All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

All Posts

I'm having a similar issue with the Egnyte Collaborate TA - https://splunkbase.splunk.com/app/5653.  When trying to use the add-on - I keep getting the following error:  “01-22-2025 16:45:55.409 +0... See more...
I'm having a similar issue with the Egnyte Collaborate TA - https://splunkbase.splunk.com/app/5653.  When trying to use the add-on - I keep getting the following error:  “01-22-2025 16:45:55.409 +0000 ERROR PersistentScript [1693337 PersistentScriptIo] - From {/opt/splunk/bin/python3.9 /opt/splunk/etc/apps/TA-egnyte-connect/bin/TA_egnyte_connect_rh_settings.py persistent}: solnlib.credentials.CredentialNotExistException: Failed to get password of realm=__REST_CREDENTIAL__#TA-egnyte-connect#configs/conf-ta_egnyte_connect_settings, user=proxy.” The issue is I'm running Splunk Cloud - and don't have the ability to modify local conf files. Any ideas on how to get this resolved for Slunk Cloud customers? Cheers.
Hello, Newb here trying to get up to speed... I need to create dashboards that will allow me to perform the audit events listed in the JSIG: 1. Authentication events:     (1) Logons (Success/Fail... See more...
Hello, Newb here trying to get up to speed... I need to create dashboards that will allow me to perform the audit events listed in the JSIG: 1. Authentication events:     (1) Logons (Success/Failure)     (2) Logoffs (Success) 2. Security Relevant File and Objects events:     (1) Create (Success/Failure)     (2) Access (Success/Failure)     (3) Delete (Success/Failure)     (4) Modify (Success/Failure)     (5) Permission Modification (Success/Failure)     (6) Ownership Modification (Success/Failure) 3. Export/Writes/downloads to devices/digital media (e.g., CD/DVD, USB, SD) (Success/Failure) 4. Import/Uploads from devices/digital media (e.g., CD/DVD, USB, SD) (Success/Failure) 5. User and Group Management events:     (1) User add, delete, modify, disable, lock (Success/Failure)     (2) Group/Role add, delete, modify (Success/Failure) 6. Use of Privileged/Special Rights events:     (1) Security or audit policy changes (Success/Failure)     (2) Configuration changes (Success/Failure) 7. Admin or root-level access (Success/Failure) 8. Privilege/Role escalation (Success/Failure) 9. Audit and security relevant log data accesses (Success/Failure) 10. System reboot, restart and shutdown (Success/Failure) 11. Print to a device (Success/Failure) 12. Print to a file (e.g., pdf format) (Success/Failure) 13. Application (e.g., Adobe, Firefox, MS Office Suite) initialization   Are there templated Splunk search commands for these? And if so, could you point me to them? Many thanks!
I don't have admin rights in Splunk. Is there an easy way to enforces this in the search query? 
issues had been resolved. I did the props.conf and transforms.conf on the search heads alone, it didn't work. I also both props.conf and transforms.conf on the heavyforwarder, then it works. thank... See more...
issues had been resolved. I did the props.conf and transforms.conf on the search heads alone, it didn't work. I also both props.conf and transforms.conf on the heavyforwarder, then it works. thank you for your helps!!!
I don't have admin rights in Splunk. Is there an easy way to enforces this in the search query? 
Hi @FAnalyst  The answers provided so far look to either look at forwarders sending data to your Splunk indexers, or look at allowlist configurations in serverclasses, however I believe you are look... See more...
Hi @FAnalyst  The answers provided so far look to either look at forwarders sending data to your Splunk indexers, or look at allowlist configurations in serverclasses, however I believe you are looking for the host and IP of deployment clients when they connect? If that is the case then try the below search:   | tstats latest(_time) as lastPhoneHome WHERE index=_dsphonehome earliest=-24h latest=now by data.clientId | append [| tstats latest(_time) as lastRestart where index=_dsclient earliest=0 latest=now by data.name, data.build, data.clientId, data.splunkVersion data.package, data.hostname] | stats latest(*) AS * by data.clientId | eval lastPhoneHomeFriendly=strftime(lastPhoneHome,"%d/%m/%Y %H:%M:%S")   This was tested on SPlunk 9.3 but I believe should work from <9.2 Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped. Regards Will
Hi @shabamichae , yes, you can do it. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors
Hello I got the same question that was also asked in 2017.(The solution is outdated and doesn't work anymore) "With a SAAS controler, how can i get a clear report of how many licences are consumed... See more...
