Hello Splunk Admins, What solutions you use to get notified on mobile about internal Splunk issues in out of office hours? I mean when e.g. splunkd goes down on indexers, data is not indexed anymore for any reason etc. We need something free of charge. There is no other team except of us who needs to be notified about the issue. I have heard about Splunk On Call solution but seems to be a bit complex. Anyone having any experience with it? Hope to get some inspirations Many greetings, Justyna

Hi Splunkers. I'm trying to integrate Bitdefender Gravityzone (Cloud) with Splunk on-premises, I have used the official documentation from the Bitdefender website: https://www.bitdefender.com/business/support/en/77211-171475-splunk.html but I'm stuck in the "Enable the Splunk integration" step; In the beginning, I have tried using the "Enable the Splunk integration manually" method,  I have put everything in place and run the command in the documentation, but ended up with an error stating that "The web server with this URL must support TLS 1.2, at least" as shown in the below screenshot: I have reviewed the documenting again in this link: https://www.bitdefender.com/business/support/en/77209-135319-setpusheventsettings.html Under the "Important" note: "Event Push Service requires the HTTP collector running on the third-party platforms to support SSL with TLS 1.2 or higher, to send events successfully." But here is the thing, I think that HEC by default only supports TLSv1.2 despite sslVersions=*   $ cat /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf [http] disabled=1 port=8088 enableSSL=1 dedicatedIoThreads=2 maxThreads = 0 maxSockets = 0 useDeploymentServer=0 # ssl settings are similar to mgmt server sslVersions=*,-ssl2 allowSslCompression=true allowSslRenegotiation=true ackIdleCleanup=true   I have tried to use: sslVersions=tls1.2 but nothing happened, it still shows the same issue. Can someone please help me figure out how to solve this TLS issue? Afterward, I have tried to use the "Enable the Splunk integration by running a script" method, aging I have put everything in place and run the script, but ended up with an error stating that:   FAIL - server response: <html> <head><title>404 Not Found</title></head> <body> <center><h1>404 Not Found</h1></center> <hr><center>nginx</center> </body> </html>   as shown in the below screenshot: Any Idea why this happens? Much thanks.

Hi  We are planning to decommission splunk enterprise in our environment. We need to stop sending data to splunk . How should we proceed , from where we should start? Can we find any SOP for this decommision process. But we want to store the indexed data for more than 365 days .  This is new task we are handling for the first time , any proper guidance will be much appreciated.   Thanks in advance.

Splunk must be restarted for changes to take effect. Contact Splunk Cloud Support to complete the restart. But does not have the permission to raise a support ticket because still in the trial stage. thanks  

Hello Team, We are having the Splunk  cloud licensed server, How to do rest api request calls to Splunk cloud from postman? management port is already enabled on Splunk. still I am getting timeout error. Pl

Hi all, Im trying to access the API from PostMan, but  getting the error 401. My question is the user / pass this should be the user I use to connect to the URL or I have to user the API cliente? thanks. 

I'm getting a bit annoyed at throttling for each, as although it works - it has a habit of resetting itself if I need to tweak the SPL,  or cron time... almost tempted to populate a kvstore and take control...  anyone else ?  does editing the savedsearches.conf allow you or the advanced edit option allow you to get round what I perceive as annoying behavior

  Can you please help me understand if Google Workspace Add-on equivalent update for G suite for Splunk add-on? Because, we used g suite earlier, after seeing that the app had been updated we installed and configured Google Workspaces. But, sourcetypes and the way events are parsed are not similar to gsuite. Thanks in advance

Pretty much the title. I tried messing with the user interface navigation settings and the closest I can get is making the glass table lister the default page. But this also alters the user interface like so:   This would be a separate issue. My main concern is making a specific glass table the default page when opening ITSI. Any help would be greatly appreciated.

Hello, Below is the existing stanza in the inputs.conf [monitor:///var/log] whitelist=(\.log|log$|messages|secure|auth|mesg$|cron$|acpid$|\.out) blacklist=(lastlog|anaconda\.syslog) disabled = 1 I also want to add the following folder to be blacklist /var/log/dynatrace and any logs within the folder/sub folders. Can you please explain how this can be done? Is the syntax below correct? blacklist=(lastlog|anaconda\.syslog)|(dynatrace) Appreciate your experience and help.

I'm trying to centralize our app information on our HFs. Each HF has the following scheduled search set up: | rest /services/apps/local | search disabled=0 | table splunk_server label title version update.version check_for_updates | collect index="meta_apps" The index "meta_apps" exists on the HF and on Splunk Cloud. However, I don't see these results in Splunk Cloud. What am I missing?

Hi, My team and I are currently developing a website which needs to pull data from Splunk and insert it into visualizations on the home page on the website. As the title suggests, we are currently using React and NodeJS and due to our absolute lack of Splunk experience we are a bit bogged down so please forgive me if this is a potentially dumb question.  We are trying to use the Splunk JavaScript SDK in Node to establish a connection and pull data from Splunk. we have tried absolutely everything  at this point but cannot establish a connection and perform a simple service.login through the SDK. We have tried this with postman and it appears to be working just fine on that side of things. For Example:  We have tried using the code from Server Side Javascript but when running it, it throws the following error:         throw err; ^ { response: { headers: {}, statusCode: 600 }, status: 600, data: undefined, error: Error: connect ECONNREFUSED ::1:8089 at TCPConnectWrap.afterConnect [as oncomplete] (node:net:1195:16) { errno: -4078, code: 'ECONNREFUSED', syscall: 'connect', address: '::1', port: 8089 } } Node.js v17.9.0                OR this error :                throw err; ^ { response: { headers: {}, statusCode: 600 }, status: 600, data: undefined, error: Error: write EPROTO 04490000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:c:\ws\deps\openssl\openssl\ssl\record\ssl3_record.c:355: at WriteWrap.onWriteComplete [as oncomplete] (node:internal/stream_base_commons:94:16) { errno: -4046, code: 'EPROTO', syscall: 'write' } } Node.js v17.9.0                 Can anyone please help? Any help would be greatly appreciated