All Posts


Hi @apietersen, even I am seeing this for the first time; however, I would suggest trying to upgrade to 9.3.1 or 9.3.2, and under splunk-->var--->log--->splunk you can find the migration log or splunkd.log for any upgrade-related errors.
Hi @Brelove818, as you are a student, maybe please check: https://www.splunk.com/en_us/about-us/splunk-pledge/academic-license-application.html Not sure what to suggest for the first question, let's wait for others' replies, thanks.
This morning I did a repair on the v9.2.4 (with b9.2.4 of course) and tried to upgrade to v9.3.0 again. Validating install messages during the process, so nothing to worry about I thought?? At the end again: "code execution script cannot proceed SSLEAY32.dll was not found. Reinstalling the program may fix this problem" - After this error it automatically starts a rollback, luckily, but I'm stuck on v9.2.4 now. Questions: What is a validating installation message, what is checked and what is not? Can I view/look into this code somewhere to check if it points to the right directory? Is there a log file of the upgrade? Has anyone had this problem before and/or does anyone know what I should do next? I am considering creating a support ticket. Have done several upgrades over the years to our Splunk Enterprise platform but never experienced this. Any suggestion or tip is welcome.
Hi meetmshah, Thank you for the response. But unfortunately, even after the change, the issue persists.
That information is in the same manual.
@richgalloway On each Splunk Cloud REST API call from the Java service, I want to create the authentication token in the Java service itself and use it for the Splunk Cloud search API. So I need to know how to create the authentication token: which endpoint I need to call for this and which parameters are required to create the auth JWT token. If you have a curl command and can share it, that would be very helpful.
@PickleRick I am using field name "TASKIDUPDATED" which is the combination of TASKID and UPDATED column and it is always dynamic in nature. I have given this field in the rising column and this field is changing in every run. Even after this, duplicate data is being ingested.
So glad to see nearly a decade on Splunk still has no way around this issue 🤯🤪 Unbelievable... How hard is it to return a 0 value if there are just no samples within a timespan?  
Hello @shivprasad, can you please check the list below -
1. Validate the Splunk service is running - ./splunk status
2. Confirm for which range of IP addresses port 8000 is open
3. Validate: if you’re using a VPC, ensure there’s an Internet Gateway attached and the route table includes a route for 0.0.0.0/0 pointing to the Internet Gateway
4. Try restarting the Splunk service once - ./splunk restart
Also, can you please confirm if there are any ERROR / WARN messages under "/opt/splunk/var/log/splunk/splunkd.log" (use the tail command to validate)?
Can you check if below works -

    <form version="1.1" theme="light">
      <label>Time Picker Input</label>
      <description>Replicate time picker issue</description>
      <fieldset submitButton="false">
        <input type="dropdown" token="item" searchWhenChanged="true">
          <label>Select Item</label>
          <choice value="table1">TABLE-1</choice>
          <choice value="table2">TABLE-2</choice>
          <choice value="table3">TABLE-3</choice>
          <change>
            <condition value="table1">
              <set token="tab1">"Table1"</set>
              <unset token="tab2"></unset>
              <unset token="tab3"></unset>
            </condition>
            <condition value="table2">
              <set token="tab2">"Table2"</set>
              <unset token="tab1"></unset>
              <unset token="tab3"></unset>
            </condition>
            <condition value="table3">
              <set token="tab3">"Table3"</set>
              <unset token="tab1"></unset>
              <unset token="tab2"></unset>
            </condition>
            <condition>
              <unset token="tab1"></unset>
              <unset token="tab2"></unset>
              <unset token="tab3"></unset>
            </condition>
          </change>
        </input>
        <input type="time" token="time" searchWhenChanged="true">
          <label>Select Time</label>
          <change>
            <set token="is_time_selected">true</set>
          </change>
        </input>
      </fieldset>
      <row depends="$tab1$ $is_time_selected$">
        <panel>
          <table>
            <title>Table1</title>
            <search>
              <query>
                | makeresults
                | eval Table = "Table1"
                | eval e_time = "$time.earliest$", l_time = "$time.latest$"
                | table Table e_time l_time
              </query>
            </search>
            <option name="drilldown">none</option>
            <option name="refresh.display">progressbar</option>
          </table>
        </panel>
      </row>
      <row depends="$tab2$ $is_time_selected$">
        <panel>
          <table>
            <title>Table2</title>
            <search>
              <query>
                | makeresults
                | eval Table = "Table2"
                | eval e_time = "$time.earliest$", l_time = "$time.latest$"
                | table Table e_time l_time
              </query>
            </search>
            <option name="drilldown">none</option>
            <option name="refresh.display">progressbar</option>
          </table>
        </panel>
      </row>
      <row depends="$tab3$ $is_time_selected$">
        <panel>
          <table>
            <title>Table3</title>
            <search>
              <query>
                | makeresults
                | eval Table = "Table3"
                | eval e_time = "$time.earliest$", l_time = "$time.latest$"
                | table Table e_time l_time
              </query>
            </search>
            <option name="drilldown">none</option>
            <option name="refresh.display">progressbar</option>
          </table>
        </panel>
      </row>
    </form>

