Try this:
[monitor://D:[path]\logs]
whitelist=localhost_access_log.\d[^-].*.txt$
disabled = 0
https://regex101.com/r/vXzgcK/1
If it did not work, you have to troubleshoot the input.
https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/Troubleshoottheinputprocess
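Added example (not from the original answer): before restarting the forwarder, it is worth checking what the whitelist regex from the stanza above actually selects. Splunk matches `whitelist` as an unanchored regex against the full path of each file, so `re.search` in Python reproduces the decision. The paths are constructed for illustration; the function names are mine.

```python
import re

# The whitelist regex from the monitor stanza above, used unchanged
WHITELIST = r"localhost_access_log.\d[^-].*.txt$"

# Constructed Windows-style paths (not from the original question)
SAMPLE_PATHS = [
    r"D:\app\logs\localhost_access_log.2019-11-20.txt",     # dated log: selected
    r"D:\app\logs\localhost_access_log.2-2019.txt",         # digit followed by '-': rejected by [^-]
    r"D:\app\logs\localhost_access_log.txt",                # no digit after the name: rejected
    r"D:\app\logs\localhost_access_log.2019-11-20.txt.gz",  # compressed: does not end in txt
    r"D:\app\logs\catalina.2019-11-20.log",                 # other log: rejected
]


def is_whitelisted(path, pattern=WHITELIST):
    """True if Splunk would monitor this path under the given whitelist.
    Splunk applies the whitelist as an unanchored regex to the full path,
    so re.search (not re.fullmatch) mirrors its behaviour."""
    return re.search(pattern, path) is not None


def select_paths(paths, pattern=WHITELIST):
    """Return the subset of paths the monitor stanza would pick up."""
    return [p for p in paths if is_whitelisted(p, pattern)]


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print("monitor" if is_whitelisted(p) else "skip   ", p)
```

Note that the dots in `log.\d` and `.txt$` are unescaped, so they match any character; if you want the suffix to be strictly `.txt`, write `\.txt$`.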
To make connections to port 8089, you have to use -uri https://nomeserver:8089 instead of only http.
For further information check this document -> https://docs.splunk.com/Documentation/Splunk/8.0.0/Admin/AccessandusetheCLIonaremoteserver
Are you running on Splunk Cloud? If so, there are some limits applied to Splunk Cloud that do not allow you to work above them, in order to guarantee good performance for the entire system.
Try to bring small chunks of data. If it did not fix the issue, open a support case with Splunk for further assistance.
https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/Service/SplunkCloudservice#Service_limits_and_constraints.
Per my verification, the current version 7.1.3 of the Splunk Stream app is compatible with deployment on Splunk Cloud. On the trial version you should not have access to deploy apps.
Access the link below and send a note to the Splunk Sales team to check with them if this app can be deployed in your trial environment:
https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/FAQs/FAQs#Splunk_Cloud_Free_Trial_FAQ
In addition, I found this answer saying we cannot upload an app:
https://answers.splunk.com/answers/551602/how-to-install-this-app-to-my-splunk-cloud-free-tr.html
Have you set up the proxy server configuration? When I deployed the integration I had to set up the proxy in order to get Splunk connected properly to SNOW over an SSL connection.
The configuration is similar to this. For the new add-on version there is a tab for proxy configuration under the ServiceNow add-on, or you can edit the config file at $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local/splunk_ta_snow_settings.conf
[proxy]
proxy_enabled = 0 : Indicates whether the connection to ServiceNow occurs through a proxy. The default is false.
proxy_url = <URL or IP address for the proxy connection>
proxy_port = <port for the proxy connection>
proxy_username = <username for the proxy connection>
proxy_password = <password for the proxy connection>
proxy_rdns = <0|1> : If you use the proxy to do DNS resolution, set this value to 1. The default is 0.
proxy_type = <http|http_no_tunnel|socks4|socks5> : The default is http.
Further information: https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Setuptheadd-on
Try to run these troubleshooting steps: https://ta-nmon.readthedocs.io/en/latest/troubleshoot.html#
Here is a complete document that the author created recently, which also has the same troubleshooting steps: https://buildmedia.readthedocs.org/media/pdf/nmon-for-splunk/latest/nmon-for-splunk.pdf
If it did not work, open a case with Splunk support and attach to the support case the diag files generated on the UF client server and on Splunk Enterprise.
In general the license capabilities are assigned by default to admin roles.
If you want to add the capability for users to handle the Splunk license, you have to add the following capabilities to the roles you have created:
license_edit : Lets the user edit the license.
license_tab : Lets the user access and change the license. This attribute is deprecated (although it is said to be deprecated, I've seen this capability in Splunk 8.0 as well).
license_view_warnings : Lets the user see a warning message when they are exceeding data limits or reaching the expiration date of their license. These warnings appear on the system banner.
Go to the menu Settings - Users and Authentication - Roles
Select the role, edit it, and then select the license capabilities by checking the boxes, and save to complete the configuration:
license_edit
license_tab
license_view_warnings
For further information about role capabilities, check this document -> https://docs.splunk.com/Documentation/Splunk/8.0.0/Security/Rolesandcapabilities
I mean that it is possible the account that is being used to start the Splunk service does not have all the required access to start the splunkd service. This splunkd process should run successfully, so if for some reason the user is not able to start this service, it is a potential problem. Use the root user to try to redeploy the permissions for the user you have created to start Splunk.
If it did not work, try to reinstall the previous version and after that redeploy Splunk 8 again.
Please check the troubleshooting steps -> https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Troubleshooting#Find_relevant_errors
Search for errors with eventtype=snow_ticket_error.
Verify that all the steps here are completed -> https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/ConfigureServiceNowtointegratewithSplunkEnterprise
Check this link to manually create incidents without waiting for a scheduled alert to be triggered:
https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Commandsandscripts#Usage
In order to create incidents, the account you set up at ServiceNow must have rights to create the incident directly in the incidents table; or, if you are using ServiceNow events to appropriately assign the ticket to the correct team to work on it, you have to use the events feature at ServiceNow, and you can use the | snowevent ... command to test it.
In the ServiceNow add-on, you have to set up a proxy server to connect with the ServiceNow server; this can be a potential reason for not being able to connect to the server and create incidents.
https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Setuptheadd-on
Per my verification, the ta-nmon add-on does not support version 7.3.
COMPATIBILITY
Products: Splunk Enterprise
Splunk Versions: 7.2, 7.1, 7.0, 6.6, 6.5, 6.4, 6.3, 6.2, 6.1, 6.0
Further information -> https://splunkbase.splunk.com/app/3248/
Try to deploy a UF version 7.2 instead, and redeploy the add-on again.
Per the error message it seems to be a permission issue. The Splunk process is trying to load, but Debian is not allowing it to start. Check which account was created to run the splunkd service. I believe you have to redeploy the ownership for the user created to run the splunkd service.
Per the Splunk Cloud documents this is the process to upgrade an app:
"Splunk Cloud admins can perform some app management tasks on the App Management page in a managed Splunk Cloud deployment.
To upgrade an app, click Update from the App Browser page or Update Available from the App Management page to install the new version. After you update an app, you cannot revert to an earlier version. If a new version of your app is available, but the update action is not available for your app, open a support case."
If this process did not work for you, just open a support case as described in the upgrade process.
For further information check this doc ->
https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/User/SelfServiceAppInstall#Install_and_manage_an_app_in_a_managed_Splunk_Cloud_deployment
Per what is described in the app documentation, the current Sysmon deploy and maintain app is developed to support Sysmon 8.00.
Release Notes
Version 1.16
July 25, 2018
Updated sysmon config generated from my modular repository.
This config is updated to the latest iteration of the MITRE ATT&CK framework
Built for Sysmon 8.00
I suggest deploying this app to a Splunk sandbox environment and running your tests to check the Sysmon behavior on version 10.x. I never worked with this app before.
Is Splunk running on Linux? Check if the user has the proper rights to read the entire Splunk directory. If not, re-apply the user permissions to the entire Splunk folder.
Does this happen only for the _internal index? Or are others having the same issue?
Check if the file for the _internal index is being updated with the most recent data at $SPLUNK_HOME/var/lib/splunk/_internaldb/db
If it did not work, please create a diag file with ./splunk diag, open a case with Splunk support and attach the diag file to the case.
Check if the transaction command can assist you with this. If the events 4624 and 4633 are close together in time, you can check if this command can help you group them by user_id instead.
Check this article for further assistance.
https://docs.splunk.com/Documentation/Splunk/8.0.0/Search/Abouttransactions
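Added example (not from the original answer): the grouping the transaction command does can be reasoned about in plain Python before writing the SPL. The code below implements the general idea behind `transaction user_id maxpause=5m`: events are sorted by time, grouped per `user_id`, and a new transaction starts whenever the gap to the previous event of that user exceeds `maxpause`; a second helper keeps only transactions that contain both event codes. The events are constructed for illustration, and the function names are mine, not Splunk's.

```python
from datetime import datetime, timedelta

# Constructed sample Windows logon events (not from the original question):
# EventCode 4624 and 4633 for two users, as a search would return them
SAMPLE_EVENTS = [
    {"_time": "2019-11-20 08:00:00", "EventCode": 4624, "user_id": "alice"},
    {"_time": "2019-11-20 08:00:05", "EventCode": 4633, "user_id": "alice"},
    {"_time": "2019-11-20 08:00:07", "EventCode": 4624, "user_id": "bob"},
    {"_time": "2019-11-20 09:30:00", "EventCode": 4624, "user_id": "alice"},
    {"_time": "2019-11-20 09:30:02", "EventCode": 4633, "user_id": "alice"},
    {"_time": "2019-11-20 09:30:03", "EventCode": 4633, "user_id": "bob"},
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def group_transactions(events, key="user_id", maxpause=timedelta(minutes=5)):
    """Group events that share `key` into transactions, starting a new
    transaction whenever the gap to the previous event of the same key
    exceeds `maxpause` (the idea behind `transaction user_id maxpause=5m`).
    Returns the transactions ordered by their first event."""
    ordered = sorted(events, key=lambda e: parse_time(e["_time"]))
    open_tx = {}   # key value -> transaction currently being built
    closed = []
    for ev in ordered:
        k = ev[key]
        t = parse_time(ev["_time"])
        tx = open_tx.get(k)
        if tx is not None and t - tx["last"] > maxpause:
            closed.append(tx)   # gap too long: the old transaction is finished
            tx = None
        if tx is None:
            tx = {key: k, "events": [], "first": t, "last": t}
            open_tx[k] = tx
        tx["events"].append(ev)
        tx["last"] = t
    closed.extend(open_tx.values())
    for tx in closed:
        # summary fields similar to the ones the transaction command adds
        tx["eventcount"] = len(tx["events"])
        tx["duration"] = (tx["last"] - tx["first"]).total_seconds()
        tx["EventCode"] = sorted({e["EventCode"] for e in tx["events"]})
    return sorted(closed, key=lambda tx: tx["first"])


def complete_sessions(transactions, required=(4624, 4633)):
    """Keep only transactions that contain every EventCode in `required`
    (what a filter like EventCode=4624 EventCode=4633 after transaction does)."""
    return [tx for tx in transactions if set(required) <= set(tx["EventCode"])]


if __name__ == "__main__":
    for tx in group_transactions(SAMPLE_EVENTS):
        print(tx["user_id"], tx["first"], tx["eventcount"], tx["duration"], tx["EventCode"])
```

With the 5 minute pause, alice's two bursts become two separate transactions and bob's lone 4624 stays a one-event transaction; raising `maxpause` to two hours collapses each user into a single transaction, which is the knob to tune when the 4624/4633 pairs are further apart than expected.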
Try to fix the bucket by editing the gray ones:
For buckets that have been stuck in fixup for long periods of time, you can take remedial action.
Click Action for the bucket that you want to manage.
Select one of the available actions:
View bucket details
Roll
Resync
Delete Copy
A pop-up window appears to guide you through the selected action.
Use the following sequence when performing actions on an anomalous bucket.
View bucket details
Roll
Resync
Delete Copy
Only perform the next action if the previous one does not resolve the issue.
For further information, check this link -> https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Anomalousbuckets#Take_action_on_an_anomalous_bucket
If it did not work, please submit a case to Splunk support and generate a diag file with ./splunk diag to attach to the case.
Hi williamsmew, please check this Splunk answer, maybe it can help you out with your issue
-> https://answers.splunk.com/answers/588630/understanding-the-lookup-command.html
Hi balash1979, you can run the queries below to check your data.
Look for offset in the WatchedFile component:
index=_internal sourcetype=splunkd component=watchedfile
- checksum for seekptr didn't match, will re-read entire file
- file too small to check seekcrc
- will begin reading at offset=0 means a file is new (or rolled)
- seeing this twice in other conditions means it is not good
index="docker_index" sourcetype=xyz | convert ctime(_indextime) AS idxtime
| stats count dc(idxtime) as numIndexed, values(source), values(idxtime) by _raw
| where count > 1
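Added example (not from the original answer): the two checks above can be run offline against a copy of splunkd.log and an export of the indexed events. The first function applies the WatchedFile rules from the answer (one `offset=0` is normal for a new or rolled file, a second one or a seekptr checksum mismatch means the file was re-read); the second mirrors the `stats count dc(idxtime) ... by _raw | where count > 1` search. The log lines and records are constructed for illustration and only approximate the real splunkd.log message shapes; the function names are mine.

```python
import re
from collections import defaultdict

# Constructed splunkd.log lines (not real output), shaped after the WatchedFile
# messages listed above; the last line is another component and must be ignored
SAMPLE_SPLUNKD_LOG = """\
11-20-2019 08:00:01.000 +0000 INFO  WatchedFile - Will begin reading at offset=0 for file='/var/log/app/app.log'.
11-20-2019 08:05:01.000 +0000 INFO  WatchedFile - Checksum for seekptr didn't match, will re-read entire file='/var/log/app/app.log'.
11-20-2019 08:05:02.000 +0000 INFO  WatchedFile - Will begin reading at offset=0 for file='/var/log/app/app.log'.
11-20-2019 08:00:03.000 +0000 INFO  WatchedFile - Will begin reading at offset=0 for file='/var/log/app/other.log'.
11-20-2019 08:00:04.000 +0000 INFO  WatchedFile - File too small to check seekcrc, will re-read entire file='/var/log/app/tiny.log'.
11-20-2019 08:00:05.000 +0000 INFO  TailReader - Could not send data to output queue (parsingQueue), retrying...
"""

FILE_RE = re.compile(r"file='(?P<file>[^']+)'")


def triage_watchedfile(log_text):
    """Count, per monitored file, the WatchedFile messages that indicate
    re-reading, and flag files that are likely being ingested again."""
    stats = defaultdict(lambda: {"offset0": 0, "reread": 0, "seekcrc": 0})
    for line in log_text.splitlines():
        if " WatchedFile - " not in line:
            continue                      # same role as component=watchedfile
        m = FILE_RE.search(line)
        if not m:
            continue
        low = line.lower()
        s = stats[m.group("file")]
        if "begin reading at offset=0" in low:
            s["offset0"] += 1             # normal once: new or rolled file
        if "checksum for seekptr didn't match" in low:
            s["reread"] += 1              # CRC mismatch: whole file re-read
        if "too small to check seekcrc" in low:
            s["seekcrc"] += 1             # file shorter than the CRC window
    for s in stats.values():
        s["suspect"] = s["offset0"] >= 2 or s["reread"] > 0
    return dict(stats)


def suspect_files(log_text):
    """Files whose WatchedFile history points at duplicate ingestion."""
    return sorted(f for f, s in triage_watchedfile(log_text).items() if s["suspect"])


# Constructed indexed events (the fields a search returns) for the duplicate check
SAMPLE_INDEXED = [
    {"_raw": "GET /health 200", "source": "/var/log/app/app.log", "_indextime": 1574236801},
    {"_raw": "GET /health 200", "source": "/var/log/app/app.log", "_indextime": 1574237102},
    {"_raw": "POST /login 302", "source": "/var/log/app/app.log", "_indextime": 1574236802},
]


def find_duplicates(records):
    """Mirror of `stats count dc(idxtime) as numIndexed values(source) by _raw
    | where count > 1`: the same _raw text indexed more than once, with the
    number of distinct index times and the sources involved."""
    groups = defaultdict(list)
    for r in records:
        groups[r["_raw"]].append(r)
    result = {}
    for raw, rs in groups.items():
        if len(rs) > 1:
            result[raw] = {
                "count": len(rs),
                "numIndexed": len({r["_indextime"] for r in rs}),
                "sources": sorted({r["source"] for r in rs}),
            }
    return result


if __name__ == "__main__":
    print(triage_watchedfile(SAMPLE_SPLUNKD_LOG))
    print(find_duplicates(SAMPLE_INDEXED))
```

The `numIndexed` value is the useful tell: the same `_raw` with several distinct index times means the file was read again later, whereas a count above 1 with a single index time is more likely an application that genuinely logs the same line twice.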
Hi satyaallaparthi, please check this troubleshooting guide, maybe it can help you to find your issue.
https://docs.splunk.com/Documentation/ES/5.3.1/Admin/Troubleshootdashboards