Activity Feed
- Got Karma for Re: File will not be read, seekptr checksum did not match for a file in splunk. 10-18-2024 01:31 AM
- Got Karma for Re: Indexer Discovery Error (IndexerDiscoveryHeartbeatThread). 07-11-2024 07:27 AM
- Got Karma for Re: Forget Password Keyfor splunk Indexer cluster. 07-09-2024 11:57 AM
- Got Karma for Re: systemd start restart for splunk not working as expected. 07-09-2024 10:36 AM
- Got Karma for Re: systemd start restart for splunk not working as expected. 07-09-2024 10:36 AM
- Got Karma for Re: systemd start restart for splunk not working as expected. 07-03-2024 09:10 PM
- Got Karma for Re: Where to create an index in a clustered environment?. 05-14-2024 10:03 PM
- Got Karma for Re: ERROR Configuration from app=<appname> does not support reload: server.conf/[clustering]/master_uri. 02-29-2024 11:35 PM
- Got Karma for Re: File will not be read, seekptr checksum did not match for a file in splunk. 02-08-2024 08:02 AM
- Got Karma for Re: Which works best in a SHC? Even or Odd number of search heads to avoid the SHC Service becoming not available?. 01-26-2024 10:13 AM
- Got Karma for Re: Run a Scheduled Report on Demand. 01-05-2024 09:28 AM
- Got Karma for Re: Run a Scheduled Report on Demand. 01-05-2024 09:24 AM
- Got Karma for Re: Run a Scheduled Report on Demand. 01-05-2024 09:24 AM
- Got Karma for Re: Scripting admin credentials in scripted install. 12-13-2023 07:23 AM
- Got Karma for Re: Scripting admin credentials in scripted install. 12-13-2023 07:22 AM
- Got Karma for Re: ERROR DeployedApplication - Failed to install app=/web/splunk/etc/master-apps/s; reason=Application does not exist. 12-12-2023 06:19 AM
- Got Karma for Re: Applying quarantine and removing quarantine. 11-22-2023 05:49 AM
- Got Karma for Re: Forced bundle replication failed. Reverting to old behavior - using most recent bundles on all. 11-20-2023 12:13 PM
- Got Karma for Re: Which works best in a SHC? Even or Odd number of search heads to avoid the SHC Service becoming not available?. 11-14-2023 02:12 AM
- Got Karma for Re: can we get the previous results of scheduled report?. 11-02-2023 05:10 PM
11-13-2024
03:35 PM
As I said earlier if you want to use hashed password instead of plain text, then you must use same splunk.secret on both nodes.
10-18-2024
01:31 AM
Ty. Works great in 2024
10-01-2024
02:18 PM
@R15 For monitoring stanzas, it's still pretty much the same. However, many new types of inputs exist too (modular, scripted, HEC, etc.), which do not rely on the fishbucket.
07-11-2024
07:28 AM
In case anyone else stumbles upon this thread, this solution worked for me.
07-10-2024
06:39 PM
Reviving a dead post here, as I'm encountering the same issue as the OP. Splunk will work with the docker command, but when I attempt with compose I get the same error. docker-compose.yml Error:
06-29-2024
12:48 PM
First things first - check splunkd.log for errors. It looks like some communication problems between nodes. If all else fails, just reinstall the node from scratch and bootstrap it as a SHC member.
06-25-2024
07:58 AM
Apologies, but would really appreciate a more detailed set of instructions - can't get my head round how adding a checkbox helps with the encryption and how to actually achieve this? Many thanks!
03-14-2024
03:30 PM
@codebuilder I got the same message, but in Splunk I don't find any logs. What is the problem?
11-19-2023
07:06 PM
Hi @woodcock Please tell me how to do this configuration How long and whether we can set how long the log is kept ?
- Tags:
- rotate log
07-31-2023
01:41 PM
1 Karma
Experienced that as well, just a restart of the cluster master fixes the issue. Maintenance mode is not required in this case.
07-28-2023
01:27 AM
You are probably using a 32bit Raspberry Pi OS and trying to run the 64bit UF. Last ARMv6 is 8.1.9 universal forwarder.
02-09-2023
11:11 PM
Hi, Did you find what was wrong ? I have a similar behaviour : curl with ssl to send HEC events works fine, but from a python app, not so well : Socket error while idling: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number Any idea ? Thanks Ema
10-13-2022
02:05 AM
Exactly that way.
10-01-2022
12:52 AM
@Christians86 wrote:
Hi, I have had this problem twice now on two different computers. I install debian/ubuntu. Then I use the .deb file from splunk.com - the newest you get when you start your trial. I then make a VM based on a distro of ubuntu/debian and install. Everything works fine, I use my own user, not the root user, to install. I follow the steps of https://www.bitsioinc.com/tutorials/install-splunk-linux/ Splunk starts and works fine. No problems... until I restart the VM. Then localhost:8000 and the external ip both stop working and splunk web gui is not possible to connect to. I use the same account both for installation and for login when restarting. What am I doing wrong? Other VMs don't report problems on the machine, it's only splunk, and only after restarting of the vm. The VM itself has internet and works fine, it's only splunk that has issues.

