Hi All, We are looking to automate the config file update for the servers. Is there any script available that we can use? We are looking to automate using Azure pipelines so we can provide inputs like application name, tier name, node name etc. as variables.
We are planning to upgrade our clustered deployment (SH-C + IDX-C) from 8.0.5 to 8.2.1. In case we plan to migrate the KVStore engine to WiredTiger, do we have to mandatorily go through the v8.1 step as mentioned in https://docs.splunk.com/Documentation/Splunk/8.2.1/Admin/MigrateKVstore ? Per my understanding, the steps for this method stand like this:
1. Upgrade cluster from 8.0.5 to 8.1.5
2. Migrate the KV store after an upgrade to Splunk Enterprise 8.1 in a clustered deployment
3. Upgrade cluster from 8.1.5 to 8.2.1
In case we decide not to use WiredTiger for now and complete the upgrade to 8.2.1, can we migrate the KV Store to WiredTiger at a later point in time? To elaborate, will the following work:
1. Upgrade cluster from 8.0.5 to 8.2.1
2. At a later time, migrate the KV Store as instructed in Migrate the KV store after an upgrade to Splunk Enterprise 8.1 in a clustered deployment
We do not use KV Store at all now, apart from whatever internal functions Splunk Enterprise uses it for (no ITSI or ES either), but want to plan ahead in case we use it in the future. Thanks in advance!
Hi, I am trying to upload a custom CSV for Threat Intel within ES. It's a collection of multiple types of IOCs (domain, url, hash etc.) and is in the following column format. There are 343 hash values, 20 domains and 8 URLs. The upload goes without any issues and ES collects domains and URLs right away, but hash values seem to be ignored. Here are the file details under Threat Artifacts. When I check Threat Intel Audit, it seems to be writing to File Intel as well, but the hash count never gets populated in ES. What could be going wrong here? Splunk version: 8.1.1, ES version: 6.4.0. Thanks, ~ Abhi
Hi, I need to track the number of times and the duration for which the CPU used percent is above a threshold number. The search below shows a server that exceeds the threshold for 3 periods over the last 3 days. What I want to get is a result that shows me the number of times the threshold has been exceeded and for how long. I have tried using 'streamstats' and 'bin' but am not entirely sure how to achieve my goal. Thanks
Hello there, I'm trying to work with the job.resultCount token, but I can't really figure it out. I have this pretty basic search: It's supposed to return the number of login attempts, grouped by user and with more than 1 attempt per day. I display the result (0) as a SingleValue panel in my dashboard. Now I want to sum up this result and the results from other SingleValue panels into a new panel, to see how many patterns returned at least one result. To get that information, I use the code below to set a token for each panel, which will be added up later.
<done>
  <condition match="'job.resultCount' = 0">
    <set token="panel_failedLogons">0</set>
  </condition>
  <condition>
    <set token="panel_failedLogons">1</set>
  </condition>
</done>
The problem is, as the | stats count command creates a row displaying 0 results, it counts as a result and therefore the token is set to 1. I also cannot use job.eventCount as there may be single failed login attempts for a user. Any ideas how I can bypass/solve this particular problem?
I am trying to set up inputs on the TA-Tenable add-on and it fails with the error "Argument validation for scheme=tenable_securitycenter: script running failed (killed by signal 9: Killed).". I installed "Tenable add-on for Splunk" version 3.1.0 on one of our heavy forwarders. Any suggestions what could be wrong here?
Hello everyone! I receive a "Page not found" message when I try to search using the REST API. My URL: [splunkhost]/en-US/services/search/jobs%20-d%20search="search%20index=enwiki"" Even such a very common search gives nothing, although there is index=enwiki in the system and I'm able to search in it through the web UI. I was using https://docs.splunk.com/Documentation/Splunk/8.2.1/RESTTUT/RESTsearches as a reference. What should I check?
I want to use the local images on my server in Developing Views and Apps for Splunk Web, but in reality they cannot be found. I put the picture in radial_meter/appserver/static/visualizations/radial_Meter/icons, but the picture cannot be read.
