I have recently run into an issue with multiple "WARN HttpListener [HttpDedicatedIoThread:0] Socket error from [Search Head IP] while accessing /services/streams/search: broken pipe" for each Indexer in the Index cluster. There is a SH cluster, and a standalone SH. The standalone houses an app that does heavy backend searching. And the majority of the errors are from the standalone. When looking at the "I/O Operations per second" and "Storage I/O Saturation (cold/hot/opt)" from the Monitoring Console all instances are below 1%. I am not sure which settings to adjust to fix this error. Would adjusting the maxSockets and/or maxThreads in the server.conf help? Currently they are both set to default. Or should I be looking at values in limits.conf? This is happening on version 9.0.1. Any suggestions to help solve this would be much appreciated. Thanks!

I have a lookup table that I want to use in a search. So I load the lookup table and use format. However I noticed there is a limit to 50,000 events in the format's result. What config allows me to increase that or convert a column of values into a single string? | inputlookup test.csv | table count | format The lookup has 50,001 values in it but format only goes up to 50,000. 

Hi all,  I am trying to configure a REST API (OAuth) into a Splunk cloud trial environment. I'm running into issues and not seeing a clear way to pull this data in. I've tried using the HTTP event collector with no luck.  I want to consume and search on the events that are pulled. Could this be a limitation on my cloud trial? Anything I'm missing?  I did find an app called "REST API Modular Input" that seems to work with splunk enterprise, but not splunk cloud. is there a free equivalent on splunk cloud splunkbase? Thanks, Michelle

Hi Spelunker, I want to create a field "Credentialed checks:" with this field value. Please help. regards, Nessus version : 8.10.0 Nessus build : 20232 Plugin feed version : 202210171349 Scanner edition used : Nessus Scanner OS : LINUX Scanner distribution : es6-x86-64 Scan type : Normal Scan policy used : eb1cd575-c2d4-5be5-8010-1290128ec92e-23586099/01. PCI-INTERNAL-VA-SCAN Scanner IP : 10.6.6.51 Port scanner(s) : nessus_syn_scanner Port range : sc-default Ping RTT : Unavailable Thorough tests : no Experimental tests : no Plugin debugging enabled : no Paranoia level : 1 Report verbosity : 1 Safe checks : yes Optimize the test : yes Credentialed checks : no Patch management checks : None Display superseded patches : no (supersedence plugin launched) CGI scanning : disabled Web application tests : disabled Max hosts : 30 Max checks : 4 Recv timeout : 5 Backports : Detected Allow post-scan editing : Yes Scan Start Date : 2022/10/18 19:50 +07 Scan duration : 561 sec" ........................................................................................................ Nessus version : 8.10.0 Nessus build : 20232 Plugin feed version : 202210171349 Scanner edition used : Nessus Scanner OS : LINUX Scanner distribution : es6-x86-64 Scan type : Normal Scan policy used : eb1cd575-c2d4-5be5-8010-1290128ec92e-23586099/01. PCI-INTERNAL-VA-SCAN Scanner IP : 10.6.6.51 Port scanner(s) : netstat Port range : sc-default Ping RTT : Unavailable Thorough tests : no Experimental tests : no Plugin debugging enabled : no Paranoia level : 1 Report verbosity : 1 Safe checks : yes Optimize the test : yes Credentialed checks : yes, as 'isdscan' via ssh Attempt Least Privilege : no Patch management checks : None Display superseded patches : no (supersedence plugin launched) CGI scanning : disabled Web application tests : disabled Max hosts : 30 Max checks : 4 Recv timeout : 5 Backports : Detected Allow post-scan editing : Yes Scan Start Date : 2022/10/18 19:51 +07 Scan duration : 2483 sec"

Hello,  I find myself needing a jump start on Splunk API calls with tokens. Anyone have more information than the docs?   https://docs.splunk.com/Documentation/Splunk/8.2.6/Security/UseAuthTokens   any techniques to make testing easier?  I need to confirm that a given token is valid, I have the correct port number and that some basic functionality works with the API calls.  Anything would be greatly appreciated.  Has this been a topic of past Splunk .conf? 

I'm setting up Splunk Cloud for my organization.  Lately I've been getting errors when I try to establish a connection between my services and Splunk Cloud both from on-premises systems and cloud environments.   I've been getting timeout errors as shown above when Cloudflare tests the connection.  I also get timeout messages when other applications (ADAudit) send data to Splunk.  Has anyone run into issues such as this or could give me some pointers.  My organization has reached out to Splunk regarding establishing a service contract (We thought it was included in our order) but have not heard anything back from our sales rep yet. 

  I have a search index="xyz" sourcetype="csv" | fillnull value="unknownMan" field1 field2 field3 field4 | eventstats dc(field1) as xyz by field2 field3 field4 | table field1 field2 field3 field4 while running this, i'm getting NULL values in the results? Please help me with this why NULL values will be coming when there is no NULL values in the events??

Please let me know the correlation search query and time range conditions for two of these usecases. I have windows powershell logs onboarded.   1. Suspicious Windows Shell Launched by Web Applications  2. Suspicious Windows Shell Launched by a trusted process

I have a flat file that is in JSON format where events have no date/time as follows:     {"device": "info.gw.xyz.com", "ip": "x.x.x.x", "age": "0", "mac": "Incomplete", "interface": " "}, {"device": "info.gw.xyz.com", "ip": "x.x.x.x", "age": "-", "mac": "0000.0000.0000", "interface": "Vlan673"}     My props.conf file is as follows:     [my_arp] INDEXED_EXTRACTIONS = JSON TZ=UTC     Problem is when I search events, they are four hours in the future. The files are on a sever that has the UF and that has the correct time set so looking through the Splunk docs  (https://docs.splunk.com/Documentation/Splunk/9.0.1/Data/HowSplunkextractstimestamps) I see this: If no events in the source have a date, Splunk software tries to find a date in the source name or file name. The events must have a time, even if they don't have a date. The files do have a date and time How do I fix this? Thx

I'm trying to install Splunk SOAR in and EC2 Linux machine (8vCPU and 16GB RAM). I used this link https://docs.splunk.com/Documentation/SOARonprem/5.3.5/Install/InstallRPM. On running sudo ./soar-install i'm getting errors. Trying this setup for test purpose only. The storage I have added is less than 500GB.    Traceback (most recent call last): File "/opt/phantom/5.3.4/splunk-soar/./soar-install", line 85, in main deployment.run() File "/opt/phantom/5.3.4/splunk-soar/install/deployments/deployment.py", line 130, in run self.run_pre_deploy() File "/opt/phantom/5.3.4/splunk-soar/usr/python39/lib/python3.9/contextlib.py", line 79, in inner return func(*args, **kwds) File "/opt/phantom/5.3.4/splunk-soar/install/deployments/deployment.py", line 163, in run_pre_deploy raise InstallError( install.install_common.InstallError: pre-deploy checks failed. Warnings can be ignored with --ignore-warnings install failed.   Anyone faced any issues similar to this ?