All Topics

I can't see my logs. Stack: Spring Boot, Maven. Here is my pom file:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>3.0.2</version>
    <relativePath/> <!-- lookup parent from repository -->
  </parent>
  <groupId>com.example</groupId>
  <artifactId>SpringBootCRUDWithSplunkIntegration</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <name>SpringBootCRUDWithSplunkIntegration</name>
  <description>SpringBootCRUDWithSplunkIntegration</description>
  <properties>
    <java.version>17</java.version>
  </properties>
  <repositories>
    <repository>
      <id>splunk-artifactory</id>
      <name>Splunk Releases</name>
      <url>https://splunk.jfrog.io/splunk/ext-releases-local</url>
    </repository>
  </repositories>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-data-jpa</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
      <exclusions>
        <exclusion>
          <groupId>org.springframework.boot</groupId>
          <artifactId>spring-boot-starter-logging</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <!-- https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-log4j -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-log4j2</artifactId>
    </dependency>
    <!-- https://mvnrepository.com/artifact/com.splunk.logging/splunk-library-javalogging -->
    <dependency>
      <groupId>com.splunk.logging</groupId>
      <artifactId>splunk-library-javalogging</artifactId>
      <version>1.8.0</version>
      <scope>runtime</scope>
    </dependency>
    <dependency>
      <groupId>org.postgresql</groupId>
      <artifactId>postgresql</artifactId>
      <scope>runtime</scope>
    </dependency>
    <!-- https://mvnrepository.com/artifact/org.umlg/sqlg-postgres-dialect -->
    <dependency>
      <groupId>org.umlg</groupId>
      <artifactId>sqlg-postgres-dialect</artifactId>
      <version>1.3.2</version>
    </dependency>
    <dependency>
      <groupId>org.projectlombok</groupId>
      <artifactId>lombok</artifactId>
      <optional>true</optional>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-test</artifactId>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
      <version>1.2.12</version>
    </dependency>
  </dependencies>
  <build>
    <plugins>
      <plugin>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-maven-plugin</artifactId>
        <configuration>
          <excludes>
            <exclude>
              <groupId>org.projectlombok</groupId>
              <artifactId>lombok</artifactId>
            </exclude>
          </excludes>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>

Here is my log4j.xml:

<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
  <Appenders>
    <Console name="console" target="SYSTEM_OUT">
      <PatternLayout pattern="%style{%d{ISO8601}} %highlight{%-5level }[%style{%t}{bright,blue}] %style{%C{10}}{bright,yellow}: %msg%n%throwable" />
    </Console>
    <SplunkHttp name="splunkhttp" url="http://127.0.0.1:8088" token="c7d19018-8e86-4c22-ace8-00903bb92845" host="localhost" index="spring_dev" type="raw" source="source name" sourcetype="log4j" messageFormat="text" disableCertificateValidation="true">
      <PatternLayout pattern="%m" />
    </SplunkHttp>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="console" />
      <AppenderRef ref="splunkhttp" />
    </Root>
  </Loggers>
</Configuration>

Can anybody help with that issue? I've tried everything, literally.
Trying to upgrade our Windows Server 2019 based Splunk version 9.0.0 to 9.1.0.1, and it's randomly failing on 50% (half) of our 12 servers in our lab. The error below is from one of our non-clustered Search Heads; others, which are identical, installed fine. We got the same error on our index Cluster Master.

Splunk Enterprise Setup Wizard ended prematurely
Splunk Enterprise Setup Wizard ended prematurely because of an error. Your system has not been modified. To install this program at a later time, run Setup Wizard again. Click the Fiinish button to exit the Setup Wizard.

Setup cannot copy the following files:
Splknetdrv.sys
SplunkMonitorNoHandleDrv.sys
SplunkDrv.sys
Hi all, urgent help here. I check whether there is any activity done by a user on a client machine, so I use this query in Splunk search: [host="domain controller's server name" "user's account name"]. From the result, I see that there are multiple login/logout sessions within seconds and multiple Kerberos events. I can confirm that there is no physical user using the client machine. So can I ask why there are still wineventlogs (login/logout)?
Hi, I have created a Splunk email alert and it seems to be triggering twice. Below are the query and alert configuration.

