All Posts

request
{"name":"","awsRequestId":"","hostname":"","pid":8,"level":30,"event":{"resource":"/v1/","path":"/data/v1/","httpMethod":"GET","queryStringParameters":{"identifier":"10"},"body":null,"requestContext":{"requestId":"","authorizer":{"principalId":"","integrationLatency":0},"domainName":""}},"msg":"init : data :invoke","time":"","v":0}

response
{"name":"","awsRequestId":"","hostname":"","pid":8,"level":30,"requestType":"GET","entity":"entity","client":"","domain":"","queryParams":{"identifier":"10"},"responseTime":291,"msg":"init: data :responseTime","time":"","v":0}
Hi @rfdickerson, The Python source code for Splunk's implementation of StateSpaceForecast is collectively in:

$SPLUNK_HOME/etc/apps/Splunk_ML_Toolkit/bin/algos/StateSpaceForecast.py
$SPLUNK_HOME/etc/apps/Splunk_ML_Toolkit/bin/algos_support/statespace/*

The StateSpaceForecast algorithm is similar to the Splunk predict command. If you're not managing your own Splunk instance, you can download the MLTK archive from Splunkbase and inspect the files directly. The holdback and forecast_k parameters function as described. You may want to look at the partial_fit parameter for more control over the window of data used to update your model dynamically before using apply and (eventually) calculating TPR and FPR.
Hi @Rakzskull, Splunk support can assist with migrations from DDAA (Splunk-provided S3) to DDSS (customer-provided S3).
What you have shared are formatted events, not the raw unformatted data. Please share the unformatted _raw field from your events.
I included this: | search PROJECTNAME="*" INVOCATIONID="*" RUNMAJORSTATUS="*" RUNMINORSTATUS="*" as a placeholder for filtering using Simple XML inputs. The most likely cause of the difference in the number of results is one of the fields above not being present after spath extracts fields. In your second search, the events missing from the first search would have Status=="Unknown". Have you compared the results at the event level to look for differences other than simple truncation?
Can you explain why you would want to install this on the heavy forwarder? I am trying to install on my SH but can't get the configurations to connect. Would installing on the HF make a difference?
I didn't see any AppDynamics-specific roles on the UK job market for the last year, but I'm still interested in working with both Splunk and AppDynamics as I have a lot of commercial experience of both.
Appreciate your reply @marnall. After updating the package to use the one built for AArch64, "_cffi_backend.cpython-39-aarch64-linux-gnu.so", the same error still appears. One interesting observation here: older versions of the package that we previously used appear in the error logs after running "splunk-appinspect inspect". These older versions were deleted and replaced with "_cffi_backend.cpython-39-aarch64-linux-gnu.so", and yet after rebuilding and running "inspect", they still appear in the error logs.

FAILURE: Found AArch64-incompatible binary file. Remove or rebuild the file to be AArch64-compatible.
File: linux_x86_64/bin/lib/_cffi_backend.cpython-38-x86_64-linux-gnu.so
File: linux_x86_64/bin/lib/_cffi_backend.cpython-38-x86_64-linux-gnu.so
FAILURE: Found AArch64-incompatible binary file. Remove or rebuild the file to be AArch64-compatible.
File: linux_x86_64/bin/lib/_cffi_backend.cpython-39-x86_64-linux-gnu.so
File: linux_x86_64/bin/lib/_cffi_backend.cpython-39-x86_64-linux-gnu.so

Could this be an issue with Splunk Appinspect? What would be some possible explanations for why this is happening?
This is how I get the events:

1.
{
  event: {
    body: null
    httpMethod: GET
    path: /data/v1/name
    queryStringParameters: { identifier: 106 }
    requestContext: {
      authorizer: { integrationLatency: 0 principalId: some@example.com }
      domainName: domain
    }
    domainName: domain
  }
  resource: /v1/name
}
msg: data:invoke

2.
{
  client: same@example.com
  domain: domain
  entity: name
  msg: responseTime
  queryParams: { identifier: 666 }
  requestType: GET
  responseTime: 114
}
These are formatted versions of your events, please share the raw unformatted versions of your events (in a code block just like you did with the formatted versions).
You could create a combined server/client cert and use it in both environments. Another excellent .conf presentation about TLS certs: https://conf.splunk.com/files/2023/slides/SEC1936B.pdf Also, this is a nice tool for managing certs: https://easy-rsa.readthedocs.io/en/latest/
It's also worth mentioning that the client might need additional configuration to validate the commonName if the DNS name you are connecting with is not the same as the common name on the certificate. @isoutamo The Lantern page (https://lantern.splunk.com/Splunk_Platform/Product_Tips/Administration/Securing_the_Splunk_platform_with_TLS) is very useful, I've got that bookmarked now, thanks. The leaf cert that is being used for the web SSL should be sufficient for the TCP input cert as it is pretty much serving the same purpose (a server cert). Interestingly, I have definitely been able to use a server cert in the past as a client certificate, although technically speaking I don't think that should be possible as the server should be checking for "Client Authentication" (OID 1.3.6.1.5.5.7.3.2) attributes. Anyway, @ptrsnk please keep us posted. Will
Hi, I have raw event data in Splunk, where the message contains "data invoke." Should this message be considered as a count of requests made by a user, or should I write a query to count an API request when the path matches a specific query string parameter? My goal is to display the total number of API requests made by any user on a dashboard, filtered by a selected date range. Is this the correct query to achieve that?

