All Posts
Hi everyone, we are currently in a migration project and want to process NetFlow data within Splunk. For this purpose, we are using Splunk Stream and the associated apps (Add-On for Stream Forwarders/Add-On for Stream Wire Data) and we are receiving a lot of data from the respective system. Unfortunately, many fields in this data remain empty, even though they can be read from the same system using the current NetFlow tool. We selected every possible field from the configuration within the GUI and changed the NetFlow version from 5 to 9 and IPFIX, without any positive outcome. The fields which are interesting for us are the following: interface name, app, app_desc, protocol (tcp or udp). Are there any additional configuration options available, or has anyone experienced this issue? Thanks in advance
Is there any particular reason for using Python splunk-sdk over standard RESTful API libraries or tools (such as the Python requests library)? Using standard Python, you should be able to import data into pandas with 3 lines:

import requests
import pandas as pd

response = requests.get(url)
data = response.json()
pd.DataFrame(data)

What does splunk-sdk have that Python requests does not? Thanks!
Understood, so my el basically hands me an index today and tells me to investigate it. My anxiety is going through the roof. Please... any tips, advice and best practices?
Does anyone have a spare trial version license? I know it's a very odd request. It will be really helpful if anyone can share.
Hi @Jeewan, I can understand your urgency, but I don't think you can get it immediately. I would suggest sending an email to devinfo@splunk.com, or you might need to request a new license.
I'm having some issues with my on-prem deployment of Splunk SOAR 6.3.1 and would like to revert to 6.2.2. Should I just follow the steps for upgrading even though I'm reverting to a previous version? https://docs.splunk.com/Documentation/SOARonprem/6.2.2/Install/UpgradeSOARInstance
Thanks! I must have missed that one field by not wrapping it. Glad to know it didn't matter in this case, though lol. I'll make sure to look into how I can use FOREACH going forward.   You've been a great help!
Hi Team, is there a way to get an immediate Splunk Developer/Trial license? I was using the developer license and it has expired; I need it for some more time today. Is there a way to get it? Can somebody please provide the Splunk Developer/Trial license? #Splunk Trial account
I am setting up Cloud360 45c version in my dev environment, which is a standalone server. I have configured all the files and lookups, but when I am trying to run the main.py script it is giving me the below error:

splunk@s-9ee55895 scripts]$ /opt/splunk/bin/splunk cmd python3 main.py METRIC
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/acn_cloud360-aws_edc_rhel_7.x_tenant01/bin/scripts/../../lib/pandas/core/indexes/base.py", line 3361, in get_loc
    return self._engine.get_loc(casted_key)
  File "pandas/_libs/index.pyx", line 76, in pandas._libs.index.IndexEngine.get_loc
  File "pandas/_libs/index.pyx", line 108, in pandas._libs.index.IndexEngine.get_loc
  File "pandas/_libs/hashtable_class_helper.pxi", line 5198, in pandas._libs.hashtable.PyObjectHashTable.get_item
  File "pandas/_libs/hashtable_class_helper.pxi", line 5206, in pandas._libs.hashtable.PyObjectHashTable.get_item
KeyError: 'enabled'

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "main.py", line 12, in <module>
    from aws_manager import Cloud360_AWS_Manager
  File "/opt/splunk/etc/apps/acn_cloud360-aws_edc_rhel_7.x_tenant01/bin/scripts/aws_manager.py", line 10, in <module>
    import aws_detail_structure_processor as DetailStructureProcessor
  File "/opt/splunk/etc/apps/acn_cloud360-aws_edc_rhel_7.x_tenant01/bin/scripts/aws_detail_structure_processor.py", line 50, in <module>
    raw_metric_catalog_df = raw_metric_catalog_df[raw_metric_catalog_df['enabled'] == 0]
  File "/opt/splunk/etc/apps/acn_cloud360-aws_edc_rhel_7.x_tenant01/bin/scripts/../../lib/pandas/core/frame.py", line 3458, in __getitem__
    indexer = self.columns.get_loc(key)
  File "/opt/splunk/etc/apps/acn_cloud360-aws_edc_rhel_7.x_tenant01/bin/scripts/../../lib/pandas/core/indexes/base.py", line 3363, in get_loc
    raise KeyError(key) from err
KeyError: 'enabled'

Can anyone help me with what I am missing here?
Telnet will tell you if a network connection can be made, but won't say if the Splunk-to-Splunk protocol is working or not. Have you confirmed all forwarders are running?  Do they have the right outputs.conf settings?  Are their certificates valid? Have you looked at each forwarder's splunkd.log file to see what connection errors are being reported? Do you replace forwarders often?  If so, Splunk probably still expects to hear from the old ones and this message may be a false positive.
Unfortunately the ACS logs are not currently available in the indexes within your cloud stack; however, you may be able to get specific information from Splunk support if you need something looking into, for example to find out who made a change and when it was made. Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped. Regards, Will
Hi, I would like to see a log of when and by whom the ACS API was called. I thought I could check the “_internal” index in Splunk Cloud, but I couldn't. Is there any way to get the ACS API logs?
@myitlab42000 Could you check with your IT team to see if the email is there? Sometimes you may need to request them to release it if it gets blocked.
Hi, I have already had a developer license in the past; all was good with the same email. But after my last request in January 2025, I didn't receive any developer license to renew my period, even after waiting several days. Thank you
I checked my spam folder and all the sub-folders of my mail account, but nothing. I have the same problem with my developer license request. Thank you
Hi, I checked my spam folder and all the sub-folders of my mail account, but nothing. Thank you
@rrovers Can you check this https://community.splunk.com/t5/Alerting/Why-is-my-savedsearches-conf-configuration-not-honoring-the/td-p/114606 
@L_Petch The total vCPU count across all Splunk Enterprise instances counts towards the vCPU licensed capacity. If you have a 24 vCPU license, this means that the combined total of vCPUs assigned to all your Splunk Enterprise instances should not exceed 24. This is not a per-VM allocation but an aggregate limit across your deployment. Please refer to Splunk's official documentation on how Splunk Enterprise licensing works: https://www.splunk.com/en_us/legal/licensed-capacity.html?locale=en_us https://docs.splunk.com/Documentation/Splunk/9.4.0/Admin/TypesofSplunklicenses https://conf.splunk.com/files/2020/slides/PLA1520C.pdf
I made a savedsearch with a simple search in it. As a condition I selected "if number of events" "is greater than" with the value "0". Although no events are selected, the alert is triggered and an email is sent. Does anyone else also have this problem? There is a workaround to use "if condition is met", but it doesn't seem logical to me that the option "if number of events" doesn't work properly.
Hello, apologies as this has probably been asked before. With Splunk vCPU licensing, is the license per cluster or per VM? For example, if you have a 24 vCPU license, is this the CPU usage allowance for the whole cluster or 24 vCPU per VM?