query:
index="liquidity" AND cf_space_name="pvs-ad00008034" AND (msg.Extended_Fields.ValueAmount = "0" OR msg.Extended_Fields.ValueAmount = "NULL" OR msg.Results.Message="EWI Load process is completed*") | table _time, msg.Extended_Fields.DataSource, msg.Extended_Fields.ValueAmount, msg.Results.Message | sort by _time | rename msg.Extended_Fields.ValueAmount as ValueAmount | rename msg.Results.Message as Message | rename msg.Extended_Fields.DataSource as DataSource

trigger condition:
search Message = "EWI Load process is completed*" | stats count as Total | search Total > 0
So we rebuilt our SHs by completely blowing them out and starting with a fresh 9.1.01 install. Then, just for kicks, before making a SH cluster I installed Splunk Security Essentials on one of the SHs. The app worked wonderfully, but when I made it part of a cluster it gave errors. I am attaching snippets of both so you can see. Keep in mind that all that was changed was that I put the SH into a cluster, and then I got the errors.
Hello, support didn't provide a way to see the current state of squash_threshold in our clustered environment. They suggest increasing it from 2000 to 3000, for instance. How do you set this value? Thanks for your help.
Hi there, I have just checked the Cloud Monitoring Console after receiving an email that noted some apps were ready to be upgraded to Python 3. I am using Splunk Cloud and saw the following information about my universal forwarders. I have attached a screenshot, but the date doesn't appear to make sense and the newer version is showing as being outdated. Any help would be appreciated. Jamie
Hi Team, is this feature available in a cloud instance (free tier, trial version): sharing the Studio dashboard URL with an anonymous user (the URL should be able to open in browsers and on mobile devices)? Thanks.
Hi, we know how to change the Web UI SSL certificate to a custom one. How about the certificate used for other ports (like JobManager)? Is it possible?
Dear Team, I have a Splunk lookup with two fields, username and location. The lookup is populated every time the location is US. However, I want to see whether the location keeps changing. So I would like to write a query which first checks if the username exists in the lookup and, if it does, matches the location in the event field against the lookup field. If the location from the event field doesn't match that of the lookup field, it should remove that username from the lookup. Any ideas or suggestions would be appreciated.
I have the Microsoft Azure App for Splunk 2.0.1 and I have data for `azure-consumption` (sourcetype=azure:billing) via Splunk Add-on for Microsoft Azure 4.0.3. The Billing dashboard queries are filtering on properties.subscriptionId, but this is not in my data; I have subscriptionGuid and subscriptionName. We have recently moved to an MCA single billing model, and it looks like this has caused the issue, as the legacy dashboards stopped at this time. It looks like the type Microsoft.Consumption/usageDetails has completely changed; I notice that the 'kind' has changed from 'legacy' to 'modern'. Has anyone else encountered this and have a solution? Are the dashboards supposed to work for my data? Thanks
I have an issue with KV store: "KV Store initialization failed". To overcome this issue I followed the steps below, and after that no new "KV Store initialization failed" error was shown. But after that all the entries under the KV store lookup vanished. Please help me with how I should restore the entries. If a restore is not possible, then what is the other possible solution to restore the entries?

1. Stop Splunk
2. Rename the current mongo folder to old
3. Start Splunk

And you will see a new mongo folder created with all the components.
Hello, we have 1 master server (receiver or indexer) and 50 slave servers. All are Linux servers. Now, we need to install the universal forwarder on all 50 Linux machines. Is there any way to automate this installation process without any manual work? It would be really helpful if I got a solution. Thanks, Ragav
Hi, looking to change the color of a field based on its value in a monitoring context, like a failed/successful kind of thing. Any idea how to do this would be great. The table cell color is what I am looking to change.
Hello, I have installed the Splunk Enterprise free version on my PC and I have installed the app Splunk App for Lookup File Editing, but unfortunately it doesn't work. When I try to upload a .csv file I get the following error: "File is binary or file encoding is not supported, only utf-8 encoded files are supported splunk". I tried to change the permissions on the app's folder on Windows but that did not resolve the problem. I tested with a very simple CSV, and this is the result: in the CSV the columns test3,test,test2 were divided. I saved the .csv in all formats. Thanks for the support!
Hey, we're in the process of upgrading our Splunk single instances from 8.2.5 to 9.1.0.1 due to EOL. We have two Splunk instances: production, which is under the enterprise license, and test, which is under the free license. We first started upgrading our test Splunk instance with the free license and we instantly saw these errors:

