All Posts

Thanks, Kiran! I am reading up on this now!
Now you're Splunking! Watch out for approximation errors: 2 * 3 * 4 = 24, whereas exp(ln(2) + ln(3) + ln(4)) ~= 23.999999999999993
Is it this one? https://dev.splunk.com/observability/reference/api/incidents/latest#endpoint-create-single-muting-rule
Hi guys! I am getting the following error message when trying to publish a model which I created in "Experiments". I do not know what this should mean. Does anyone have an idea? I would appreciate your help! Best regards!
@cdavidsonbp  Have a look at the content packs: https://docs.splunk.com/Documentation/ContentPackApp/latest/Overview/Overview#Available_content_packs  specifically https://docs.splunk.com/Documentation/CPWindowsMon/1.3.0/CP/About  and https://docs.splunk.com/Documentation/CPWindowsDash/1.4.0/CP/About 
Hello, I am trying to find a way to report on all Applied Group Policy Objects for all of our domain-joined computers. This would be similar to running the following command:
gpresult /r /scope computer
Is there a way that Splunk can gather all of this information as a report? I did see there was an app called Splunk App for Windows Infrastructure, but it was EOL'd. Is there anything new that would audit our computers? Thanks, Charlie
Found it. Adding onEventHandler={myHandler} wasn't enough. I also had to add hasEventHandlers={true}. Then it'll actually fire myHandler:
<Pie onEventHandler={myHandler} hasEventHandlers={true} ... />
@rukshar  Internally on the server, Splunk is running fine. Externally, if you cannot access http://<server-ip>:8000, the firewall may be blocking the connection. Contact your OS team to fix this. 
@Verity_Partners Since you are using a Splunk trial license and hitting the 500 MB daily indexing limit:
1. Disable unnecessary FortiGate logs.
2. Use props.conf and transforms.conf to drop unwanted events before indexing them. This can be done by defining transforms to filter out unnecessary logs.
3. Since your system is hitting violations overnight, create alerts to notify you before reaching the limit, or monitor your license usage.
4. If you are using Splunk for testing, apply for a Developer License.
https://dev.splunk.com/enterprise/dev_license/
https://www.splunk.com/en_us/resources/personalized-dev-test-licenses/faq.html
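Item 2 above as a worked configuration, added here as an example and not taken from the thread. It assumes the FortiGate syslog feed arrives with sourcetype fortigate_log (adjust to whatever your inputs.conf assigns) and relies on FortiGate's key=value fields type and level. Which events to drop is a constructed starting point you must tune yourself: anything routed to nullQueue is never indexed and cannot be recovered, so keep deny, UTM and authentication events even when squeezing a trial license.

```ini
# props.conf on the indexer (or heavy forwarder) that parses the FortiGate feed.
# Assumption: sourcetype fortigate_log; a universal forwarder does not run TRANSFORMS-.
[fortigate_log]
TRANSFORMS-drop_noise = fortigate_drop_informational_events

# transforms.conf on the same instance. Events whose _raw matches REGEX are routed to
# nullQueue before indexing and do not count against the license. The two lookaheads
# make the match independent of key order in the FortiGate line; quotes around values
# are optional because FortiGate emits both forms. Constructed example: drop only
# informational/notice system events, nothing of type traffic or utm.
[fortigate_drop_informational_events]
REGEX = ^(?=.*\btype="?event"?)(?=.*\blevel="?(?:information|notice)"?)
DEST_KEY = queue
FORMAT = nullQueue
```

After restarting the parsing instance, confirm the stanza is loaded with splunk btool transforms list fortigate_drop_informational_events --debug, then compare the sourcetype's daily volume in index=_internal source=*license_usage.log* type=Usage st=fortigate_log before and after the change to see what the filter actually saved.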
When I ran the command it shows nothing; does that mean port 8000 is not open?
sudo firewall-cmd --list-ports
[acnops_splunk@IEM***** ~]$ netstat -tulnp | grep 8000
(Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.)
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN 3679909/splunkd
[acnops_splunk@IEMS****** ~]$ netstat -tulnp | grep 8000
@andy2025  That introspection error means your script failed to load, could be a syntax error, etc. Check this, but it's an outdated version.  https://community.splunk.com/t5/All-Apps-and-Add-ons/Unable-to-initialize-modular-input-quot-upload-pcap-quot-after-6/m-p/262577 
@rukshar It seems that Splunk Web (port 8000) is not open in the firewall. Please coordinate with the firewall or OS team and inform them about this. We recently encountered a similar issue, and after notifying the Linux team, they made some firewall-level changes at the OS level. Following those changes, we were able to access Splunk Web successfully.
sudo firewall-cmd --permanent --add-port=8000/tcp
sudo firewall-cmd --reload
Check if the port is open:
sudo firewall-cmd --list-ports
If you see 8000/tcp in the list, the port is now open.
After opening the port, restart Splunk:
sudo su - splunk
/opt/splunk/bin/splunk restart
Check if Splunk Web is listening on port 8000:
netstat -tulnp | grep 8000
If firewalld is disabled but iptables is in use, you need to allow port 8000:
sudo iptables -A INPUT -p tcp --dport 8000 -j ACCEPT
sudo iptables-save | sudo tee /etc/sysconfig/iptables
sudo systemctl restart iptables
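The procedure above as one script that checks each hop in order, added here as an example and not taken from the thread. It uses ss(8) instead of the deprecated netstat, assumes firewalld or iptables on the host, and the ss lines its parsing functions are documented with are constructed. It also covers a case the thread does not mention: if splunkd is bound only to 127.0.0.1 (server.socket_host in web.conf), no firewall change will help. Because opening 8000/tcp to every source exposes the Splunk Web login page, the script suggests a firewalld rich rule limited to an assumed admin range (10.0.0.0/8, a placeholder) rather than a blanket --add-port.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: check each hop between a browser and Splunk Web
# (splunkd listener -> bind address -> host firewall -> local HTTP reply) so the
# ticket goes to the right team. Assumptions: Linux with ss(8) from iproute2,
# firewalld and/or iptables, Splunk Web on 8000/tcp (override with SPLUNK_WEB_PORT).

SPLUNK_WEB_PORT="${SPLUNK_WEB_PORT:-8000}"

# Print the local addresses on which something listens on the given TCP port.
# stdin is the output of `ss -Hltn` (one socket per line, no header), e.g. the
# constructed line:  LISTEN 0 4096 0.0.0.0:8000 0.0.0.0:*
listen_addrs() {
    local port="$1"
    awk -v port="$port" '
        $1 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            if (parts[n] == port) {
                sub(":" port "$", "", addr)   # keep 0.0.0.0, 127.0.0.1, [::], *
                print addr
            }
        }'
}

# Exit 0 when at least one listener accepts connections from other hosts, i.e. it is
# not bound only to loopback. In Splunk that is web.conf [settings] server.socket_host.
reachable_bind() {
    local addrs="$1" found=1 a
    for a in $addrs; do
        case "$a" in
            127.*|"[::1]"|::1) ;;          # loopback only: the firewall is not the problem
            *) found=0 ;;
        esac
    done
    return "$found"
}

# Exit 0 when `firewall-cmd --list-ports` output (argument 2) contains port/tcp.
# A port may also be allowed through a service or rich rule; `--list-all` shows those.
firewalld_allows() {
    local port="$1" list="$2" p
    for p in $list; do
        [ "$p" = "${port}/tcp" ] && return 0
    done
    return 1
}

main() {
    local port="$SPLUNK_WEB_PORT" addrs
    addrs=$(ss -Hltn | listen_addrs "$port")
    if [ -z "$addrs" ]; then
        echo "FAIL: nothing listens on tcp/$port; check 'splunk status' and web.conf (startwebserver, httpport)"
        return 1
    fi
    echo "splunkd listens on: $addrs"
    if ! reachable_bind "$addrs"; then
        echo "FAIL: bound to loopback only; fix server.socket_host in web.conf, not the firewall"
        return 1
    fi
    if command -v firewall-cmd >/dev/null && [ "$(firewall-cmd --state 2>/dev/null)" = "running" ]; then
        if firewalld_allows "$port" "$(firewall-cmd --list-ports)"; then
            echo "firewalld: tcp/$port allowed in the default zone"
        else
            echo "firewalld: tcp/$port not in --list-ports (check --list-all for services/rich rules)"
            echo "  to allow only an admin network (10.0.0.0/8 is a placeholder), run:"
            echo "  firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"10.0.0.0/8\" port port=\"$port\" protocol=\"tcp\" accept' && firewall-cmd --reload"
        fi
    elif command -v iptables >/dev/null; then
        # -C only reports an exact rule match; a broader ACCEPT would still pass traffic.
        if iptables -C INPUT -p tcp --dport "$port" -j ACCEPT 2>/dev/null; then
            echo "iptables: ACCEPT rule for tcp/$port present in INPUT"
        else
            echo "iptables: no exact ACCEPT rule for tcp/$port in INPUT"
        fi
    fi
    # Ask Splunk Web itself; a 200/303 here with no remote access points at the network path.
    curl -s -o /dev/null -w 'local HTTP check: %{http_code}\n' "http://127.0.0.1:${port}/"
}

case "${1:-}" in --live) main ;; esac
```

Run it as root with sudo bash check_splunk_web.sh --live; without the flag it only defines the functions so they can be sourced and exercised on captured ss output.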
@rukshar  Check Splunk logs for any web service issues: cat /opt/splunk/var/log/splunk/web_service.log 
Hi @colinmchugo, if I understand correctly, you are looking for a solution like this. I'm sharing this approach so that anyone landing on this page can use this logic for comparing today's, yesterday's, and last week's hourly data.
index=_internal log_level="*" component="*" earliest=-8d@d latest=@d
| timechart count span=1h
| timewrap 1d series=short
| fields _time, s0, s1, s7
| rename s0 as Today, s1 as Yesterday, s7 as Lastweek
If anyone finds this helpful, please upvote and share your karma! Keep Splunking, Keep Securing!
@wdhaar Please follow the below instruction to install Splunk Enterprise. https://docs.splunk.com/Documentation/Splunk/9.4.0/SearchTutorial/InstallSplunk 
Yes, I am doing curl for my web URL only and the result is good. Any further help would really be appreciated.
@splunklearner First stop Splunk, and after that sudo chown -R splunk:splunk /opt/splunk. Then start it again. In your example, you are trying to do that initialization as root. The only time you should use user root is to enable boot-start (or start/stop/restart with systemd). The error message shows that for some reason it tried to write some status information to the /root/.splunk directory, which didn't succeed as Splunk is running as user splunk, not as root. You should use sudo -u splunk and then run those commands as user splunk:
/opt/splunk/bin/splunk reload deploy-server
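An added check for the situation described above, not taken from the thread: it lists files under SPLUNK_HOME that are no longer owned by the service account (the usual leftover of running splunk as root) and reports which account the running splunkd actually uses. It assumes GNU find (-printf) and procps (pgrep, ps), /opt/splunk as SPLUNK_HOME and splunk as the service user; both are overridable through the environment.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: find files under $SPLUNK_HOME not owned by the
# service account and confirm which user splunkd runs as, before restarting.
# Assumptions: GNU find (-printf), pgrep/ps from procps, SPLUNK_HOME=/opt/splunk, user splunk.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_USER="${SPLUNK_USER:-splunk}"

# stdin: lines of "<owner> <path>" as produced by `find ... -printf '%u %p\n'`
# stdout: the paths whose owner is not $1 (paths containing spaces are kept whole)
wrong_owner() {
    local want="$1"
    awk -v want="$want" '$1 != want { sub(/^[^ ]+ /, ""); print }'
}

# Exit 0 when the single line on stdin (from `ps -o user= -p <pid>`) names user $1.
runs_as() {
    local want="$1" have
    read -r have
    [ "$have" = "$want" ]
}

main() {
    local stray pid
    stray=$(find "$SPLUNK_HOME" -printf '%u %p\n' | wrong_owner "$SPLUNK_USER")
    if [ -n "$stray" ]; then
        echo "files not owned by $SPLUNK_USER (with splunkd stopped, fix with: chown -R $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME):"
        printf '%s\n' "$stray" | head -n 20
    else
        echo "ownership under $SPLUNK_HOME is consistent"
    fi
    pid=$(pgrep -o -x splunkd) || { echo "splunkd is not running"; return 0; }
    if ps -o user= -p "$pid" | runs_as "$SPLUNK_USER"; then
        echo "splunkd (pid $pid) runs as $SPLUNK_USER"
    else
        echo "splunkd (pid $pid) runs as $(ps -o user= -p "$pid"); stop it and start it via systemd or: sudo -u $SPLUNK_USER $SPLUNK_HOME/bin/splunk start"
    fi
}

case "${1:-}" in --live) main ;; esac
```

Invoke it as sudo bash check_splunk_owner.sh --live; without the flag the file only defines the functions. Running splunkd as root and later as splunk is exactly what produces the mixed ownership the script reports, which is why the thread's advice to stop, chown and restart as the splunk user matters.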
@splunklearner Instead of using sudo -i, which logs you in as the root user, you should use the following command to switch to the Splunk user:
sudo su - splunk
What should I use instead of sudo -i when logging in? Please let me know, @kiran_panchavat.
This is exactly what I was looking for. Really nice doc linked. Thanks