Hello I got the same question that was also asked in 2017.(The solution is outdated and doesn't work anymore) "With a SAAS controler, how can i get a clear report of how many licences are consumed by application ? I dont need the speed dials that tell me how many licenses are consumed total. What i need is the license count per actual application that i have created in appDynamics. We need this to figure out what is the cost per application." have it been implemented or its there a way in 2024 to get this?
@FAnalyst  Try this  index=_internal sourcetype=splunkd component=Metrics group=tcpin_connections | dedup sourceHost | table sourceHost fwdType
@FAnalyst  You should be able to get list of whitelist servers using following query. | rest /services/deployment/server/serverclasses | table title whitelist.* | untable title whitelist hostname |... See more...
@FAnalyst  You should be able to get list of whitelist servers using following query. | rest /services/deployment/server/serverclasses | table title whitelist.* | untable title whitelist hostname | stats count by hostname | table hostname You can put it to in a lookup file or just use the rest query itself and compare it against deployment/server/clients to know which clients that are configured in serverclass.conf but not sending phonehome. Something like this | rest /services/deployment/server/serverclasses | table title whitelist.* | untable title whitelist hostname | stats count by hostname | table hostname | eval state="configured" | append [| rest /services/deployment/server/clients | table title | rename title as hostname | eval state="phonehome" ] | stats values(state) as state by hostname | where mvcount(state)=1 AND state="configured"  
Thanks
@FAnalyst  Use the below search to get an exportable list of deployment clients. | rest splunk_server=local /services/deployment/server/clients | table hostname utsname | sort utsname Another ... See more...
@FAnalyst  Use the below search to get an exportable list of deployment clients. | rest splunk_server=local /services/deployment/server/clients | table hostname utsname | sort utsname Another way to find forwarders is to search the internal index for incoming TCP connections. index=_internal sourcetype=splunkd component=Metrics group=tcpin_connections | dedup sourceHost | table sourceHost fwdType   To see all hosts that send data, not just forwarders, count the hosts found in all indexes. | tstats count where index=* host=* by host  
thank you for your answer ,I tried the search you shared is does not show the IP  address of the hosts , also the number does not match the number showing in the forwarder management dashboard 
You can serch using following searches: | tstats values(splunk_server) as Host, values(clientip) as IP from _internal where index=_internal sourcetype=splunkd by host or  index=_internal sou... See more...
You can serch using following searches: | tstats values(splunk_server) as Host, values(clientip) as IP from _internal where index=_internal sourcetype=splunkd by host or  index=_internal sourcetype=splunkd | stats values(clientip) as IP by host Enjoy,  
@att35If you find the provided solution satisfactory, please proceed with accepting it.
I see there is a forwarder management dashboard in the monitoring console  where you can check if the host is reporting or not , I want the search that is used as the table contains the host name and... See more...
I see there is a forwarder management dashboard in the monitoring console  where you can check if the host is reporting or not , I want the search that is used as the table contains the host name and the IP address , also there is no option for export in that dashboard , there is another similar dashboard in the monitoring console named forwarder_deployment but does not show the IP address only the host name , can you help with that ?
@shabamichae  Yes, you can run the Deployment Server, License Master, and Monitoring Console on the same Splunk instance using the same port (default port 8089 for management). However, there are a ... See more...
@shabamichae  Yes, you can run the Deployment Server, License Master, and Monitoring Console on the same Splunk instance using the same port (default port 8089 for management). However, there are a few things to consider: Resource Efficiency: Good for lab environments or small deployments where resources are limited. Simpler Management: easier to manage since all roles are on a single instance.
@gcusello  So, if I get you correctly, In the practical Lab exam, I can run Deployment Server, License Master and the Monitoring Console on the same instance with same port
Thanks @kiran_panchavat  So, if I get you correctly, In the practical Lab exam, I can run Deployment Server, License Master and the Monitoring Console on the same instance with same port
o, sorry for the late reply. If I run that one -current_member_uri     I get below issue Node splsearch01 is already part of cluster id=2A5DDFE0-B873-4201-8B68-D2ACB4873DA7. To add a new member... See more...
o, sorry for the late reply. If I run that one -current_member_uri     I get below issue Node splsearch01 is already part of cluster id=2A5DDFE0-B873-4201-8B68-D2ACB4873DA7. To add a new member via this node use new_member_uri. Run 'splunk help add shcluster-member' for more info.