@dicksola Hello, You can combine both the queries and create one single dashboard. Use lookup and map to add your CSV dataset to Splunk fields. You may view the fields and values of your dataset in Splunk after uploading the CSV file. You can now write your query 2 using the |inputlookup or |lookup commands. Subsearch or the append command can then be used to combine your query 2 with your query 1 (index=test* "users").   https://docs.splunk.com/Documentation/Splunk/9.2.0/SearchReference/Append  https://docs.splunk.com/Documentation/Splunk/9.2.0/SearchReference/Lookup  https://docs.splunk.com/Documentation/Splunk/9.2.0/Knowledge/Aboutlookupsandfieldactions    ... View more

@GHk62 Refer this documentation  Start or stop the universal forwarder - Splunk Documentation  If you want to reset your admin password: Solved: How to Reset the Admin password? - Splunk Community ... View more

@RyanPrice The stanza which you've added monitors the log files under ///var/www/.../storage/logs/laravel*.log . If these logs are large or frequently updated, it could contribute to increased memory usage.  verify if you have disabled THP. refer the splunk doc on it https://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/SplunkandTHP  please check the limits.conf https://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf  [thruput] maxKBps = [thruput] maxKBps = <integer> * The maximum speed, in kilobytes per second, that incoming data is processed through the thruput processor in the ingestion pipeline. * To control the CPU load while indexing, use this setting to throttle the number of events this indexer processes to the rate (in kilobytes per second) that you specify. * NOTE: * There is no guarantee that the thruput processor will always process less than the number of kilobytes per second that you specify with this setting. The status of earlier processing queues in the pipeline can cause temporary bursts of network activity that exceed what is configured in the setting. * The setting does not limit the amount of data that is written to the network from the tcpoutput processor, such as what happens when a universal forwarder sends data to an indexer. * The thruput processor applies the 'maxKBps' setting for each ingestion pipeline. If you configure multiple ingestion pipelines, the processor multiplies the 'maxKBps' value by the number of ingestion pipelines that you have configured. * For more information about multiple ingestion pipelines, see the 'parallelIngestionPipelines' setting in the server.conf.spec file. * Default (Splunk Enterprise): 0 (unlimited) * Default (Splunk Universal Forwarder): 256 the default value here is 256, you might consider increasing it if this is the actual reason for the data getting piled up, you can st the integer value to "0" which means unlimited.   Universal or Heavy, that is the question? | Splunk  Splunk Universal Forwarder | Splunk   ... View more

@dorHerbesman I don't see the lookup command in your search.  index=elbit_hr sourcetype=synerionDB source=retromng  | table ACCUM_CODE LOCK_CODE PERIOD_KEY TABLEQ UPD_DATE UPD_TIME USER_NAME ... View more

@dorHerbesman Hi, you must upload the lookup first, then use the |inputlookup tableq_lookyp to check. Upon successfully viewing your lookup data, you can access Splunk by using the lookup command. And the only way to find out is to use your initial search query along with the lookup command. Kindly review the Splunk documents listed below for your reference. lookup - Splunk Documentation  ... View more

@kate Can you check the inputs.conf in your add-on.  https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/About#File_Monitoring_Inputs  https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/About#Scripted_Inputs  ... View more

@pingli Hello, You can forward the data from your Commvault Metallic Saas Solution to Splunk using the API's or HEC tokens etc. Please find the below details for your reference.  https://www.splunk.com/en_us/blog/tips-and-tricks/getting-data-from-your-rest-apis-into-splunk.html?locale=en_us  https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/UsetheHTTPEventCollector  https://dev.splunk.com/enterprise/docs/devtools/httpeventcollector/  ... View more

@vk2 You can check the below document, Splunk universal forwarder is compatible with Linux OS which is having kernel 4.x or higher. If you have kernel 3.x , Splunk supports this platform and architecture, but might remove support in a future release.  https://docs.splunk.com/Documentation/Splunk/latest/Installation/Systemrequirements#Confirm_support_for_your_computing_platform  ... View more

