All Posts

In Cluster Master : I find the below search

splunk btool server list --debug | grep -i local

/apps/splunk/splunk/etc/apps/100_gnw_cluster_master_base/local/server.conf [clustering]
/apps/splunk/splunk/etc/apps/100_gnw_cluster_master_base/local/server.conf available_sites = site1
/apps/splunk/splunk/etc/system/local/server.conf maintenance_mode = false
/apps/splunk/splunk/etc/apps/100_gnw_cluster_search_base/local/server.conf master_uri = clustermaster:one
/apps/splunk/splunk/etc/apps/100_gnw_cluster_master_base/local/server.conf mode = master
/apps/splunk/splunk/etc/apps/100_gnw_cluster_master_base/local/server.conf multisite = true
/apps/splunk/splunk/etc/apps/100_gnw_cluster_master_base/local/server.conf pass4SymmKey = **************
/apps/splunk/splunk/etc/apps/100_gnw_cluster_master_base/local/server.conf replication_factor = 2
/apps/splunk/splunk/etc/apps/100_gnw_cluster_master_base/local/server.conf search_factor = 1
/apps/splunk/splunk/etc/apps/100_gnw_cluster_master_base/local/server.conf site_replication_factor = origin:1, total:2
/apps/splunk/splunk/etc/apps/100_gnw_cluster_master_base/local/server.conf site_search_factor = origin:1, total:2
/apps/splunk/splunk/etc/apps/100_gnw_cluster_search_base/local/server.conf [clustermaster:one]
/apps/splunk/splunk/etc/apps/100_gnw_cluster_search_base/local/server.conf master_uri = https:webaddress:8089
/apps/splunk/splunk/etc/apps/100_gnw_cluster_search_base/local/server.conf multisite = true
/apps/splunk/splunk/etc/apps/100_gnw_cluster_search_base/local/server.conf pass4SymmKey = *****************
/apps/splunk/splunk/etc/apps/100_gnw_cluster_master_base/local/server.conf [general]
/apps/splunk/splunk/etc/system/local/server.conf pass4SymmKey = ****************
/apps/splunk/splunk/etc/system/local/server.conf serverName = webaddress
/apps/splunk/splunk/etc/apps/100_gnw_cluster_master_base/local/server.conf site = site1
/apps/splunk/splunk/etc/system/local/server.conf [kvstore]
/apps/splunk/splunk/etc/apps/100_gnw_license_master/local/server.conf [license]
/apps/splunk/splunk/etc/apps/100_gnw_license_master/local/server.conf master_uri = https:webaddress:8089
/apps/splunk/splunk/etc/system/local/server.conf [lmpool:auto_generated_pool_download-trial]
/apps/splunk/splunk/etc/system/local/server.conf description = auto_generated_pool_download-trial
/apps/splunk/splunk/etc/system/local/server.conf quota = MAX
/apps/splunk/splunk/etc/system/local/server.conf slaves = *
/apps/splunk/splunk/etc/system/local/server.conf stack_id = download-trial
/apps/splunk/splunk/etc/system/local/server.conf [lmpool:auto_generated_pool_forwarder]
/apps/splunk/splunk/etc/system/local/server.conf description = auto_generated_pool_forwarder
/apps/splunk/splunk/etc/system/local/server.conf quota = MAX
/apps/splunk/splunk/etc/system/local/server.conf slaves = *
/apps/splunk/splunk/etc/system/local/server.conf stack_id = forwarder
/apps/splunk/splunk/etc/system/local/server.conf [lmpool:auto_generated_pool_free]
/apps/splunk/splunk/etc/system/local/server.conf description = auto_generated_pool_free
/apps/splunk/splunk/etc/system/local/server.conf quota = MAX
/apps/splunk/splunk/etc/system/local/server.conf slaves = *
/apps/splunk/splunk/etc/system/local/server.conf stack_id = free
/apps/splunk/splunk/etc/system/default/server.conf alert_store = local
/apps/splunk/splunk/etc/system/default/server.conf suppression_store = local
/apps/splunk/splunk/etc/system/default/server.conf conf_replication_summary.includelist.refine.local = (system|(apps/*)|users(/_reserved)?/*/*)/(local/...|metadata/local.meta)
/apps/splunk/splunk/etc/system/local/server.conf [sslConfig]
/apps/splunk/splunk/etc/system/local/server.conf sslPassword = ***********************

