Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

I am facing an issue after migrating a single-site to a multisite indexer cluster. SF/RF is not met after 5 days, and the fixup tasks are still increasing. Can anyone help to resolve this SF/RF issue?
Hi, I am getting the below error when trying to save the data inputs (all 5) that come as part of the Nutanix add-on. Has anyone seen this before and can suggest something?

Error: Encountered the following error while trying to save: Argument validation for scheme=nutanix_alerts: script running failed (PID 24107 killed by signal 9: Killed).
Hi Team, could you please let us know when the latest version of the Splunk OVA for VMware will be released?
Hi all, I'm having issues comparing the user field in Palo Alto traffic logs vs. the last user reported by CrowdStrike/Windows events. The Palo Alto traffic logs show a different user initiating the traffic during the time window compared to the CrowdStrike last user login reported for the same endpoint. Has anyone faced a similar issue? Thanks
Using the below props, but we don't see logs reporting to Splunk. We are assuming that | (the pipe symbol) works as a delimiter and we cannot use it in props. Just want to know whether these props are correct:

[tools:logs]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}\-\d{2}\-\d{2}\s\|\d{2}:\d{2}:\d{2}.\d{3}\s\|
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d | %H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD=28

Sample logs:

2022-02-22 | 04:00:34:909 | main stream logs | Staticapp-1 - Restart completed
2022-02-22 | 05:00:34:909 | main stream applicationlogs | Staticapp-1 - application logs (total=0, active=0, waiting=0) completed
2022-02-22 | 05:00:34:909 | main stream applicationlogs | harikpool logs-1 - mainframe script (total=0, active=0, waiting=0) completed
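Added example (my own code, not from the post or from Splunk): a Python approximation of how Splunk applies LINE_BREAKER and TIME_FORMAT, run over the three sample lines from the post. Splunk breaks events at the regex's first capture group and discards only the text that group matched; timestamp parsing is emulated with datetime.strptime, with %3N mapped to %f, which approximates Splunk's parser rather than reproducing it. The pipe is not the problem: the posted LINE_BREAKER expects a digit directly after the first "|" while the sample has a space there, and the posted TIME_FORMAT expects a "." before the milliseconds while the sample has ":". CORRECTED_LINE_BREAKER and CORRECTED_TIME_FORMAT are my assumptions of what the settings should be for this sample.

```python
import re
from datetime import datetime
from typing import List, Optional

# The three sample lines from the post, joined with newlines as they would sit in the file.
SAMPLE = "\n".join([
    "2022-02-22 | 04:00:34:909 | main stream logs | Staticapp-1 - Restart completed",
    "2022-02-22 | 05:00:34:909 | main stream applicationlogs | Staticapp-1 - application logs (total=0, active=0, waiting=0) completed",
    "2022-02-22 | 05:00:34:909 | main stream applicationlogs | harikpool logs-1 - mainframe script (total=0, active=0, waiting=0) completed",
])

# Settings exactly as posted.
POSTED_LINE_BREAKER = r"([\r\n]+)\d{4}\-\d{2}\-\d{2}\s\|\d{2}:\d{2}:\d{2}.\d{3}\s\|"
POSTED_TIME_FORMAT = "%Y-%m-%d | %H:%M:%S.%3N"

# Corrected settings (assumption, mine): the sample has a space after the first
# pipe, and a colon rather than a dot before the milliseconds.
CORRECTED_LINE_BREAKER = r"([\r\n]+)\d{4}-\d{2}-\d{2}\s\|\s\d{2}:\d{2}:\d{2}:\d{3}\s\|"
CORRECTED_TIME_FORMAT = "%Y-%m-%d | %H:%M:%S:%3N"
MAX_TIMESTAMP_LOOKAHEAD = 28


def split_events(raw: str, line_breaker: str) -> List[str]:
    """Break raw text into events the way Splunk's LINE_BREAKER does: the
    boundary is the first capture group, whose text is dropped; the rest of
    the match (the timestamp that was looked at) stays with the next event.
    If the regex never matches, everything stays in one event."""
    events = []
    pos = 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[pos:m.start(1)])
        pos = m.end(1)
    events.append(raw[pos:])
    return [e for e in events if e.strip()]


def parse_timestamp(event: str, time_format: str,
                    lookahead: int = MAX_TIMESTAMP_LOOKAHEAD) -> Optional[datetime]:
    """Approximate TIME_PREFIX=^ with MAX_TIMESTAMP_LOOKAHEAD: only the first
    `lookahead` characters are examined and the longest prefix that satisfies
    the format wins. Splunk's %3N (milliseconds) is mapped to Python's %f."""
    py_format = time_format.replace("%3N", "%f")
    window = event[:lookahead]
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], py_format)
        except ValueError:
            continue
    return None


def check(line_breaker: str, time_format: str) -> dict:
    """Run one pair of settings over SAMPLE and report what the indexer would see."""
    events = split_events(SAMPLE, line_breaker)
    stamps = [parse_timestamp(e, time_format) for e in events]
    return {"events": len(events),
            "timestamps_parsed": sum(s is not None for s in stamps)}


if __name__ == "__main__":
    print("posted:   ", check(POSTED_LINE_BREAKER, POSTED_TIME_FORMAT))
    print("corrected:", check(CORRECTED_LINE_BREAKER, CORRECTED_TIME_FORMAT))
```

With the posted settings the sample collapses into a single event with no parsable timestamp; with the corrected pair it yields three events, each stamped from its own first 25 characters. Running a candidate LINE_BREAKER through a harness like this before deploying it to the indexers is cheaper than re-ingesting the file.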
I would like to clean up the messaging I'm sending to Slack for Splunk alerts. I've tried markdown [text](http://url), which doesn't work and renders the text exactly as displayed here. I've also tried <text|http://url>, which renders verbatim too. Is there any way to have Slack hide URLs behind text like a normal hyperlink? My alerts look really awful with huge links back to Splunk searches and dashboards. TYIA
So, I want to create a dashboard for a particular team in my company, and they want to add notes to the dashboard for everyone on their team to view. Is that possible, and if yes, can you refer me to something? Thank you!
I would like to create a dashboard that would run a search daily to check network traffic against a list of about 18,000 IP addresses. We created a lookup table with all the IP addresses and ran it, but the search times out. Then we tried to split the lookup table into 8 different tables, and each table was a panel in our dashboard. A few panels will run when we do it this way, but the rest time out. An idea we had was to either create a drop-down to only run the searches when we specify, or create a search that runs one lookup table and then only starts the next search when the other stops. Is there a simpler way to do this? Ideally it would all be one search, but it just seems to be too much for our resources.
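Added example (my own code, not from the post): watchlist matching is a per-event membership test, not a join of every event against every indicator, so the cost should grow with the number of events, not with 18,000 indicators. In SPL that is `| lookup` against the CSV (an event-by-event lookup), as opposed to expanding the list into a subsearch. The Python below shows the same idea stand-alone: host indicators go into a set, CIDR indicators are bucketed by prefix length so each event costs one set probe per distinct length, and non-address values never match. The watchlist and the traffic lines are constructed for the example; the field names src_ip/dest_ip are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Iterable, List, Optional, Tuple

# Constructed watchlist: single hosts and CIDR ranges from documentation space
# (not real indicators). First row is the CSV header, as a Splunk lookup has.
WATCHLIST_CSV = """indicator
203.0.113.7
203.0.113.8
198.51.100.0/24
2001:db8:bad::/48
"""

# Constructed traffic events in key=value form, as a firewall might log them.
TRAFFIC = [
    "src_ip=10.1.2.3 dest_ip=203.0.113.7 dest_port=443 action=allowed",
    "src_ip=10.1.2.4 dest_ip=93.184.216.34 dest_port=80 action=allowed",
    "src_ip=198.51.100.77 dest_ip=10.1.2.5 dest_port=22 action=blocked",
    "src_ip=10.1.2.6 dest_ip=2001:db8:bad:1::9 dest_port=8443 action=allowed",
    "src_ip=10.1.2.7 dest_ip=not-an-ip dest_port=53 action=allowed",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


class Watchlist:
    """Indicators indexed for constant-time membership per candidate address.

    Hosts live in one set; networks are bucketed by (ip version, prefix length),
    so a lookup masks the address once per distinct length present in the list
    instead of scanning every network."""

    def __init__(self, indicators: Iterable[str]):
        self.hosts = set()
        self.nets = defaultdict(set)
        for raw in indicators:
            raw = raw.strip()
            if not raw:
                continue
            if "/" in raw:
                net = ipaddress.ip_network(raw, strict=False)
                self.nets[(net.version, net.prefixlen)].add(net)
            else:
                self.hosts.add(ipaddress.ip_address(raw))

    def lookup(self, value: str) -> Optional[str]:
        """Return the matching indicator as text, or None. Garbage never matches."""
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return None
        if addr in self.hosts:
            return str(addr)
        net_cls = ipaddress.IPv4Network if addr.version == 4 else ipaddress.IPv6Network
        for (version, plen), nets in self.nets.items():
            if version != addr.version:
                continue
            # strict=False masks the host bits so the candidate is a proper network.
            candidate = net_cls((int(addr), plen), strict=False)
            if candidate in nets:
                return str(candidate)
        return None


def load_watchlist_csv(text: str) -> Watchlist:
    lines = text.strip().splitlines()
    return Watchlist(lines[1:])  # skip the header row


def match_traffic(events: Iterable[str], wl: Watchlist,
                  fields: Tuple[str, ...] = ("src_ip", "dest_ip")) -> List[Tuple[str, str, str]]:
    """One pass over the events; returns (event, field, indicator) for every hit."""
    hits = []
    for event in events:
        kv = dict(KV_RE.findall(event))
        for field in fields:
            indicator = wl.lookup(kv.get(field, ""))
            if indicator is not None:
                hits.append((event, field, indicator))
    return hits


if __name__ == "__main__":
    for event, field, indicator in match_traffic(TRAFFIC, load_watchlist_csv(WATCHLIST_CSV)):
        print(f"{field} matched {indicator}: {event}")
```

The same shape carries over to Splunk: keep the 18,000 rows in one lookup, run `lookup` once per event on the IP field, and filter on the output field. Splitting the list into eight panels multiplies the event scans by eight without reducing the work per event.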
I am trying to create use cases and search the indexes, but I get an "index search not found" error message. None of my logs are showing up anywhere.
Hi guys, is there any documentation available out there to set up the Cisco Security Cloud app? Specific requirements, "failed to create an input" and similar errors, etc. Qzy
App 'Infoblox DDI' started successfully (id: 1725978494606) on asset: 'infoblox-enterprise'(id: 25)
Loaded action execution configuration
Logging into device
Configured URL: https://10.247.53.30
Querying endpoint '/?_schema' to validate credentials
Connectivity test succeeded
Exception Occurred. 'str' object has no attribute 'formate'.
Traceback (most recent call last):
  File "/opt/phantom/data/apps/infobloxddi_5ec38a6e-18c3-4cc3-ab47-2754b56aea50/infobloxddi_connector.py", line 349, in _make_rest_call
    content_type = request_obj.headers[consts.INFOBLOX_JSON_CONTENT_TYPE]
  File "/opt/phantom/data/usr/python39/lib/python3.9/site-packages/requests/structures.py", line 52, in __getitem__
    return self._store[key.lower()][1]
KeyError: 'content-type'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "lib3/phantom/base_connector.py/base_connector.py", line 3204, in _handle_action
  File "/opt/phantom/data/apps/infobloxddi_5ec38a6e-18c3-4cc3-ab47-2754b56aea50/infobloxddi_connector.py", line 1173, in finalize
    return self._logout()
  File "/opt/phantom/data/apps/infobloxddi_5ec38a6e-18c3-4cc3-ab47-2754b56aea50/infobloxddi_connector.py", line 444, in _logout
    status, response = self._make_rest_call(consts.INFOBLOX_LOGOUT, action_result)
  File "/opt/phantom/data/apps/infobloxddi_5ec38a6e-18c3-4cc3-ab47-2754b56aea50/infobloxddi_connector.py", line 357, in _make_rest_call
    self.debug_print("{}. {}".formate(message, error_message))
AttributeError: 'str' object has no attribute 'formate'
Connectivity test succeeded
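Added example (my own code, not the Infoblox DDI app's): the traceback above records two defects in one place. The logout response carried no Content-Type header, so indexing `headers[...]` raised KeyError 'content-type' (requests' CaseInsensitiveDict lowercases keys); the except branch meant to report that calls `.formate()` instead of `.format()`, so an AttributeError escapes from `_logout()`/`finalize()` and hides the real cause. The snippet reproduces that path with a small stand-in for CaseInsensitiveDict and shows the hardened version that treats a missing header as an ordinary failed result. The constant's value, the function names and the messages are assumptions; the app's own consts module is not on the page.

```python
from typing import Dict, Optional, Tuple

# Name referenced in the traceback; its value is an assumption.
INFOBLOX_JSON_CONTENT_TYPE = "Content-Type"


class CaseInsensitiveHeaders(dict):
    """Minimal stand-in for requests' CaseInsensitiveDict: keys are stored and
    looked up lower-cased, so a miss raises KeyError('content-type') exactly
    as the first traceback shows."""

    def __init__(self, items: Optional[Dict[str, str]] = None):
        super().__init__()
        for key, value in (items or {}).items():
            self[key] = value

    def __setitem__(self, key: str, value: str) -> None:
        super().__setitem__(key.lower(), value)

    def __getitem__(self, key: str) -> str:
        return super().__getitem__(key.lower())

    def get(self, key: str, default=None):
        return super().get(key.lower(), default)


def debug_print(msg: str) -> None:
    print("DEBUG:", msg)


def content_type_as_posted(headers: CaseInsensitiveHeaders, message: str) -> Tuple[bool, str]:
    """Mirrors the failing path: the handler for the KeyError is itself broken,
    so the caller never sees the original 'no Content-Type' condition."""
    try:
        content_type = headers[INFOBLOX_JSON_CONTENT_TYPE]
    except Exception as e:
        error_message = str(e)
        debug_print("{}. {}".formate(message, error_message))  # typo reproduced on purpose
        return False, error_message
    return True, content_type


def content_type_hardened(headers: CaseInsensitiveHeaders, message: str) -> Tuple[bool, str]:
    """A missing header is a normal failure, not an exception: use .get() with a
    default, the corrected .format() in the error path, and reject non-JSON."""
    content_type = headers.get(INFOBLOX_JSON_CONTENT_TYPE)
    if content_type is None:
        error_message = "response carried no Content-Type header"
        debug_print("{}. {}".format(message, error_message))
        return False, error_message
    if "json" not in content_type.lower():
        return False, "unexpected content type {}".format(content_type)
    return True, content_type


def reproduce(headers: CaseInsensitiveHeaders, message: str) -> str:
    """Return the AttributeError text the posted path produces, or '' if it did not fail."""
    try:
        content_type_as_posted(headers, message)
    except AttributeError as e:
        return str(e)
    return ""


if __name__ == "__main__":
    logout_headers = CaseInsensitiveHeaders({})  # constructed: a response with no Content-Type
    ok_headers = CaseInsensitiveHeaders({"Content-Type": "application/json"})
    print("as posted:", reproduce(logout_headers, "Logout failed"))
    print("hardened: ", content_type_hardened(logout_headers, "Logout failed"))
    print("hardened: ", content_type_hardened(ok_headers, "Logout failed"))
```

The practical point for anyone maintaining a SOAR connector: error branches run only when something has already gone wrong, so they are the code least likely to have been executed in testing. A unit test that feeds a header-less response through `_make_rest_call` would have caught the typo, and the hardened form also keeps a missing or non-JSON Content-Type from being silently treated as success.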
Dear community, it might be an odd question, but I need to forward splunkd.log to a foreign syslog server, therefore I was following the sample from here: https://docs.splunk.com/Documentation/SplunkCloud/9.2.2406/Forwarding/Forwarddatatothird-partysystemsd

So far I have configured the forwarder to forward testing.log (should be splunkd.log later) to the foreign syslog target:

#inputs.conf
[monitor:///opt/splunk/var/log/splunk/testing.log]
disabled=false
sourcetype=testing

#outputs.conf
[tcpout]
defaultGroup=idx-cluster
indexAndForward=false

[tcpout:idx-cluster]
server=splunk-idx-cluster-indexer-service:9997

[syslog:my_syslog_group]
server = my-syslog-server.foo:514

#transforms.conf
[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group

So far so good: testing.log appears on the syslog server, but not just that, all other messages are forwarded too. Question: how can I configure the (heavy) forwarder to only send testing.log to the foreign syslog server, and how can I make sure that testing.log does not get indexed? In other words, testing.log should only be sent to syslog. Many thanks in advance.
Splunk docs show all deployment components needing a minimum of x64, 12 cores, 12 GB, 2 GHz. My question is about a dedicated license server for a VERY small distributed system for training and development. I want a search head and an indexer, and then a separate LM and DS. The data volume is small, less than 2 GB/day. Do I really need the full-blown minimums for an LM that will have a single dev license? I wanted to put this onto an RPi, but... yeah... that doesn't look like an option. I have a couple of low-end NUCs that are x64 but won't meet the minimums for cores or RAM. I would welcome any assistance or even mentoring on this project.
Hi, how can I combine a field value if the other 3 field values are the same? Example: field1, field2 and field3 are the same but field4 is different, and this creates a new row in my Splunk table. I want to merge or combine the field4 values into one field value separated by commas when field1, field2 and field3 are the same.
Hi Team, I am facing the below error while testing in my local Splunk Web v9 while connecting with a Chronicle instance:

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1106)

I have created a Python app to upload to Splunk. I have created a request_fn where the below line of code is executed:

requests.get(host + url, verify=False, **kwargs)

I made sure that SSL verification is disabled in the Python code (verify=False above), and I have also disabled it from the Splunk settings: Server Settings > General > Enable SSL (HTTPS) in Splunk Web? - No. I have also checked web.conf, where SSL is set to 0 (no):

[settings]
enableSplunkWebSSL = 0

But still, when my local Splunk Web is trying to make the HTTP request, it gives the SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1106). Does anybody have any clue or has faced the same issue?
Hi All, hope you are all doing well. I am very new to Splunk Enterprise Security, and I need your help to understand how I can create a reverse integration with ServiceNow. We are using the ServiceNow Security Operations integration to manually create incidents in ServiceNow for notables. We have a new ask from the SOC to update the notables when the incidents are created and closed in ServiceNow. We are using Splunk Enterprise and want to know what endpoints we need to provide so that we can achieve reverse communication. I have created a user in Splunk who has access to edit notables, but I am not sure what endpoint I need to provide: is it just the URL of my instance, or do I need to add any services as well? Please let me know if you have any other questions. Thanks in advance.
Hello Splunk Community, I'm encountering a problem with the component from '@splunk/visualizations/Line' in my Splunk dashboard framework. I am trying to set up an event to be triggered when a user clicks on a point in the line chart. Despite using the 'point.click' event, it doesn't seem to work as expected. Has anyone faced a similar issue, or can anyone suggest what might be going wrong here? Any guidance or examples would be greatly appreciated. Thanks in advance for your help!

Here is the relevant part of my code:

import React, { useEffect, useState } from 'react';
import Line from '@splunk/visualizations/Line';

const MemoryUtilizationLine = () => {
    // Handler I expect to fire when a point on the line is clicked.
    const handleEvent = (e) => {
        console.log(e);
    };

    return (
        <div className=' m-2 pie-border-style'>
            <Line
                pointClick={handleEvent}
                options={{}}
                dataSources={{
                    primary: {
                        requestParams: { offset: 0, count: 20 },
                        data: {
                            fields: [
                                { name: '_time' },
                                { name: 'count', type_special: 'count' },
                                { name: 'percent', type_special: 'percent' },
                            ],
                            // Note: the _time column has 5 entries while count and percent have 6.
                            columns: [
                                [
                                    '2018-05-02T18:10:46.000-07:00',
                                    '2018-05-02T18:11:47.000-07:00',
                                    '2018-05-02T18:12:48.000-07:00',
                                    '2018-05-02T18:13:49.000-07:00',
                                    '2018-05-02T18:15:50.000-07:00',
                                ],
                                ['600', '525', '295', '213', '122', '19'],
                                ['87.966380', '50.381304', '60.023780', '121.183272', '70.250513', '90.194752'],
                            ],
                        },
                        meta: { totalCount: 20 },
                    },
                }}
            />
        </div>
    );
};

export default MemoryUtilizationLine;
Hi, my team (Team 1) has a cluster of indexers and a search head cluster. We want to add a dedicated search head for Team 2 where they can be admins. A few conditions and restrictions:
- Team 1 should remain admins of the cluster but not of the dedicated search head.
- Team 2 should not be able to search certain indexes nor change that setting by any means.
In short, there are a few indexes which we do not want Team 2 to see, nor tamper with the settings to get access to, but we would like them to be admins of their own search head. Any suggestions?
If anyone knows about the following, I would be grateful for your guidance.

What I want to do
----------
After a specific date is selected, I want the graphs in the multiple reports (cards) displayed on the Splunk screen to be filtered so that they show only the data for the selected date.

Where I am stuck / what I want to know
----------
I don't know how to let the user select a specific date on the Splunk screen. I understand there is a feature for placing an input/selection box that lets the user choose a date or a date-time range, but what I want to know is how to implement something simpler: picking a single date from a calendar and filtering the graphs by it. Will this require coding such as jQuery? Sorry for the trouble, and thank you in advance.