All Posts
Hello, I am trying to write a search query for responding byte sizes that is a catch-all. Currently I have:

index=index 8.8.8.8 | stats sum(resp_bytes) as resp_bytes | eval resp_bytes=if(resp_bytes=0, "0B",if(resp_bytes<1000000,resp_bytes/1024 . "KB",if(resp_bytes>1000000,resp_bytes/1024/1024 . "MB", null)))

I have tested this and it works, but now I am trying to add in a "round" to the 2nd decimal spot, and I'm not sure where it would go.
Hello team, in my distributed Splunk lab created on VMware client virtual machines, I am facing the below issues. The distributed environment consists of the below components with Splunk free licences:

- 4 Indexers (part of an Indexer Cluster)
- 1 Cluster Manager (for managing the indexer cluster)
- 2 Universal Forwarders (UFs) sending data
- 1 DS/LM/MC (Deployment Server + License Manager + Monitoring Console combined on one server)
- 1 Search Head (for searching and dashboards)

I am facing an issue enabling Splunk monitoring for the /opt/log directory. I have checked that /var/log can be monitored successfully, whereas the Splunk forwarder fails to monitor the /opt/log directory. I have checked permission issues and other things, but no luck.
Hi @narenpg

You need to use FIELD_NAMES in your props to set the field names in this case, e.g.:

FIELD_NAMES=name,count,count_perc,region

for this test CSV:

"name","count","count%","region"
"John Smith","245","12.3%","North"
"Mary Johnson","189","9.5%","South"
"James Williams","167","8.4%","East"
"Sarah Davis","156","7.8%","West"
"Michael Brown","143","7.2%","North"
"Jennifer Wilson","134","6.7%","South"
"Robert Taylor","128","6.4%","East"
"Elizabeth Anderson","112","5.6%","West"
"David Martinez","98","4.9%","North"
"Susan Thompson","87","4.4%","South"

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards
Will
@User3

Refer to the Splunk Security Content documentation for troubleshooting common errors. This can provide insights into resolving specific validation errors:

- Troubleshooting common errors - Splunk Documentation
- [BUG] - Build Failing Everytime · Issue #2894 · splunk/security_content
@Karthikeya

Please have a look:
https://www.youtube.com/watch?v=njniDvVqWik
https://www.youtube.com/watch?v=YY_Qk8EqzQw
@Karthikeya

To install Java on your Splunk instances running in AWS, follow these steps based on your instance's OS:

For Amazon Linux / RHEL / CentOS

1. Update the package manager:
   sudo yum update -y
2. Install OpenJDK (recommended) or Oracle JDK.
   For OpenJDK 11 (recommended for Splunk):
   sudo yum install -y java-11-openjdk
   If you need Java 8:
   sudo yum install -y java-1.8.0-openjdk
3. Verify installation:
   java -version

For Ubuntu/Debian

1. Update the package manager:
   sudo apt update && sudo apt upgrade -y
2. Install OpenJDK (recommended) or Oracle JDK.
   For OpenJDK 11 (recommended for Splunk):
   sudo apt install -y openjdk-11-jdk
   If you need Java 8:
   sudo apt install -y openjdk-8-jdk
3. Verify installation:
   java -version

For Amazon Linux 2023

Amazon Linux 2023 uses dnf instead of yum:
   sudo dnf install -y java-11-amazon-corretto

Setting JAVA_HOME (if required)

1. Find the Java installation path:
   sudo update-alternatives --config java
   or
   readlink -f $(which java)
2. Add the JAVA_HOME path to /etc/environment:
   echo 'export JAVA_HOME=/usr/lib/jvm/java-11-openjdk' | sudo tee -a /etc/environment
   source /etc/environment
@Karthikeya  Please check this https://stackoverflow.com/questions/77418759/how-do-i-install-java-in-an-ec2-instance 
Hi, by reading the documentation, it seems like the Splunk ESCU app is built with contentctl from its git content (GitHub - splunk/security_content: Splunk Security Content). I tried with several releases, the latest included: Release v5.1.0 · splunk/security_content · GitHub. The build constantly fails. A whole bunch of:

"Error: 1 validation error for Detection Value error, Found 1 issues when resolving references Security Content Object names: - Failed to find the following 'DataSource'"

Did I miss something? I tried finding a switch to ignore the errors and build the app anyway, without success. The dist directory remains empty. I used a clean Ubuntu 24.04.2 LTS and ran:

apt update
apt full-upgrade
reboot now
apt update
apt install pipx
pipx ensurepath
reboot now
pipx install contentctl
wget https://github.com/splunk/security_content/archive/refs/tags/v5.1.0.tar.gz
tar -xzf v5.1.0.tar.gz
cd security_content-5.1.0/
contentctl build
How to install java on my Splunk instance which hosted on AWS? Please guide me.
@Karthikeya

Step 1: Run java -version. It should show Java 8 (JRE 1.8) or above. Expected output: something like java version "1.8.0_351" or openjdk 11.0.2. This confirms Java is installed.

Step 2: Restart Splunk, and you should be able to see the data input option.
Facing the same issue now. Can anyone help me? We have Splunk instances on AWS cloud. How to install Java on those instances?
Okay, I have more information. The problem seems to be related to timewrap. For example, if I pull three days and put them in a timechart using the downsampled line chart visualization, I see everything displayed in UTC as expected. However, if I, say, throw a "| timewrap 1d"  in there, suddenly the visualization displays in local time while the statistics table continues to show UTC. I'm flat out of ideas, folks, so if anyone has any suggestions I'd be glad to hear them.
I have tried to get the indexes not used in any KO, but I am not getting all the details.

| rest /services/data/indexes | fields index | eval index=1 [index=_audit| stats count as accessed by index, search ] | stats sum(accessed) as accessed, values(index) as index by  | fillnull accessed value=0 | where index=1 AND accessed=0

Total Index | Index Not used in Any Knowledge Object | Index has 0 data last 90 days
100 | 25 | 10
Have you tried not escaping the < and > chars ? I've read somewhere escaping a non-special char might not work here.
For Error 1 (Modular Input): Verify the script exists and is executable. Install Java if missing and ensure it's in the PATH. Test the script manually and adjust permissions or dependencies as needed.

How to do this? Can you please guide me... how to install Java on my AWS Splunk instance?
@Karthikeya

For Error 1 (Modular Input): Verify the script exists and is executable. Install Java if missing and ensure it's in the PATH. Test the script manually and adjust permissions or dependencies as needed.

For Error 2 (KV Store): Check mongod.log and splunkd.log for details. Validate and renew server.pem if expired. Fix permissions or reinitialize KV Store if necessary.
Hi @livehybrid, I didn't modify the serverName on my instance. If I search "index=_internal source=*splunkd.log", I would see the 2 sources in the interesting fields. I had configured the forwarding of the data from the UF and the main instance both using port 9997. In real time, the UF and server should not be on the same machine, right? Thanks.
I am trying to ingest a CSV file which has headers with double quotes " and %. They are separated by commas. But after ingestion, if two field names have the same name except one has # and the other one has %, then it merges both of them into one field when using table output. How to fix this issue? If Splunk doesn't support such CSV headers, then I have to remove them before ingesting. Any ideas?
I left out a character.  Try my updated query.
Hi @Karthikeya

I think it would be worth focussing on the KV Store issue first as that might (although might not!) rectify your other issue if the app relies on the KV Store. Have you made any other recent changes to the KV Store or Splunk version? Are there any logs in splunkd.log ($SPLUNK_HOME/var/log/splunk/splunkd.log) which might indicate what the issue with KV Store is?

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards
Will