07-31-2023 07:01:44.412 +0000 ERROR ExecProcessor [670742 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_assist/bin/uiassets_modular_input.py" [modular_input:349] [execute] [834704] Modular input: Splunk Assist exit with exception: Traceback (most recent call last):
07-31-2023 07:01:44.412 +0000 ERROR ExecProcessor [670742 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_assist/bin/uiassets_modular_input.py" File "/opt/splunk/etc/apps/splunk_assist/bin/assist/modular_input.py", line 342, in execute
07-31-2023 07:01:44.412 +0000 ERROR ExecProcessor [670742 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_assist/bin/uiassets_modular_input.py" self.do_run(input_definition["inputs"])
07-31-2023 07:01:44.412 +0000 ERROR ExecProcessor [670742 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_assist/bin/uiassets_modular_input.py" File "/opt/splunk/etc/apps/splunk_assist/bin/uiassets_modular_input.py", line 66, in do_run
07-31-2023 07:01:44.412 +0000 ERROR ExecProcessor [670742 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_assist/bin/uiassets_modular_input.py" if not should_run(self.logger, self.session_key):
07-31-2023 07:01:44.412 +0000 ERROR ExecProcessor [670742 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_assist/bin/uiassets_modular_input.py" File "/opt/splunk/etc/apps/splunk_assist/bin/uiassets_modular_input.py", line 27, in should_run
07-31-2023 07:01:44.412 +0000 ERROR ExecProcessor [670742 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_assist/bin/uiassets_modular_input.py" sh = is_search_head(log, session_key)
07-31-2023 07:01:44.412 +0000 ERROR ExecProcessor [670742 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_assist/bin/uiassets_modular_input.py" File "/opt/splunk/etc/apps/splunk_assist/bin/assist/serverinfo.py", line 153, in is_search_head
07-31-2023 07:01:44.412 +0000 ERROR ExecProcessor [670742 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_assist/bin/uiassets_modular_input.py" cluster_mode = get_cluster_mode(log, session_key)
07-31-2023 07:01:44.412 +0000 ERROR ExecProcessor [670742 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_assist/bin/uiassets_modular_input.py" File "/opt/splunk/etc/apps/splunk_assist/bin/assist/serverinfo.py", line 257, in get_cluster_mode
07-31-2023 07:01:44.412 +0000 ERROR ExecProcessor [670742 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_assist/bin/uiassets_modular_input.py" raiseAllErrors=True
07-31-2023 07:01:44.412 +0000 ERROR ExecProcessor [670742 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_assist/bin/uiassets_modular_input.py" File "/opt/splunk/lib/python3.7/site-packages/splunk/rest/__init__.py", line 646, in simpleRequest
07-31-2023 07:01:44.412 +0000 ERROR ExecProcessor [670742 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_assist/bin/uiassets_modular_input.py" raise splunk.LicenseRestriction
07-31-2023 07:01:44.412 +0000 ERROR ExecProcessor [670742 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_assist/bin/uiassets_modular_input.py" splunk.LicenseRestriction: [HTTP 402] Current license does not allow the requested action
07-31-2023 07:01:44.412 +0000 ERROR ExecProcessor [670742 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_assist/bin/uiassets_modular_input.py" .

This Splunk Assist issue seems to come from the usage of the free license on Splunk. I tried to disable the splunk_assist app but it wouldn't let me:

Cannot disable app: splunk_assist

As a result of the previous errors, we are seeing UI errors as well:

Unable to load common tasks. Refresh the page to try again.

Any idea on how to proceed?
Hello, my Splunk courses (Splunk) are not working. After clicking on one, it just keeps loading and I am not getting access to the course. Please let me know.
Hi there, is there any kind of limitation in the TA-elasticsearch-data-integrator app? We currently face the problem that we ingest just a small amount of data from the Elastic cluster itself. To me it looks like some kind of limitation (snapshot attached). We have 3 Heavys in place running on Splunk 9.0.5. Thanks and best regards, Brenny
Hi all, I just upgraded Splunk Enterprise from 8.1.2 to 8.2.6.1, and I found that some of my big searches return the message below when I run them:

"Error in 'SearchPipeline': The pipeline size for this search exceeds a search command limit : 340"

I've never seen this message on 8.1.2 before. Could you please guide me on which conf file stanza should be modified to increase the pipeline limit?
I've recently moved from an on-prem Splunk SOAR to the SaaS-based SOAR Cloud and am wondering if there's an equivalent of the delete_containers.py script for Cloud. I'm aware we can't run bespoke scripts on Cloud, which is OK, but I haven't been able to manage container numbers besides running manual deletion, which is time consuming. Thanks!