Hello, the Infrastructure overview in Splunk ITSI shows an entities list with statuses like active, unstable, inactive and N/A. Can you help me understand what the reference point is for all these statuses? In our environment it is showing many as N/A and unstable, but we are still receiving data for whichever are showing N/A and unstable. I also added a recurring import using the available modules, but still that is not reflected as active. Please advise. Regards, Vj
Hello Experts, We need to have capacity planning and availability reports; the Windows TA, Nix TA and VMware add-on are already forwarding data to our Splunk instance. Are there any default reports available for capacity planning? How do I achieve it? Regards, Vj
Hi All.. Is there a way to keep the in-chart zoom & pan option button visible even on zero zoom selection?
Hello, I have the below tstats command which is checking the specific index population with events per day:
| tstats count WHERE (index=_internal AND sourcetype=splunkd) OR (index=B) by host,sourcetype,index,_time span=1d
I would like to modify it to run the search only on hosts which are in the lookup list servers.csv. Can you please help me with the modification?
After searching various posts around HTTP status codes, I ended up posting a new question. I would like to create an alert if failures are 5% of total traffic. My criterion for failure is anything that doesn't match HTTP status code 200, 400, 401, 403. Thanks in advance, Pathik
Hello all, I have a dashboard and the source is JSON files.
{
  "ID": "123",
  "TIME": "Jul 11, 2021, 08:55:54 AM",
  "STATUS": "FAIL",
  "DURATION": "4 hours, 32 minutes"
}
I have many tasks with an ID and each task has JSON files. I want to plot a graph of MTTR (taken from each failed task to the next successful task) for these tasks. Previously I was collecting data separately for the MTTR and the graph was plotted directly from it. But now I have to calculate MTTR from the above JSON files (failed to passed task) and later I want to plot a graph for it. I tried writing a query for it but it's not working.
source="*cc_as_sw_cx_kpi_GEEA_iB2_PSW_Int_csw_build_beta2_*" index="testing" sourcetype="_json"
| transaction STATUS startswith="Status=FAIL" endswith="Status=SUCCESS"
| stats avg(Duration) as avg_duration by STATUS
| eval MTTR=tostring(avg_duration,"Duration")
| timechart dc(MTTR)
I know this is not the proper query for it. Can anyone please help me with this? I have been trying this for a few days and this was all I got. Thanks in advance.
Hi, can someone help me with how we can create the attached dashboard? I do know we have to use the geostats command, but how can we utilize it in the use cases created? How can we get the longitude and latitude values from the use cases? Can someone help with the query?
Hi, I have installed the MS Teams Add-on version 1.1.2. I tested that the channel works and allowed access through the firewall etc. This will just be used for alerting in Splunk. We have a proxy that needs to be added to the config for this to work. Linux search head. My question is, where do you actually enter the proxy details for the app? Thanks
Hi Splunker, I'm quite new to Splunk. Can you please help me out on this search? I have a table of the antivirus database version of each server.
Server | database version
A      | 5
B      | 4
C      | 4
D      | 3
E      | 5
Assume that A is my main server and the rest download from A. So I want to compare the rest of the database versions with A and display only the servers whose version is less than A's, so the expected result will be:
Server | database version
B      | 4
C      | 4
D      | 3
Hi everyone, I got lots of the below rows after the search:
........
2002-02-22 17:32:15.592 somedatainformation ==> ASH.cctv.mary.CREDITCHECK.103294384.0000
2002-02-22 13:32:15.592 somedatainformation ==> ASH.cctv.mary.CREDITCHECK.103294384.0000
2002-02-22 13:30:15.222 somedatainformation ==> ASH.cctv.mary.CREDITCHECK.103292222.0002
......
How can I just get the string after the "==>", like "ASH.cctv.mary.CREDITCHECK.103294384.0000", and remove the duplicated values? Thanks
After integrating with ISE 2.4 successfully, I tested the quarantine action for a device; Phantom shows it has been quarantined. However, I cannot find any changes on ISE. ERS R/W has been enabled. Should the client MAC be in the ANC quarantine list? How can I do further troubleshooting?
When the original syslog was forwarded to Phantom, some key fields (like srcIP/dstIP) were missing from the artifact. These key fields were in raw_data if we search the artifact in Splunk. Can Phantom identify/parse these fields and add them to the artifact automatically?