Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About _joe
_joe
Contributor
Member since:
04-09-2019
09-22-2025
Community Statistics
| Posts | 99 |
| Solutions | 3 |
| Karma Given | 20 |
| Karma Received | 14 |
| Member Since | 04-09-2019 |
Activity Feed
- Posted Dynatrace Audit logs on Getting Data In. 09-22-2025 12:51 PM
- Posted Citrix NetScaler sourcetype for HEC on Getting Data In. 06-30-2025 01:15 PM
- Posted Splunk Nutanix TA and Splunk Enterprise 9.3.4 on Getting Data In. 06-04-2025 11:58 AM
- Posted Splunk Cloud compliance for zScaler TA on Splunk Cloud Platform. 02-25-2025 08:21 AM
- Posted Splunk 9x compatibility for Certificate Transparency addon on All Apps and Add-ons. 02-21-2025 05:32 AM
- Posted Re: Getting the following error on my indexers on All Apps and Add-ons. 02-03-2025 08:26 AM
- Posted CSAM Reports - 500 ERROR on Getting Data In. 02-03-2025 07:05 AM
- Posted Re: Time config incorrect on Getting Data In. 01-29-2025 03:28 AM
- Posted Time config incorrect on Getting Data In. 01-29-2025 03:27 AM
- Karma ForwardedEvents ingestion broken after update to 9.1 for PickleRick. 10-15-2024 11:23 AM
- Posted Re: Federated Search -How do I create lookup file with results? on Getting Data In. 09-04-2024 08:42 AM
- Posted Re: Federated Search -How do I create lookup file with results? on Getting Data In. 09-04-2024 05:19 AM
- Posted Disabling indexed fields for CIsco DNA on All Apps and Add-ons. 05-16-2024 12:08 PM
- Posted Re: Setup UiPath logging export on Getting Data In. 05-13-2024 12:16 PM
- Posted Setup UiPath logging export on Getting Data In. 05-13-2024 05:02 AM
- Posted SynAck logging channel on Getting Data In. 04-05-2024 05:14 AM
- Got Karma for Re: Linux UF boot-start issues and non-impacting errors on 9.0.0. 09-11-2023 03:26 PM
- Got Karma for Linux UF boot-start issues and non-impacting errors on 9.0.0. 09-11-2023 03:25 PM
- Posted Re: Why is Splunk Add-on for Microsoft Security for GCC not working? on All Apps and Add-ons. 07-20-2023 09:38 AM
- Posted Re: Why is Splunk Add-on for Microsoft Security for GCC not working? on All Apps and Add-ons. 07-20-2023 09:25 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
09-22-2025
12:51 PM
This is a comment rather than a question. Please add the ability to ingest audit logs in to the Dynatrace add-on.
... View more
Labels
- Labels:
-
scripted input
06-30-2025
01:15 PM
The current Netscaler guidance is that logs should be exported via HEC. However, it seems like the app doesn't have a sourcetype for HEC. Any guidance on that? https://docs.netscaler.com/en-us/citrix-adc/current-release/observability/auditlogs-splunk-integration.html
... View more
Labels
- Labels:
-
universal forwarder
06-04-2025
11:58 AM
Hello all Is the Nutanix TA (version 2.5.0) compatible with Splunk 9.3.4+? It is listed as such on the splunk base (https://splunkbase.splunk.com/app/3103) but when I attempted to upgrade Unable to initialize modular input "abc" defined in the app "TA-nutanix": Introspecting scheme=nutanix_health: script running failed (PID 2607550 exited with code 1)..
... View more
- Tags:
- Nutanix
Labels
- Labels:
-
heavy forwarder
-
modular input
02-25-2025
08:21 AM
Hello, Does anyone know when this app will become cloud compliant?
... View more
- Tags:
- installing
Labels
- Labels:
-
using Splunk Cloud
02-21-2025
05:32 AM
Hello, Does anyone know if there are any plans for this app to become compatible with recent versions of Splunk? It claims to be compatible with 9.4 but it is running python 2...
