Hi, I have already had a developer license in the past; all was good with the same email. But for my last request in January 2025, I didn't receive any developer license to renew my period, even after waiting several days. Thank you
I checked my spam folder and all the subfolders of my mail account, but nothing. I have the same problem with my developer license request. Thank you
Hi, I checked my spam folder and all the subfolders of my mail account, but nothing. Thank you
@rrovers Can you check this https://community.splunk.com/t5/Alerting/Why-is-my-savedsearches-conf-configuration-not-honoring-the/td-p/114606 
@L_Petch The total vCPU count across all Splunk Enterprise instances counts towards the vCPU licensed capacity. If you have a 24 vCPU license, this means that the combined total of vCPUs assigned to all your Splunk Enterprise instances should not exceed 24. This is not a per-VM allocation but an aggregate limit across your deployment. Please refer to Splunk's official documentation on how Splunk Enterprise licensing works: https://www.splunk.com/en_us/legal/licensed-capacity.html?locale=en_us https://docs.splunk.com/Documentation/Splunk/9.4.0/Admin/TypesofSplunklicenses https://conf.splunk.com/files/2020/slides/PLA1520C.pdf
I made a savedsearch with a simple search in it. As a condition I selected "if number of events" "is greater than" with the value "0". Although no events are selected, the alert is triggered and an email is sent. Does anyone else also have this problem? There is a workaround to use "if condition is met", but it doesn't seem logical to me that the option "if number of events" doesn't work properly.
Hello, apologies as this has probably been asked before. With the Splunk vCPU licensing, is the license per cluster or per VM? For example, if you have a 24 vCPU license, is this the CPU usage allowance for the whole cluster or 24 vCPU per VM?
OK, let's suppose M is 4 and N is 10, so a user could have two periods of continuous access of 4 days each within the 10 day period. What would the output look like then? Or is it that M*2 > N is always true?
@tdth Yes, implementing CIS benchmarks to harden your Red Hat 9 servers can potentially impact your Splunk deployment if not carefully managed. What specific hardening measures are you planning to apply? It's best to first implement CIS hardening in a UAT environment and thoroughly test its impact before deploying it in production.
The expected output is: assuming the start time is from January 1st, 2025 to January 6th, 2025, output the earliest access time and latest access end time of the user, the username, the department, and the number of times the account has been accessed. So the second output, from January 2, 2025 to January 7, 2025: the earliest access time and latest access end time of the user, the username, the department, and the number of times the account has been accessed. The following results follow this pattern...
So, what would your expected output look like in this instance?
Hello @KKuser Have you tried adding the events in the Investigation? - https://docs.splunk.com/Documentation/ES/8.0.2/User/StartInvestigation You can add multiple notable events in Investigation and write down notes as well. Also, if you want to create Notable events from any raw event, you can simply click on Edit Event and Create Notable event right from the search. Please let me know if you have any questions on the same.
Hi @SplunkUser001, where did you install the add-on? It must be installed on the Forwarder and on the Search Head. Ciao. Giuseppe
Assuming M is 4 times (M represents the number of times the user accesses, assuming that the same account is accessed multiple times per day) and N is 6 days (i.e. the period; assuming the data starts from the 1st, it outputs a result on the 6th day, outputs a result on the 7th day, and so on), if the user accesses the same account for 5 consecutive days, it is counted as 5 times. Sliding is 6N+1N until the end.
Hi @Praz_123 You may be able to create a simple app to push out to your instances which runs a modular input to capture this, but in terms of out-of-the-box functionality, unfortunately this isn't available at the moment. Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped. Regards Will
Hi @jkamdar, cases like yours are usually caused by a misconfiguration; for this reason I suggest analyzing your btool result more carefully, not using grep. The issue could be caused by two inputs or by a transformation in props.conf. Ciao. Giuseppe
Hi, I am getting this error. Root Cause(s): More than 70% of forwarding destinations have failed. Ensure your hosts and ports in outputs.conf are correct. Also ensure that the indexers are all running, and that any SSL certificates being used for forwarding are correct. I have used telnet as well and it is getting connected.
Hi @rahulkumar, the results using INDEXED_EXTRACTIONS=JSON or spath should be the same. The advantage of the first one is that it's automatic and you don't need to use the spath command at every search. The problem without transforming message into _raw is that the standard add-ons usually don't work with this data structure because it's different from the one they are expecting. Ciao. Giuseppe
How can I find the ulimit value/status for all servers in the Monitoring Console?