All Posts

Thanks @livehybrid . I'll ask our customers to try out your suggestions and will report back. I really appreciate your help!
@Kenny_splunk Find sourcetypes that are consuming a lot of data, especially unnecessary logs. Reduce retention or delete them if they are no longer needed. If multiple indexes contain similar data, consolidate where possible.
@Kenny_splunk Use the tstats command to track index usage over time. This will help you identify peaks and patterns in data usage. Review and adjust your index retention policies to ensure that data is stored only for as long as needed. This can help reduce storage costs. Review saved searches and reports to ensure they are still relevant and being used. Disable or delete those that are not needed. Optimize your searches by using efficient search commands and avoiding unnecessary subsearches. Use summary indexing and data models for faster results.

Index Usage Over Time:
@Joseph.McNellage were you ever able to resolve this issue? We are encountering the exact same thing and it appears to be a problem with ElasticSearch. I'm wondering if upgrading to the newest version might resolve the issue.
In the investigation panel for an incident in Splunk SOAR, there is a comment or command field under Activity. If you copy and paste multiple lines of text that include blank lines in between sections of text in the comment field, all formatting is lost and the text is all bunched together. However, if you select an incident from the queue and select the Edit button, and paste the same lines of text in the "Add comment" field, the formatting is preserved. Is there any way to add a new line character or line break to the text to maintain the blank lines or prevent the text from bunching up?
@jiaminyun When the index in Splunk becomes full, indexing will stop. It's important to monitor your index capacity to prevent it from getting full, as this can impact overall performance. Use the rest command to check the index size. With the eventcount command on the DMC, you can get the index size details.
So we are starting a new project soon, and basically our boss is personally sending me an index (not internal) to investigate. Investigate as far as usage. We are trying to optimize the env and cut what's not being used, or check to see what is being overused. KOs, data intake, etc. Any good practices, processes or tips you can lend? This would be the most perfect learning opportunity. I'm excited, but nervous.
How much syntax has changed from splunklib (which ran on Python 2.x) to splunk-sdk (which runs on Python 3.x)? Just seems like a lot of the tutorials and info on the Splunk API is super outdated. Is nobody doing this anymore? Currently mainly interested in running a search and getting results into Pandas using Python. Also breaking up a search into multiple smaller time spans if the time period is too long and/or the return data set too large. I have old code from the splunklib Python 2.0 days but am basically just starting over and using it as reference.
Can you please check that the syntax and everything is correct? I have used the same thing in my terminal and after this I am writing a command in my Search and Reporting search bar, that is:

index="mycloud" sourcetype="httpevent" | table message

props.conf

[source::http: LogStash]
sourcetype = httpevent
TRANSFORMS-00 = securelog_set_default_metadata
TRANSFORMS-01 = securelog_override_raw

transforms.conf

[securelog_set_default_metadata]
INGEST_EVAL = host = json_extract(_raw, "host.name")

[securelog_override_raw]
INGEST_EVAL = _raw = json_extract(_raw, "message")
Hi @rahulkumar, as I said, in the message field there's the original _raw field, in other words the original event. So you have to restore the original event, deleting the additional fields in the json structure, otherwise the standard add-ons don't read them in a correct way. The configurations I hinted at make this restore: they extract metadata from the json fields and restore in _raw the original event. You cannot use spath because the parsers work on the _raw field; for this reason you have to configure the original event restore using props.conf and transforms.conf.

Ciao.
Giuseppe
So if I am getting the below data.

This below is using spath for the message field:

2025-02-11 20:20:46.192 [com.bootstrapserver.runtim] DEBUG Stability run result com.cmp.bootstrapserver.runtime.internal.api.RStability@36464gf
2025-02-11 20:20:46 [com.bootstrapserver.runtim] DEBUG Stability run result :com.cmp.bootstrapserver.runtime.interndal.api.RStability@373638cgf

This below is using props and transforms for the message field:

2025-02-11 20:20:46.192 [com.bootstrapserver.runtim] DEBUG Stability run result com.cmp.bootstrapserver.runtime.internal.api.RStability@36464gf
2025-02-11 20:20:46 [com.bootstrapserver.runtim] DEBUG Stability run result :com.cmp.bootstrapserver.runtime.interndal.api.RStability@373638cgf

Both ways got the same data, so is it correct or wrong? Or should it be different after using transforms and props? I need to know this first, and if not, then what?
Excellent - post back here if you need any further help. I don't use the MISP app so I'm not sure how it is expected to run, but the _audit index should certainly give you some insight into those searches.

Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped.

Regards
Will
Hi @livehybrid,

I think that is a good place to start. I am going to tinker with that and report back. I have also challenged our success engineer at Splunk for any input, so I will report back with those findings too.

Have a great day!
Antoine
Is your intention to query Splunk using some external Python code, or are you building a Splunk add-on and using the inbuilt Splunk Python? You may gain some benefits from using the SDK if connecting to the Splunk API from outside Splunk, such as pagination, error catching, validation etc. It can also help abstract away from the particular API endpoints needed for interacting with the REST API and be maintained to reflect changes in Splunk through version updates to the SDK libraries. Let me know if you have a particular use-case and we can see if there is a particular benefit/drawback to using the SDK and/or the requests library.

Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped.

Regards
Will
@Sathish28 As @livehybrid said, please check this.

[capability::change_authentication]
* Lets a user change authentication settings through the authentication endpoints.
* Lets the user reload authentication.

And also, this seems to work to reload it, and is available through the management port.

curl -k -u admin:changeme https://splunkserver:8089/services/authentication/providers/services/_reload

You can use this simple Splunk command to do this:

./splunk _internal call /authentication/providers/services/_reload -auth 
QUERYING: 'https://127.0.0.1:8089/services/authentication/providers/services/_reload'
Your session is invalid. Please login.
Splunk username:
Password:
HTTP Status: 200.
Content:
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>auth-services</title>
<id>https://127.0.0.1:8089/services/authentication/providers/services</id>
<updated>2014-04-02T08:39:45+02:00</updated>
<generator build="163460" version="5.0.3"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/authentication/providers/services/_reload" rel="_reload"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>
Hi @noiiaz

You might be able to find the logs you are looking for in _audit. If you know the name of the search then try

index=_audit savedsearch_name=<yourSearchName> info=completed action=search

which should give you some more info about the search query, and useful info such as the number of events searched and results output (e.g. event_count=134, result_count=67).

Would this help provide the info you are looking for?

Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped.

Regards
Will
@SN1 Here is one .conf presentation which you probably could use to check if there is a local issue or where the issue could be. https://conf.splunk.com/files/2019/slides/FN1570.pdf
It looks like your user role doesn't have `change_authentication = enabled`, which is required for this task. Do you have access to an admin account, or maybe a break-glass account that you can execute the CLI reload with?

Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped.

Regards
Will
@SN1 Even though telnet is connecting, there might still be network issues or firewall rules affecting the Splunk traffic. Ensure that there are no firewalls blocking the traffic between the forwarders and indexers. Make sure all your indexers are running and reachable. You can use the Splunk monitoring console to view the status of your indexers. Check the resource usage on your forwarders and indexers. High CPU or memory usage can sometimes cause forwarding issues. Then, are you using an SSL certificate? If yes, check the validity and the password of your certificate and that the certificate is used on the UFs and IDXs.
Recently we migrated a server from a Virtual Machine to a physical server. We use LDAP authentication for user access to Splunk. The users were able to login but did not have the same privileges when moved from the VM to the physical server. I am able to login to the Splunk Web UI, but as an admin I am not able to view with admin privileges, so I tried to run the below command on the search head server:

./splunk reload auth

I got the below error:

Authorization Failed: b'<?xml version="1.0" encoding="UTF-8"?>\n<response>\n  <messages>\n    <msg type="ERROR">You (user=88888888) do not have permission to perform this operation (requires capability: change_authentication).</msg>\n  </messages>\n</response>\n'
Client is not authorized to perform requested action