I am also facing this problem man
07-14-2022
01:07 PM
Just a footnote, mine replicated and looked like they should be working until I realized I spelled the filename indexs.conf instead of indexes.conf
07-12-2022
10:53 PM
I added SPLUNK_USER=splunk to the docker-compose yml file and restarted the container. Here is the environment.
[ansible@28f74f55c15a splunk]$ env
LANG=C.utf8
HOSTNAME=28f74f55c15a
ANSIBLE_USER=ansible
SPLUNK_HEC_TOKEN=test1234
container=oci
SPLUNK_HOME=/opt/splunk
SCLOUD_URL=https://github.com/splunk/splunk-cloud-sdk-go/releases/download/v1.11.1/scloud_v7.1.0_linux_amd64.tar.gz
CONTAINER_ARTIFACT_DIR=/opt/container_artifact
PWD=/opt/splunk
HOME=/home/ansible
SPLUNK_DEFAULTS_URL=
SPLUNK_GROUP=splunk
SPLUNK_ANSIBLE_HOME=/opt/ansible
TERM=xterm
SPLUNK_ROLE=splunk_standalone
SPLUNK_PASSWORD=A#123#aaa
PYTHON_GPG_KEY_ID=####
TMPSPLUNKDIR=/opt/splunk/tmp
PYTHON_VERSION=3.7.10
ANSIBLE_GROUP=ansible
SPLUNK_START_ARGS=--accept-license
TMPETCDIR=/opt/splunk/tmp/etc
SHLVL=1
SPLUNK_USER=splunk
PATH=/home/ansible/.local/bin:/home/ansible/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
_=/usr/bin/env
[ansible@28f74f55c15a splunk]$ whoami
ansible
There is no change from ansible to splunk. Due to this, unable to browse some /opt/splunk files as facing permission issue. Not sure what other changes are needed to the environment file. Please check
07-01-2022
12:37 PM
This 100% helped me when I was having trouble licensing a slave node to the master and receiving the same error. Copying the unencrypted key into server.conf and then restarting Splunk made all the difference.
05-11-2022
10:12 AM
2 Karma
Hi @jaracan Please execute the commands in the terminal
## Fix minimum free diskspace issue - only for lab environment not for production
echo "[diskUsage]" >> /opt/splunk/etc/system/local/server.conf
echo "minFreeSpace = 50" >> /opt/splunk/etc/system/local/server.conf
After this restart the splunk service
04-27-2022
06:53 AM
@RDAVISS That search doesn't work if you have the Splunk_SA_CIM installed because "action" will never equal "login attempt"
[audittrail]
EVAL-action = case(match(_raw,"action\=login\sattempt") AND match(_raw,"info\=succeeded"),"success",match(_raw,"action\=login\sattempt") AND match(_raw,"info\=failed"),"failure",match(_raw,"action\=add"),"created",match(_raw,"action\=delete"),"deleted",match(_raw,"action\=update"),"modified",1=1,action)
EVAL-app = if(match(_raw,"action\=login\sattempt"),"splunk",app)
Try it without action=
index=_audit "login attempt" "info=succeeded"
04-01-2022
05:50 AM
Hi @codebuilder @richgalloway, ran into this issue all of a sudden. I am using the same crcSalt=<SOURCE> parameter in my inputs.conf stanza, however it's still throwing the same error:
"File will not be read, is too small to match seekptr checksum (file=<path to file>). Last time we saw this initcrc, filename was different. You may wish to use larger initCrcLen for this sourcetype, or a CRC salt on this source. Consult the documentation or file a support case online at http://www.splunk.com/page/submit_issue for more info."
The same inputs stanza has been pushed to another UF, where the logs are flowing fine for the same path. Is there something still missing?
03-25-2022
01:20 PM
Also hit the same issue in 8.2.5, logged a new case. Note that adding the option include_reduced_buckets=t works in most cases; I've found it doesn't work when combined with PREFIX.
03-03-2022
06:12 AM
We had the same issue after upgrading to 8.2.4. Cleaning the browser cache solved the issue.
01-13-2022
01:42 PM
dbxlookup doesn't seem to work when I tried to run. The query doesn't provide any outputs when I clicked Open in Search in Data Lab/ Edit Lookup page. Both my reference search and Look SQL are working, and provide correct results when running separately.
01-11-2022
09:55 AM
How to resolve the issue if logs are rotated or compressed. How to blacklist them? Splunk is ingesting duplicate events in my org. Help me how to fix issue if logs are rotated or compressed. Highly appreciate your help.
01-10-2022
06:03 AM
Can we delete old dated .ns files from $Splunk Directory$\Splunk\var\lib\splunk\kvstore\mongo folder to increase the SH drive space...whether it will have any impact on SH performance