In Deployment Server : I find the below Search

/apps/splunk/splunk/etc/apps/100_gnw_cluster_search_base/local/server.conf [clustering]
/apps/splunk/splunk/etc/apps/100_gnw_cluster_search_base/local/server.conf master_uri = clustermaster:one
/apps/splunk/splunk/etc/apps/100_gnw_cluster_search_base/local/server.conf mode = searchhead
/apps/splunk/splunk/etc/apps/100_gnw_cluster_search_base/local/server.conf [clustermaster:one]
/apps/splunk/splunk/etc/apps/100_gnw_cluster_search_base/local/server.conf master_uri = https://webaddress:8089
/apps/splunk/splunk/etc/apps/100_gnw_cluster_search_base/local/server.conf multisite = true
/apps/splunk/splunk/etc/apps/100_gnw_cluster_search_base/local/server.conf pass4SymmKey = *************************
/apps/splunk/splunk/etc/apps/100_gnw_cluster_search_base/local/server.conf [general]
/apps/splunk/splunk/etc/system/local/server.conf pass4SymmKey = *************************
/apps/splunk/splunk/etc/system/local/server.conf serverName = webaddress
/apps/splunk/splunk/etc/apps/100_gnw_cluster_search_base/local/server.conf site = site1
/apps/splunk/splunk/etc/system/local/server.conf [kvstore]
/apps/splunk/splunk/etc/system/local/server.conf [license]
/apps/splunk/splunk/etc/system/local/server.conf master_uri = https://webaddress:8089
/apps/splunk/splunk/etc/system/local/server.conf [lmpool:auto_generated_pool_download-trial]
/apps/splunk/splunk/etc/system/local/server.conf description = auto_generated_pool_download-trial
/apps/splunk/splunk/etc/system/local/server.conf quota = MAX
/apps/splunk/splunk/etc/system/local/server.conf slaves = *
/apps/splunk/splunk/etc/system/local/server.conf stack_id = download-trial
/apps/splunk/splunk/etc/system/local/server.conf [lmpool:auto_generated_pool_forwarder]
/apps/splunk/splunk/etc/system/local/server.conf description = auto_generated_pool_forwarder
/apps/splunk/splunk/etc/system/local/server.conf quota = MAX
/apps/splunk/splunk/etc/system/local/server.conf slaves = *
/apps/splunk/splunk/etc/system/local/server.conf stack_id = forwarder
/apps/splunk/splunk/etc/system/local/server.conf [lmpool:auto_generated_pool_free]
/apps/splunk/splunk/etc/system/local/server.conf description = auto_generated_pool_free
/apps/splunk/splunk/etc/system/local/server.conf quota = MAX
/apps/splunk/splunk/etc/system/local/server.conf slaves = *
/apps/splunk/splunk/etc/system/local/server.conf stack_id = free
/apps/splunk/splunk/etc/system/default/server.conf alert_store = local
/apps/splunk/splunk/etc/system/default/server.conf suppression_store = local
/apps/splunk/splunk/etc/system/default/server.conf conf_replication_summary.includelist.refine.local = (system|(apps/*)|users(/_reserved)?/*/*)/(local/...|metadata/local.meta)
/apps/splunk/splunk/etc/system/local/server.conf [sslConfig]
/apps/splunk/splunk/etc/system/local/server.conf sslPassword = *************************
Hello, instance principal authentication is not working in the OC19 realm. Any plan to support OC19? The debug log contains:

2024-09-03 08:16:14,077 DEBUG http://x.x.x.x:80 "GET /opc/v2/identity/intermediate.pem HTTP/1.1" 200 None
2024-09-03 08:16:14,413 DEBUG Starting new HTTP connection (1): x.x.x.x:80
2024-09-03 08:16:14,416 DEBUG http://x.x.x.x:80 "GET /opc/v2/instance/region HTTP/1.1" 200 14
2024-09-03 08:16:14,416 DEBUG Unknown regionId 'eu-frankfurt-2', will assume it's in Realm OC1
2024-09-03 08:16:14,636 DEBUG http://x.x.x.x:80 "GET /opc/v2/identity/cert.pem HTTP/1.1" 200 None
2024-09-03 08:16:14,646 DEBUG http://x.x.x.x:80 "GET /opc/v2/identity/key.pem HTTP/1.1" 200 1675
2024-09-03 08:16:14,692 DEBUG http://x.x.x.x:80 "GET /opc/v2/identity/intermediate.pem HTTP/1.1" 200 None
2024-09-03 08:16:14,695 DEBUG Starting new HTTPS connection (1): auth.eu-frankfurt-2.oraclecloud.com:443

