Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About splunkreal
splunkreal
Motivator
Member since:
05-26-2016
Online
Community Statistics
| Posts | 589 |
| Solutions | 29 |
| Karma Given | 837 |
| Karma Received | 49 |
| Member Since | 05-26-2016 |
Activity Feed
- Posted Upgrading from ES 7 to 8 on Splunk Enterprise Security. Monday
- Posted Re: Addon Builder Configuration Pages Don't Work on a Search Head Cluster on All Apps and Add-ons. Thursday
- Karma Addon Builder Configuration Pages Don't Work on a Search Head Cluster for cameronjust. Thursday
- Karma Re: How can non-admin users share content across apps globally? for eavent_splunk. a week ago
- Karma Re: Splunk ISE add on - no sourcetype=cisco:ise:syslog for hunters_splunk. a week ago
- Karma Re: Problem with connection_host = dns setting for PickleRick. a week ago
- Karma Re: Problem with connection_host = dns setting for NoSpaces. a week ago
- Karma Re: How to achieve The High availability and Disaster recovery architecture in Splunk distributed environment. for richgalloway. a week ago
- Karma Re: What are best practices for setting up a Splunk Disaster Recovery site if primary site goes down? for frmaasdam. a week ago
- Karma Re: I need to find out the high memory usage searches on the Splunk search heads for NareshKilaru. 2 weeks ago
- Karma Re: License manager / slave certificates for PickleRick. 2 weeks ago
- Posted Re: Splunk MCP for On-Prem Instances on Splunk Enterprise. 2 weeks ago
- Posted Re: License manager / slave certificates on Splunk Enterprise. 3 weeks ago
- Karma Re: License manager / slave certificates for richgalloway. 3 weeks ago
- Posted License manager / slave certificates on Splunk Enterprise. 3 weeks ago
- Karma Re: rename row1 after transpose for venkatasri. 3 weeks ago
- Karma Re: What is the difference between index time extractions and search time extractions? for nilbak1. 11-13-2025 02:26 PM
- Karma Should you add the configurations in limits.conf on universal forwarder OR indexer servers? for manjunathmeti. 11-12-2025 08:50 AM
- Karma Re: Should you add the configurations in limits.conf on universal forwarder OR indexer servers? for DMohn. 11-12-2025 08:50 AM
- Posted Re: How to configure Unviversal forwarder Props.conf for Truncate on Getting Data In. 11-12-2025 08:42 AM
Monday
Hello, Upgrading Splunk ES 7.3.2 to 8.3.0 how existing correlation searches will be converted with new RBA? Thanks.
... View more
2 weeks ago
Hello, where do you install the mcp server? On search heads? Does it work on clustered (SHC)? Thanks.
... View more
3 weeks ago
Hello, Does Splunk license slave node with default certificates can communicate with license manager that has custom CA on management port? Is there any ssl verification? Thanks.
... View more
Labels
11-12-2025
08:42 AM
Thanks @richgalloway for being so fast, so it means HF then. It seems for long json logs there is another setting to put.
... View more
11-12-2025
07:34 AM
Hello @verbal_666 on a Splunk distributed or cluster, did you apply on HF, SHC or IDX side(s) then? In our case we receive json logs from HF. @isoutamo what do you think? 🙂 Thanks for your help!
... View more
11-12-2025
07:27 AM
If we index JSON data from HF and want to extend TRUNCATE setting for long logs, should we also do it on (clustered) indexers or HF is enough? Also when looking at https://community.splunk.com/t5/Splunk-Search/Why-are-not-all-field-values-are-extracted-for-long-JSON-files/m-p/573446 it seems TRUNCATE=0 isn't enough? Thanks!
... View more
11-06-2025
02:31 AM
Hello @jkat54 noticed in splunkbase release notes "-Removed ability to specify user and pass with the command, use splunkpasswdname & splunkpasswdcontext OR token=<token> OR splunkauth=true instead." You should update the curl commands on Details tab of splunkbase app as this is misleading. For the moment using v3.1.2 could only make work using token not username/password. Getting error 401 when it works correctly with CLI curl command. I'm using "REST storage/passwords Manager for Splunk" syntax: | curl method=get uri="https://xxx/internalqueries?queryguid={3A798982-3D8F-465C-BB01-9E90CE4D3B4D}&filterguid={73B09AC4-6C...}" splunkpasswdname="api.xxx" splunkauth=f I could make it work using v3.1.0 so maybe there is a bug with latest version? Thanks for your help and thank you for this app!
... View more
Labels
- Labels:
-
administration
-
configuration
11-06-2025
01:54 AM
Hello, like username/password is it possible to hide tokens? This could help secure @jkat54 Webtools add-on. Thanks for your help!