... View more
Labels
- Labels:
-
installation
-
upgrade
02-03-2025
08:26 AM
I think that app was removed for 9.3. What is confusing is that you said this was a new build as opposed to an upgrade - maybe you are pushing it and it shouldn't be there? https://docs.splunk.com/Documentation/SecureGateway/3.5.15/ReleaseNotes/Releasenotes
... View more
02-03-2025
07:05 AM
Hello all, I am wondering if anyone has run into an issue where they receive a "500 error" on some large reports (small reports work fine)? The only feedback I got from the cSAM admin was to add a time out value in Microsoft PowerQuery, doesn't quite seem to relate to CURL though. personal_access_token = "MyRealToken",
request_timeout_in_minutes = 10, // Specify your timeout value here
data = Table.FromRecords(
Json.Document(
Web.Contents(
csam_api_endpoint_url,
[
Headers =
[
#"Authorization"="Bearer " & personal_access_token,
#"Content-Type" = "application/json"
],
Timeout = #duration(0, 0, request_timeout_in_minutes, 0)
]
)
)
)
in
data
... View more
- Tags:
- CSAM
Labels
- Labels:
-
heavy forwarder
01-29-2025
03:28 AM
I updated it to a 4 digit year to match my logs. %d %b %Y %H:%M:%S, %Z
... View more
01-29-2025
03:27 AM
This isn't so much a question as a comment. I found that time config to be incorrect. My logs start like this: {"Time": "29 Jan 2025 03:16:30, PST", The default timestring is expecting a 2 digit year. %d %b %y %H:%M:%S, %Z Prior to the update, Splunk was stil able to figure out the time but issed the timezone parameter. In other words, if your heavy forwarder has the same timezone as your zScaler logs you would probably be fine.
... View more
Labels
- Labels:
-
modular input
09-04-2024
08:42 AM
You can use '| append [ | noop ]' as a workaround:
| from federated <>
| append [ | noop ]
| outputlookup <>.csv
... View more
09-04-2024
05:19 AM
Similar issue. There are no error logs per say. The search log shows the the output appears to be happening on the remote SH. Results written to file '/opt/splunk/etc/apps/search/lookups/mylookup.csv' on serverName=',<<remoteServerName>>
In other words, if I login to my local search head and run this and get an output of 100 entries:
| federated from:my report | outputlookup mylookup.csv
Then I run this (Again on the local search head), it will be empty:
| inputlookup mylookup.csv
... View more
05-16-2024
12:08 PM
Hello all, Just wondering if anyone else is removed index time extractions for the Cisco DNA Center Add-on (6668). I don't like that it needlessly indexes fields then resolved the duplicate-field issue by disabling KV_MODE. I was thinking of adding something like this to the app props.conf but I am still looking better options. INDEXED_EXTRACTIONS = KV_MODE=JSON SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n\[\]\,]+\s*)([\{])
... View more
Labels
- Labels:
-
configuration
05-13-2024
12:16 PM
Thanks for taking the time to respond. I guess I should have better explained that I was hoping to receive audit logs (failed logins, etc.). That is what the UiPath team here is saying that cannot put at a file location without "manual labor." We settled on a database connection.
... View more
05-13-2024
05:02 AM
Hello all, In our environment, the UiPath team doesn't seem to know how to expect the export expecting in the default inputs.conf (C:\uipath_logs). Is there any documentation that might help them?
... View more
Labels
- Labels:
-
monitor
-
universal forwarder
-
Windows
04-05-2024
05:14 AM
Hello all, SynApp: 3.0.3 OS: RHEL8 FIPS Splunk 9.0.x I configured this app and changed the index IPs in the local inputs.conf but it isn't working. Obviously there are a lot of things that could be wrong but I am really not seeing any app logging. Is there anyway to configure that? Does this app have a FIPS incompatibility? The only thing I am finding are these logs in splunkd.log: ERROR ExecProcessor [1044046 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/Synack/bin/assessment_data.py" obj, end = self.raw_decode(s, idx=_w(s, 0).end())
ERROR ExecProcessor [1044046 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/Synack/bin/vuln_data.py" json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
... View more
Labels
- Labels:
-
heavy forwarder
07-20-2023
09:38 AM
Sorry, only GCC (literally the "GCC" selection an the API input configuration). I have not had the opportunity to work with GCC high yet so I cannot confirm if it works.
