@Verity_Partners Since you are using a Splunk trial license and hitting the 500 MB daily indexing limit:
1. Disable unnecessary FortiGate logs.
2. Use props.conf and transforms.conf to drop unwanted events before indexing them. This can be done by defining transforms to filter out unnecessary logs.
3. Since your system is hitting violations overnight, create alerts to notify you before reaching the limit, OR monitor your license usage.
4. If you are using Splunk for testing, apply for a Developer License.
https://dev.splunk.com/enterprise/dev_license/
https://www.splunk.com/en_us/resources/personalized-dev-test-licenses/faq.html
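As an added illustration of step 2 (not from the reply above), here is the props.conf/transforms.conf pair that routes events to nullQueue so they are never indexed and never count against the license. The sourcetype name fortigate_log and the FortiGate key=value fields used in the regexes (type, action, subtype) are assumptions; adjust them to what your data actually contains.

```ini
# props.conf
# These transforms run on the parsing tier (indexer or heavy forwarder);
# a universal forwarder does not apply them. The sourcetype name is assumed.
[fortigate_log]
TRANSFORMS-fgt_filter = fgt_drop_accepted_traffic

# transforms.conf
# Drop accepted traffic sessions, normally the bulk of FortiGate volume,
# while denied/blocked traffic and UTM events keep flowing to the index.
# FortiGate syslog may quote values (type="traffic"), so quotes are optional.
[fgt_drop_accepted_traffic]
REGEX = type="?traffic"?[^\n]*action="?accept"?
DEST_KEY = queue
FORMAT = nullQueue

# Alternative allow-list style: send everything to nullQueue first, then
# pull only the security-relevant subtypes back into the index queue.
# Order in TRANSFORMS- matters; the last matching transform wins, so list
# fgt_setnull before fgt_setparsing in props.conf, e.g.:
#   TRANSFORMS-fgt_filter = fgt_setnull, fgt_setparsing
[fgt_setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[fgt_setparsing]
REGEX = subtype="?(virus|ips|webfilter|app-ctrl)"?
DEST_KEY = queue
FORMAT = indexQueue
```

After restarting the parsing tier, confirm the drop took effect by charting indexed bytes per sourcetype from license_usage.log, for example: index=_internal source=*license_usage.log type=Usage | timechart span=1h sum(b) by st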
When I ran the command it shows nothing; does that mean port 8000 is not open?
sudo firewall-cmd --list-ports
[acnops_splunk@IEM***** ~]$ netstat -tulnp | grep 8000
(Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.)
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN 3679909/splunkd
[acnops_splunk@IEMS****** ~]$ netstat -tulnp | grep 8000
@andy2025  That introspection error means your script failed to load, could be a syntax error, etc. Check this, but it's an outdated version.  https://community.splunk.com/t5/All-Apps-and-Add-ons/Unable-to-initialize-modular-input-quot-upload-pcap-quot-after-6/m-p/262577 
@rukshar It seems that Splunk Web (port 8000) is not open in the firewall. Please coordinate with the firewall or OS team and inform them about this. We recently encountered a similar issue, and after notifying the Linux team, they made some firewall-level changes at the OS level. Following those changes, we were able to access Splunk Web successfully.
sudo firewall-cmd --permanent --add-port=8000/tcp
sudo firewall-cmd --reload
Check if the port is open:
sudo firewall-cmd --list-ports
If you see 8000/tcp in the list, the port is now open. After opening the port, restart Splunk:
sudo su - splunk
/opt/splunk/bin/splunk restart
Check if Splunk Web is listening on port 8000:
netstat -tulnp | grep 8000
If firewalld is disabled but iptables is in use, you need to allow port 8000:
sudo iptables -A INPUT -p tcp --dport 8000 -j ACCEPT
sudo iptables-save | sudo tee /etc/sysconfig/iptables
sudo systemctl restart iptables
@rukshar  Check Splunk logs for any web service issues: cat /opt/splunk/var/log/splunk/web_service.log 
Hi @colinmchugo, If I understand correctly, you are looking for a solution like this. I'm sharing this approach so that anyone landing on this page can use this logic for comparing today's, yesterday's, and last week's hourly data.
index=_internal log_level="*" component="*" earliest=-8d@d latest=@d
| timechart count span=1h
| timewrap 1d series=short
| fields _time, s0, s1, s7
| rename s0 as Today, s1 as Yesterday, s7 as Lastweek
If anyone finds this helpful, please upvote and share your karma! || Keep Splunking, Keep Securing! ||
@wdhaar Please follow the below instruction to install Splunk Enterprise. https://docs.splunk.com/Documentation/Splunk/9.4.0/SearchTutorial/InstallSplunk 
Yes, I am doing curl for my web URL only and the result is good. Any further help would really be appreciated.
@splunklearner First stop Splunk, after that run sudo chown -R splunk:splunk /opt/splunk, then start it again. In your example, you are trying to do that initialization as root. The only time you should use the root user is to enable boot-start (or start/stop/restart with systemd). The error message shows that for some reason it tried to write some status information to the /root/.splunk directory, which didn't succeed as Splunk is running as user splunk, not as root. You should do sudo -u splunk and then run those commands as user splunk:
/opt/splunk/bin/splunk reload deploy-server
@splunklearner Instead of using sudo -i, which logs you in as the root user, you should use the following command to switch to the Splunk user:
sudo su - splunk
What should I use instead of sudo -i while logging in? Please let me know @kiran_panchavat
This is exactly what I was looking for. Really nice doc linked. Thanks
I signed in just to say I had this exact problem, and your question was exactly what I was looking for. Thank you. This forum post helped answer my issue. jowenssi's reply was what I was looking for.
sudo su splunk
./splunk reload deploy-server
Yes, you can update the configurations in `/opt/splunk/etc/deployment-apps` and push them to the clients. That should be sufficient. 
@splunklearner It's basically: Splunk is not running as root (which is good), but you're logged in as root (which is not so good). When you try to log in (which is required to reload the deployment server), Splunk saves your login (which would be a cookie if you were using a browser) in a folder in your home directory (/root/.splunk/). But as Splunk does not run as root, it has no permissions to do that, hence the error message. Solution: Do not work as root, especially not while editing files on a non-root Splunk; it will get you into trouble. I'd suggest using a normal user; you could use the user Splunk is running as.
@rukshar You need to update the URL:
curl -v http://<serverip>:8000
Please replace it with your Splunk Web URL.
Thank you to everyone who replied with helpful comments. I however discovered a math trick with logarithms to accomplish this far more succinctly.
| eval log_value = ln(value_a)
| stats sum(log_value) AS log_sum
| eval product = exp(log_sum)
No, I did not, without a lot of work.
Anytime I try to do anything with my deployment server I get this error: An error occurred: Could not create Splunk settings directory at '/root/.splunk' This includes the command ./splunk reload deploy-server. We have AWS EC2 instances hosted for all components, open them via SSM, and log in via sudo -i. I tried sudo chown -R splunk:splunk /opt/splunk/bin, still the same issue. And one more doubt: if we edit in etc/deployment-apps, is a reload enough to distribute the updated configurations to the manager? When I restart, the configurations are reflected in the manager; not sure why reload is throwing this error?