All Posts

Looking for help with Log Observer Connect. I've got Splunk on AWS EC2. In O11y, I've followed the Set Up Service Account instructions and have secured the web and management port with a self-signed cert. This part is working. I have confirmed the details regarding the indexes, capabilities (including indexes_list_all), resources and tokens. When I attempt the Set Up Observability Cloud step, I fill in the account details and upload or paste the first cert in the chain (myCACertificate.pem, based on the instructions at https://docs.splunk.com/Documentation/Splunk/9.3.1/Security/ConfigureandinstallcertificatesforLogObserver?ref=hk), but I get: Unable to create Splunk Enterprise client. The Splunk Enterprise _internal index doesn't appear to show any errors related to this. I've been very specific about the details; the only odd aspect is the IP address as the CN for the cert. Any ideas would be greatly appreciated.
Exactly what I needed and all I had to do was substitute my field names. Worked like a charm. Karma for you. Thanks!
Developer guide does not provide any evidence of loading different icons based on selected theme. The documentation states the order the icons are loaded, which are triggered based on quality of display and location in the app. https://dev.splunk.com/enterprise/docs/developapps/createapps#Add-icons-to-your-app

File name        | Image size (pixels)      | Placement
appIcon_2x.png   | 72 x 72                  | App list on the Splunk Web home page for high-resolution displays
appIcon.png      | 36 x 36                  | App list on the Splunk Web home page for standard-resolution displays
appIconAlt_2x.png| 72 x 72                  | App menus for Splunk bar and search bar for high-resolution displays
appIconAlt.png   | 36 x 36                  | App menus for Splunk bar and search bar for standard-resolution displays
appLogo.png      | 160 x 40 (maximum size)  | App bar on standard-resolution displays
appLogo_2x.png   | 320 x 80 (maximum size)  | App bar on high-resolution displays
Hello AppDynamics Community Team. I'm trying to disable the AppD Agent to get more licenses free. Our team's strategy is removing the APPDYNAMICS_AGENT_ACCOUNT_ACCESS_KEY so that the agent cannot connect with the AppD UI, avoiding license consumption. Is that a good approach? Does it work? The idea is to get more licenses by disabling applications that for now do not need AppD. When these licenses are free, we use them to enable AppD for the application we need AppD instrumented. Thanks!
The documentation for outputs.conf.spec specifically mentions RFC3164, so I don't believe Splunk has the configuration to support RFC5424 the way you want. Honestly I would look at a packet capture at the destination from a good source and one relayed via a Splunk HF to confirm. However, I wouldn't get your hopes up that Splunk will relay the way you want.
How are you getting the original data? Splunk has many great features but it's not a fully-blown syslog receiver/processor. If you're receiving them using syslog as well, it would probably be better to use rsyslog/syslog-ng to receive the event and forward it from there (and send another copy to Splunk over HEC).
Which version were you upgrading from?
While the search is technically more or less correct, its performance will depend on the use case, and with a big lookup you might hit search limits. Another possible approach would be:

<your_base_search>
| lookup my.csv src_ip OUTPUT matchsrc_ip
| lookup my.csv dest_ip OUTPUT matchdest_ip
| where isnull(matchsrc_ip) AND isnull(matchdest_ip)
The issue has been resolved by re-installing the Splunk enterprise.  
Hi @Pellecrino, your search seems to be correct; I'd change the order of the commands, even if it should not be relevant:

index=network_traffic NOT (
    [ | inputlookup devices.csv | rename ip_address AS src_ip | fields src_ip ]
    [ | inputlookup devices.csv | rename ip_address AS dest_ip | fields dest_ip ]
)

Debug the issue by running the two conditions one by one. Ciao. Giuseppe
Since upgrading to the new 4.0.4 release of the Lookup File Editor, the app no longer shows any lookups in the main interface. The Status page says the REST handler is offline, and while the troubleshooting page references that, it provides no recommendations aside from restarting Splunk. Well, we have restarted everything at least 3 times, but still cannot access our lookups. What does a REST handler being offline even mean? Is that a setting? Can the Search Head just not see the REST interface? We couldn't find any settings or conf files within the editor app that define a particular address. The app resides on the search head, along with the lookups, so I can't imagine it is a firewall issue. This is the only error we are seeing in the internal logs:

09/16/2024 09:50:24 AM -0500 CDT ERROR Failed to handle request due to an unhandled exception
Traceback (most recent call last):
  File "D:\Splunk\etc\apps\lookup_editor\bin\lookup_editor\rest_handler.py", line 196, in handle
    return function_to_call(request_info, **query)
  File "D:\Splunk\etc\apps\lookup_editor\bin\lookup_editor_rest_handler.py", line 688, in post_file_size
    lookup_author = res["entry"][i]["author"]
KeyError: 'author'

Help?
Hi @Dabbsy, I have never heard of a problem like this! Try using another support (e.g. tgz instead of rpm), then wait until tomorrow because there is the new version 9.3.1 that probably will not have the same problem. If this does not solve the problem, open a Case with Splunk Support. Ciao. Giuseppe
Hmm interesting - so for info in case anyone else gets the same issue. Uninstalled the splunk package:

rpm -e splunk.x86_64

then

rpm -i -prefix=/hopt package_name.rpm

did the trick. I had tried uninstalling and then installing earlier, but that didn't work; for some reason it needed the prefix option. bin directory now recreated and I can now start splunk :-).
Hi all, I've got a lookup file called devices.csv that contains 2 fields, hostname and ip_address. The index I'm searching has 2 fields, src_ip and dest_ip. I'd like to exclude results where both the src_ip and dest_ip fields match an IP address from my lookup file; it doesn't need to be the same IP, it just needs to be listed in that CSV. If either the src_ip field or the dest_ip field doesn't contain an IP address listed in the ip_address field I would expect to see it. I'm just looking for advice on whether this is the best way of querying the data. Current query:

index=network_traffic AND NOT (
    [| inputlookup devices.csv | fields ip_address | rename ip_address AS src_ip]
    AND
    [| inputlookup devices.csv | fields ip_address | rename ip_address AS dest_ip]
)
Hi Splunkers, I am trying to configure REST API monitoring via Splunk Add-on Builder, but while configuring, when I try to test the result I am receiving an SSL error.

Splunk Add-on Builder Version: 4.3.0
Splunk Enterprise Version: 9.1.1

What could be done to mitigate this SSL error? Awaiting quick help and response. Pasting the error herewith:

2024-09-16 15:28:49,569 - test_rest_api - [ERROR] - [test] HTTPError reason=HTTP Error HTTPSConnectionPool(host='endpoints.office.com', port=443): Max retries exceeded with url: /version?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7 (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1106)'))) when sending request to url=https://endpoints.office.com/version?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7 method=GET
Traceback (most recent call last):
  File "/splunk/etc/apps/TA-o365_rest_api/bin/ta_o365_rest_api/aob_py3/urllib3/connectionpool.py", line 722, in urlopen
    chunked=chunked,
  File "/splunk/etc/apps/TA-o365_rest_api/bin/ta_o365_rest_api/aob_py3/urllib3/connectionpool.py", line 404, in _make_request
    self._validate_conn(conn)
  File "/splunk/etc/apps/TA-o365_rest_api/bin/ta_o365_rest_api/aob_py3/urllib3/connectionpool.py", line 1060, in _validate_conn
    conn.connect()
  File "/splunk/etc/apps/TA-o365_rest_api/bin/ta_o365_rest_api/aob_py3/urllib3/connection.py", line 429, in connect
    tls_in_tls=tls_in_tls,
  File "/splunk/etc/apps/TA-o365_rest_api/bin/ta_o365_rest_api/aob_py3/urllib3/util/ssl_.py", line 450, in ssl_wrap_socket
    sock, context, tls_in_tls, server_hostname=server_hostname
  File "/splunk/etc/apps/TA-o365_rest_api/bin/ta_o365_rest_api/aob_py3/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
  File "/splunk/lib/python3.7/ssl.py", line 428, in wrap_socket
    session=session
  File "/splunk/lib/python3.7/ssl.py", line 878, in _create
    self.do_handshake()
  File "/splunk/lib/python3.7/ssl.py", line 1147, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1106)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/splunk/etc/apps/TA-o365_rest_api/bin/ta_o365_rest_api/aob_py3/requests/adapters.py", line 497, in send
    chunked=chunked,
  File "/splunk/etc/apps/TA-o365_rest_api/bin/ta_o365_rest_api/aob_py3/urllib3/connectionpool.py", line 802, in urlopen
    method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
  File "/splunk/etc/apps/TA-o365_rest_api/bin/ta_o365_rest_api/aob_py3/urllib3/util/retry.py", line 594, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='endpoints.office.com', port=443): Max retries exceeded with url: /version?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7 (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1106)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/splunk/etc/apps/TA-o365_rest_api/bin/ta_o365_rest_api/aob_py3/cloudconnectlib/core/http.py", line 230, in _retry_send_request_if_needed
    uri=uri, body=body, method=method, headers=headers
  File "/splunk/etc/apps/TA-o365_rest_api/bin/ta_o365_rest_api/aob_py3/cloudconnectlib/core/http.py", line 219, in _send_internal
    verify=self.requests_verify,
  File "/splunk/etc/apps/TA-o365_rest_api/bin/ta_o365_rest_api/aob_py3/requests/sessions.py", line 589, in request
    resp = self.send(prep, **send_kwargs)
  File "/splunk/etc/apps/TA-o365_rest_api/bin/ta_o365_rest_api/aob_py3/requests/sessions.py", line 703, in send
    r = adapter.send(request, **kwargs)
  File "/splunk/etc/apps/TA-o365_rest_api/bin/ta_o365_rest_api/aob_py3/requests/adapters.py", line 517, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='endpoints.office.com', port=443): Max retries exceeded with url: /version?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7 (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1106)')))

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/splunk/etc/apps/TA-o365_rest_api/bin/ta_o365_rest_api/aob_py3/cloudconnectlib/core/engine.py", line 308, in _send_request
    response = self._client.send(request)
  File "/splunk/etc/apps/TA-o365_rest_api/bin/ta_o365_rest_api/aob_py3/cloudconnectlib/core/http.py", line 296, in send
    url, request.method, request.headers, request.body
  File "/splunk/etc/apps/TA-o365_rest_api/bin/ta_o365_rest_api/aob_py3/cloudconnectlib/core/http.py", line 243, in _retry_send_request_if_needed
    raise HTTPError(f"HTTP Error {err}") from err
cloudconnectlib.core.exceptions.HTTPError: HTTP Error HTTPSConnectionPool(host='endpoints.office.com', port=443): Max retries exceeded with url: /version?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7 (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1106)')))
2024-09-16 15:28:49,570 - test_rest_api - [INFO] - [test] This job need to be terminated.
2024-09-16 15:28:49,570 - test_rest_api - [INFO] - [test] Job processing finished
2024-09-16 15:28:49,571 - test_rest_api - [INFO] - [test] 1 job(s) process finished
2024-09-16 15:28:49,571 - test_rest_api - [INFO] - [test] Engine executing finished
I'm upgrading Splunk Enterprise to 9.3 using the rpm file, but when I run

rpm -U splunk-9.3.0-51ccf43db5bd.x86_64.rpm

it installs all the folders, but removes the bin directory, so I can't then start Splunk. I've searched through the communities, and a few people seem to have hit the issue on Windows, but not Linux. How can I get around this issue? Thanks, Dabbsy
Hi, I have an App that has a set of icons that work fine on light mode, but if I switch to dark mode, they become invisible. If I add the lighter icons and dark mode, then the icons become invisible in light mode. Is there a way to have both sets of icons and have them change based on the active mode?
Hi @alferone, good for you, see you next time! Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated
This looks more like a permissions issue, probably for authorizing instance principal authentication in your OCI deployment.
Good day, I'm trying to set up the HF to forward to an additional syslog target which expects RFC5424 (Grafana Alloy). So far the HF is reaching the syslog target, but then the target complains about a missing priority, and I'm not sure if this is because of RFC5424 vs RFC3164. I've tried the following outputs.conf options:

[syslog:my_syslog_group]
disabled = false
server = grafana-alloy.svc.cluster.local:51898
type = tcp
#other tested variant
priority = <NO_PRI>
priority = <34>
#tested with or without timeformat
timestampformat = %b %e %H:%M:%S

How can I make sure that the HF syslog forward is using the RFC5424 format?
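To see concretely what an RFC5424 receiver checks and why an RFC3164-shaped or PRI-less line trips it, here is a small header classifier. This is an added example, not code from the post, from Splunk, or from Grafana Alloy; the three syslog lines are constructed samples, and the assumption that the receiver's "missing priority" complaint corresponds to an absent `<PRI>` header is mine. It parses the RFC5424 header (PRI, VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID, MSGID, STRUCTURED-DATA) and the classic RFC3164 header, decodes PRI into facility and severity, and reports which shape a given line has.

```python
import re
from typing import Optional

# Constructed sample lines (not captured from any real forwarder).
#  - "rfc5424": the shape a 5424-only receiver accepts: PRI, VERSION "1", ISO timestamp, ...
#  - "rfc3164": the BSD shape a Splunk syslog output stanza emits by default
#  - "no_pri":  the same 5424 body with the <PRI> header omitted
SAMPLES = {
    "rfc5424": "<34>1 2024-09-16T15:28:49.569Z hf01.example.net splunkd 1234 - - Accepted password for ops",
    "rfc3164": "<34>Sep 16 15:28:49 hf01 splunkd: Accepted password for ops",
    "no_pri":  "1 2024-09-16T15:28:49.569Z hf01.example.net splunkd 1234 - - Accepted password for ops",
}

# RFC5424: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP SD [SP MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) "
    r"(?P<timestamp>-|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?(?:Z|[+-]\d{2}:\d{2})) "
    r"(?P<hostname>\S{1,255}) (?P<app>\S{1,48}) (?P<procid>\S{1,128}) (?P<msgid>\S{1,32}) "
    r"(?P<sd>-|\[.*?\])(?: (?P<msg>.*))?$"
)

# RFC3164: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG  (no version field, no year, no timezone)
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<msg>.*)$"
)


def decode_pri(pri: int) -> Optional[tuple]:
    """PRI = facility * 8 + severity; anything above 191 is out of range in both RFCs."""
    if not 0 <= pri <= 191:
        return None
    return divmod(pri, 8)  # (facility, severity)


def parse_rfc5424(line: str) -> Optional[dict]:
    """Return the header fields of an RFC5424 line, or None if it does not conform."""
    m = RFC5424_RE.match(line)
    if not m:
        return None
    fs = decode_pri(int(m.group("pri")))
    if fs is None:
        return None
    fields = m.groupdict()
    fields["facility"], fields["severity"] = fs
    return fields


def parse_rfc3164(line: str) -> Optional[dict]:
    """Return the header fields of a BSD-style (RFC3164) line, or None."""
    m = RFC3164_RE.match(line)
    if not m:
        return None
    fs = decode_pri(int(m.group("pri")))
    if fs is None:
        return None
    fields = m.groupdict()
    fields["facility"], fields["severity"] = fs
    return fields


def classify(line: str) -> str:
    """Label a line as rfc5424, rfc3164, missing-pri (no <PRI> header at all) or unknown."""
    if parse_rfc5424(line) is not None:
        return "rfc5424"
    if parse_rfc3164(line) is not None:
        return "rfc3164"
    if not line.startswith("<"):
        return "missing-pri"
    return "unknown"


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:8s} -> {classify(line)}")
```

Running it labels the first sample `rfc5424`, the second `rfc3164`, and the third `missing-pri`. The practical point for the post above: a receiver that insists on RFC5424 rejects the BSD header even when PRI is present, so setting `priority = <34>` changes the PRI value but not the header shape, and `<NO_PRI>` removes the field the receiver complains about; converting between the two formats is a job for a syslog relay that understands both.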