... View more
07-20-2023
09:25 AM
I believe when I posted this support had not yet been added. At this time, this app does support GCC and I have gotten it working in at least one environment. My guess would be you are running into an Azure permissions issue. https://splunkbase.splunk.com/app/6207
... View more
05-04-2023
08:16 AM
Hello,
Has anyone been able to ingest Certificate Transparency logs (via Certificate Transparency Log add-on for Splunk or any other app) on Splunk Enterprise version 9?
... View more
Labels
- Labels:
-
configuration
-
development
09-13-2022
12:36 PM
Has anyone setup CIM parsing for the Akamai SIEM TA? I am assuming these events should be going to the Alerts data model, but there is almost no parsing in the app.
https://splunkbase.splunk.com/app/4310/
... View more
Labels
- Labels:
-
installation
07-29-2022
09:30 AM
I don't have a whole lot of information about this, just wanted to comment that personally I've had an issue with Burp Suite crashing Splunk. We have had to ask them to turn back the Burp Suite threads to half.
... View more
07-18-2022
05:02 AM
1 Karma
Something like this would work best: index = _internal sourcetype = splunkd component=Archiver
Archiving large_file=*
| stats count latest(size_in_bytes) by large_file
... View more
06-28-2022
11:12 AM
5 Karma
This warning got added to "known issues" for 9.0.0 Date filed Issue number Description 2022-06-23 SPL-226019 Warning appears in the universal forwarder whenever any spl command is run: Warning: Attempting to revert the SPLUNK_HOME ownership Warning: Executing "chown -R splunk /opt/splunkforwarder". This warning is expected and will not affect functionality.
... View more
06-28-2022
09:08 AM
No actually. I was trying to use the App to ingest from an onprem server which isn't even supported (Only CyberArk SaaS).
... View more
06-21-2022
06:11 AM
2 Karma
Is anyone else running into boot-start/permissions issues with the 9.0.0 UF running on Linux using init.d scripts for bootstart? Warning: Attempting to revert the SPLUNK_HOME ownership
Warning: Executing "chown -R splunk /opt/splunkforwarder" I am also finding that "./splunk disable boot-start" does not correctly remove the /etc/init.d/splunk script and, contrary to documentation, splunk UF 9.0.0 uses systemd as default. https://docs.splunk.com/Documentation/Splunk/9.0.0/Admin/ConfigureSplunktostartatboottime Also systemd scripts seem to fail getting the permissions needed even when trying to enable-boot as root. A key error I am seeing is "Failed to create the unit file" when running the install. But it seems to be a total fail. ## When upgrading (from 8.2.5)
runuser -l splunk -c "/opt/splunkforwarder/bin/splunk stop"
tar -xzvf /tmp/splunkforwarder-9.0.0-6818ac46f2ec-Linux-x86_64.tgz -C /opt
chown -R splunk:splunk /opt/splunkforwarder/
runuser -l splunk -c "/opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --no-prompt"
runuser -l splunk -c "/opt/splunkforwarder/bin/splunk status"
Warning: Attempting to revert the SPLUNK_HOME ownership
Warning: Executing "chown -R splunk /opt/splunkforwarder"
(NOTE: Seems to be non-impacting) ### When doing a new install
tar -xzvf /tmp/splunkforwarder-9.0.0-6818ac46f2ec-Linux-x86_64.tgz -C /opt
chown -R splunk:splunk /opt/splunkforwarder
[root]# sudo -H -u splunk /opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --no-prompt
Warning: Attempting to revert the SPLUNK_HOME ownership
Warning: Executing "chown -R splunk /opt/splunkforwarder"
This appears to be your first time running this version of Splunk.