Attention, this is an AI generated answer and it wrong Moderator   @LearningGuy  Let’s delve into the differences between | summaryindex and | collect in Splunk: | summaryindex: Purpose: | summaryindex is primarily used for creating and managing summary indexes. A summary index is a pre-aggregated index that stores summarized data from your original events. It’s useful for speeding up searches and reducing the load on your search infrastructure. How It Works: When you use | summaryindex, it generates summary data based on existing reports. This means that you can create a summary index only from scheduled reports. Example Usage: If you have a scheduled report that summarizes data, you can pipe it | collect: Purpose: | collect is a versatile command that allows you to push data to a new index. Unlike | summaryindex, it’s not limited to existing reports. How It Works: You can use | collect to send specific data to an index of your choice. This is particularly useful when you want to extract relevant information from your search results and store it in a separate index. Name of the summary index where the events are added. The index must exist before the events are added. The index is not created automatically. Example Usage: Suppose you want to create a custom index called “test_summary” to store specific data. You can use | collect index=test_summary to achieve this. The testmode=false ensures that the data is actually indexed. In summary, while both commands involve indexing data, | summaryindex is tied to scheduled reports, whereas | collect provides more flexibility for pushing data to custom indexes regardless of report schedules. Remember that creating the summary index (whether through | summaryindex or | collect) requires defining the index specifications in indexes.conf beforehand. Happy Splunking! 🚀 https://docs.splunk.com/Splexicon:Summaryindex  https://docs.splunk.com/Documentation/Splunk/9.2.0/Knowledge/Usesummaryindexing  https://docs.splunk.com/Documentation/Splunk/9.2.0/Knowledge/Managesummaryindexgapsandoverlaps  https://docs.splunk.com/Documentation/SplunkCloud/9.1.2308/SearchReference/Collect  ... View more

@FPERVIL  https://www.tekstream.com/blog/route-data-to-multiple-destinations/  https://docs.splunk.com/Documentation/Splunk/9.2.0/Forwarding/Routeandfilterdatad?_gl=1*l8fn8q*_ga*OTg0MDQwNjU1LjE3MDM5Mjc3Mzk.*_ga_GS7YF8S63Y*MTcwOTIyNTA5Mi4xOS4xLjE3MDkyMjUxMzcuMTUuMC4w*_ga_5EPM2P39FV*MTcwOTIyNTA0MS4xOS4xLjE3MDkyMjUzMTMuMC4wLjA.&_ga=2.139033904.2099731396.1709147440-984040655.1703927739#Filter_and_route_event_data_to_target_groups  You can watch this video if you stuck anywhere  https://www.youtube.com/watch?v=AxHetwfLC0Y    ... View more

@HarishSamudrala  The error message you provided indicates that search results might be incomplete due to the search process ending prematurely on the peer.  Check Peer Logs: Look into the peer log files, specifically: $SPLUNK_HOME/var/log/splunk/splunkd.log The search.log for the particular search. Examine these logs for any relevant error messages or clues about what caused the premature termination. Memory and Resource Constraints: Ensure that the peer has sufficient resources (CPU, memory, disk space) to handle the search workload. Sometimes, insufficient resources can lead to premature search process termination. Consider monitoring system resource usage during search execution. License Considerations: If you’re using a trial Splunk Enterprise distributed deployment, each instance must use its own self-generated Enterprise Trial license. In contrast, a distributed deployment running a Splunk Enterprise license requires configuring a license master to host all licenses. Check for OOM Killer Events: Review /var/log/messages on the peer for any Out-of-Memory (OOM) Killer events. Insufficient memory can cause processes to terminate unexpectedly. Increase ulimits for Open Files: If you haven’t already, consider increasing the ulimits for open files on the indexers. For example, set the ulimit to the recommended 64000 (initially it might be set to 4096). Review Configuration: Verify that the configuration of your search head, indexers, and forwarders is correct. Ensure that the search head can communicate with the peer properly. Remember to investigate the specific details in the logs to pinpoint the root cause. If you encounter any specific error messages or need further assistance, feel free to share additional details.  Solved: Search results might be incomplete: the search pro... - Splunk Community  https://community.splunk.com/t5/Splunk-Search/Search-results-might-be-incomplete-the-search-process-on-the/m-p/617673  ... View more

