I believe this is another case of unclear documentation. The useSSL setting, as seen in the doc snippet you posted, does not say you don't need a cert; it says you don't need to set clientCert on the forwarder if the receiver has requireClientCert = false. In other words, the 'useSSL' setting on the forwarder is telling that forwarder to use TLS authentication, which is different from just encrypting your logs with TLS, which uses the TLS cert from the receiver. If you wish to encrypt your logs but don't need the receiver to require client TLS certs to authenticate, you don't need the useSSL=true setting. The other settings you listed, such as checking that the CN and SAN of the receiver cert match the indexer you listed, are not required, since you told the client not to require a server cert when connecting. So there are 3 related but distinct TLS topics here: log encryption using TLS, the forwarder authenticating the server using TLS, and the receiver authenticating the forwarder using TLS. The .conf.spec docs are not clear about which settings are for which TLS function, making it confusing.

useSSL = <true|false|legacy>
* Whether or not the forwarder uses SSL to connect to the receiver, or relies on the 'clientCert' setting to be active for SSL connections.
* You do not need to set 'clientCert' if 'requireClientCert' is set to "false" on the receiver.
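The three TLS functions named in the answer above map onto different settings on each side of the connection. The following configuration sketch is an added illustration, not part of the answer or of Splunk's documentation; hostnames, certificate paths and the CA file are assumptions. Each layer is marked so the reader can see which setting buys which property.

```ini
# --- Forwarder: outputs.conf (hostnames and paths are hypothetical) ---
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = idx1.example.com:9997

# Layer 1, encryption: open a TLS connection to the receiver.
# With the default value (legacy) the forwarder only uses TLS when
# clientCert is set, so this is the line that turns on encryption
# when no client certificate has been deployed.
useSSL = true

# Layer 2, the forwarder authenticates the receiver: require that the
# receiver's certificate chains to the CA in sslRootCAPath (server.conf)
# and that its CN or SAN names the indexer we meant to reach. Without
# this, anything holding any certificate can accept the log stream.
sslVerifyServerCert = true
sslCommonNameToCheck = idx1.example.com
sslAltNameToCheck = idx1.example.com

# Layer 3, the receiver authenticates the forwarder: present a client
# certificate. Only needed when the receiver sets requireClientCert = true.
clientCert = $SPLUNK_HOME/etc/auth/mycerts/forwarder.pem
sslPassword = changeme   # Splunk hashes this in place after a restart

# --- Receiver (indexer): inputs.conf ---
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer.pem
sslPassword = changeme
# Layer 3 enforced here: reject forwarders that do not present a
# certificate signed by the CA in sslRootCAPath.
requireClientCert = true

# --- Both sides: server.conf ---
[sslConfig]
# The CA that signed indexer.pem and forwarder.pem (assumed file name).
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca.pem
```

Leaving Layer 2 off (sslVerifyServerCert = false, no CN/SAN check) still encrypts the stream, but the forwarder will happily send logs to any host that answers on the port with a certificate, so the check is worth keeping wherever the receiver's hostname is stable.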
Can you try https://community.splunk.com/t5/Knowledge-Management/Solutions-quot-Splunk-could-not-get-the-description-for-this/td-p/694752
Try this workaround: https://community.splunk.com/t5/Knowledge-Management/Solutions-quot-Splunk-could-not-get-the-description-for-this/td-p/694752
Try https://community.splunk.com/t5/Knowledge-Management/Solutions-quot-Splunk-could-not-get-the-description-for-this/td-p/694752
Hi @splunklearner, could you share the two main searches in the two dashboards? Ciao. Giuseppe
Check out this alternative workaround: https://community.splunk.com/t5/Knowledge-Management/Solutions-quot-Splunk-could-not-get-the-description-for-this/td-p/694752
Hi @Hemant_h, if the structure of your events is fixed, you could try something like this:

| rex field=product_name "^(?<field1>\w+)\s[^\s]+\s[^\s]+\s[^\s]+\s[^\s]+\s(?<field2>[^ ]+)"

Ciao. Giuseppe
If it's not related to a Windows restart, check out this alternative workaround: https://community.splunk.com/t5/Knowledge-Management/Solutions-quot-Splunk-could-not-get-the-description-for-this/td-p/694752
To date, we have had separate dashboards for separate application teams. Now the ask is to create a common dashboard for all applications. Is it really possible? We have restricted users via index to keep them away from other applications. We don't have any app_name in the logs either; logs are segregated only by index, and the sourcetype is also the same. The log format for all applications is similar. How can I achieve this? Should I extract app_name from the host we have and keep it in a drop-down, and involve index as well in the drop-down? Is it really possible? Please help me with your action plan for this.
How does it mess up the nexpose appliance?
We are a small Managed Service Provider (MSP) currently testing Splunk with a deployment on a Windows 2019 server using a trial version. After adding a remote device and integrating the Fortinet FortiGate App for Splunk, the system functioned well initially. However, the next day, we noticed that the system encountered 5 violations in one night. Subsequently, when accessing the dashboard, we were greeted with the following message: "Error in 'rtlitsearch' command: Your Splunk license expired or you have exceeded your license limit too many times. Renew your Splunk license by visiting www.splunk.com/store." Is there a way to resolve this issue without performing a full reinstall? Additionally, is there a way to set a limit on the amount of data being indexed to avoid triggering the violation? I have come across references to routing logs to the "nullQueue" and would appreciate feedback from the community on this approach or any other recommended solutions. Thank you in advance for your help!
Hello, I really need help. Why is the 'Create Server' button in the 'APPSplunk App for SOAR' disabled? After installing this app on the Splunk Search Head Cluster 9.3.1 through the Deployer, I still don't have a role named 'Phantom'. Please, I would really appreciate a response. Let me know if you need anything else!
Hi, thanks for the response. We don't have _time, but we have a Time column (indexed time; it will be the same for all events, so we can't use the Time column). My expectation is that events without a timestamp need to be merged with the previous events using any logic (no need to save the results; they will be used for some calculation and then saved in a saved search). Yes, this is always the case for all logs, so I need to write a query to transform this. Please help with this and share your comments.
Are these separate events? Do you already have any fields extracted? Please share your raw event data in code blocks using the </> button above to preserve formatting in the event.
Want to extract HIGCommercialAuto and MLM-RS-H only from the logs below, in the field product name.

HIGCommercialAuto higawsaccountid: 463251740121 higawslogstream: app-5091-prod-1-ue1-EctAPI/EctAPI/17eea8553cb8434bb4c126047817da16 MLM-RS-H higawsaccountid: 463251740121 higawslogstream: app-5091-prod-1-ue1-EctAPI/EctAPI/17eea8553cb8434bb4c126047817da16 MLM-R3-N higawsaccountid: 463251740121 higawslogstream: app-5091-prod-1-ue1-EctAPI/EctAPI/17eea8553cb8434bb4c126047817da16
The events will have a value for _time. If you sort by this, are these events in the order you showed? Your events which do have timestamps in the event seem to have the same timestamp for the events either side of the events without timestamps. Is this always the case? For the events without timestamps, is each line in a different event of multiple events? Please provide more detail so we can see what needs to be done and work out a solution for you.
Hi @Dikshi, Do you see other kvstore errors in splunkd.log and mongod.log?
What is your question?  Have you checked mongod.log and splunkd.log?  What did they say?
I want to add an endpoint to the webhook allow list. I checked the for that. However, I cannot find "Webhook allow list" under Settings > Server settings. Can someone please help me with this? Where do I find this option, and is it available in the trial version or not? Is there any other alternative for this? Splunk Cloud Version: 9.3.2408.107 Build: b802f6467976 Webhooks Input Custom Alert Webhook