All Topics

I have a current Splunk install in my production environment, all running RedHat Linux. I have a single server w/ Splunk Enterprise installed on it, as well as SplunkForwarder. I have 100+ other servers w/ SplunkForwarder installed on them, all pushing logs to the Splunk Enterprise server. All servers had v9.1.2 of the forwarder installed, and the Enterprise server was also this version.

I recently updated the Splunk Enterprise server, as well as the Splunk Forwarders on all servers, to version 9.2.0.1 successfully. With one exception. The forwarder installed on my Splunk Enterprise server (named "splunkenter1") fails. It displays the error listed below where it says that the splunkforwarder package is conflicting with the splunk install.

I have another Splunk Enterprise install (using the same set-up) in another environment, and I did not run into this issue. That upgrade worked without issue. I've tried Googling the issue, but haven't found much. Anyone have any ideas on what could be causing this, or has anyone seen this before?

    [root@splunkenter1 ~]# dnf update splunkforwarder
    Last metadata expiration check: 0:01:36 ago on Mon 22 Apr 2024 04:47:07 PM UTC.
    Dependencies resolved.
    ========================================================================================================
     Package                Architecture    Version                  Repository      Size
    ========================================================================================================
    Upgrading:
     splunkforwarder        x86_64          9.2.0.1-d8ae995bf219     splunk-repo     44 M

    Transaction Summary
    ========================================================================================================
    Upgrade  1 Package

    Total download size: 44 M
    Is this ok [y/N]: y
    Downloading Packages:
    splunkforwarder-9.2.0.1-d8ae995bf219.x86_64.rpm    41 MB/s | 44 MB 00:01
    --------------------------------------------------------------------------------------------------------
    Total                                              41 MB/s | 44 MB 00:01
    Running transaction check
    Transaction check succeeded.
    Running transaction test
    The downloaded packages were saved in cache until the next successful transaction.
    You can remove cached packages by executing 'dnf clean packages'.
    Error: Transaction test error:
      file /usr/lib/.build-id/03/f57acc2883000e6b54bf75c7e67d1a07446919 from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
      file /usr/lib/.build-id/06/a82be30cc16ea5bea39f78f8056447e18beb15 from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
      file /usr/lib/.build-id/1a/b0b8e873c6d668dcd3361470954d12004926cd from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
      file /usr/lib/.build-id/1e/8edb02a946c645cd20558aa8a6b420792f5541 from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
      file /usr/lib/.build-id/35/e87a7fb154de7d5226e5a0a28c80ffd0c1be48 from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64

Hello, if we have on the DS "app/local" with conf files, is it possible that restarting it pushes the DS "app/local" to the HF "app/local" and deletes custom local conf files on the HF (created from the HF GUI)? Thanks.
Hello, how can I solve "Events might not be returned in sub-second order due to search memory limits" without increasing the value of the following limits.conf setting: [search]:max_rawsize_perchunk? I got the message after I scheduled a query to move more than 150k rows into a summary index. I appreciate your help. Thank you
Hello, I have a standalone Splunk Enterprise 9.1.3 instance with some DCs and servers connected to it using the Forwarder Management console. At the moment I have 2 server classes configured, 1 for the DCs and the other one for the servers. The server class for the DCs includes only the inputs.conf file for Windows logs:

    [WinEventLog://Security]
    disabled = 0
    index = myindex
    followTail=true
    start_from = oldest
    current_only = 0
    evt_resolve_ad_obj = 1
    checkpointInterval = 5
    whitelist = 4624,4634,4625,4728,4729
    renderXml=false

Moreover, in Splunk Enterprise I configured 2 transforms for splitting the logs into two separate indexes, like this:

props.conf:

    [WinEventLog:Security]
    TRANSFORMS-security = rewrite_ad_group_management, rewrite_index_adm

transforms.conf:

    [rewrite_ad_group_management]
    REGEX = EventCode=(4728|4729)
    DEST_KEY = _MetaData:Index
    FORMAT = index1

    [rewrite_index_adm]
    REGEX = Account Name:\s+.*\.adm
    DEST_KEY = _MetaData:Index
    FORMAT = index2

In particular, the goal is to forward the authentication events (4624,4634,4625) for only admin users (Account Name:\s+.*\.adm) to index2 and only EventCode 4728 and 4729 to index1, and the events that do not match any transform should remain in myindex. At the moment the first transform is not working, so I'm receiving Events 4728 and 4729 in index2. Am I missing something, or is there a better logic to do that? I also tried to combine 4624,4634,4625 and Account Name:\s+.*\.adm with

    (?ms)EventCode=(4624|4634|4625)\X*Account Name:\s+.*\.adm

Thanks in advance

I am having some dashboards created by Splunk Dashboard Studio. Anyone know where I could set static color based on values in the dashboard? Thanks much!
Hi Team, how can I convert a millisecond value to seconds?

    index=testing | timechart max("event.Properties.duration")

Can anyone help with an SPL query that converts the millisecond value to seconds?

