 2: restart Splunk; you should then be able to see the data input option.
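The install steps and the "Java 8 or above" check from the two answers above, put into one script as an added example (not code from the thread or from Splunk): it parses the first line of `java -version`, which handles both the legacy "1.8.0_351" and the modern "11.0.2" / "17" version formats, compares the major version against the minimum, and otherwise picks the install command for the distro from /etc/os-release. The package names are the ones the answer above gives (OpenJDK 11 via yum/apt, Corretto 11 on Amazon Linux 2023) and are an assumption for your image; the version check is the part worth keeping, because `java -version` prints to stderr and the two version formats are easy to misread by hand.

```shell
#!/bin/sh
# Added example (not from the thread): check an installed Java against the
# "Java 8 or above" requirement and pick the install command for the distro.
# Package names mirror the thread's answer and are an assumption for your image.

# java_major_version LINE: extract the major version from the first line of
# `java -version` output. Handles the legacy "1.8.0_351" form (-> 8) and the
# modern "11.0.2" / "17" forms (-> 11 / 17). Fails if no quoted version is found.
java_major_version() {
  v=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
  [ -n "$v" ] || return 1
  case $v in
    1.*) printf '%s\n' "$v" | cut -d. -f2 ;;
    *)   printf '%s\n' "$v" | cut -d. -f1 ;;
  esac
}

# java_meets_minimum LINE [MIN]: succeed when the major version is >= MIN (default 8).
java_meets_minimum() {
  major=$(java_major_version "$1") || return 1
  [ "$major" -ge "${2:-8}" ]
}

# java_install_cmd ID VERSION_ID: map /etc/os-release values to an install command.
# Returns 1 for a distro the thread does not cover.
java_install_cmd() {
  case "$1:$2" in
    amzn:2023*)        echo "sudo dnf install -y java-11-amazon-corretto" ;;
    amzn:*|rhel:*|centos:*|rocky:*|almalinux:*)
                       echo "sudo yum install -y java-11-openjdk" ;;
    ubuntu:*|debian:*) echo "sudo apt update && sudo apt install -y openjdk-11-jdk" ;;
    *)                 return 1 ;;
  esac
}

# Stand-alone use: report the installed Java, or say how to install one.
if command -v java >/dev/null 2>&1; then
  line=$(java -version 2>&1 | head -n 1)    # java prints its version on stderr
  if java_meets_minimum "$line" 8; then
    echo "OK: $line"
  else
    echo "Too old for the Java 8 minimum: $line"
  fi
elif [ -r /etc/os-release ]; then
  . /etc/os-release
  if cmd=$(java_install_cmd "$ID" "${VERSION_ID:-}"); then
    echo "Java not found. Install with: $cmd"
  else
    echo "Java not found and no install command known for $ID"
  fi
fi
```

Run it on the instance before and after installing; if it reports "Too old", the app's data input will not appear even though `java` is on the PATH.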
Facing the same issue now. Can anyone help me? We have Splunk instances on AWS cloud. How do I install Java on those instances?
Okay, I have more information. The problem seems to be related to timewrap. For example, if I pull three days and put them in a timechart using the downsampled line chart visualization, I see everything displayed in UTC as expected. However, if I, say, throw a "| timewrap 1d"  in there, suddenly the visualization displays in local time while the statistics table continues to show UTC. I'm flat out of ideas, folks, so if anyone has any suggestions I'd be glad to hear them.
I have tried to get the indexes not used in any KO, but I am not getting all the details.

    | rest /services/data/indexes
    | fields index
    | eval index=1
        [ index=_audit | stats count as accessed by index, search ]
    | stats sum(accessed) as accessed, values(index) as index
    | fillnull accessed value=0
    | where index=1 AND accessed=0

    Total Index   Index Not used in Any Knowledge Object   Index has 0 data last 90 days
    100           25                                       10
Have you tried not escaping the < and > chars? I've read somewhere that escaping a non-special char might not work here.