All Posts

Look at your condition match statements, e.g. your first one does <condition match="$row.Services$ != &quot;s3-bucket&quot;"> and then it sets S3_details="true" same for VPC and the other. So you probably want to change your matches to = rather than !=
I've set up a dev 9.2 Splunk environment. And I'm trying to use a self-signed cert to secure forwarding. But every time I attempt to connect the UF to the Indexing server it fails -_- I've tried a lot of permutations of the below. All ultimately ending with the forwarder unable to connect to the indexing server. I've made sure permissions are set to 6000 for cert and key. Made sure the Forwarder and Indexer have separate common names. And created multiple cert types. But I'm at a bit of a loss as to what I need to do to get the forwarder and indexer to connect over a self-signed certificate. Any help is incredibly appreciated. Below is some of what I've attempted. Trying to not make this post multiple pages long X)

Simple TLS Configuration

Generating Indexer Certs:

openssl genrsa -out indexer.key 2048
openssl req -new -x509 -key indexer.key -out indexer.pem -days 1095 -sha256
cat indexer.pem indexer.key > indexer_combined.pem

Note: I keep reading that the cert and key need to be 1 file. But I'm not sure on this.

Generating Forwarder Certs:

openssl genrsa -out forwarder.key 2048
openssl req -new -x509 -key forwarder.key -out forwarder.pem -days 1095 -sha256
cat forwarder.pem forwarder.key > forwarder_combined.pem

Indexer Configuration:

[SSL]
serverCert = /opt/tls/indexer_combined.pem
sslPassword = random_string
requireClientCert = false

[splunktcp-ssl:9997]
compressed = true

Outcome: Indexer listens on port 9997 for encrypted communications.

Forwarder Configuration:

[tcpout]
defaultGroup = splunkssl

[tcpout:splunkssl]
server = 192.168.110.178:9997
compressed = true

[tcpout-server://192.168.110.178:9997]
sslCertPath = /opt/tls/forwarder_combined.pem
sslPassword = random_string
sslVerifyServerCert = false

Outcome: Forwarder fails to communicate with Indexer.

Logs from Forwarder:

ERROR TcpInputProc [27440 FwdDataReceiverThread] - Error encountered for connection from src=192.168.110.26:33522. error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

Testing with openssl s_client:

Command: openssl s_client -connect 192.168.110.178:9997 -cert forwarder_combined.pem -key forwarder.key
Output: Unknown CA (I didn't write the exact message in my notes, but it generally says the CA is unknown.)

Note: Not sure if I need to add sslVersions = tls1.2, but that seems outside of the scope of the issue.

Troubleshooting connect, running openssl s_client raw:

Command: openssl s_client -connect 192.168.110.178:9997
Output received:
CONNECTED(00000003)
Can't use SSL_get_servername
Full s_client message is here: https://pastebin.com/z9gt7bhz

Further Troubleshooting

Added Indexer's self-signed certificate to forwarder ...

sslPassword = random_string
sslVerifyServerCert = true
sslRootCAPath = /opt/tls/indexer_combined.pem

Outcome: same error message.

Testing with s_client:

Command: openssl s_client -connect 192.168.110.178:9997 -CAfile indexer_combined.pem
Connecting to 192.168.110.178
CONNECTED(00000003)
Can't use SSL_get_servername
Full s_client message is here: https://pastebin.com/BcDvJ2Fs
You can generally get there with SPL, e.g. here's a bit of a hack, which has a stab at it based on your data example:

| makeresults format=csv data="title,totalEventCount,frozenTimePeriodInSecs,count,usedData
_audit,771404957,188697600, ,
_configtracker,717,2592000, ,
_dsappevent,240,5184000, ,
_dsclient,232,5184000, ,
_dsphonehome,843820,604800, ,
_internal,7039169453,15552000, ,
_introspection,39100728,1209600, ,
_telemetry,55990,63072000, ,
_thefishbucket,0,2419200, ,
, , ,22309,_*
, , ,1039,_audit
, , ,2,_configtracker
, , ,1340,_dsappevent
, , ,1017,_dsclient
, , ,1,_dsclient]
, , ,709,_dsphonehome
, , ,2089,_internal
, , ,117,_introspection
, , ,2,_metrics
, , ,2,_metrics_rollup
, , ,2,_telemetry
, , ,2,_thefishbucket"
| eval title=coalesce(title, usedData)
| fields - usedData
| stats values(*) as * by title
| eventstats values(eval(if(match(title, "\*"), title."##".title."##".count, null()))) as wildcard_indexes
| eval wildcard_indexes=mvmap(wildcard_indexes, replace(wildcard_indexes, "\*(.*##)?", ".*\1"))
| eval count=count+sum(mvmap(wildcard_indexes, if(match(title, mvindex(split(wildcard_indexes, "##"), 0)) AND title!=mvindex(split(wildcard_indexes, "##"), 1), mvindex(split(wildcard_indexes, "##"), 2), 0)))
| fields - wildcard_indexes
The Free license doesn't contain cluster or distributed capabilities. So you cannot use Free for this. Basically you maybe could convert the multisite environment back to a single-instance environment before your license gets too old?
And quite probably those copies have moved into frozen at totally different times, based on the situation on each individual indexer. Moving is always initiated by the indexer, not the master.
Hi @johnansett We had something similar after moving our on-prem Splunk to Splunk Cloud. Our on-prem indexed data needed to be searchable as it aged out. As a Splunk customer you should be able to request a zero-ingest license from Splunk Support. This is better than a free or trial license as it gives all the benefits of a standard license (except no data ingestion) and does not need renewing every 6 weeks like a trial license does. If you have a Splunk account manager then this is something you could discuss with them. Hope that helps.
provided you the query
Hey folks, been a while - I have a question I figured the community would be better to answer: We have a multisite cluster using SmartStore built in AWS. We are not going to new Splunk but need to be able to access the data for the next 7 years and thus want to age it out, but it may need to be searched from time to time. I understand we can convert to a Free license. However, does the architecture impact that (namely, that there is cluster replication)? Or is it possible to have a single standalone instance with Splunk Free to search as needed?
I think I got it now, thanks @bowesmana
@phanTom  could you also check the openssl version for the 9.3.0 UF?
Close, but there is no "unless" - Splunk will not keep track of your frozen buckets whatever you do. The last moment Splunk cares about your data is when it moves it to frozen. After that you're completely on your own. That's also why if you want to get that data back into Splunk you have to move the frozen buckets into the thawed directory and manually rebuild them. So yes, you need to have some way to manually rotate frozen data. Your script is one of the possible ways of handling that. Just be aware that 365 days from the move to frozen might not happen when you want, especially if you have some compliance-based requirements for data retention. It's probably better (but more troublesome) to base your retention script on timestamps from the bucket directory name. And last but not least - if you have a cluster, each node manages its own buckets so you might end up with several copies of the same bucket.
Right now, on a SOAR events/cases/playbooks menu page, a user can select a page size of 5, 10, 15, 25 or 50 which is the number of events, cases or playbooks to be displayed in a browser page. Is there a way to change that setting, for example, can SOAR display 100 events in one page? Thank you.
When I attempted to configure the input to use the service principal, I started to get the following error message:

<?xml version="1.0" encoding="utf-8"?><Error><Code>PublicAccessNotPermitted</Code><Message>Public access is not permitted on this storage account. RequestId:3d827a38-b01e-003e-7d90-46bd5c000000 Time:2024-12-04T21:05:06.5396465Z</Message></Error>

Are there other items that I must reconfigure to get the service principal configured?
Hello, thank you for your answer but it doesn't work.

panel 1:

<row>
  <panel>
    <title>AWS Services Monitoring</title>
    <table>
      <search>
        <!--done> <set token="Services">$click.name$</set> </done-->
        <query>index="aws_vpc_corp-it_security-prd" sourcetype="aws:s3:csv" ShortConfigRuleName="*"
| eval Services = case(
    match(ShortConfigRuleName, "s3-bucket"), "s3-bucket",
    match(ShortConfigRuleName, "iam-password"), "iam-password",
    match(ShortConfigRuleName, "iam-policy"), "iam-policy",
    match(ShortConfigRuleName, "iam-user"), "iam-user",
    match(ShortConfigRuleName, "guardduty"), "guardduty",
    match(ShortConfigRuleName, "ec2"), "ec2",
    match(ShortConfigRuleName, "vpc"), "vpc",
    match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot",
    match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots",
    match(ShortConfigRuleName, "cloudtrail"), "cloudtrail",
    match(ShortConfigRuleName, "subnet"), "subnet",
    match(ShortConfigRuleName, "lambda-function"), "lambda-function",
    1=1, "Other")
| search Services!=Other
| lookup aws_security_all_account_ids account_id AS AccountId OUTPUT name
| table name AccountId Services ShortConfigRuleName ComplianceType OrderingTimestamp ResultRecordedTime
| dedup AccountId Services ShortConfigRuleName ComplianceType
| rename name as "AWS Account Name", "ComplianceType" as "Status", "OrderingTimestamp" as "Last Check", "ResultRecordedTime" as "Next Check"
| fillnull value="N/A"
| search $ResourceName$ $Services$ $Status$</query>
        <earliest>$earliest$</earliest>
        <latest>$latest$</latest>
      </search>
      <option name="count">100</option>
      <option name="drilldown">row</option>
      <option name="refresh.display">progressbar</option>
      <option name="wrap">true</option>
      <format type="color" field="Status">
        <colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette>
      </format>
      <drilldown>
        <condition match="$row.Services$ != &quot;s3-bucket&quot;">
          <link target="_blank">/app/search/dev_vwt_dashboards_uc48_details?ShortConfigRuleName=$row.ShortConfigRuleName$&amp;AccountId=$row.AccountId$&amp;Services=$row.Services$&amp;S3_details=true&amp;earliest=$earliest$&amp;latest=$latest$&amp;Status=$row.Status$</link>
        </condition>
        <condition match="$row.Services$ != &quot;vpc&quot;">
          <link target="_blank">/app/search/dev_vwt_dashboards_uc48_details?ShortConfigRuleName=$row.ShortConfigRuleName$&amp;AccountId=$row.AccountId$&amp;Services=$row.Services$&amp;VPC_details=true&amp;earliest=$earliest$&amp;latest=$latest$&amp;Status=$row.Status$</link>
        </condition>
        <condition match="$row.Services$ != &quot;ec2&quot;">
          <link target="_blank">/app/search/dev_vwt_dashboards_uc48_details?ShortConfigRuleName=$row.ShortConfigRuleName$&amp;AccountId=$row.AccountId$&amp;Services=$row.Services$&amp;EC2_details=true&amp;earliest=$earliest$&amp;latest=$latest$&amp;Status=$row.Status$</link>
        </condition>
      </drilldown>
    </table>
  </panel>
</row>

panel 2:

<row>
  <panel depends="$S3_details$">
    <title>S3 DETAILS : $row.Services$ $click.name2$ $click.value$ $click.value$ $click.value3$ $click.Services$</title>
    <table>
      <search>
        <query>index="aws_vpc_corp-it_security-prd"
| search ShortConfigRuleName=$ShortConfigRuleName$
| search AccountId=$AccountId$
| search ComplianceType=$Status$
| eval Services = case(
    match(ShortConfigRuleName, "s3-bucket"), "s3-bucket",
    match(ShortConfigRuleName, "iam-password"), "iam-password",
    match(ShortConfigRuleName, "iam-policy"), "iam-policy",
    match(ShortConfigRuleName, "iam-user"), "iam-user",
    match(ShortConfigRuleName, "guardduty"), "guardduty",
    match(ShortConfigRuleName, "ec2"), "ec2",
    match(ShortConfigRuleName, "vpc"), "vpc",
    match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot",
    match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots",
    match(ShortConfigRuleName, "cloudtrail"), "cloudtrail",
    match(ShortConfigRuleName, "subnet"), "subnet",
    match(ShortConfigRuleName, "lambda-function"), "lambda-function",
    1=1, "Other")
| where ResourceName!="N/A"
| table AccountId ResourceName Services ComplianceType
| rename ResourceName as "InstanceName"
| table AccountId Services ComplianceType
| dedup AccountId Services ComplianceType
| appendcols [ search index="aws_vpc_corp-it_security-prd" source="s3://vwt-s3-secuprod-*" | search AccountId=$AccountId$ | table InstanceId InstanceName Platform State | dedup InstanceId InstanceName Platform State ]
| table AccountId Services ComplianceType InstanceId InstanceName Platform State</query>
        <earliest>$field1.earliest$</earliest>
        <latest>$field1.latest$</latest>
      </search>
      <option name="count">100</option>
      <option name="drilldown">cell</option>
      <option name="refresh.display">progressbar</option>
      <format type="color" field="ComplianceType">
        <colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette>
      </format>
      <format type="color" field="State">
        <colorPalette type="map">{"stopped":#D94E17,"running":#55C169}</colorPalette>
      </format>
      <drilldown>
        <condition>
          <!-- Check that the filter matches exactly the selected service -->
          <eval token="S3_details">if(match($click.value$, "s3-bucket"), "true", "false")</eval>
          <eval token="VPC_details">if(match($click.value$, "vpc"), "true", "false")</eval>
          <eval token="EC2_details">if(match($click.value$, "ec2"), "true", "false")</eval>
        </condition>
      </drilldown>
    </table>
  </panel>
  <panel depends="$VPC_details$">
    <title>VPC DETAILS : $row.Services$ $click.name2$ $click.value$ $click.value$ $click.value3$ $click.Services$</title>
    <table>
      <search>
        <query>index="aws_vpc_corp-it_security-prd"
| search ShortConfigRuleName=$ShortConfigRuleName$
| search AccountId=$AccountId$
| search ComplianceType=$Status$
| eval Services = case(
    match(ShortConfigRuleName, "s3-bucket"), "s3-bucket",
    match(ShortConfigRuleName, "iam-password"), "iam-password",
    match(ShortConfigRuleName, "iam-policy"), "iam-policy",
    match(ShortConfigRuleName, "iam-user"), "iam-user",
    match(ShortConfigRuleName, "guardduty"), "guardduty",
    match(ShortConfigRuleName, "ec2"), "ec2",
    match(ShortConfigRuleName, "vpc"), "vpc",
    match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot",
    match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots",
    match(ShortConfigRuleName, "cloudtrail"), "cloudtrail",
    match(ShortConfigRuleName, "subnet"), "subnet",
    match(ShortConfigRuleName, "lambda-function"), "lambda-function",
    1=1, "Other")
| where ResourceName!="N/A"
| table AccountId ResourceName Services ComplianceType
| rename ResourceName as "InstanceName"
| table AccountId Services ComplianceType
| dedup AccountId Services ComplianceType
| appendcols [ search index="aws_vpc_corp-it_security-prd" source="s3://vwt-s3-secuprod-*" | search AccountId=$AccountId$ | table InstanceId InstanceName Platform State | dedup InstanceId InstanceName Platform State ]
| table AccountId Services ComplianceType InstanceId InstanceName Platform State</query>
        <earliest>$field1.earliest$</earliest>
        <latest>$field1.latest$</latest>
      </search>
      <option name="count">100</option>
      <option name="drilldown">cell</option>
      <option name="refresh.display">progressbar</option>
      <format type="color" field="ComplianceType">
        <colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette>
      </format>
      <format type="color" field="State">
        <colorPalette type="map">{"stopped":#D94E17,"running":#55C169}</colorPalette>
      </format>
      <drilldown>
        <condition>
          <!-- Check that the filter matches exactly the selected service -->
          <eval token="S3_details">if(match($click.value$, "s3-bucket"), "true", "false")</eval>
          <eval token="VPC_details">if(match($click.value$, "vpc"), "true", "false")</eval>
          <eval token="EC2_details">if(match($click.value$, "ec2"), "true", "false")</eval>
        </condition>
      </drilldown>
    </table>
  </panel>
  <panel depends="$EC2_details$">
    <title>EC2 DETAILS : $row.Services$ $click.name2$ $click.value$ $click.value$ $click.value3$ $click.Services$</title>
    <table>
      <search>
        <query>index="aws_vpc_corp-it_security-prd"
| search ShortConfigRuleName=$ShortConfigRuleName$
| search AccountId=$AccountId$
| search ComplianceType=$Status$
| eval Services = case(
    match(ShortConfigRuleName, "s3-bucket"), "s3-bucket",
    match(ShortConfigRuleName, "iam-password"), "iam-password",
    match(ShortConfigRuleName, "iam-policy"), "iam-policy",
    match(ShortConfigRuleName, "iam-user"), "iam-user",
    match(ShortConfigRuleName, "guardduty"), "guardduty",
    match(ShortConfigRuleName, "ec2"), "ec2",
    match(ShortConfigRuleName, "vpc"), "vpc",
    match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot",
    match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots",
    match(ShortConfigRuleName, "cloudtrail"), "cloudtrail",
    match(ShortConfigRuleName, "subnet"), "subnet",
    match(ShortConfigRuleName, "lambda-function"), "lambda-function",
    1=1, "Other")
| where ResourceName!="N/A"
| table AccountId ResourceName Services ComplianceType
| rename ResourceName as "InstanceName"
| table AccountId Services ComplianceType
| dedup AccountId Services ComplianceType
| appendcols [ search index="aws_vpc_corp-it_security-prd" source="s3://vwt-s3-secuprod-*" | search AccountId=$AccountId$ | table InstanceId InstanceName Platform State | dedup InstanceId InstanceName Platform State ]
| table AccountId Services ComplianceType InstanceId InstanceName Platform State</query>
        <earliest>$field1.earliest$</earliest>
        <latest>$field1.latest$</latest>
      </search>
      <option name="count">100</option>
      <option name="drilldown">cell</option>
      <option name="refresh.display">progressbar</option>
      <format type="color" field="ComplianceType">
        <colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette>
      </format>
      <format type="color" field="State">
        <colorPalette type="map">{"stopped":#D94E17,"running":#55C169}</colorPalette>
      </format>
      <drilldown>
        <condition>
          <!-- Check that the filter matches exactly the selected service -->
          <eval token="S3_details">if(match($click.value$, "s3-bucket"), "true", "false")</eval>
          <eval token="VPC_details">if(match($click.value$, "vpc"), "true", "false")</eval>
          <eval token="EC2_details">if(match($click.value$, "ec2"), "true", "false")</eval>
        </condition>
      </drilldown>
    </table>
  </panel>
  <panel depends="$SERVICES_details$">
    <title>SERVICES DETAILS : $row.Services$ $click.name2$ $click.value$ $click.value$ $click.value3$ $click.Services$</title>
    <table>
      <search>
        <query>index="aws_vpc_corp-it_security-prd"
| search ShortConfigRuleName=$ShortConfigRuleName$
| search AccountId=$AccountId$
| search ComplianceType=$Status$
| eval Services = case(
    match(ShortConfigRuleName, "s3-bucket"), "s3-bucket",
    match(ShortConfigRuleName, "iam-password"), "iam-password",
    match(ShortConfigRuleName, "iam-policy"), "iam-policy",
    match(ShortConfigRuleName, "iam-user"), "iam-user",
    match(ShortConfigRuleName, "guardduty"), "guardduty",
    match(ShortConfigRuleName, "ec2"), "ec2",
    match(ShortConfigRuleName, "vpc"), "vpc",
    match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot",
    match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots",
    match(ShortConfigRuleName, "cloudtrail"), "cloudtrail",
    match(ShortConfigRuleName, "subnet"), "subnet",
    match(ShortConfigRuleName, "lambda-function"), "lambda-function",
    1=1, "Other")
| where ResourceName!="N/A"
| table AccountId ResourceName Services ComplianceType
| rename ResourceName as "InstanceName"
| table AccountId Services ComplianceType
| dedup AccountId Services ComplianceType
| appendcols [ search index="aws_vpc_corp-it_security-prd" source="s3://vwt-s3-secuprod-*" | search AccountId=$AccountId$ | table InstanceId InstanceName Platform State | dedup InstanceId InstanceName Platform State ]
| table AccountId Services ComplianceType InstanceId InstanceName Platform State</query>
        <earliest>$field1.earliest$</earliest>
        <latest>$field1.latest$</latest>
      </search>
      <option name="count">100</option>
      <option name="drilldown">cell</option>
      <option name="refresh.display">progressbar</option>
      <format type="color" field="ComplianceType">
        <colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette>
      </format>
      <format type="color" field="State">
        <colorPalette type="map">{"stopped":#D94E17,"running":#55C169}</colorPalette>
      </format>
      <drilldown>
        <condition>
          <!-- Check that the filter matches exactly the selected service -->
          <eval token="S3_details">if(match($click.value$, "s3-bucket"), "true", "false")</eval>
          <eval token="VPC_details">if(match($click.value$, "vpc"), "true", "false")</eval>
          <eval token="EC2_details">if(match($click.value$, "ec2"), "true", "false")</eval>
        </condition>
      </drilldown>
    </table>
  </panel>
</row>

But it doesn't work: when I select the vpc filter, I arrive at the S3_details view instead of VPC_details; when I select the s3-bucket filter, I go to VPC_details instead of S3_details; when I select the ec2 filter, I end up on S3_details instead of EC2_details.
Answering my own question here - it needs to have dates to display results. In the end, I wrote the results to a summary index in a scheduled search using | collect index=test_summary addtime=true. 
Thank you @bowesmana It's working perfectly after adding the <done> section shared by you in the response.
Thanks for the response @gcusello   I will try the HTML button and an external JS approach shared in the link.
In my experience XML dashboards won't let you do scrolling for a single viz. I just played around with Dashboard Studio and I can force a space between the lines but it just squeezes the lines. There is no scrolling on the viz no matter the size of the panel. I don't believe the behavior you want is possible.
@isoutamo @PickleRick you mean that once logs transition to frozen storage, they are typically outside Splunk's control unless you have configured specific mechanisms to manage them. Can I handle frozen storage using "Automate Deletion of Old Frozen Data"?

Example: Delete Frozen Data Older Than 1 Year

#!/bin/bash
# Path to the frozen storage directory
FROZEN_DIR="/data/splunk_frozen"
# Log file for the operation
LOGFILE="/var/log/splunk_frozen_cleanup.log"
# Retention period in days (365 days = 1 year)
RETENTION_DAYS=365
# Find and delete bucket directories directly under FROZEN_DIR that are older
# than the retention period (-mindepth/-maxdepth keep FROZEN_DIR itself, and the
# contents of buckets already removed, out of the match set)
echo "$(date): Starting cleanup of frozen data in $FROZEN_DIR" >> "$LOGFILE"
find "$FROZEN_DIR" -mindepth 1 -maxdepth 1 -type d -mtime +"$RETENTION_DAYS" \
    -exec rm -rf {} \; -exec sh -c 'echo "$(date): Deleted $1"' _ {} \; >> "$LOGFILE"
echo "$(date): Cleanup complete" >> "$LOGFILE"
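The reply above recommends basing retention on the timestamps in the bucket directory name rather than on mtime; the following is an added example (not from this thread) that applies that to the cleanup script in the question: it reads the newest event time Splunk encodes in db_<latestEpoch>_<earliestEpoch>_<id>[_<guid>] (rb_ for replicated copies), only considers directories directly under the frozen directory, and is dry-run unless explicitly told to delete. The LOGFILE path and the bucket-name layout are assumptions, and the epochs in the comments are constructed.

```shell
#!/bin/sh
# Added example, not the thread's script: expire frozen buckets by the event
# timestamps embedded in the bucket directory name instead of filesystem mtime.
# Assumed layout: db_<latestEpoch>_<earliestEpoch>_<id>[_<guid>] (rb_ in clusters).
LOGFILE=${LOGFILE:-/var/log/splunk_frozen_cleanup.log}

# True when $1 is a non-empty string of digits.
is_epoch() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# Print the newest event time (epoch seconds) encoded in a bucket directory
# name; fail (status 1) for anything that is not a Splunk bucket directory.
bucket_latest_epoch() {
    name=$(basename "$1")
    prefix=${name%%_*}
    rest=${name#*_}
    latest=${rest%%_*}
    rest=${rest#*_}
    earliest=${rest%%_*}
    case "$prefix" in db|rb) ;; *) return 1 ;; esac
    is_epoch "$latest" && is_epoch "$earliest" || return 1
    printf '%s\n' "$latest"
}

# bucket_expired DIR RETENTION_DAYS NOW_EPOCH: true when every event in the
# bucket is older than the retention window (newest event before the cutoff).
bucket_expired() {
    latest=$(bucket_latest_epoch "$1") || return 1
    cutoff=$(( $3 - $2 * 86400 ))
    [ "$latest" -lt "$cutoff" ]
}

# list_expired_buckets FROZEN_DIR RETENTION_DAYS NOW_EPOCH: print one expired
# bucket path per line. Only immediate children are examined, so the frozen
# root and non-bucket directories (notes, scripts) are never candidates.
list_expired_buckets() {
    for dir in "$1"/*/; do
        [ -d "$dir" ] || continue
        dir=${dir%/}
        bucket_expired "$dir" "$2" "$3" && printf '%s\n' "$dir"
    done
    return 0
}

# cleanup_frozen FROZEN_DIR RETENTION_DAYS [delete]: dry-run by default, so a
# wrong path or retention value shows what would go before anything is removed.
cleanup_frozen() {
    frozen_dir=$1
    retention_days=$2
    mode=${3:-dry-run}
    now=$(date +%s)
    echo "$(date): starting frozen cleanup in $frozen_dir ($mode, $retention_days days)" >> "$LOGFILE"
    list_expired_buckets "$frozen_dir" "$retention_days" "$now" |
    while IFS= read -r bucket; do
        if [ "$mode" = delete ]; then
            rm -rf -- "$bucket" && echo "$(date): deleted $bucket" >> "$LOGFILE"
        else
            echo "$(date): would delete $bucket"
        fi
    done
}

# Usage: ./frozen_cleanup.sh /data/splunk_frozen 365 [delete]
if [ "$#" -ge 2 ]; then
    cleanup_frozen "$@"
fi
```

Remember that in a cluster each indexer freezes its own copy of a bucket, so the script has to run on every node that has a frozen directory.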
I'll just reply to myself here: The issue was that the hostname for some reason doesn't resolve properly in the inputs.conf file. It is supposed to automatically insert the actual hostname, but it doesn't. I created the file "$SPLUNK_HOME/etc/system/default/inputs.conf" (as it didn't exist yet) and entered the following lines (replace [HOSTNAME] with the name of your host system running Splunk):

[default]
host = [HOSTNAME]

This should override the default configuration in "$SPLUNK_HOME/etc/system/local/inputs.conf". Afterwards, everything worked correctly.