Hello, I am having troubles with the installation of Splunk Enterprise as non-root user. I think it may be some kind of problem with Red Hat Enterprise v9 or maybe systemd. Online, even in the documentation and in the community, i was not able to find precise informations on how to execute the installation as non-root user (even for non-fedora systems). Consulting online resources i came up with this steps:      sudo su useradd splunk mv package.rpm /tmp; cd tmp rpm -i package.rpm ls -l /opt/ | grep splunk #i don't give ownership to /opt/splunk to the user splunk because with the installation it is automatic su - splunk cd /opt/splunk/bin ./splunk start --accept-license PIDS=$(/opt/splunk/bin/splunk status | grep splunkd | awk {'print$5'} | tr -d \)\.); ps -p $PIDS -o ruser= #to check if it is executed by splunk ./splunk stop exit /opt/splunk/bin/splunk enable boot-start -systemd-managed 1 #the boot-start is started after the /splunk start, for some strange reason if i put the boot-start before the start it doesn't let me use the splunk command su - splunk /opt/splunk/bin/splunk start exit # for the integrated firewall problem: sudo su firewall-cmd --zone=public --add-port=8000/tcp --permanent; firewall-cmd --zone=public --add-port=8089/tcp --permanent; firewall-cmd --zone=public --add-port=9997/tcp --permanent; firewall-cmd --zone=public --add-port=9887/tcp --permanent; firewall-cmd --reload        they are far from perfect but for some strange reason this steps make it all work. Unfortunatly i am not confident with this solution and i don't want to use it in a production enviroment. So i am here to ask you if some of you know some better steps to do this installation. If you have some best practices that i am ignoring i would be glad to hear them. Thanks a lot in advance

Hi Splunkers, for our customer we have the need to understand if we can obtain an asset and identity inventory using Splunk.  I know that, with the Enterprise Security, this can be achieved in many ways, for example with a CMDB; I found a useful link here. The point is that we have not the ES SH; we have only the "classic" SH, in a SaaS solution. Is there any equivalent solution?

Hi, My Splunk Enterprise security is hosted in Linux servers and the Splunk UF is deployed to both Linux and Windows Operating Systems. Recently Qualys has reported a Vulnerability on the Splunk servers that the UF is listening through port 8089 and is accessible using default password. Can some one help me how to change this default password with out individually log into these large number of end points. Is there any way to centrally do this from Splunk servers. 

I have an issues with lookup, i create a table  I want to exclude path in lookup table from my search, so i try this query :  index="kaspersky" AND etdn="Object not disinfected" p2 NOT ([ inputlookup FP_malware.csv]) | eval time=strftime(_time,"%Y-%m-%d %H:%M:%S")|stats count by time hip hdn etdn p2 | dedup p2 it seems not working . So how can i fix this ????? Many thanks !!