Hello, it seems that in Dashboard Studio the static choropleth map has no legend. Here is the SPL:

    index=xxxxxxxx sourcetype=yyyyyy mailgate* src=*
    | iplocation src
    | stats count by Country
    | geom geo_countries allFeatures=True featureIdField=Country

If I put this map in a classic dashboard I get the map with the legend, but in Dashboard Studio no legend is shown. Is there a way to show this legend in Dashboard Studio? Regards, Emile

We used an F5 load balancer in front of 2 Intermediate Forwarders to receive syslog messages. The issue with the load balancer is that all logs are forwarded to one IF and the other is empty. We need to balance the load between them. Where can I investigate this issue?
Hi everyone, I have an Enterprise instance installed on a Windows machine. I am trying to monitor the CPU performance of the machine on which the instance is installed so that I can generate an alert whenever the CPU exceeds 90% performance. Any help will be greatly appreciated!!!
Hello to everyone! I have a Splunk instance with DMC. Every day I see this message in the Errors report:

    04-22-2024 03:03:08.599 +0300 ERROR AdminManagerDispatch [56824 TcpChannelThread] - Admin handler 'resource-usage' not found.

What does it mean? How can I fix it?

Hello, I have this query:

    index="github_runners" sourcetype="testing" source="reports-tests"
    | spath path=libraryPath output=library
    | spath path=result.69991058{} output=testResult
    | mvexpand testResult
    | spath input=testResult path=fullName output=test_name
    | spath input=testResult path=success output=test_outcome
    | spath input=testResult path=skipped output=test_skipped
    | spath input=testResult path=time output=test_time
    | table library testResult test_name test_outcome test_skipped test_time
    | eval status=if(test_outcome="true", "Passed", if(test_outcome="false", "Failed", if(test_skipped="true", "NotExecuted", "")))
    | stats count sum(eval(if(status="Passed", 1, 0))) as passed_tests, sum(eval(if(status="Failed", 1, 0))) as failed_tests , sum(eval(if(status="NotExecuted", 1, 0))) as test_skipped by test_name library test_time
    | eval total_tests = passed_tests + failed_tests
    | eval success_ratio=round((passed_tests/total_tests)*100,2)
    | table library, test_name, total_tests, passed_tests, failed_tests, test_skipped, success_ratio test_time
    | sort + success_ratio

And I'm trying to make it dynamic so I will see results for numbers other than '69991058'. How can I do it?

I'm trying with a regex, but it looks like I'm doing something wrong, since I'm getting 0 results while the first query returns results:

    index="github_runners" sourcetype="testing" source="reports-tests"
    | spath path=libraryPath output=library
    | rex field=_raw "result\.(?<number>\d+)\{\}"
    | spath path="result.number{}" output=testResult
    | mvexpand testResult
    | spath input=testResult path=fullName output=test_name
    | spath input=testResult path=success output=test_outcome
    | spath input=testResult path=skipped output=test_skipped
    | spath input=testResult path=time output=test_time
    | table library testResult test_name test_outcome test_skipped test_time
    | eval status=if(test_outcome="true", "Passed", if(test_outcome="false", "Failed", if(test_skipped="true", "NotExecuted", "")))
    | stats count sum(eval(if(status="Passed", 1, 0))) as passed_tests, sum(eval(if(status="Failed", 1, 0))) as failed_tests , sum(eval(if(status="NotExecuted", 1, 0))) as test_skipped by test_name library test_time
    | eval total_tests = passed_tests + failed_tests
    | eval success_ratio=round((passed_tests/total_tests)*100,2)
    | table library, test_name, total_tests, passed_tests, failed_tests, test_skipped, success_ratio test_time
    | sort + success_ratio

Hi Splunkers, I am working on creating a column line chart dashboard that shows database latency. I'm encountering an issue where I'm trying to pass a token value to the overlay options for a line chart representation over a column chart. Here is what I currently have, my chart and my SPL query:

SPL:

    index=development sourcetype=rwa_custom_function user_action=swmfs_test ds_file=*
    | eval ds_file_path=ds_path."\\".ds_file
    | chart avg(ms_per_block) as avg_processing_time_per_block over ds_file_path by machine
    | appendcols
        [search index=development sourcetype=rwa_custom_function user_action=swmfs_test ds_file=*
        | eval ds_file_path=ds_path."\\".ds_file
        | stats max(block_count) as total_blocks by ds_file_path]

I need to assign the overlay field value (avg_processing_time_per_block) from this line in the SPL:

    | chart avg(ms_per_block) as avg_processing_time_per_block over ds_file_path by machine

