An error occurred while installing the app: 500 means that the app you are trying to install from Splunk Web has a different file owner/permission from the user being used. Change the app owner to the owner running splunkd: SSH into the server and run chown -R your_splunk_user:your_splunk_group $SPLUNK_HOME/etc/apps/app_name
- Go to Settings > All configurations and search for your data model constraint macro, e.g. cim_Malware_indexes.
- Edit the macro definition from "()" to "(index=*)" and save the macro.
- Go back to the data model constraint, remove any additional info not included in the original constraint "(`cim_Malware_indexes`) tag=malware tag=attack", and save the data model.
- Go back to the macro and revert "(index=*)" to "()".
Your data model should now have (`cim_Malware_indexes`) tag=malware tag=attack as its constraint.
If this error is being generated on the cluster master, go to Settings > Distributed Peers and verify the health of the indexers; it's possible that the remote credentials have expired or have changed. Click on each of the peer nodes and re-authenticate. This should fix the issue.
Here's how I filtered out the splunk events for event code 4688
blacklist3 = EventCode="4688" Message="(?:New Process Name:).+(?:splunk)"
blacklist4 = EventCode="4688" Message="(?:New Process Name:).+(?:splunk-netmon.exe)"
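As an added illustration (not the poster's code), the two blacklist lines above evaluated in Python against constructed 4688 events. It assumes Splunk applies each key's regex as an unanchored, case-sensitive search, which is the only reading under which the posted patterns can hit a Message that starts with "A new process has been created."; parse_blacklist, matching_rule, kept_event_ids and the sample events are all made up here.

```python
import re

# The posted blacklist entries, copied into a dict (constructed, not read from a live inputs.conf).
BLACKLIST = {
    "blacklist3": 'EventCode="4688" Message="(?:New Process Name:).+(?:splunk)"',
    "blacklist4": 'EventCode="4688" Message="(?:New Process Name:).+(?:splunk-netmon.exe)"',
}

# key="regex" pairs; a regex value may itself contain escaped quotes.
PAIR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_blacklist(value):
    """Turn one blacklist value into {field: compiled regex}."""
    return {field: re.compile(rx) for field, rx in PAIR_RE.findall(value)}


def matching_rule(event, blacklist=BLACKLIST):
    """Name of the first rule whose field regexes all match the event, else None.

    Assumption: unanchored, case-sensitive search per field (re.search).
    """
    for name, value in blacklist.items():
        rule = parse_blacklist(value)
        if all(field in event and rx.search(event[field]) for field, rx in rule.items()):
            return name
    return None


# Constructed sample events, trimmed to the fields the rules inspect.
SAMPLE_EVENTS = [
    {"id": "ev1", "EventCode": "4688",
     "Message": "A new process has been created.\n\nNew Process Name:\tC:\\Program Files\\Splunk\\bin\\splunkd.exe"},
    {"id": "ev2", "EventCode": "4688",
     "Message": "A new process has been created.\n\nNew Process Name:\tC:\\Windows\\System32\\cmd.exe"},
    {"id": "ev3", "EventCode": "4688",
     "Message": "A new process has been created.\n\nNew Process Name:\tC:\\Program Files\\Splunk\\bin\\splunk-netmon.exe"},
    # Same binary but a 4689 exit event: the EventCode regex fails, so the event is kept.
    {"id": "ev4", "EventCode": "4689",
     "Message": "A process has exited.\n\nProcess Name:\tC:\\Program Files\\Splunk\\bin\\splunkd.exe"},
    # Only the directory is named Splunk (capital S): (?:splunk) is case-sensitive, so this is kept.
    {"id": "ev5", "EventCode": "4688",
     "Message": "A new process has been created.\n\nNew Process Name:\tC:\\Splunk\\bin\\btool.exe"},
]


def kept_event_ids(events=SAMPLE_EVENTS, blacklist=BLACKLIST):
    """IDs of the events that survive the blacklist, in input order."""
    return [e["id"] for e in events if matching_rule(e, blacklist) is None]
```

As the sample shows, blacklist3 already drops every 4688 whose process path contains the lowercase string splunk, so blacklist4 never gets a chance to fire; it only adds value if blacklist3 is removed. The same unanchored match also drops any unrelated process whose path happens to contain that substring, which is worth checking before relying on the filter for 4688 coverage.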