If you use Splunk Enterprise or Splunk Cloud, you can guard against loss of data when forwarding by enabling the indexer acknowledgment capability. With indexer acknowledgment, the forwarder will resend any data that the receiver does not acknowledge as "received". You enable indexer acknowledgment on the forwarder, in the outputs.conf file. See how acknowledgment works. See how acknowledgment failure is handled.

However, if the forwarder is restarted/stopped while waiting for indexer acknowledgment, in most cases unacknowledged data is not resent upon forwarder restart/start. That is because indexer acknowledgment is just an agreement between the output processor and the target server.

There are 4 major input types:
- File inputs (monitor/batch mode)
- Modular inputs
- Network inputs (TCP/UDP)
- HTTP inputs (HTTP receiver endpoints/HTTP Event Collector)

Only the file input in monitor mode can resend data if the forwarder is restarted/stopped while waiting for indexer acknowledgment.

Acknowledgment is sent back to the forwarder after the replication factor is met. That means for a replication factor of 3, the source indexer waits on acknowledgment from 2 replication target indexers. Inputs on forwarders are not aware of the indexer acknowledgment process. Latency increases when the target server is not an indexer, as the intermediate tier will wait for acknowledgment before acknowledging back to the edge forwarder. For more information, see the outputs.conf spec file.
How can I troubleshoot when, using a dashboard to export data, the exported data has numerous NULL values where there should be actual data in the table output in Splunk?
I want to start off by saying I am extremely new to Splunk, so please bear with me. I'm not sure at all if I'm on the right track, so please feel free to let me know if I need to try something else. I have two Cisco ASA5506s that are used as firewalls. Searching for either of their hostnames only yields results for about 17 days or so. So if today is the 1st day, it will overwrite the 17th day to record tomorrow's logs. Since all I was doing was just trying to get a total view of how many total entries it's pulling from all indexes, I wasn't sure which index could be the reason why it's not logging past 17 days. Poking around, I found that the _syslog and _metrics indexes both only had logs 14-15 days old. So that led me to modify the indexes.conf file; however, this did not help log the firewalls past 17 days. What else should I be looking for? These devices see millions of hits daily, so that could possibly be contributing to this as well.

Previous indexes.conf:

[default]
serviceSubtaskTimingPeriod = 30
serviceInactiveIndexesPeriod = 60
enableRealtimeSearch = true
timePeriodInSecBeforeTsidxReduction = 604800
serviceMetaPeriod = 25
defaultDatabase = main
rotatePeriodInSecs = 60
rtRouterThreads = 0
enableTsidxReduction = false
maxHotIdleSecs = 0
bucketRebuildMemoryHint = auto
suspendHotRollByDeleteQuery = false
maxHotSpanSecs = 7776000
suppressBannerList =
maxBucketSizeCacheEntries = 0
hotBucketTimeRefreshInterval = 10
maxHotBuckets = 3
processTrackerServiceInterval = 1
maxDataSize = auto
maxRunningProcessGroups = 8
minRawFileSyncSecs = disable
enableDataIntegrityControl = false
minStreamGroupQueueSize = 2000
maxMetaEntries = 1000000
throttleCheckPeriod = 15
tstatsHomePath = volume:_splunk_summaries\$_index_name\datamodel_summary
tsidxReductionCheckPeriodInSec = 600
maxBloomBackfillBucketAge = 30d
datatype = event
syncMeta = true
partialServiceMetaPeriod = 0
frozenTimePeriodInSecs = 188697600
maxGlobalDataSizeMB = 0
quarantinePastSecs = 77760000
compressRawdata = true
coldToFrozenScript =
coldPath.maxDataSizeMB = 0
enableOnlineBucketRepair = true
repFactor = 0
rtRouterQueueSize = 10000
maxTimeUnreplicatedWithAcks = 60
assureUTF8 = false
maxTimeUnreplicatedNoAcks = 300
rawChunkSizeBytes = 131072
memPoolMB = auto
homePath.maxDataSizeMB = 0
warmToColdScript =
maxWarmDBCount = 300
minHotIdleSecsBeforeForceRoll = auto
coldToFrozenDir =
maxTotalDataSizeMB = 500000
maxConcurrentOptimizes = 6
maxRunningProcessGroupsLowPriority = 1
streamingTargetTsidxSyncPeriodMsec = 5000
journalCompression = gzip
quarantineFutureSecs = 2592000
splitByIndexKeys =
sync = 0
serviceOnlyAsNeeded = true

[_audit]
bucketRebuildMemoryHint = 0
compressRawdata = 1
coldPath = $SPLUNK_DB\audit\colddb
minHotIdleSecsBeforeForceRoll = 0
enableTsidxReduction = 0
enableOnlineBucketRepair = 1
suspendHotRollByDeleteQuery = 0
enableDataIntegrityControl = 0
thawedPath = $SPLUNK_DB\audit\thaweddb
tstatsHomePath = volume:_splunk_summaries\audit\datamodel_summary
homePath = $SPLUNK_DB\audit\db
rtRouterThreads =
syncMeta = 1
maxTotalDataSizeMB = 5120
rtRouterQueueSize =

[_internal]
bucketRebuildMemoryHint = 0
syncMeta = 1
maxHotSpanSecs = 432000
compressRawdata = 1
coldPath = $SPLUNK_DB\_internaldb\colddb
minHotIdleSecsBeforeForceRoll = 0
maxDataSize = 1000
enableOnlineBucketRepair = 1
suspendHotRollByDeleteQuery = 0
enableDataIntegrityControl = 0
thawedPath = $SPLUNK_DB\_internaldb\thaweddb
tstatsHomePath = volume:_splunk_summaries\_internaldb\datamodel_summary
homePath = $SPLUNK_DB\_internaldb\db
rtRouterThreads =
enableTsidxReduction = 0
maxTotalDataSizeMB = 25600
frozenTimePeriodInSecs = 188697600
rtRouterQueueSize =

[_introspection]
bucketRebuildMemoryHint = 0
syncMeta = 1
compressRawdata = 1
coldPath = $SPLUNK_DB\_introspection\colddb
minHotIdleSecsBeforeForceRoll = 0
enableTsidxReduction = 0
enableOnlineBucketRepair = 1
suspendHotRollByDeleteQuery = 0
enableDataIntegrityControl = 0
thawedPath = $SPLUNK_DB\_introspection\thaweddb
homePath = $SPLUNK_DB\_introspection\db
rtRouterThreads =
maxDataSize = 1024
maxTotalDataSizeMB = 5120
frozenTimePeriodInSecs = 1209600
rtRouterQueueSize =

[_telemetry]
bucketRebuildMemoryHint = 0
syncMeta = 1
compressRawdata = 1
coldPath = $SPLUNK_DB\_telemetry\colddb
minHotIdleSecsBeforeForceRoll = 0
enableTsidxReduction = 0
enableOnlineBucketRepair = 1
suspendHotRollByDeleteQuery = 0
enableDataIntegrityControl = 0
thawedPath = $SPLUNK_DB\_telemetry\thaweddb
homePath = $SPLUNK_DB\_telemetry\db
rtRouterThreads =
maxDataSize = 256
maxTotalDataSizeMB = 500
frozenTimePeriodInSecs = 63072000
rtRouterQueueSize =

[_thefishbucket]
bucketRebuildMemoryHint = 0
syncMeta = 1
compressRawdata = 1
coldPath = $SPLUNK_DB\fishbucket\colddb
minHotIdleSecsBeforeForceRoll = 0
enableTsidxReduction = 0
enableOnlineBucketRepair = 1
suspendHotRollByDeleteQuery = 0
enableDataIntegrityControl = 0
thawedPath = $SPLUNK_DB\fishbucket\thaweddb
tstatsHomePath = volume:_splunk_summaries\fishbucket\datamodel_summary
homePath = $SPLUNK_DB\fishbucket\db
rtRouterThreads =
maxDataSize = 500
maxTotalDataSizeMB = 500
frozenTimePeriodInSecs = 188697600
rtRouterQueueSize =

[history]
bucketRebuildMemoryHint = 0
syncMeta = 1
compressRawdata = 1
coldPath = $SPLUNK_DB\historydb\colddb
minHotIdleSecsBeforeForceRoll = 0
enableTsidxReduction = 0
enableOnlineBucketRepair = 1
suspendHotRollByDeleteQuery = 0
enableDataIntegrityControl = 0
thawedPath = $SPLUNK_DB\historydb\thaweddb
tstatsHomePath = volume:_splunk_summaries\historydb\datamodel_summary
homePath = $SPLUNK_DB\historydb\db
rtRouterThreads =
maxDataSize = 10
maxTotalDataSizeMB = 500
frozenTimePeriodInSecs = 604800
rtRouterQueueSize =

[main]
enableOnlineBucketRepair = 1
bucketRebuildMemoryHint = 0
syncMeta = 1
minHotIdleSecsBeforeForceRoll = 0
compressRawdata = 1
coldPath = $SPLUNK_DB\defaultdb\colddb
maxHotBuckets = 10
maxDataSize = auto_high_volume
maxConcurrentOptimizes = 6
suspendHotRollByDeleteQuery = 0
enableDataIntegrityControl = 0
thawedPath = $SPLUNK_DB\defaultdb\thaweddb
tstatsHomePath = volume:_splunk_summaries\defaultdb\datamodel_summary
homePath = $SPLUNK_DB\defaultdb\db
rtRouterThreads =
enableTsidxReduction = 0
maxHotIdleSecs = 86400
maxTotalDataSizeMB = 10240
rtRouterQueueSize =

[splunklogger]
disabled = true
bucketRebuildMemoryHint = 0
compressRawdata = 1
coldPath = $SPLUNK_DB\splunklogger\colddb
minHotIdleSecsBeforeForceRoll = 0
enableTsidxReduction = 0
enableOnlineBucketRepair = 1
suspendHotRollByDeleteQuery = 0
enableDataIntegrityControl = 0
thawedPath = $SPLUNK_DB\splunklogger\thaweddb
homePath = $SPLUNK_DB\splunklogger\db
rtRouterThreads =
syncMeta = 1
maxTotalDataSizeMB = 500
rtRouterQueueSize =

[summary]
bucketRebuildMemoryHint = 0
compressRawdata = 1
coldPath = $SPLUNK_DB\summarydb\colddb
minHotIdleSecsBeforeForceRoll = 0
enableTsidxReduction = 0
enableOnlineBucketRepair = 1
suspendHotRollByDeleteQuery = 0
enableDataIntegrityControl = 0
thawedPath = $SPLUNK_DB\summarydb\thaweddb
tstatsHomePath = volume:_splunk_summaries\summarydb\datamodel_summary
homePath = $SPLUNK_DB\summarydb\db
rtRouterThreads =
syncMeta = 1
maxTotalDataSizeMB = 500
rtRouterQueueSize =

[volume:_splunk_summaries]
path = $SPLUNK_DB

Modified indexes.conf:

[default]
serviceSubtaskTimingPeriod = 30
serviceInactiveIndexesPeriod = 60
enableRealtimeSearch = true
timePeriodInSecBeforeTsidxReduction = 604800
serviceMetaPeriod = 25
defaultDatabase = main
rotatePeriodInSecs = 60
rtRouterThreads = 0
enableTsidxReduction = false
maxHotIdleSecs = 0
bucketRebuildMemoryHint = auto
suspendHotRollByDeleteQuery = false
maxHotSpanSecs = 7776000
suppressBannerList =
maxBucketSizeCacheEntries = 0
hotBucketTimeRefreshInterval = 10
maxHotBuckets = 3
processTrackerServiceInterval = 1
maxDataSize = auto
maxRunningProcessGroups = 8
minRawFileSyncSecs = disable
enableDataIntegrityControl = false
minStreamGroupQueueSize = 2000
maxMetaEntries = 1000000
throttleCheckPeriod = 15
tstatsHomePath = volume:_splunk_summaries\$_index_name\datamodel_summary
tsidxReductionCheckPeriodInSec = 600
maxBloomBackfillBucketAge = 30d
datatype = event
syncMeta = true
partialServiceMetaPeriod = 0
frozenTimePeriodInSecs = 188697600
maxGlobalDataSizeMB = 0
quarantinePastSecs = 77760000
compressRawdata = true
coldToFrozenScript =
coldPath.maxDataSizeMB = 0
enableOnlineBucketRepair = true
repFactor = 0
rtRouterQueueSize = 10000
maxTimeUnreplicatedWithAcks = 60
assureUTF8 = false
maxTimeUnreplicatedNoAcks = 300
rawChunkSizeBytes = 131072
memPoolMB = auto
homePath.maxDataSizeMB = 0
warmToColdScript =
maxWarmDBCount = 300
minHotIdleSecsBeforeForceRoll = auto
coldToFrozenDir =
maxTotalDataSizeMB = 500000
maxConcurrentOptimizes = 6
maxRunningProcessGroupsLowPriority = 1
streamingTargetTsidxSyncPeriodMsec = 5000
journalCompression = gzip
quarantineFutureSecs = 2592000
splitByIndexKeys =
sync = 0
serviceOnlyAsNeeded = true

[_audit]
bucketRebuildMemoryHint = 0
compressRawdata = 1
coldPath = $SPLUNK_DB\audit\colddb
minHotIdleSecsBeforeForceRoll = 0
enableTsidxReduction = 0
enableOnlineBucketRepair = 1
suspendHotRollByDeleteQuery = 0
enableDataIntegrityControl = 0
thawedPath = $SPLUNK_DB\audit\thaweddb
tstatsHomePath = volume:_splunk_summaries\audit\datamodel_summary
homePath = $SPLUNK_DB\audit\db
rtRouterThreads =
syncMeta = 1
maxTotalDataSizeMB = 5120
rtRouterQueueSize =

[_internal]
bucketRebuildMemoryHint = 0
syncMeta = 1
maxHotSpanSecs = 432000
compressRawdata = 1
coldPath = $SPLUNK_DB\_internaldb\colddb
minHotIdleSecsBeforeForceRoll = 0
maxDataSize = 1000
enableOnlineBucketRepair = 1
suspendHotRollByDeleteQuery = 0
enableDataIntegrityControl = 0
thawedPath = $SPLUNK_DB\_internaldb\thaweddb
tstatsHomePath = volume:_splunk_summaries\_internaldb\datamodel_summary
homePath = $SPLUNK_DB\_internaldb\db
rtRouterThreads =
enableTsidxReduction = 0
maxTotalDataSizeMB = 51200
frozenTimePeriodInSecs = 188697600
rtRouterQueueSize =
archiver.enableDataArchive = 0
metric.enableFloatingPointCompression = 1
selfStorageThreads =
tsidxWritingLevel =

[_introspection]
bucketRebuildMemoryHint = 0
syncMeta = 1
compressRawdata = 1
coldPath = $SPLUNK_DB\_introspection\colddb
minHotIdleSecsBeforeForceRoll = 0
enableTsidxReduction = 0
enableOnlineBucketRepair = 1
suspendHotRollByDeleteQuery = 0
enableDataIntegrityControl = 0
thawedPath = $SPLUNK_DB\_introspection\thaweddb
homePath = $SPLUNK_DB\_introspection\db
rtRouterThreads =
maxDataSize = 1024
maxTotalDataSizeMB = 5120
frozenTimePeriodInSecs = 1209600
rtRouterQueueSize =

[_telemetry]
bucketRebuildMemoryHint = 0
syncMeta = 1
compressRawdata = 1
coldPath = $SPLUNK_DB\_telemetry\colddb
minHotIdleSecsBeforeForceRoll = 0
enableTsidxReduction = 0
enableOnlineBucketRepair = 1
suspendHotRollByDeleteQuery = 0
enableDataIntegrityControl = 0
thawedPath = $SPLUNK_DB\_telemetry\thaweddb
homePath = $SPLUNK_DB\_telemetry\db
rtRouterThreads =
maxDataSize = 256
maxTotalDataSizeMB = 500
frozenTimePeriodInSecs = 63072000
rtRouterQueueSize =

[_thefishbucket]
bucketRebuildMemoryHint = 0
syncMeta = 1
compressRawdata = 1
coldPath = $SPLUNK_DB\fishbucket\colddb
minHotIdleSecsBeforeForceRoll = 0
enableTsidxReduction = 0
enableOnlineBucketRepair = 1
suspendHotRollByDeleteQuery = 0
enableDataIntegrityControl = 0
thawedPath = $SPLUNK_DB\fishbucket\thaweddb
tstatsHomePath = volume:_splunk_summaries\fishbucket\datamodel_summary
homePath = $SPLUNK_DB\fishbucket\db
rtRouterThreads =
maxDataSize = 500
maxTotalDataSizeMB = 500
frozenTimePeriodInSecs = 188697600
rtRouterQueueSize =

[history]
bucketRebuildMemoryHint = 0
syncMeta = 1
compressRawdata = 1
coldPath = $SPLUNK_DB\historydb\colddb
minHotIdleSecsBeforeForceRoll = 0
enableTsidxReduction = 0
enableOnlineBucketRepair = 1
suspendHotRollByDeleteQuery = 0
enableDataIntegrityControl = 0
thawedPath = $SPLUNK_DB\historydb\thaweddb
tstatsHomePath = volume:_splunk_summaries\historydb\datamodel_summary
homePath = $SPLUNK_DB\historydb\db
rtRouterThreads =
maxDataSize = 10
maxTotalDataSizeMB = 500
frozenTimePeriodInSecs = 604800
rtRouterQueueSize =

[main]
enableOnlineBucketRepair = 1
bucketRebuildMemoryHint = 0
syncMeta = 1
minHotIdleSecsBeforeForceRoll = 0
compressRawdata = 1
coldPath = $SPLUNK_DB\defaultdb\colddb
maxHotBuckets = 10
maxDataSize = auto_high_volume
maxConcurrentOptimizes = 6
suspendHotRollByDeleteQuery = 0
enableDataIntegrityControl = 0
thawedPath = $SPLUNK_DB\defaultdb\thaweddb
tstatsHomePath = volume:_splunk_summaries\defaultdb\datamodel_summary
homePath = $SPLUNK_DB\defaultdb\db
rtRouterThreads =
enableTsidxReduction = 0
maxHotIdleSecs = 86400
maxTotalDataSizeMB = 10240
rtRouterQueueSize =

[splunklogger]
disabled = true
bucketRebuildMemoryHint = 0
compressRawdata = 1
coldPath = $SPLUNK_DB\splunklogger\colddb
minHotIdleSecsBeforeForceRoll = 0
enableTsidxReduction = 0
enableOnlineBucketRepair = 1
suspendHotRollByDeleteQuery = 0
enableDataIntegrityControl = 0
thawedPath = $SPLUNK_DB\splunklogger\thaweddb
homePath = $SPLUNK_DB\splunklogger\db
rtRouterThreads =
syncMeta = 1
maxTotalDataSizeMB = 500
rtRouterQueueSize =

[_syslog]
bucketRebuildMemoryHint = 0
compressRawdata = 1
coldPath = $SPLUNK_DB\_syslog\colddb
minHotIdleSecsBeforeForceRoll = 0
enableTsidxReduction = 0
enableOnlineBucketRepair = 1
suspendHotRollByDeleteQuery = 0
enableDataIntegrityControl = 0
thawedPath = $SPLUNK_DB\_syslog\thaweddb
tstatsHomePath = volume:_splunk_summaries\_syslog\datamodel_summary
homePath = $SPLUNK_DB\_syslog\db
rtRouterThreads =
syncMeta = 1
maxTotalDataSizeMB = 10240
frozenTimePeriodInSecs = 7776000
rtRouterQueueSize =

[_metrics]
bucketRebuildMemoryHint = 0
compressRawdata = 1
coldPath = $SPLUNK_DB\_metrics\colddb
minHotIdleSecsBeforeForceRoll = 0
enableTsidxReduction = 0
enableOnlineBucketRepair = 1
suspendHotRollByDeleteQuery = 0
enableDataIntegrityControl = 0
thawedPath = $SPLUNK_DB\_metrics\thaweddb
tstatsHomePath = volume:_splunk_summaries\_metrics\datamodel_summary
homePath = $SPLUNK_DB\_metrics\db
rtRouterThreads =
syncMeta = 1
maxTotalDataSizeMB = 10240
frozenTimePeriodInSecs = 7776000
rtRouterQueueSize =

[summary]
bucketRebuildMemoryHint = 0
compressRawdata = 1
coldPath = $SPLUNK_DB\summarydb\colddb
minHotIdleSecsBeforeForceRoll = 0
enableTsidxReduction = 0
enableOnlineBucketRepair = 1
suspendHotRollByDeleteQuery = 0
enableDataIntegrityControl = 0
thawedPath = $SPLUNK_DB\summarydb\thaweddb
tstatsHomePath = volume:_splunk_summaries\summarydb\datamodel_summary
homePath = $SPLUNK_DB\summarydb\db
rtRouterThreads =
syncMeta = 1
maxTotalDataSizeMB = 500
rtRouterQueueSize =

[volume:_splunk_summaries]
path = $SPLUNK_DB
The credentials used to connect the Splunk TA for Azure were set to expire 6 months from now. I would like to get an alert created for that in Splunk so we can update this a week before it expires, so it does not take us by surprise. I do not want to set a personal reminder, just in case someone else is in the role by then. Thanks for your help.
Hello all. I am trying to build a straightforward dashboard for some executives. I am the only one on my team who uses and knows how to use Dashboard Studio. By default, I have the "ALL" option chosen, but upon choosing any other option from my multi-select input, I receive an error in my table indicating that no search results have been returned. The only option that works is the "ALL" option. This also happens when I use the dropdown input.
How can I make the Splunk agent collect the web browser or network logs from endpoints (Windows, Linux) to the Splunk server?
Hello, I have a problem with Deployment Server. I would like to set up e-mail settings for all my Splunk servers using a deployment application. I have created the deployment server, and I have created the classes and applications I want to deploy. The application is downloading to the right servers. The application is very simple. I created the file "/opt/splunk/etc/deployment-apps/setSplunkCommonConfig/default/xxx_alert.actions.conf" with the following content:

[email]
allowedDomainList = domain.com
pdf.header_left = none
pdf.header_right = none

This application is downloaded to the client and is stored under the "/opt/splunk/etc/apps/setSplunkCommonConfig" directory, and the file "xxx_alert.actions.conf" is there. So distribution of the application looks to be working fine. But I have the problem that settings from the file "xxx_alert.actions.conf" are not applied on the client. What am I doing wrong? Can the deploy server copy files to the directories "/opt/splunk/etc/system/local" or "/opt/splunk/etc/system/default", or both? Thank you for any hint.
I am in need of a workable universal forwarder that can be installed on Solaris 5.10 SPARC. I think the latest version of 7.x should work, but it's been taken off the download page. 8.x didn't mention if it will work on 10, so I am in need of someone to help me get a 7.x universal forwarder for Solaris 10 SPARC.
So, in my organization, I have created many dashboards, but I want to know if people actually view them, how often, and which roles are using/viewing them. Is it possible to get these stats from dashboards? This will be very helpful for me and my team in the future. Thank you.
I am new to Splunk and I have been tasked to set up management and data traffic to use SSL certificates. A colleague installed Splunk 9.2.1 on a Windows 2022 server on a separate application drive. I found a document on the Splunk documentation site, "How to obtain certificates from a third-party for inter-Splunk communication". The commands use environment variables that are not set up on my server. Questions:
1. Were these variables supposed to be added during the install?
2. If not, which variables do I need to add, and where do I add them (user or system variables)?
3. Is there a major difference in configuration if Splunk is installed to an application drive, not the O/S drive?
4. In generating the privatekey.key file, is it supposed to be saved in the same folder as the servercertificate.csr?
Hello everyone, and thanks in advance for your help. I'm very new to this subject, so if anything is unclear, I'll try to explain my problem in more detail. I'm using Splunk 9.2.1, and I'm trying to generate a PDF from one of my dashboards using a Splunk API call. From what I saw online, I should use:

GET /services/pdfgen/render?input-dashboard=<DashboardName>&namespace=<AppName>&paper-size=a4-landscape

user = MyUser; app = MyApp; dashboard = Security_events_dashboard (I'm using a module that calls the API for me; all I do is specify the endpoint and the parameters and it gives me the response as a string). The problem is that I get this error:

Unable to render PDF.<br/><ul><il>Bailing out of Integrated PDF Generation. Exception raised while preparing to render "Untitled" to PDF. [HTTP 404] https://localhost:8089/servicesNS/MyUser/MyApp/data/ui/views/Security_events_dashboard; [{'type': 'ERROR', 'code': None, 'text': 'Could not find object id=Security_events_dashboard'}]</li></ul>

On the GUI, signed in as MyUser, I can see the dashboard under MyApp, and the permission is set to read for MyUser, Owner = nobody, Sharing = App. To confirm this, on my Search Head VM I can see the dashboard under $SPLUNK_HOME/etc/apps/MyApp/default/data/ui/views/security_events_dashboard.xml. Plus, in $SPLUNK_HOME/etc/apps/MyApp/metadata/default.meta:

[views/security_events_dashboard.xml]
access = read : [MyUser], write : [admin]
owner = nobody
version = 9.1.0.1
export = system

I've tried using the dashboard name as security_events_dashboard (instead of Security_events_dashboard), but I get the same error. I don't see what I'm missing here, so if anyone could give me a hint or two, please, thank you.
Hi, we have been unable to use the PostgreSQL connector since updating to SOAR version 6, either with the latest connector version or with the previous ones. This issue is happening both on cloud environments and on-prem environments (which were connecting OK to PostgreSQL while on Phantom 5.X versions). This is the error we are getting on-prem (the very same happens on cloud environments with the automation broker).

Testing Connectivity
App 'PostgreSQL' started successfully (id: 1723042384532) on asset: 'pgdb'(id: 433)
Loaded action execution configuration
db login error SCRAM authentication requires libpq version 10 or above
Test Connectivity Failed. PostgresqlConnector::initialize() returned error.

I already opened a support ticket weeks ago, but maybe some of you were able to solve it on your own. Any ideas about the root cause and possible solutions? Regards
Hi, we have installed AppDynamics and we are using the Oracle JVM. We added tools.jar under the Tomcat lib and the Java JRE lib as well, but when we try to check on object tracking we are still seeing "tools.jar is not in the JVM classpath". Any help to resolve this is appreciated.
Will the Searchbase App (https://splunkbase.splunk.com/app/7188) ever be made available for general download?
Hello everyone, looking for a little guidance on our Splunk deployment for a system. Currently, we have a few different sites that span across the US, with universal forwarders deployed to all of the systems and reporting back to one main Splunk instance individually. I'd like to see about splitting the Splunk system up into two separate parts to improve integrity and reduce latency, but I have never dealt with deploying a heavy forwarder in an instance like this. My thought is to have all of the western universal forwarders send their events to a dedicated western heavy forwarder, have all of the eastern universal forwarders send their data to the eastern heavy forwarder, and have both of the heavy forwarders send their data to our main Splunk instance. (Crude Visio below.) Any guidance is greatly appreciated!
Hi all! I would like to create a no_msg_wait_time column here. This is my existing Splunk search query:

index=index source="D:\\Temp\\logs\\Logpath\\examplelog.log"
| rex field=_raw "^(?<date>\d{4}-\d{2}-\d{2})\s+(?<timestamp>\d{2}:\d{2}:\d{2},\d{3})"
| rex field=_raw "Done Bulk saving messages, Count=(?<count>\d+), used (?<db_bulk_write_time>\d+) ms"
| where isnotnull(count)
| eval event_time=strptime(date . " " . timestamp, "%Y-%m-%d %H:%M:%S,%3N")
| sort 0 event_time
| streamstats current=f last(event_time) as prev_event_time
| eval processing_time=if(isnull(prev_event_time), 0, event_time - prev_event_time)
| fields date, timestamp, processing_time, count, db_bulk_write_time
| eval processing_time = processing_time * 1000
| table date, timestamp, processing_time, count, db_bulk_write_time, _raw

This is an example of the log lines. I would like to create a no_msg_wait_time column with the following results: it would count how many "No message to handle (noMessageHandleCounter=*), retry in 1000 ms" lines there are between each "Done Bulk saving messages". So if there are 4 in between, then no_msg_wait_time will be 4000 ms; if there are none in between, then no_msg_wait_time will be 0 ms.

So, using my current example here:

2024-08-07 21:13:07,710 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:07,710 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=4), retry in 1000 ms
2024-08-07 21:13:08,742 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:08,742 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=5), retry in 1000 ms
2024-08-07 21:13:09,757 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:09,757 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=6), retry in 1000 ms
2024-08-07 21:13:10,773 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:10,773 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=7), retry in 1000 ms
2024-08-07 21:13:11,007 [15] INFO DistributorCommon.WMQClient [(null)] - Message Read from Queue, Message Length:4504
2024-08-07 21:13:11,132 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=1), retry in 10 ms.
2024-08-07 21:13:11,257 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=2), retry in 10 ms.
2024-08-07 21:13:11,382 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=3), retry in 10 ms.
2024-08-07 21:13:11,507 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=4), retry in 10 ms.
2024-08-07 21:13:11,632 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=5), retry in 10 ms.
2024-08-07 21:13:11,757 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=6), retry in 10 ms.
2024-08-07 21:13:11,882 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=7), retry in 10 ms.
2024-08-07 21:13:11,882 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 1
2024-08-07 21:13:11,882 [39] INFO DistributorCommon.WMQClient [(null)] - Processing messages, Count=1
2024-08-07 21:13:11,882 [39] INFO DistributorCommon.WMQClient [(null)] - Done Processing messages, Count=1, IsBufferedEvent=True
2024-08-07 21:13:11,882 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Bulk saving messages, Count=1
2024-08-07 21:13:12,007 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 113 ms
2024-08-07 21:13:12,007 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=8), retry in 10 ms.
2024-08-07 21:13:12,054 [39] INFO DistributorCommon.WMQClient [(null)] - Saved messages to DB, Q Manager to Commit (Remove messages from Queue)
2024-08-07 21:13:12,132 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=9), retry in 10 ms.
2024-08-07 21:13:12,179 [39] INFO DistributorCommon.WMQClient [(null)] - Clear Write Buffer
2024-08-07 21:13:12,257 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:12,398 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:12,528 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:12,778 [33] INFO DistributorCommon.WMQClient [(null)] - Message Read from Queue, Message Length:4668
2024-08-07 21:13:12,809 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 1
2024-08-07 21:13:12,809 [39] INFO DistributorCommon.WMQClient [(null)] - Processing messages, Count=1
2024-08-07 21:13:12,809 [39] INFO DistributorCommon.WMQClient [(null)] - Done Processing messages, Count=1, IsBufferedEvent=True
2024-08-07 21:13:12,809 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Bulk saving messages, Count=1
2024-08-07 21:13:12,825 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 24 ms
2024-08-07 21:13:12,841 [39] INFO DistributorCommon.WMQClient [(null)] - Saved messages to DB, Q Manager to Commit (Remove messages from Queue)
2024-08-07 21:13:12,934 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=1), retry in 10 ms.
2024-08-07 21:13:12,966 [39] INFO DistributorCommon.WMQClient [(null)] - Clear Write Buffer
2024-08-07 21:13:13,059 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=2), retry in 10 ms.
2024-08-07 21:13:13,059 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:13,184 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=3), retry in 10 ms.
2024-08-07 21:13:13,200 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:13,325 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=4), retry in 10 ms.
2024-08-07 21:13:13,341 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:13,466 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=5), retry in 10 ms.
2024-08-07 21:13:13,466 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:13,466 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=4), retry in 1000 ms
2024-08-07 21:13:13,591 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=6), retry in 10 ms.
2024-08-07 21:13:13,716 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=7), retry in 10 ms.
2024-08-07 21:13:13,841 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=8), retry in 10 ms.
2024-08-07 21:13:13,966 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=9), retry in 10 ms.
2024-08-07 21:13:14,481 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:14,481 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=5), retry in 1000 ms
2024-08-07 21:13:15,497 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:15,497 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=6), retry in 1000 ms
2024-08-07 21:13:15,731 [20] INFO DistributorCommon.WMQClient [(null)] - Message Read from Queue, Message Length:7648
2024-08-07 21:13:15,856 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=1), retry in 10 ms.
2024-08-07 21:13:15,981 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=2), retry in 10 ms.
2024-08-07 21:13:16,106 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=3), retry in 10 ms.
2024-08-07 21:13:16,231 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=4), retry in 10 ms.
2024-08-07 21:13:16,356 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=5), retry in 10 ms.
2024-08-07 21:13:16,481 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=6), retry in 10 ms.
2024-08-07 21:13:16,606 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=7), retry in 10 ms.
2024-08-07 21:13:16,606 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 1 2024-08-07 21:13:16,606 [39] INFO DistributorCommon.WMQClient [(null)] - Processing messages, Count=1 2024-08-07 21:13:16,606 [39] INFO DistributorCommon.WMQClient [(null)] - Done Processing messages, Count=1, IsBufferedEvent=True 2024-08-07 21:13:16,606 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Bulk saving messages, Count=1 2024-08-07 21:13:16,622 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 11 ms 2024-08-07 21:13:16,637 [39] INFO DistributorCommon.WMQClient [(null)] - Saved messages to DB, Q Manager to Commit (Remove messages from Queue) 2024-08-07 21:13:16,731 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=8), retry in 10 ms. 2024-08-07 21:13:16,762 [39] INFO DistributorCommon.WMQClient [(null)] - Clear Write Buffer 2024-08-07 21:13:16,856 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=9), retry in 10 ms. 
2024-08-07 21:13:16,856 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0 2024-08-07 21:13:16,997 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0 2024-08-07 21:13:17,137 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0 2024-08-07 21:13:17,278 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0 2024-08-07 21:13:17,278 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=4), retry in 1000 ms 2024-08-07 21:13:18,294 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0 2024-08-07 21:13:18,294 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=5), retry in 1000 ms 2024-08-07 21:13:19,309 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0 2024-08-07 21:13:19,309 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=6), retry in 1000 ms 2024-08-07 21:13:19,544 [28] INFO DistributorCommon.WMQClient [(null)] - Message Read from Queue, Message Length:13568 2024-08-07 21:13:19,669 [28] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=1), retry in 10 ms. 2024-08-07 21:13:19,794 [28] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=2), retry in 10 ms. 2024-08-07 21:13:19,919 [28] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=3), retry in 10 ms. 2024-08-07 21:13:20,044 [28] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=4), retry in 10 ms. 
2024-08-07 21:13:20,169 [28] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=5), retry in 10 ms. 2024-08-07 21:13:20,294 [28] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=6), retry in 10 ms. 2024-08-07 21:13:20,419 [28] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=7), retry in 10 ms. 2024-08-07 21:13:20,419 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 1 2024-08-07 21:13:20,419 [39] INFO DistributorCommon.WMQClient [(null)] - Processing messages, Count=1 2024-08-07 21:13:20,419 [39] INFO DistributorCommon.WMQClient [(null)] - Done Processing messages, Count=1, IsBufferedEvent=True 2024-08-07 21:13:20,419 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Bulk saving messages, Count=1 2024-08-07 21:13:20,434 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 12 ms And my current results are as follow (i manually added expected no_msg_wait_time) date timestamp processing_time count db_bulk_write_time no_msg_wait_time _raw 2024-08-07 21:13:07,070 0.00 ms 1 13.00 ms this one should be zero as i dont have one log line before to calculate (assume this is the start of log line) 2024-08-07 21:13:07,070 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 13 ms   21:13:12,007 4,937.00 ms 1 113.00 ms 4000ms (as there are 4 no message to handle, ... 
1000ms) 2024-08-07 21:13:12,007 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 113 ms   21:13:12,825 818.00 ms 1 24.00 ms 3000ms 2024-08-07 21:13:12,825 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 24 ms   21:13:16,622 3,797.00 ms 1 11.00 ms 10,000ms 2024-08-07 21:13:16,622 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 11 ms   21:13:20,434 3,812.00 ms 1 12.00 ms and so on so forth 2024-08-07 21:13:20,434 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 12 ms
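As an added example (not part of the original post), the Python below reproduces the calculation the post describes on constructed log lines that imitate the DistributorCommon format: every "Done Bulk saving" line becomes a row with the elapsed time since the previous such line, the bulk-write duration, and the summed "retry in N ms" of the "No message to handle" lines seen in between, with both set to 0 for the first row. The sample log, the regexes and the function names are all assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample, not the poster's data: same layout as the
# DistributorCommon log above, with values chosen to be easy to check.
SAMPLE_LOG = """\
2024-08-07 21:13:07,057 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Bulk saving messages, Count=1
2024-08-07 21:13:07,070 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 13 ms
2024-08-07 21:13:08,070 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=1), retry in 1000 ms
2024-08-07 21:13:09,070 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=2), retry in 1000 ms
2024-08-07 21:13:10,850 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=1), retry in 10 ms.
2024-08-07 21:13:11,900 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Bulk saving messages, Count=2
2024-08-07 21:13:12,007 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=2, used 107 ms
2024-08-07 21:13:12,825 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 24 ms
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) ")
DONE_RE = re.compile(r"Done Bulk saving messages, Count=(\d+), used (\d+) ms")
# Only the "No message to handle" retries count as wait; the 10 ms queue polls are ignored.
WAIT_RE = re.compile(r"No message to handle .*retry in (\d+) ms")


def parse_ts(line):
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f") if m else None


def summarize(log_text):
    """One row per 'Done Bulk saving' line: elapsed ms since the previous
    such line, the bulk-write ms, and the summed wait ms in between."""
    rows, prev_ts, wait_acc = [], None, 0
    for line in log_text.splitlines():
        ts = parse_ts(line)
        if ts is None:
            continue
        w = WAIT_RE.search(line)
        if w:
            wait_acc += int(w.group(1))
            continue
        d = DONE_RE.search(line)
        if d:
            first = prev_ts is None  # first row has nothing to diff against
            elapsed = 0 if first else round((ts - prev_ts).total_seconds() * 1000)
            rows.append({"timestamp": ts.strftime("%H:%M:%S,%f")[:-3],
                         "processing_time_ms": elapsed,
                         "count": int(d.group(1)),
                         "db_bulk_write_time_ms": int(d.group(2)),
                         "no_msg_wait_time_ms": 0 if first else wait_acc})
            prev_ts, wait_acc = ts, 0
    return rows
```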
Good morning! I am receiving the Error: Could not load lookup=LOOKUP-reply_code on multiple boxes.  Any similar situations?  Thanks in advance for any feedback.  
We pull change, incident and security incident tickets from ServiceNow into Splunk using the add-on app for ServiceNow. Since we have upgraded the ServiceNow add-on app to 7.8.0, we are unable to pull security incidents. The other data sets related to changes, incidents etc. are coming through. We see the below error:

2024-08-06 19:22:13,103 ERROR pid=663322 tid=MainThread _data:274 | Failure occurred while getting records for the input: securityincident from the table: sn_si_incident of the servicenow host: xxxx The reason for failure= {'message': 'Insufficient rights to query records', 'detail': 'Field(s) present in the query do not have permission to be read'}. Contact Splunk administrator for further information.

Has anyone had this issue?
Hi Team, I am monitoring Bluecoat proxy logs via the syslog log collection method. My inputs.conf file is configured to read all logs inside the location opt/splunk/syslog/symantec/bluecoat/*/*.log. Below is the current configuration. Now I need to exclude the logs which have cs-host=nxtengine.cpga.net.qa from indexing.

[monitor:///opt/splunk/syslog/symantec/bluecoat/*/*.log]
sourcetype = bluecoat:proxysg:access:syslog
index = cus_XXX
host_segment = 6
disabled = false

Sample raw log below:

2024-08-07T14:12:37+03:00 10.253.253.44 Bluecoat|src=X.x.x.x|srcport=53936|dst=x.x.x.x|dstport=8443|username=abcdef$|devicetime=[07/08/2024:11:12:32 GMT]|s-action=TCP_DENIED|sc-status=407|cs-method=CONNECT|time-taken=11|sc-bytes=247|cs-bytes=816|cs-uri-scheme=tcp|cs-host=nxtengine.cpga.net.qa|cs-uri-path=/|cs-uri-query=-|cs-uri-extension=-|cs-auth-group=-|rs(Content-Type)=-|cs(User-Agent)=Mozilla/5.0|cs(Referer)=-|sc-filter-result=DENIED|filter-category=none|cs-uri=tcp://nxtengine.cpga.net.qa:8443/
Hello Everyone,

I'm experiencing a problem with the latest version of Missile Map (1.6.0). The animated arrows remain static when the page initially loads, and the animations only begin when I manually zoom in or out of the map.

This is an issue, as the animations used to start automatically as soon as the dashboard page was loaded.

Thank you for your assistance.