The reason I'm attempting to assign it as a token is that avg_processing_time_per_block has dynamic values (sometimes it may be 10 or 12 machines' data) instead of rwmini and rwws01. The column has the total_blocks value. Or are there any other ways to achieve this requirement? Your thoughts on this are highly appreciated. Thank you in advance. Sanjai

Hi All, I have deployed a new deployment server (AWS EC2 instance) and updated the existing Route53 DNS entry to point to this new server. But I see the deployment clients are still making connections to the old server. I believe there is an old connection saved at the deployment client. Does any of you know how to counter this issue? Your solution would help me a lot, please. Regards, PNV
Thanks in advance. I am using dropdown values for my requirement. In the dropdown I am using a token and getting the values from inputlookup, and I pass the value to the Splunk query. There are two dropdowns: one is application name, the other is interface name. If I select values, I get results. If I select ALL, the value shows as * in the Splunk query. Instead of *, I want to get the values as OR conditions. If the token gets *, then it shows all the values. But I want to show the values that come from the inputlookup values, for both application name and interface name.

When I select ALL, my Splunk query looks like this:

    index=mulesoft environment=PRD (applicationName="*" OR priority IN ("ERROR", "WARN"))
    | stats values(*) AS * BY correlationId applicationName
    | rename content.InterfaceName AS InterfaceName content.FileList{} AS FileList content.Filename as FileName content.ErrorMsg as ErrorMsg
    | eval Status=case(priority="ERROR","ERROR", priority="WARN","WARN", priority!="ERROR","SUCCESS")
    | fields Status InterfaceName applicationName FileList FileName correlationId ErrorMsg message
    | search InterfaceName="*" FileList="*"
    | sort -timestamp
    | sort -timestamp

I am expecting:

    index=mulesoft environment=PRD applicationName IN ("Test1" OR "TEST2" OR "Test3") OR priority IN ("ERROR", "WARN")
    | stats values(*) AS * BY correlationId applicationName
    | rename content.InterfaceName AS InterfaceName content.FileList{} AS FileList content.Filename as FileName content.ErrorMsg as ErrorMsg
    | eval Status=case(priority="ERROR","ERROR", priority="WARN","WARN", priority!="ERROR","SUCCESS")
    | fields Status InterfaceName applicationName FileList FileName correlationId ErrorMsg message
    | search InterfaceName IN ("aa" OR "bb" OR "cc") AND FileList="*"
    | sort -timestamp
    | sort -timestamp

Dropdown code:

    </input>
    <input type="dropdown" token="BankApp" searchWhenChanged="true" depends="$BankDropDown$">
      <label>ApplicationName</label>
      <choice value="*">All</choice>
      <search>
        <query>| inputlookup BankIntegration.csv | dedup applicationName | sort applicationName | table applicationName</query>
      </search>
      <fieldForLabel>applicationName</fieldForLabel>
      <fieldForValue>applicationName</fieldForValue>
      <default>*</default>
      <prefix>applicationName="</prefix>
      <suffix>"</suffix>
    </input>
    <input type="dropdown" token="interface" searchWhenChanged="true" depends="$BankDropDown$">
      <label>InterfaceName</label>
      <choice value="*">All</choice>
      <search>
        <query>| inputlookup BankIntegration.csv | search $BankApp$ | sort InterfaceName | table InterfaceName</query>
      </search>
      <fieldForLabel>InterfaceName</fieldForLabel>
      <fieldForValue>InterfaceName</fieldForValue>
      <default>*</default>
      <prefix>InterfaceName="</prefix>
      <suffix>"</suffix>
    </input>

Dears, kindly support: why am I getting "Invalid key in stanza [clustermaster:one] in /opt/splunk/etc/apps/org_cluster_search_base/local/server.conf, pass4SymmKey" in my search head cluster? I made sure that the passkey in the SHC and the deployer is the same. Thank you
I added the 'edit user' capability but retrieved only one user from this URL:

    /services/authentication/users

However, when I added 'power user' permissions, I was able to access most of the users. Could you please clarify what the minimum permissions are to retrieve all users? Additionally, I encountered a similar issue with the URL for fetching triggered alerts:

    /services/alerts/fired_alerts/{ALERT_NAME}

What permissions are necessary for accessing this information? Thanks

Hi, is it possible in SplunkBase, as an App Publisher, to edit the "Release Notes" of one's own app? I mean in an existing version, without publishing a new one. Regards, Altin
Hi team, could you please help me with how to get health alert notifications in Phantom? Thanks in advance. Regards, Harisha
Hi Team, could you please help me with the requirement below: how to make a manual task approval without the approver logging in to Phantom? Thanks in advance. Regards, Harisha
Hi! I want to try Splunk UBA on a single Linux machine. But on the app download page, I'm seeing an error saying app installation is restricted to certain users and your user profile is not in that list. Any suggestions to resolve this? Thanks, Abhishek