@phamanh1652  Have you created the index called "trellix"? and also check the splunk internal logs on your Splunk Cloud Search head.  You can use this add-on to integrate your Trellix MVISION. It supports both Splunk Cloud and Splunk Enterprise. https://splunkbase.splunk.com/app/7022    ... View more

@palyogit  Check this documentation and try to send an sample events to HEC.  https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.4/get-data-with-http-event-collector/http-event-collector-examples  https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.4/get-data-with-http-event-collector/use-curl-to-manage-http-event-collector-tokens-events-and-services  ... View more

@palyogit  Ensure that your HEC input includes valid index= . Missing or mis-typed values cause Splunk to drop data. HttpInputDataHandler - handled token name=embedded … events_processed=1 … Truncating line because limit of 10000 bytes … it means Splunk HEC received the event, parsed it, but truncated the line at ~10 kB, which likely leads to it being dropped  before indexing  ... View more

@unluakin  Refer this ERROR: IP address 127.0.0.1 not in server certificate. Please see server.conf/[sslConfig]/cliVerifyServerName for details. | Splunk Configure TLS certificate host name validation for secured connections between Splunk software components | Splunk Docs ... View more

@peterow  The error typically occurs when you're trying to add a Developer/Test license to a Splunk instance that is currently using a Production license stack. Splunk enforces license stack segregation, meaning you can't mix Dev/Test licenses with Production ones.  If you're moving to a Dev/Test license (e.g., for a non-production environment), you need to remove the existing Production license first.  NOTE:- Only do this if you're sure the system should be running under a Dev/Test license. Removing a Production license from a live production system could cause compliance or functionality issues. ... View more

@DufferDave  Please have a look  https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Installing_and_upgrading_to_Splunk_Enterprise_Security_8x  https://help.splunk.com/en/splunk-enterprise-security-8/user-guide/8.0/analytics/risk-analysis  ... View more

@ReiGjuzi  Finding a legacy Splunk Universal Forwarder MSI for Windows 7 SP1 (x64) is tricky since Microsoft and Splunk no longer support Windows 7, and official download pages prioritize newer versions for supported OSes like Windows 10 and 11.   If you can’t find the MSI on Splunk’s official site, avoid unofficial mirrors due to security risks.   ... View more

@simonsa I see that you're uploading a .gz file. Please extract it and upload the original, uncompressed file. ... View more

@simonsa  If the DNSlog files are large, they might exceed the upload limits or cause the browser to time out. Try uploading a smaller portion of the log file to see if it succeeds. ... View more

@ramiiitnzv  To obtain a license for the Splunk Enterprise Security (ES) app, you need to purchase it from Splunk. https://help.splunk.com/en/splunk-enterprise-security-8/user-guide/8.0/introduction/licensing-for-splunk-enterprise-security  ... View more

@RAVISHANKAR  Yes, a Splunk Enterprise Search Head running version 9.4.2 can communicate with Indexers running version 9.2.1. But It's recommended to upgrade all components to the same version to ensure full feature compatibility and support. Yes, UF 8.0.5 can still forward data to Splunk Indexers running 9.2.1 or 9.4.2. However, Splunk no longer provides full support for UF 8.0.x. Splunk Software Support Policy | Splunk  About upgrading to 8.0 READ THIS FIRST - Splunk Documentation ... View more

@meg Please verify your sourcetype, The Splunk Add-on for Sysmon for Linux supports the following source types: sysmon:linux  ... View more

@meg  renderXml = false This setting is typically used in Universal Forwarder or inputs.conf for Windows Event Logs. If you're forwarding Linux logs, this setting might not be relevant unless you're using it in a specific context. Have you installed the below add-on to parse the data? Can you share your inputs.conf file here.  https://splunkbase.splunk.com/app/6652  https://docs.splunk.com/Documentation/AddOns/released/NixSysmon/Sourcetypes    ... View more

@tanjil  I recommend raising a Splunk Support ticket to request the 0 MB license file. Please ensure that the support case is submitted under your valid entitlement. Recently, one of our customers submitted a similar request, and Splunk provided the 0 MB license file for their heavy forwarder.. ... View more

@sverdhan  | metadata type=hosts index=* earliest=-30d@d | eval age = now() - lastTime | eval last_seen = strftime(lastTime, "%Y-%m-%d %H:%M:%S") | where age > 30*24*60*60 | eval age_days = round(age/(24*60*60), 2) | table host, last_seen, age_days | rename host as "Forwarder", last_seen as "Last Data Received", age_days as "Days Since Last Data"   ... View more