Please hit Karma, if this helps!
Hello @Kenny_splunk we would need to call individual rest endpoints and append results. Like, /data/props, /data/transforms. Did a quick ChatGPT and found below search -

    | rest /servicesNS/-/<app_name>/data/props
    | append [| rest /servicesNS/-/<app_name>/data/transforms]
    | append [| rest /servicesNS/-/<app_name>/data/macros]
    | append [| rest /servicesNS/-/<app_name>/saved/searches]
    | append [| rest /servicesNS/-/<app_name>/data/ui/views]
    | append [| rest /servicesNS/-/<app_name>/data/ui/nav]
    | append [| rest /servicesNS/-/<app_name>/data/ui/manager]
    | append [| rest /servicesNS/-/<app_name>/data/ui/panels]
    | append [| rest /servicesNS/-/<app_name>/data/collections/config]
    | fields title, eai:acl.owner, eai:acl.app, eai:acl.sharing
    | search eai:acl.app="<app_name>"
    | table title, eai:acl.owner, eai:acl.sharing
    | sort eai:acl.owner, title

Replace <app_name> with specific app name (like search).

Please hit Karma, if this helps!
I downloaded Splunk Enterprise on EC2 to the /opt folder using the tgz file and unzipped it using tar. Then I started it on port 8000. It shows I successfully started at 8000. But after enabling port 8000 in the EC2 security groups and using the public IP of the EC2 instance with :8000, I can't access the webpage. It just shows this site can't be reached. Please help me.
Thanks. Is there any temporary solution? An older universal forwarder version? Collecting with a script is blocked by Apple.
Thanks @PickleRick for the detailed ideas.
1) One issue - the transforms conf file was saved as transforms.conf.txt (thanks to Windows!), corrected it.
2) Now the search query is:

    | makeresults | eval _raw="இடும்பைக்கு" | lookup ucd_category_lookup _raw output count

3) And the result is:

    Error in 'lookup' command: Cannot find the source field '_raw' in the lookup table 'ucd_category_lookup'. The search job has failed due to an error. You may be able view the job in the Job Inspector.

4) By that "Cannot find the source field '_raw' in the lookup table 'ucd_category_lookup'", I believe the _raw field should be embedded inside the Python script, but I am not sure.
Any help appreciated, karma points for sure. Thanks.
Hi @pwoehl, welcome to the community.
1) This app, S3SPL Add-on for Splunk, is a new app (at least for me), not sure how to help you.
2) Whatever happens, Splunk should update something to the internal logs. As you say no internal logs, in this case, it looks like something is wrong on your configs' end.
3) If I were in your place, the best idea would be to get some ideas/support from datapunctum directly: https://docs.datapunctum.com/s3spl/s3spl-faq
4) Let's wait for other Splunkers to provide some more ideas, thanks.
Both @PickleRick and @andrewb_splunk have given good details on this query, so I don't know which one to "accept as answer", so I am accepting my own. Thanks.
I am using S3SPL from datapunctum and am trying to get some data to be searched. In the internal index there are no errors logged. I have set up my ingest actions with .json or .ndjson and also configured my prefix correctly to reflect the timestamp. I am using minio.

    root@esprimo-piere:/opt/splunk/etc/apps/splunk_ingest_actions/local# cat outputs.conf
    [rfs:splunk]
    batchSizeThresholdKB = 131072
    batchTimeout = 30
    compression = none
    dropEventsOnUploadError = false
    format = json
    format.json.index_time_fields = true
    format.ndjson.index_time_fields = true
    partitionBy = day
    path = s3://splunk/
    remote.s3.access_key = XXXX
    remote.s3.encryption = none
    remote.s3.endpoint = https://localhost:9000
    remote.s3.secret_key = XXX
    remote.s3.signature_version = v4
    remote.s3.supports_versioning = false
    remote.s3.url_version = v1

    root@esprimo-piere:/opt/splunk/etc/apps/SA-DP-s3spl/local# cat s3spl_bucket.conf
    [s3spl_bucket://splunk]
    aws_access_key = XXXXX
    aws_secret_key = ********
    bucket_ia = True
    bucket_name = splunk
    endpoint_url = https://localhost:9000
    max_events_per_file = -1
    max_files_read = -1
    max_total_events = 1000
    prefix = /year=${_time:%Y}/month=${_time:%m}/day=${_time:%d}/
    timezone = Europe/Berlin
    verify_ssl = False
You can find out about how to create and use authentication tokens in the Securing Splunk Cloud Platform manual.
This thread is resolved. For better chances of a reply, please post a new question.
Hi, From a Java service I want to call Splunk Cloud REST API endpoints. I need help with how to create an authentication token for Splunk Cloud and then pass that token while calling search endpoints to execute the query and get the results back. When logging into my <org-name>.splunkcloud.com in the browser, it is done via SSO. Can anybody please provide a sample curl which I can use? I went through the documentation, but I didn't get much. I'm new to this, any help is highly appreciated. #splunkcloud @splunkclouduser @splunkcloudnoob Thanks.