All Topics

There is no option "Alert" when I try to "Save As" for the current search. There is also no "Access Controls" in "Settings". My final plan is to send alerts to Slack channels, but all the instructions I was able to find are for different versions of Splunk (Enterprise, etc.). Could someone point me in the right direction? Thank you!
I've been testing both "Splunk App for Salesforce" and "Splunk Add-on for Salesforce" since last year. I just checked to ensure I'm on the most recent version and I see the App is archived. Has it been deprecated? Is there a replacement option? THANKS
I have integrated Splunk with ServiceNow and am getting the below error:
log_level=ERROR pid=531305 tid=MainThread file=snow_data_loader.py:_do_collect:538 | Failure potentially caused by expired access token. Regenerating access token
Hi colleagues, hope everyone is doing well! I need some advice. I have a server that writes logs to /var/log/test_log.json. On the Splunk side, I opened a port via "Data Input -> TCP". The logs in test_log.json are written line by line. Example:
{"timestamp":"2025/02/27 00:00:15","description":"Event 1"}
{"timestamp":"2025/02/27 00:00:16","description":"Event 2"}
{"timestamp":"2025/02/27 00:00:17","description":"Event 3"}
Could anyone suggest if they have a ready-made rsyslog configuration file for correctly reading this log file? The file is continuously updated with new logs, each on a new line. I want rsyslog to read the file and send each newly appearing line as a separate log. Has anyone encountered this before and could help with a ready-made rsyslog configuration? Thank you!
I would like to run PowerShell scripts and commands out to my endpoints via the Universal Forwarder, but based on the script or command I would like to specify which endpoint it goes to/which it collects an output from. I have attempted this with the following entry in the local inputs.conf, but it still ran on all the endpoints.
[powershell://find_version]
script = [powershell command here]
host = [XXX]
index = [index here]
schedule = [cron here]
disabled = 0
Hello, Newb here trying to get up to speed... I need to create dashboards that will allow me to perform the audit events listed in the JSIG:
1. Authentication events:
    (1) Logons (Success/Failure)
    (2) Logoffs (Success)
2. Security Relevant File and Objects events:
    (1) Create (Success/Failure)
    (2) Access (Success/Failure)
    (3) Delete (Success/Failure)
    (4) Modify (Success/Failure)
    (5) Permission Modification (Success/Failure)
    (6) Ownership Modification (Success/Failure)
3. Export/Writes/downloads to devices/digital media (e.g., CD/DVD, USB, SD) (Success/Failure)
4. Import/Uploads from devices/digital media (e.g., CD/DVD, USB, SD) (Success/Failure)
5. User and Group Management events:
    (1) User add, delete, modify, disable, lock (Success/Failure)
    (2) Group/Role add, delete, modify (Success/Failure)
6. Use of Privileged/Special Rights events:
    (1) Security or audit policy changes (Success/Failure)
    (2) Configuration changes (Success/Failure)
7. Admin or root-level access (Success/Failure)
8. Privilege/Role escalation (Success/Failure)
9. Audit and security relevant log data accesses (Success/Failure)
10. System reboot, restart and shutdown (Success/Failure)
11. Print to a device (Success/Failure)
12. Print to a file (e.g., pdf format) (Success/Failure)
13. Application (e.g., Adobe, Firefox, MS Office Suite) initialization
Are there templated Splunk search commands for these? And if so, could you point me to them? Many thanks!
Hello, I have the same question that was also asked in 2017 (the solution is outdated and doesn't work anymore): "With a SaaS controller, how can I get a clear report of how many licenses are consumed by application? I don't need the speed dials that tell me how many licenses are consumed in total. What I need is the license count per actual application that I have created in AppDynamics. We need this to figure out what is the cost per application." Has it been implemented, or is there a way in 2024 to get this?
I see there is a forwarder management dashboard in the monitoring console where you can check if the host is reporting or not. I want the search that is used, as the table contains the host name and the IP address; also, there is no option for export in that dashboard. There is another similar dashboard in the monitoring console named forwarder_deployment, but it does not show the IP address, only the host name. Can you help with that?
Hello, As a SOC analyst, what are the best practices for writing SPL queries to quickly find specific data (such as an IP address, a string, or a keyword) across all logs and indexes? I understand that it's generally recommended to narrow down searches and avoid using `index=*`, but sometimes I don't know exactly where the data is indexed (i.e., which index, sourcetype, or field name). Any advice would be greatly appreciated. Thanks in advance!
I am a Splunk Enterprise Certified Admin who has an opportunity to advance to Splunk Architect. I'm planning on taking the Splunk Lab. I am preparing for my Splunk Architect practical lab. Please, I want to ask: in the practical lab exam, is it acceptable to have only one instance run as the Deployment Server, License Master and the Monitoring Console on the same port on the management system, or am I expected to run three different Splunk instances working on different ports (Deployment Server, License Master and Monitoring Console) on the management system?