... View more
Labels
- Labels:
-
administration
-
configuration
10-31-2025
07:42 AM
Hello @jkat54 please have a look at https://community.splunk.com/t5/All-Apps-and-Add-ons/Error-401-with-Webtools-v3-1-2-and-username-password/m-p/755264#M82473 thanks for your help!
... View more
10-30-2025
10:09 AM
Thanks @M4rv1m it works. I hope @jkat54 will add an option for that 🙂
... View more
10-29-2025
09:23 AM
Hello, in ssh CLI running Redhat linux, how to launch splunk offline on indexers and on splunk manager node, enable or disable maintenance-mode without credentials (it asks for local admin username and password)? This way we could automate OS updates by properly stop services. Thanks for your help.
... View more
Labels
10-10-2025
03:10 AM
Hi @livehybrid @PickleRick doesn't seem to work with HEC port (8088)
... View more
10-09-2025
09:12 AM
Hello, is this query valid to check incoming network traffic to heavyforwarders? index=_internal source=*metrics.log* group=tcpin_connections (host=s*HF*) | eval mb=floor(kb/1024) | timechart sum(mb) as mb span=5min useother=f usenull=f by host Thanks.
... View more
Labels
10-09-2025
07:46 AM
Hi @livehybrid yes it's http, do you use it on SHC cluster? We are using v1.1.5 FYI
... View more
10-09-2025
06:42 AM
Hello, is Splunk opencti addon compatible on Splunk cluster (shc)? From 2/3 search heads we are getting this error: "2025-10-09 16:22:56,618 ERROR pid=31312 tid=MainThread file=base_modinput.py:log_error:309 | Error in ListenStream loop, exit, reason: HTTPSConnectionPool(host='sXXX.XXX.XXX', port=8080): Max retries exceeded with url: /stream/4484559f-66f8-4107-9afc-1d9c141377fb?recover=2025-07-22T10:27:24Z (Caused by SSLError(SSLError(1, '[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:1143)')))" Even if we are not configured as SSL. Thanks.
... View more
Labels
- Labels:
-
other
09-22-2025
06:06 AM
1 Karma
Hello, we disabled sources which were not available anymore and it's ok now. Support told us provider subscriptions are now required.
... View more
09-03-2025
07:28 AM
Hello guys, since 08/20/2025 we have issues in ES downloading these feeds from Splunk servers. When we try with curl then it doesn't return any data. No error. We use proxy. Thanks for your help! phishtank https://data.phishtank.com/data/online-valid.csv.gz iblocklist_piratebay https://list.iblocklist.com/?list=nzldzlpkgrcncdomnttb iblocklist_web_attacker https://list.iblocklist.com/?list=ghlzqtqxnzctvvajwwag iblocklist_tor https://list.iblocklist.com/?list=tor iblocklist_logmein https://list.iblocklist.com/?list=logmein iblocklist_proxy https://list.iblocklist.com/?list=bt_proxy iblocklist_rapidshare https://list.iblocklist.com/?list=zfucwtjkfwkalytktyiw mozilla_public_suffix_list https://publicsuffix.org/list/effective_tld_names.dat
... View more
07-25-2025
09:09 AM
Hello @kiran_panchavat @Rhidian maybe we could filter special characters with REGEXP_REPLACE(sql_text… in the SQL query? Thanks.
... View more
06-26-2025
08:36 AM
Hello @livehybrid looks like the json is from Vector agent to Kafka, that's why we may end up with json or is it possible to convert json to raw log in Splunk?
... View more
06-18-2025
05:44 AM
Thanks @livehybrid then Splunk should parse correctly fields for addons? Do you mean _raw will be the original event from source host and sending to targered index/sourcetype?
... View more
06-18-2025
05:14 AM
Hello, is it possible in Splunk HEC from Kafka to receive raw events on HF in order to parse fields with addons? It seems we can only receive json data with "event" field and may not be able to extract fields within standard addons? The HEC event may also contain target index and sourcetype. Thanks.
... View more
Labels
06-05-2025
07:45 AM
Hello, I put this regex on SHC inline extraction : "<(?<pri>\d+)>1\s(?<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?[+-]\d{2}:\d{2})\s(?<hostname>[^\s]+)\s(?<appname>[^\s]+)\s(?<procid>[^\s]+)\s(?<msgid>[^\s]+)\s(?<structured_data>\S+)\s(?<json_msg>\{.*\})" however json_msg needs | spath input=json_msg Is it possible to auto extract fields contained in json_msg to avoid adding | spath input=json_msg at search time? Thanks.
... View more
Labels
- Labels:
-
inputs.conf
-
props.conf
-
syslog
-
transforms.conf
05-16-2025
12:24 AM
Hello @dshpritz looks like this is "officially" documented at https://splunk.my.site.com/customer/s/article/How-To-Use-Wildcards-with-Sourcetype
... View more
Contact Me
| Online Status |
Online
|
| Date Last Visited |
Tuesday
|
Karma given to