@Mr_Sneed  Could you elaborate a little more on this? Copy and paste the configurations that you were pushing to the forwarders from the deployment server. ... View more

@Komal0113  Certainly! If the IDP certificate setup isn’t working as expected, you can create your own certificate for SAML configuration in Splunk. Here are the steps to achieve this: https://docs.splunk.com/Documentation/Splunk/9.2.0/Security/Howtoself-signcertificates    ... View more

@ujju219  To use the Splunk Add-on for MySQL Database, you’ll need to configure appropriate permissions for the MySQL user. Here are the recommended steps: MySQL User Permissions: The MySQL user account used by the Splunk Add-on requires specific permissions to interact with the database. Assign the following permissions to the MySQL user: SELECT: Required for reading data from the MySQL database. SHOW DATABASES: Needed to list available databases. SHOW TABLES: Necessary to discover tables within a database. REPLICATION CLIENT: Required for reading binary logs (if applicable). EXECUTE: Needed for executing stored procedures (if used). Database-Specific Permissions: If you’re connecting to a specific database, grant additional permissions based on your use case: Read-Only Access:If the Splunk Add-on only needs to read data, grant read-only access to the specific database and tables. Write Access:If you plan to write data back to the database (e.g., summary index), grant appropriate write permissions. Host and Port Permissions: Ensure that the MySQL user has permission to connect from the host where the Splunk instance (heavy forwarder or indexer) is running. Grant access to the specific IP address or hostname of the Splunk server. Verify that the MySQL server allows connections on the specified port (usually 3306). Secure Credentials: Store the MySQL user credentials securely in Splunk. Use Splunk’s credential management system to avoid hardcoding credentials in configuration files. Splunk DB Connect Configuration: In Splunk, configure the Splunk DB Connect input to connect to the MySQL database using the MySQL user credentials. Specify the database name, hostname, port, and other relevant details. Test the Connection: After configuring the input, test the connection to ensure successful communication between Splunk and MySQL. Verify that data retrieval works as expected. Remember to document the permissions granted to the MySQL user and monitor the data collection process. If you encounter any issues, refer to the official Splunk documentation for additional guidance.  https://docs.splunk.com/Documentation/AddOns/released/MySQL/Setup  Configure Splunk DB Connect security and access controls - Splunk Documentationhttps://docs.splunk.com/Documentation/DBX/3.15.0/DeployDBX/Configuresecurityandaccesscontrols  ... View more

@kate  The Splunk Cloud Platform is compatible with the Universal Forwarder for data collection. Let’s determine the appropriate version of the Universal Forwarder for your use case: Universal Forwarder Compatibility: The Universal Forwarder is the best choice for collecting data from systems in your environment with minimal resource requirements. For Splunk Cloud, you should use a Universal Forwarder that aligns with the Splunk Cloud version you are using. Recommended Version: Based on the compatibility matrix, the following Universal Forwarder versions are compatible with Splunk Cloud 9.1.2308.203: 9.0.x 9.1.x 9.2.x Deployment Considerations: Deploy the Universal Forwarder on your Ubuntu (Debian 64-bit) systems. Configure it to send data to your Splunk Cloud instance. Remember to verify the compatibility and monitor the data collection process. You can find more details in the Splunk documentation. https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/UsingforwardingagentsCloud  https://docs.splunk.com/Documentation/VersionCompatibility/current/Matrix/Compatibilitybetweenforwardersandindexers  https://docs.splunk.com/Documentation/Forwarder/9.2.0/Forwarder/Deploy  ... View more