@sverdhan  | tstats latest(_time) as lastTime where index=* by host | eval age=now()-lastTime | where age > 2592000 | convert ctime(lastTime) | rename host as "Forwarder Host", lastTime as "Last Data Received Time", age as "Age (in seconds)" | sort - "Age (in seconds)" ... View more

@Namo  Please can you confirm if you followed the Splunk 9.4 upgrade pre-steps that are documented here? https://docs.splunk.com/Documentation/Splunk/9.4.0/Installation/AboutupgradingREADTHISFIRST  There is a section on upgrading the kv-store before running the Splunk 9.4 upgrade. Reference: https://splunk.my.site.com/customer/s/article/KV-store-status-failed-after-upgrade-to-9-4?  ... View more

@Namo  Could you please confirm the upgrade path — specifically, from which version to which version Splunk was upgraded? Please note that you must first upgrade to the KV Store server version 4.2.x before proceeding with an upgrade to Splunk Enterprise 9.4.x or higher. For detailed instructions on updating to KV Store version 4.2.x (applicable to Splunk Enterprise versions 9.0.x through 9.3.x), refer to the official documentation: Migrate the KV store storage engine in the https://help.splunk.com/en/splunk-enterprise/administer/admin-manual/9.3/administer-the-app-key-value-store/migrate-the-kv-store-storage-engine  We strongly recommend reviewing this guide to ensure a successful upgrade path and avoid issues like the one you're encountering.  https://docs.splunk.com/Documentation/Splunk/9.3.2/Admin/MigrateKVstore ... View more

@parthbhawsar  We have recently configured the Cisco FMC and successfully integrated it with Splunk. Could you please check the error you are encountering in Splunk so that I can assist you further? If you continue to face any issues, I would recommend reaching out to the Cisco TAC team for additional support. ... View more

@Splunkers2 Check this https://www.reddit.com/r/Splunk/comments/17msvh2/misp_integration_error/  ... View more

@L_Petch  Check this https://community.splunk.com/t5/Splunk-Enterprise-Security/Unable-to-connect-to-license-master-since-certification/m-p/488156    https://community.splunk.com/t5/Security/Getting-an-issue-where-Splunk-hosts-can-t-reach-the-License/m-p/455396  ... View more

@Leonardo1998  In addition to other recommendations: You can configure a dedicated VM and install either syslog-ng or rsyslog, making it act as a syslog forwarder. Network Devices (such as firewalls, routers, and switches) can then be configured to send logs over a custom port to this syslog forwarder. On the syslog forwarder, update the syslog-ng.conf or rsyslog.conf to capture these logs and store them in a specific directory. From here, you have two options: Install the Splunk Universal Forwarder (UF) on the server and configure it to forward the logs to the Splunk indexers. Or, install the full Splunk Enterprise package on the server and use it as a Heavy Forwarder (HF). If the server is used as a Heavy Forwarder, you can also install the relevant Technology Add-ons (TAs) for parsing. For example, if you're onboarding Fortinet firewall logs, you can install the Fortinet Add-on on this HF for proper parsing before forwarding the logs to the indexers. https://www.splunk.com/en_us/blog/tips-and-tricks/using-syslog-ng-with-splunk.html?locale=en_us  ... View more

@super_edition  | makeresults | eval data="/ae/english/experience/dining/onboard-menu/=1;/ae/english/experience/woyf/=2;/uk/english/experience/dining/onboard-menu/=1;/us/english/experience/dining/onboard-menu/=1;/ae/arabic/experience/dining/onboard-menu/=1;/english/experience/dining/onboard-menu/=1" | makemv delim=";" data | mvexpand data | rex field=data "(?<uri>[^=]+)=(?<count>\d+)" | eval count=tonumber(count) | eval normalized_uri = replace(uri, "^/[^/]+/[^/]+", "") | stats sum(count) as hits by normalized_uri   ... View more

@Priya70  If the search returns a large dataset or the panel uses a complex visualization rendering might silently fail or else Memory or CPU limitations in the browser can cause rendering to hang, especially with multiple panels loading simultaneously. If multiple panels use similar base searches, consider using a base search with postProcess to reduce load. Can you please paste your dashboard XML to identify the issue? I’ll take a look.. ... View more

@Amira Have you verified this?  https://splunkbase.splunk.com/app/6657  ... View more