Seeing different results when performing similiar searches and not sure on the reason.  base search is the same for both    |timechart span=5m count(eval(if(event=="Started",total,0))) as "started, count (eval(if(event =="Completed",total,0))) as "completed" |eval divergence = completed-started second search is |timechart span=5m count(eval(event=="Started")) as "started, count (eval(event =="Completed")) as "completed" |eval divergence = completed-started    they both produce same results but reversed: first query  time started completed divergence time 18499 18517 18 time 18426 18422 -4   second query time started completed divergence time 18517 18499 -18 time 18422 18426 4   any help will be appreciated  

Lately, I have been reading the Splunk Validated Architectures (SVAs) [found here]  The document states in the Introduction that there is a tool called "Interactive Splunk Validated Architecture (iSVA)", and in there is a link to it (https://sva.splunk.com), but this link redirects me to the pdf itself!  I have searched for the tool on google but with no luck, now I'm just wondering what happened to this tool and where I can find it. I really appreciate any help anyone can provide. Edit: Is there any newer version of the document? because the current one is from January 2021.

Hello, I have a query in which I display some value over time in a chart and I want to create an alert that will be triggered when this value is over some threshold for more then 10 minutes straight. How would I perform this alert?

Hi,  is there a list with recommended indexes for Security Essentials? I have to build a PoC in a greenfield deployment and would like to create the indexes in a way that they are also usable in Enterprise Security. thanks Alex

Hey all - I successfully installed a forwarder on my RPI a while back but can't seem to be able to do it again. After unpacking splunkforwarder-9.0.3-dd0128b1f8cd-Linux-armv8.tgz into /opt/, I can't run the splunk binary.  I have also tried the 64bit and s390x, just cuz. I've google extensively and had not luck with some solutions such as creating a symbolic link to a certain file, but the file already exists in the system. I realize this file name says armv8 and armv8 "introduces the 64-bit instruction set", but the downloads page doesn't have armv7. Anyway.... sudo /opt/splunkforwarder/bin/splunk start --accept-license /opt/splunkforwarder/bin/splunk: 1: Syntax error: "(" unexpected uname -a Linux zeek-pi 5.15.61-v7l+ #1579 SMP Fri Aug 26 11:13:03 BST 2022 armv7l GNU/Linux uname -r 5.15.61-v7l+   Any suggestions on how to fix this? Thank you!

I have Splunk setup and it establishes connection with syslog and splunk universal forwarder from a remote server: I have syslog-ng setup as follows:    You can see the connections established :   This is the inputs.conf for the splunk universal forwarder:    But still no data is being received by splunk:      I was able to use some powershell script to verify that the logs were being sent and delivered to the server with splunk. The issue is with splunk itself.   Am I missing something? And how would I go about troubleshooting the issue and fixing it?

Hello!! I'm trying to integrate Akamai with Splunk using the APP: https://splunkbase.splunk.com/app/4310 But when trying to configure, I get the error below: "Encountered the following error while trying to save: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target" Java was installed as required: java -version openjdk version "1.8.0_352" OpenJDK Runtime Environment (build 1.8.0_352-b08) OpenJDK 64-Bit Server VM (build 25.352-b08, mixed mode) The APP was installed on my Splunk Enterprise(HeavyFowarder), the configuration was based on this document: https://techdocs.akamai.com/siem-integration/docs/siem-splunk-connector I imported the certificate into the Java path: keytool -importcert -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.352.b08-2.el7_9.x86_64/jre/lib/security/cacerts -storepass changeit -file certificate.crt Reference - https://stackoverflow.com/questions/21076179/pkix-path-building-failed-and-unable-to-find-valid-certification-path-to-requ?page=2&tab=scoredesc#tab-top Error in Log: "01-13-2023 11:39:54.829 -0300 INFO SpecFiles - Found external scheme definition for stanza="TA-Akamai_SIEM://" from spec file="/opt/splunk/etc/apps/TA-Akamai_SIEM/README /inputs.conf.spec" with parameters="hostname, security_configuration_id_s_, client_token, client_secret, access_token, initial_epoch_time, final_epoch_time, limit, log_level, proxy_host, proxy_port" 01-13-2023 11:39:55.241 -0300 INFO ModularInputs - Introspection setup completed for scheme "TA-Akamai_SIEM". 01-13-2023 11:42:07.678 -0300 WARN ModularInputs - Argument validation for scheme=TA-Akamai_SIEM failed: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification target path to requested 01-13-2023 11:42:29.337 -0300 WARN ModularInputs - Argument validation for scheme=TA-Akamai_SIEM failed: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification target path to requested" I don't use proxy... Does anyone have a light? I'm losing hope of doing this integration! Thanks!