@Symon   To effectively monitor Linux Auditd events in Splunk, you can use the Splunk Add-on for Linux. This add-on allows you to collect and analyze audit logs from your Linux devices. Here’s how you can set it up: Configure AuditD to Send Data to the Splunk Add-on for Linux: https://docs.splunk.com/Documentation/AddOns/released/Linux/Configure4  https://splunkbase.splunk.com/app/833  This Add On for linux Auditd allows Administrators to make their data OCSF Compliant and CIM compliant for related Linux Auditd Events https://preview.splunkbase.splunk.com/app/7045    ... View more

@pavithra  Kindly refer the below links:  How to display the count in piechart as labels - Splunk Community  Chart configuration reference - Splunk Documentation Chart configuration reference - Splunk Documentation ... View more

@trha_ Can you check this  https://www.tekstream.com/blog/blog-deleting-the-unsupported-splunk-windows-universal-forwarder/  ... View more

@yazeed    Splunk's _configtracker can be used to monitor changes to alerts and saved searches in Splunk. The _configtracker index: With Splunk 9, the _configtracker index was introduced. This index stores changes to Splunk configuration files, including the date and time of the change, as well as all the new and old values associated with the modified item. However, the data in _configtracker has a limitation: it only monitors changes to configuration files. Consequently, a crucial piece of information is missing from these logs: the user responsible for the change. While it does provide a record of the previous and updated settings, this information is not available in the same event. Therefore, to create a comprehensive alert, we need to perform data aggregation and enrichment. For instance, after the described change to the Windows failed logons alert use case, the configtracker will contain two related events. Note the search looks in the _configtracker index, for a configuration update, where the changed item (data.changes{}.stanza) is specified, and particularly for a saved search being changed, independently of the app and Splunk installation directory ("*/savedsearches.conf"). Here is the SPL query: index=_configtracker component=ConfigChange data.action=update data.changes{}.stanza=* data.path="*/savedsearches.conf"   ... View more

@splukiee    Certainly! Addressing high CPU usage in your Splunk environment due to specific dashboards can be challenging, but let’s explore some strategies to mitigate the issue: Dashboard Optimization:- Review Dashboard Components: Inspect each dashboard panel. Are there any resource-intensive visualizations (e.g., complex charts, tables, or maps)? Simplify or optimize them. Reduce Real-Time Updates: If dashboards update in real-time, consider increasing the refresh interval. Frequent updates can strain CPU resources. Limit Concurrent Sessions: Since users have multiple sessions open, limit the number of concurrent sessions per user. Excessive sessions can overload the system. Use Summary Indexes: Consider using summary indexes for frequently accessed data. This reduces the need for real-time searches. Monitoring and Troubleshooting: Splunk Monitoring Console (MC): Use MC to monitor resource usage. Check the CPU Usage by process class graph to identify which components consume the most CPU. https://lantern.splunk.com/Splunk_Platform/Product_Tips/Administration/Troubleshooting_high_resource_usage  https://docs.splunk.com/Documentation/Splunk/9.2.0/DMC/ResourceusageCPU  ... View more

@khj Hello, You don't get the Splunk DB connect add-on file which was not supported to your Splunk version 7.3.4. I would suggest you to upgrade your splunk environment and install the suitable db connect add-on version.  System requirements - Splunk Documentation  ... View more

@n3wbi3  The error message you mentioned, “Data Durability Root Cause(s): Replication Factor is not met,” indicates that the replication factor for some buckets is not being fulfilled.     Check if any peers are offline or experiencing connectivity problems. An offline peer can prevent the replication factor from being met https://docs.splunk.com/Documentation/Splunk/9.2.0/DMC/Usefeaturemonitoring  The message “All data is not searchable” suggests that some buckets are not fully searchable. Ensure that all buckets have primary copies. If a bucket lacks a primary copy, it can impact searchability. Resync the state of the affected bucket copies on the manager. https://docs.splunk.com/Documentation/Splunk/9.2.0/Indexer/Anomalousbuckets  Anomalous bucket issues - Splunk Documentation ... View more

@nmboner Can you check this  Deleting the Unsupported Splunk Windows Universal Forwarder TekStream Solutions ... View more