We have a 4-node SHC connected to a deployer. For a use case, I created a simple custom app that is just putting a handful of dashboards together. For ease of use, I created this directly on the SHC and all knowledge objects replicated among the members. During the next bundle push, will the deployer delete this app from the SHC as it has no knowledge of it? Should I move this app under the shcluster/apps folder on the deployer as well to be safe? Thanks, ~Abhi
So I had help before: after a search I could send a report on a schedule and send a token to a Mattermost channel. I can send the token and it works, but I am doing a search where one of the fields is a sum, for example stats sum(SizeGB), which is getting the sum for a Project ID for a day. What the search is doing is getting the total amount of data uploaded for a Project, and the report works great; however, I want to send the figure as a token in the alert. I can send the project ID but not the sum. I have tried $testresult.sum(SizeGB)$, and I also did an eval of the sum and called it total_size and tried that as a token, and it is just blank.
I want to get all action.correlationsearch.label into an autocomplete field of a custom UI, displaying all the correlation search names in this dropdown and filtering on typing. I have ruled out using https://<deployment-name>splunkcloud.com:8089/services/search/typeahead as that field does not have the field I need in the prefix. Is there a method using a Splunk endpoint with actual typeahead functionality where this is possible? I know I can use /services/saved/searches to get the rules and then implement filtering logic.
The latest appinspect tool (splunk-appinspect inspect ....) returns a failure on our Add-on, which is using the cffi backend for cpython. Below is the text form of the error message; I also included a screenshot of the failure. Our App/Add-on has been using this module for a long time; multiple old versions have it, and we have never seen this failure before. We got this package from wheelodex (URL included below) to enable support for python3-cffi. URL: https://www.wheelodex.org/projects/cffi/wheels/cffi-1.17.1-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl/
A default value of 25 for max-messages will be used.
Binary file standards
Check that every binary file is compatible with AArch64.
FAILURE: Found AArch64-incompatible binary file. Remove or rebuild the file to be AArch64-compatible. File: linux_x86_64/bin/lib/_cffi_backend.cpython-39-x86_64-linux-gnu.so
File: linux_x86_64/bin/lib/_cffi_backend.cpython-39-x86_64-linux-gnu.so
Even the old versions of apps that are published and available on the Splunk app store are running into this failure. Any insights on how to get this addressed?
Hi, we have a cluster of 3 search heads and 3 indexers, a 2+1 primary and DR setup for both indexers and search heads. If a DR indexer and a search head got corrupted, instead of creating a new VM, installing fresh Splunk on the new VM and adding it to the search head and indexer cluster, is there a chance we can clone the existing search head and indexer VM to the new search head and indexer VM and make it join the cluster?
I have an SSL certificate .pem provided by my organization and I need to configure it in Splunk HF. Please assist with any document referrals or steps. I have already gone through the Splunk documentation below but had no luck: https://docs.splunk.com/Documentation/Splunk/9.4.0/Security/ConfigureandinstallcertificatesforLogObserver
We were told the following: the Confluent vendor has provided the Telemetry URL to configure in Splunk's OpenTelemetry Collector to push the metrics from Confluent to Splunk. Is this the right integration between Confluent and Splunk, meaning via the OpenTelemetry Collector (OTEL)?
Hi fellow Splunkers, recently I deployed WinPrintMon inputs to our print server to check driver versions and found out that Splunk falsely calculated the modulus. Tested in Enterprise 9.3.2 and 9.4.0. In the calculated version I found out that the revision of a driver differs from the Print Management on that print server directly. I calculate the revision like this: version % pow(2,16). In my case the calculation translates to 17171305019303231 % 65536. Splunk calculates 25920, which isn't correct; it is 25919.
Hello, I am looking to download the Forwarder package for Windows ARM for Surface 7 laptops and am not finding the link; please help me with it. Thanks
Hi, I'm trying to make an API request from my local machine to our Splunk Cloud instance, without much success. I checked the firewall logs and I can't see any blocked/denied traffic. Using:
- curl 7.29.0
- nss-3.90
Error received:
* Host myDomain.splunkcloud.com:8089 was resolved.
* IPv6: (none)
* IPv4: xx.xx.xx.xxx
* Trying xx.xx.xx.xxx:8089...
* Connected to myDomain.splunkcloud.com (xx.xx.xx.xxx) port 8089
* schannel: disabled automatic use of client certificate
* ALPN: curl offers http/1.1
* Recv failure: Connection was reset
* schannel: failed to receive handshake, SSL/TLS connection failed
* closing connection #0
curl: (35) Recv failure: Connection was reset