Hi, I have had this problem twice now on two different computers.    I install debian/ubuntu  Then I use the .deb file from splunk.com - the newest you get when you start your trial I then make a VM based on a distro of ubuntu/debian and install Everything workes fine, I use my own user, not the root user to install I follow the steps of https://www.bitsioinc.com/tutorials/install-splunk-linux/  Splunk starts and works fine. No problems..until I restart the VM. Then localhost:8000 and the external ip both stop working and splunk web gui is not possible to connect to. I use the same account both for installation and for login when restarting   What am I doing wrong? Other VM's don't report problems on the machine, its only splunk, and only after restarting of the vm. The VM itself has internet and works fine, its only splunk that has issues.   

Hi, hello, Splunk is not showing up miliseconds for JSON logs. I have find some Questions and Answers here in splunk community, but without success. Description: I have HFs, indexer cluster and search head cluster. HF props.conf [k8s:dev] #temporary removed to fix 123123 #INDEXED_EXTRACTIONS = JSON TIME_PREFIX = {\\"@timestamp\\":\\" TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N TRUNCATE = 200000 TRANSFORMS-discard_events = setnull_whitespace_indented,setnull_debug_logging SEDCMD-RemoveLogProp = s/("log":)(.*)(?="stream":)//   HF transforms.conf [setnull_java_stacktrace_starttab] SOURCE_KEY = field:log REGEX = ^\tat\s.* DEST_KEY = queue FORMAT = nullQueue [setnull_whitespace_indented] SOURCE_KEY = field:log REGEX = ^\s+.* DEST_KEY = queue FORMAT = nullQueue [setnull_debug_logging] SOURCE_KEY = field:log REGEX = .*?\sDEBUG\s DEST_KEY = queue FORMAT = nullQueue   Search props.conf   #workaround, see 123123 [k8s:dev] KV_MODE = json   Everything looks fine in web ADD DATA in HF and SEARCH too. But not when I search it.   I can insert only part of the JSON. {"log":"{\"@timestamp\":\"2021-08-03T09:00:57.539+02:00\",\"@version\":\"1\",\"message\":   Also when I am in HF ADD DATA and I remove TIME_PREFIX and TIME_FORMAT the miliseconds still appear, but when I a little bit "destroy" TIME_PREFIX there is error and file timestamp is used(I think its file timestamp). Question is: 1.what am I doing wrong?  2. Is it possible to configure TIME_PREFIX and TIME_FORMAT for KV_MODE on search? Because as I know they are used in HF during parsing. 3. Is it possible to configure KV_MODE?   Thank you very much for your suggestions.    

Hi , In one of my field I have data in below format , I want data to be displayed day wise, like time for each day separately  Any suggestions ? Mon-Sat: 10AM-9PM, Sun: 11AM-6PM Mon-Sat: 9:30AM-9:30PM, Sun: 10AM-8PM Mon-Wed: 9:30am - 9pm, Thu: 9:30am - 9pm, Fri: 9:30am - 9pm, Sat: 9am - 9pm, Sun: 10am - 7pm Mon-Sat: 9:30AM-9:30PM, Sun: 10AM-8PM Mon-Sat: 9:30AM-9:30PM, Sun: 10AM-8PM Mon-Wed: 9:30am - 9pm, Thu: 9:30am - 9pm, Fri: 9:30am - 9pm, Sat: 9am - 9pm, Sun: 10am - 7pm Mon-Sat: 9:30AM-9:30PM, Sun: 10AM-8PM Mon-Sat: 9:30AM-9:30PM, Sun: 10AM-8PM Mon-Wed: 9:30am - 9pm, Thu: 9:30am - 9pm, Fri: 9:30am - 9pm, Sat: 9am - 9pm, Sun: 10am - 6pm Mon-Sat: 9:30AM-9:30PM, Sun: 10AM-8PM

Hi Splunkers,   I'm using splunk 8.2.1 with splunk stream 7.3 . I'm using the deployment server for the deployment of Splunk_TA_stream.  I'm getting Data to Splunk but the "Host" is set to "$decideOnStartup". On the other hand Stream Forward ID is set to the correct hostname.  I followed this Guide (https://docs.splunk.com/Documentation/StreamApp/7.3.0/DeployStreamApp/InstallSplunkAppforStreaminadistributeddeployment) but Step 5 of "Use the deployment server to distribute the Splunk Add-on for Stream Forwarders" did not work for me, so I copied the content of Splunk_TA_stream manual to deployment-apps.   Any Ideas?  

Hello Everyone, I have written props.conf in which i have added the below eval statement Eval-appname="newapp" and other Extract commands are also there. I have ingested the file and placed my app in an indexer for testing .I am unable to see the appname field on GUI but i am able to see the extracted fields extracted by EXTRACT command in the same props.conf. I have checked for app permissions and field permissions as well its set to "ALL Apps" Please help. in getting the calculated fields in GUI

I am trying to installation Splunk UF on one of linux machine and when i run the below command, it gives me No users exist error even i have tried from root user as well-> /opt/splunkforwarder/bin/splunk add forward-server indexe_ip_address:9997 -auth 'splunkuser:splunkpassword’ No users exist. Please set up a user. @woodcock 

Hi All, I need to extract  the fields from the below xml data tried xpath and xmlkv but not working as expected. <item> <field name="name">Johnson David</field> <field name="max_score">69.49894379732375</field> <field name="YP,YM,BM,J,CV,LI,CF,BB,GO">0.0,0.0,0.0,14.098001709571708,0.0,0.0,19.133111345911498,0.0,0.0</field> <field name="score">33.23111305548321</field> I have tried with below xpath but it just extracts name,max_score but not values. | xpath outfield=max_score "//field/@name"  

I have a table output from Splunk Query(Not posting original values of table due to sensitive data) Col_A   Col_B  Col_C Col_D 1          B           A           W 2          B           A           X 3          B            A            Y 4          B            A           Z   I want to apply a search in column Col_D and if any of the among above values from Col_D is not present in the column then add row in the table. Example : Input:  Col_A   Col_B  Col_C Col_D 2          B           A          X 3          B            A         Y   Expected Output :    Col_A   Col_B  Col_C Col_D 2          B           A          X 3          B            A         Y -          -           -           W not present -          -            -           Z not present

Hi    I'm trying to compare two fields against one field, can anyone please suggest how can I achieve this. Cluster           pronames1   pronames2    pronames3 CLUSTER1       PRO2                PRO1                 PRO1 CLUSTER1       PRO2                PRO2                 PRO2 CLUSTER1       PRO3                PRO4                 PRO4 CLUSTER1       PRO3                PRO4                 PRO3 CLUSTER1       PRO1                PRO5                 PRO5 CLUSTER1       PRO8                PRO2                 PRO8 here my intention is to compare   (pronames1 == pronames2) and (pronames1== pronames3) but all three fields are not in order. The expected result should be, display pronames2 and pronames3 not in pronames1 like below Cluster                      pronames2    pronames3 CLUSTER1                     PRO4                PRO4 CLUSTER1                     PRO5                PRO5 CLUSTER1                      n/a                    PRO8   @gcusello 

We have a requirement to support client certificates (mTLS) for the Splunk authentication mechanism with Event Collector Token. We just want to understand is there any way that customers can pass their certificates or supply secrets in a request along with the Event collector token for authentication.