Thank you! NagyG
I have events from a Trellix Hx appliance and I need to adjust the _time of the log events, because it is coming in as 9/3/20 and we are on 9/3/2024. How can this be changed? Thanks
Hi @Meett, I did update the SSL certificate Splunk is using, which is basically the combination of server cert + intermediate cert + root CA cert. But still the same errors.
I think I got the attention, because it's at the top of the list. But why should I create another duplicate question? This one describes exactly what I need, and it's still not resolved. Also, guidelines say: "If no one else has asked your question, navigate to https://community.splunk.com and click Ask a Question, next to the search bar."
Hi @cbreitenstrom, which Splunk and Add-on versions are you using? There can be multiple reasons for 500 ERRORs in the UI.
OK for me. I just put this line into my js: mvc.Components.get("default").unset("myToken"); Thanks a lot.
Hi @PaulPanther, after doing so as you suggested, I am trying to read the JSONResultsReader object like this:

    for item in reader:
        if(isinstance(item, dict)):
            for key in item:
                if(key == '<...>'):
                    A = str(item[key])
                    print('A is :',A)

The above code was working till yesterday. Now it does not enter the 1st for loop anymore.
Found the solution: the host works as an HF. As my data is cooked once, it takes the parsing configuration of this HF, so I need to create an HF separately for this kind of host.
Hello, I am currently working in a SOC, and I want to test rules in Splunk ES using the BOTSv2 dataset. How can I configure all the rules for it?
I'm attempting to call a REST API with a button click and display its JSON response on the dashboard. I'm using the following code as a reference. However, I'm not getting any results, and I can see this message in the developer tools console tab: "Error handling response: TypeError: Cannot read properties of undefined (reading 'mmrConsoleLoggingEnabled')"
Hey @kvm, not a Dynatrace SSL, but from the ERRORs you added it looks like something at the network level is causing an issue. If you have a CACert chain configured at the Splunk level, then you should add the same cert to the locations I mentioned.
Hi @Meett, "Can you try to add SSL CA Chain to below location" - By this, do you mean updating the Dynatrace SSL certificate in the Splunk Add-on? Please confirm.
Sorry, it's not complete. Can you help me with a complete query to achieve the above result? First I need to get the final status, then display the final status count based on dropdown selection like department, Location, Company. I have given the sample.csv raw data. Can you give me a single value count query to get the final status count for servers and then again display the count based on department, location or company dropdown selection?
Hi Community, I ran into trouble when I wanted to activate the Use Case "User Login to Unauthorized Geo": it gave an error saying I don't have the "sse_host_to_country" and "gdpr_user_category" lookup data. In this case I'm using ES Content Updates v 4.0.0, but I have my labs with ES Content Updates 4.38.0, and when I check it, it doesn't have any sse_host_to_country OR gdpr_user_category lookup files. I already searched for it on Google and didn't find any answer. Maybe this community has enough experience with this. Thanks
Thanks... but already tried that. This was an upgrade from 9.2 to 9.3 so shouldn't have been necessary, but tried it anyway. No effect. Splunk support has been working on this for 3 weeks now. Only having the problem on 1 of 4 Deployment Servers.
Hi regarza, What was the outcome of this issue?
Your search (mentioned in the initial post) | search department="$department$" Company="$Company$" Location="$Location$" will filter the events as you require, however, these tokens need a value, otherwise your search will be waiting for input. The value (if not otherwise selected) should be "*". This is what I mean about adding this to your dynamic list of options for your dropdowns. Your dropdowns need unique values for location, department and company. This is what the dedup is doing for each of the dropdowns. How is it that this is not satisfying your requirement?
@PickleRick  Thanks for your kind reply.  I'll try to fix the points you mentioned. If you think there's anything else that needs fixing, just let me know—I’d appreciate any feedback
Is it just one index you're not seeing data from or are there more of them? Does your role have access to this index? Did you verify (like tstats count over "all time") that there is any data in the index at all? Does your SH even search from the indexers (read - is your environment properly configured regarding distributed searching)?