Hi @t183194 @colbym , Splunk DB Connect does not natively support key pair authentication as an out-of-the-box option across all database types. However, certain databases like Snowflake offer specific workarounds, which you can refer to in the following article: 🔗 https://splunk.my.site.com/customer/s/article/Unable-to-save DB Connect primarily relies on the JDBC drivers of the target databases. If a particular JDBC driver supports key pair (or certificate-based) authentication, it may be possible to enable it by configuring advanced connection parameters within DB Connect. This is often the case with databases like Snowflake. For other databases, support for key pair authentication depends entirely on the capabilities of the respective JDBC driver, so it’s worth checking the official driver documentation. If you’d like to share your suggestion or request this as a feature enhancement, you can submit it to Splunk via their Ideas Portal: 🔗 https://ideas.splunk.com/ To summarize, implementing key pair authentication is something that typically needs to be handled at the JDBC level, not directly through the DB Connect UI. ... View more

Hi @igor5212 ,   upgrading from Splunk 8.1.14 to 9.4 is supported, as Splunk supports direct upgrades between any two minor/patch versions, provided you follow upgrade best practices. However, for testing purposes, you’ll need to get a copy of Splunk 8.1.14, and unfortunately, it’s not listed on the public Splunk downloads page anymore, as they tend to remove older versions. Please reach out to Splunk Support for the older version https://splunk.my.site.com/customer/s/need-help/create-case  backup Splunk_HOME/etc folder and $Splunk_home/var/lib/splunk before procedding Check the Python 3 compatibility for the scripts and addons in the HF ... View more

Hi @JH2 ,   Can you check this below link    https://answers.splunk.com/answers/627432/jquery-datepicker-in-splunk.html ... View more

Hi @Keigo,   You’re using Splunk Universal Forwarder with the Linux Add-on on a 2 vCPU / 4GB RAM VM. A script (hardware.sh) that runs lshw causes 20–40% CPU spikes, which may impact performance. lshw is not light weight and is overkill most of the use cases, and thhis behavior is expected because lshw is resource-heavy, especially on low-spec machines. Below are the recommendations 1. Check if you actually need hardware data.  2. If needed, reduce the frequency to minimize impact 3. Alternative: Run the script via cron during off-peak hours and monitor its output file with Splunk. 4. Use lightweight tools like CollectD for performance metrics instead of heavy scripts. 5. Recommended specs (if you keep such scripts):     Use 4 vCPUs and 6–8 GB RAM for better performance. ... View more

Hi @Dolly , Splunk recently (especially in newer 9.x versions) introduced mechanisms to quarantine suspicious or unexpected binaries during startup or upgrade. As part of App Integrity Checking or Quarantine subsystem, it moved that binary out of active paths into quarantined_files for security reasons. During an upgrade, Splunk validates installed apps and files. If it finds unexpected binaries (especially those with execution permissions or high-risk names like postgres, bash, sh), it moves them to quarantined_files/ to prevent unintended execution.     ... View more

Hi @ASEP  follow the below steps and let me know if you are facing any issues. 1. Export the Remedy SSL certificate from the Remedy server using the command: echo -n | openssl s_client -connect <remedy_host>:<port> | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > remedy_cert.pem 2.Add the certificate to Splunk’s trusted CA bundle: cat remedy_cert.pem >> /etc/ssl/certs/ca-bundle.crt Note: take a backup before appending  3. Restart Splunk  ... View more

Hi @sl ,  Please contact the support and request the needed version or alternatively you can use the below link to download https://github.com/ryanadler/downloadSplunk/tree/main but its not recommended way. ... View more

Hi @ASEP  The Splunk Add-on is trying to establish an HTTPS connection to the BMC Remedy server, but the SSL certificate presented by Remedy is not trusted by the Splunk environment. This usually happens when the Remedy server uses a self-signed certificate or a certificate from an internal CA that Splunk doesn’t recognize. ... View more

HI @debdutsaini , replace stats with table in the last line of your query like below index=* | eval device = coalesce(dvc, device_name) | eval is_valid_str=if(match(device, "^[a-zA-Z0-9_\-.,$]*$"), "true", "false") | where is_valid_str="false" | table _time index device _raw ... View more

Hi @Namo ,   When Splunk alert emails land in your junk/spam folder, it's usually an issue not with Splunk itself, but with how the email is being handled by your mail server, client, or spam filters. If you control your mail client or domain filters: Add the From address to your safe sender list. Whitelist the Splunk server IP or domain in your Exchange / Outlook / Gmail policies. ... View more