IMPORTANT: Because an admin password was not provided, the admin user
will not be created. You will have to set up an admin username/password
later using user-seed.conf.
Creating unit file...
Current splunk is running as non root, which cannot operate systemd unit files.
Please create it manually by 'sudo splunk enable boot-start' later.
Failed to create the unit file. Please do it manually later.
Splunk> Now with more code!
sudo -H -u splunk /opt/splunkforwarder/bin/splunk status
Warning: Attempting to revert the SPLUNK_HOME ownership
Warning: Executing "chown -R splunk /opt/splunkforwarder"
splunkd is running (PID: 3132350).
splunk helpers are running (PIDs: 3132354). # sudo -H -u splunk /opt/splunkforwarder/bin/splunk stop
Warning: Attempting to revert the SPLUNK_HOME ownership
Warning: Executing "chown -R splunk /opt/splunkforwarder"
Stopping splunkd...
Shutting down. Please wait, as this may take a few minutes.
. [ OK ]
Stopping splunk helpers...
[ OK ]
Done.
# /opt/splunkforwarder/bin/splunk enable boot-start -user splunk
Systemd unit file installed by user at /etc/systemd/system/SplunkForwarder.service.
Configured as systemd managed service.
systemctl start SplunkForwarder.service
Job for SplunkForwarder.service failed because the control process exited with error code.
See "systemctl status SplunkForwarder.service" and "journalctl -xe" for details.
systemctl status SplunkForwarder.service
● SplunkForwarder.service - Systemd service file for Splunk, generated by 'splunk enable boot-start'
Loaded: loaded (/etc/systemd/system/SplunkForwarder.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Tue 2022-06-21 12:58:55 UTC; 27s ago
Process: 3141480 ExecStartPost=/bin/bash -c chown -R splunk:splunk /sys/fs/cgroup/memory/system.slice/SplunkForwarder.service (code=exited, status=0/SUCCES>
Process: 3141478 ExecStartPost=/bin/bash -c chown -R splunk:splunk /sys/fs/cgroup/cpu/system.slice/SplunkForwarder.service (code=exited, status=0/SUCCESS)
Process: 3141477 ExecStart=/opt/splunkforwarder/bin/splunk _internal_launch_under_systemd (code=exited, status=203/EXEC)
Process: 3141475 ExecStartPre=/bin/bash -c chown -R splunk:splunk /opt/splunkforwarder (code=exited, status=0/SUCCESS)
Main PID: 3141477 (code=exited, status=203/EXEC)
Jun 21 12:58:55 <host> systemd[1]: SplunkForwarder.service: Failed with result 'exit-code'.
Jun 21 12:58:55 <host> systemd[1]: Failed to start Systemd service file for Splunk, generated by 'splunk enable boot-start'.
Jun 21 12:58:55 <host> systemd[1]: SplunkForwarder.service: Service RestartSec=100ms expired, scheduling restart.
Jun 21 12:58:55 <host> systemd[1]: SplunkForwarder.service: Scheduled restart job, restart counter is at 5.
Jun 21 12:58:55 <host> systemd[1]: Stopped Systemd service file for Splunk, generated by 'splunk enable boot-start'.
Jun 21 12:58:55 <host> systemd[1]: SplunkForwarder.service: Start request repeated too quickly.
Jun 21 12:58:55 <host> systemd[1]: SplunkForwarder.service: Failed with result 'exit-code'.
Jun 21 12:58:55 <host> systemd[1]: Failed to start Systemd service file for Splunk, generated by 'splunk enable boot-start'.
... View more
Labels
- Labels:
-
universal forwarder
-
upgrade
06-08-2022
08:13 AM
You are correct, it is missing when you switch to kvstore. You can add it in the transforms.conf manually and it works - but any further saving to the lookup definition through the Web UI will overwrite/remove the change. A little frustrating. [lookup_definition_name] ... case_sensitive_match = 0
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-22-2025
12:49 PM
|
Karma from
Karma given to
