If you are not receiving any logs from this particular endpoint, it's the other side where you should look for answers. It should have more information in its logs about why it closed the connection (there is also the possibility that both sides report the other side as responsible for closing the connection, which would mean that you have some form of IPS or other network-level tool interfering with connectivity). Also, it's not about your receivers connecting to the Windows UF (because there is no such connectivity). It's about logs on the receiver's side. BTW, adding Cribl to the mix complicates things. It might be a Cribl issue, not a UF one. Your error has nothing to do with sending the events. It might affect collecting the Windows event logs, but it has nothing to do with sending the collected logs. If it causes issues, create a separate thread for it, as it's unrelated to the main problem at hand: connectivity to the downstream receivers.
You need to look for a different visualization. Bar chart, line chart and such are meant for showing discrete values, not time ranges. For starters - you can check out this app https://splunkbase.splunk.com/app/3120 (I'm not saying that's what fits your use case but that's at least one possible approach).
Yes, we are not receiving logs in the _internal index. And here we are collecting logs from Windows servers and forwarding to the Splunk console via Cribl workers. At the source end we have validated the connections towards the Cribl workers and it's working. But still we are not receiving logs at the Cribl end. As connectivity is unidirectional from the Windows servers towards the Cribl workers, we validated it and it's fine. We will validate the connectivity from the Cribl workers towards the Windows servers as well. If it's not connecting, then is it because of a connectivity issue? If yes, what would be our next action on this? But we found the error below in the splunkd.log file. Can you confirm whether it is something related to a permission issue which is restricting the Splunk UF from collecting security logs from the Windows servers? If yes, could you please suggest whether proceeding with reinstallation with admin privilege would sort this issue? ERROR: ExeProcessor:  message from "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" -  WinEventCommonChannel- Did not bind to the closest domain controller, a further domain controller has been bound.
What you ask is effectively a Gantt chart visualization that Splunk search and dashboards don't support natively. Check out this viz app: https://splunkbase.splunk.com/app/3120. (Years ago I got some help here for something similar - a lot of filldown and stuff. Using a prebuilt app is perhaps the best way to go for now.)
Hi @mythili, achieving your requirement isn't possible with the default visualizations, but you could try the Splunk Timeline custom visualization (https://splunkbase.splunk.com/app/3120) add-on, following its instructions about how to create your search. Ciao. Giuseppe
Good day guys, I need to know how SVCs are actually getting calculated. With examples please! I have already gone through the Splunk docs and YouTube videos but still wanted to know how the SVC figures are getting concluded. Kindly suggest. Thanks in advance.
The question was not whether the deployment client part of the UF can connect to the DS, because that's something that happens on a different port and using a different mechanism. The question is whether you're getting any of the forwarder's internal logs into the _internal index. I suspect you don't. In that case you have to check the logs from the receiving side (probably the indexer(s)) regarding connections from this UF.
Yes, we enabled the forwarding in the UF installation; phoning home towards the DS is happening and apps are pushed to the UF successfully. And we tested connectivity and it's successful. Still we are not able to see the logs in the Splunk console. We are not sure whether there could be any issue at the firewall or network level. Can you assist us here?
@FQzy You can check the _internal logs to find the specific error related to "failed to create input" in the app by using the following search query: index=_internal source=*cisco*. You can also filter the logs by setting the log level to "error". For troubleshooting any add-ons, refer to the "Troubleshoot Add-ons" document available in the Splunk Documentation: Troubleshoot add-ons - Splunk Documentation. You can provide the internal error to the developer team for future investigation. Also, @PickleRick's response was not generated using any AI.
hey there!!
Right-click on the chart area and choose Select Data. Click Add and enter Duration as the series name. Select cells E5:E11 as the series values and click OK. The Edit Series window will reappear. Click OK. Click OK on the Select Data Source window. The duration will be added to the chart.
Hi all, I am trying to show the connected duration, which is calculated using the transaction command, in a timechart. When I try the query below, the entire duration shows in the earliest timestamp (start time) as a single column. I would like to show the connected duration in a column chart, with the area between start and end time colored. For example, if a device was connected from 20th August to 23rd August, I want the column to extend across these days. Currently, the entire duration is shown on the 20th alone. Kindly let me know your suggestions to implement this. Query: | transaction dvc_id startswith="CONNECTED" endswith="DISCONNECTED" | timechart sum(duration) by connection_protocol
Anyway, I tried the CLI manner and it works. So not sure why there is an issue in the browser, though.
Thanks for the suggestion. I don't think the Domain Controllers from two different client setups out of a number of clients that we look after would be considered a large environment - it's not been every DC, just a few random ones. One setup has about 300 workstations / accounts talking to a DC, another is a management zone, with a 100 or so accounts and a small quantity of servers for providing services.
Hello, I am running Splunk Enterprise 9.2.2. I am trying to install Python for Scientific Computing for Windows, as I am running it on a Windows Server. Python for Scientific Computing (for Windows 64-bit) | Splunkbase However, I am getting the following errors when I try installing the application. I tried with the tgz file, and also with the extracted tar file, but both have the same issue. It looks like the webpage at https://localhost:8000/en-US/manager/appinstall/_upload might be having issues, or it may have moved permanently to a new web address. ERR_CONNECTION_ABORTED Is it due to the file size being overly huge? And what could be the solution? Thanks
I have a Splunk Cloud instance that receives logs from a Linux server that has a Splunk Heavy Forwarder on it. I am trying to update the Forwarder to 9.3.x, but found online that I should step to 9.2.x first. It appears on the server that it's updated and running Splunk 9.2.0 as expected. I am also seeing metric.log files being shown on my cloud instance. But none of the other logs I have pushing from this server are showing up. When I check the Splunk app CMC, it appears that the update has taken and is now showing in compliance. I am not sure what I am doing wrong, or what logs you might need to help further figure out where the issue is. I only have about 6 months of Splunk experience, so forgive me if this is a silly question.
You deserve all the kudos. We had app and custom did the trick.
We ended up disabling fapolicyd and testing the install again. It worked. After it was configured, we enabled fapolicyd and it is still working.
@PickleRick Thank you for the prompt response. I still don't see how I can get the Status in GCP for the Kubernetes pods?
I want to get the date when the Splunk admin credential got changed, is there any way to get it?