@azer271  "Bucket is already registered with the peer" means during bucket replication, that indexer peer attempted to replicate a bucket to another peer, but the target peer already has that bucket registered possibly as a primary or searchable copy. Therefore, it refuses to overwrite or duplicate it. run the below rest command and check the health of the cluster | rest /services/cluster/master/buckets | table title, bucket_flags, replication_count, search_count, status and check for any standalone bucket issue, that also may be the reason ... View more

Hi @TestUser , Could you please frame your question with more details and clarity so that it would be helpful for other Splunkers to clarify your question. ... View more

Hi @nagendra1111 , Splunk does not currently support sending dashboard panel searches directly to background jobs from the UI. ... View more

HI @zaks191 ,  Please consider the below points for the better performance in your environment. 1. Be Specific in Searches: Always use index= and sourcetype= and add unique terms early in your search string to narrow down data quickly. 2. Filter Early, Transform Late: Place filtering commands (like where, search) at the beginning and transforming commands (stats, chart) at the end of your SPL. 3.Leverage Index-Time Extractions: Ensure critical fields are extracted at index time for faster searching, especially with JSON data. 4.Utilize tstats: For numeric or indexed data, tstats is highly efficient as it operates directly on pre-indexed data (.tsidx files), making it much faster than search | stats. 5.Accelerate Data Models: Define and accelerate data models for frequently accessed structured data. This pre-computes summaries, allowing tstats searches to run extremely fast. 6.Accelerate Reports: For specific, repetitive transforming reports, enable report acceleration to store pre-computed results. 7.Minimize Wildcards and Regex: Avoid leading wildcards (*term) and complex, unanchored regular expressions as they are resource-intensive. 8.Optimize Lookups: For large lookups, consider KV Store lookups or pre-generate summaries via scheduled searches. 9.Use Job Inspector: Regularly analyze slow searches with the Job Inspector to pinpoint bottlenecks (e.g., search head vs. indexer processing). 10.Review limits.conf (Carefully): While not a primary fix, review settings like max_mem_usage_mb or max_keymap_rows in limits.conf after monitoring resource usage, but proceed with caution and thorough testing. 11.Setup Alerts for Expensive searches: use internal metrics to detect problematic searches 12.Monitor and Limit User Search Concurrency: Users running unbounded or wide time-range ad hoc searches can harm performance. Happy Splunking ... View more

Hi @Sahansral , Please try to execute the below btool command on the SH $SPLUNK_HOME/bin/splunk cmd btool user-prefs list --debug then output should be like below /opt/splunk/etc/users/someuser/user-prefs/local/user-prefs.conf [general] lang = de if you find  lang = de thats the actual problem- splunk will try to redirect /de/ even though it should be /de-DE/, and /de/ doesnt exist. so try to update the below in the local if the issue persists for all the user $SPLUNK_HOME/etc/system/local/user-prefs.conf [general] lang = de-DE and restart splunk once. note: if the issue is only for specific user then you need to change in the user level. Please let me know if its worked. Happy Splunking!! ... View more

Hi @verbal_666 , if the indexer resource usage is stable and this happen periodically, this indicates a network issue. Try to capture a pcap during the delay window and check for the dropped ack's and engage the network team or firewall team and try to do some analyze on the traffic and session timeouts, it could be affecting splunk traffic. ... View more

Hi @tech_g706 ,   Sometime the issue with the MongoDB as well  Please check the following, it will helpful for further troubleshooting. Mongodb status ps -ef | grep -i mongod if we are not getting any output means kvstore is not running. check the below logs, try to find any clue on this logs cat $SPLUNK_HOME/var/log/splunk/kvstore.log cat $SPLUNK_HOME/var/log/splunk/mongod.log ... View more

hi @dbloms , Glad to hear. happy splunking! P.S.: Karma Points are appreciated by me and the other contributors 🙂    ... View more

Hi @amanthri ,    Disabling the KO is the safest option from your savedsearches.conf [<name_of_your aved_search>] disabled = 1   you can placed in the local directory /local/savedsearches.conf, it will effectively overide from the default this works for the other KOs too. ... View more

Hi @bigchungusfan55 , Please do the following check to find and fix the issue 1. check and confirm that the KV store collection exists 2. Check where the KV Store Lookup is defined 3. Check the permission for the lookup 4. check lookup defintion and collection configuration. ... View more

Hi @livehybrid , i have one query, As far as I understand, due to security restrictions, this 8089 port might be blocked or not exposed externally in the Splunk Cloud.   Thanks in Advance ... View more

Hi @unluakin    use the below btool command and check   $SPLUNK_HOME/bin/splunk btool web list --debug ... View more

@burwell Thanks for sharing the info. Seems you are handling very big infra. ... View more