index= source IN ("") "event" | spath input=_raw output=queryStringParameters path=queryStringParameters | table queryStringParameters | stats count

1. No. of requests: how to get the total count of requests made, based on the date range selected. Below is my Splunk log for this:

{
  event: {
    body: null
    httpMethod: GET
    path: /data/v1/name
    queryStringParameters: { identifier: 106 }
    requestContext: {
      authorizer: { integrationLatency: 0 principalId: some@example.com }
      domainName: domain
    }
    domainName: domain
  }
  resource: /v1/name
}
msg: data:invoke
}

2. Response time: how to get the total count for a response time, based on the date range selected. Below is the Splunk log format; I am using the query below:

index=* source IN ("*") *responseTime* | fields responseTime | table responseTime,total | addcoltotals labelfield=total label="Total" | search total!="" | fields - total

{
  client: same@example.com
  domain: domain
  entity: name
  msg: responseTime
  queryParams: { identifier: 666 }
  requestType: GET
  responseTime: 114
}

Should I set the SLA based on the formula below, or do I also need to add response time?

passed sla = (total request - total failed request/total request) X 100
Thank you livehybrid, I will try out your suggestions and respond back to you.
Hi, there are different cert types which contain different options. Basically it depends on which kind of web server certificate you have, whether you can also use it for the server's management cert. If it's a pure client certificate (web can be that) then it doesn't work, as the server needs a server certificate. You can read more e.g. from https://lantern.splunk.com/Splunk_Platform/Product_Tips/Administration/Securing_the_Splunk_platform_with_TLS

Leaf (client/server) certificates

Leaf means that the certificate is unable to sign any additional certificates. They are often referred to as client or server certificates because that's generally what they represent, but these are not technical TLS terms. Splunk platform systems use server certificates, meaning the certificate should represent the system(s) in the Subject Alternative Name (SAN) line and Common Name (CN) value. Splunk platform allows wildcard CN/SANs to be used. You can also put multiple hosts in the SAN, but this can become difficult to manage or update compared to a wildcard. Universal forwarders (or web browsers, if desired) use client certificates. These are called client certificates because they don't need to represent (the CN/SAN) the system they're installed on. They only need to be signed by an issuer that the Splunk platform server trusts. You might hear these referred to as forwarder certificates in the Splunk ecosystem. You'll also often hear the term "(full) certificate chain" when reading about TLS. A certificate chain is a leaf certificate that has the proper issuer certificates under it in a single file. In Splunk we automatically create the chain by using the client/serverCert and sslRootCAPath values automatically, so you should not create a "full chain certificate". You should place the server/client certificate and private key in one file, and all of your issuer certificates in another file.

r. Ismo
Hi @ptrsnk First of all, I don't think the "privKeyPath" key is a valid key in inputs.conf. In fact you should just be using serverCert and giving the path to your full certificate chain (in PEM format), including key and CA:

yourCert.pem
<YourSSLCert>
<YourPrivateKey>
<YourCertCA>

You will also need to specify sslPassword if you are using an encrypted private key for your cert. For more information check out the inputs.conf spec page at https://docs.splunk.com/Documentation/Splunk/9.4.0/Admin/Inputsconf There is also another useful answer at https://community.splunk.com/t5/Security/TCP-Data-Input-and-SSL/m-p/483077 with more context and suggestions. Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will
We have an existing Splunk 9.1.3 Enterprise environment and run Splunkweb at port 8000 using an outside CA-signed certificate for https. A partner wants to stream syslog data to our Splunk using a secure connection. I added the following to inputs.conf located in system/local:

[tcp-ssl:6514]
sourcetype = syslog
index=syslog
disabled = 0
[SSL]
privKeyPath = /opt/splunk/etc/auth/splunkweb/2024/splprkey.key
serverCert = /opt/splunk/etc/auth/splunkweb/2024/prcert.pem
requireClientCert = false

After a restart, I used openssl to test the connection. Port 8000 worked normally as expected; the certificate was returned and I could see the TLS negotiation in Wireshark. The openssl connection to port 6154 did not work. A connection was made and openssl did send a "Client Hello" which was visible in Wireshark, but other than an ACK the Splunk server never sent anything further. Based on an article I read, I also copied the certificate path to the server.conf file, but that didn't change anything. What am I missing? Is it incorrect to assume the same cert could be used for different ports? Any assistance appreciated! Thanks,
I found that deploying a Splunk Heavy Forwarder and defining trust and permissions through an Instance Role to be effective for this.
+1 on that. Generally you should avoid putting anything in system/local. Those settings have the highest priority and cannot be overridden by apps (with an exception for indexer cluster apps pushed from the manager into peer-apps), so you cannot manage those settings easily without physically touching the server.
Hello, Does this help? https://community.appdynamics.com/t5/Knowledge-Base/How-do-I-check-my-license-usage-at-the-account-level/ta-p/34492