Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About splunkreal
splunkreal
Influencer
Member since:
05-26-2016
Thursday
Community Statistics
| Posts | 621 |
| Solutions | 31 |
| Karma Given | 879 |
| Karma Received | 50 |
| Member Since | 05-26-2016 |
Activity Feed
- Karma Re: UF directories structure for PickleRick. Thursday
- Posted UF directories structure on Splunk Enterprise. Thursday
- Karma Re: Stable Splunk 10 for livehybrid. Tuesday
- Posted Stable Splunk 10 on Splunk Enterprise. Monday
- Karma Re: Lookup Editor: Won't save edits after update to Splunk (Cloud) 8.0. for LukeMurphey. a week ago
- Karma Re: Has anyone come across this warning below in Splunk Web? for PaulPanther. a week ago
- Karma Why are events are not displayed in the search results because _raw fields exceed the limit of 16777216 characters? for ssuluguri. a week ago
- Karma Re: Why are events are not displayed in the search results because _raw fields exceed the limit of 16777216 characters? for woodcock. a week ago
- Posted Intermediate findings in analyst queue ES v8.3 on Splunk Enterprise Security. 2 weeks ago
- Karma Re: Renewing server.pem certificate for harsmarvania57. 2 weeks ago
- Posted Re: Wrong host license usage report / squash_threshold on Monitoring Splunk. 2 weeks ago
- Posted Wrong host license usage report / squash_threshold on Monitoring Splunk. 2 weeks ago
- Karma Re: Changing root CA / server certificates on cluster for PickleRick. 3 weeks ago
- Posted Re: How do I get a list of all my lookups with their file size? on Splunk Search. 3 weeks ago
- Posted Re: Changing root CA / server certificates on cluster on Splunk Enterprise. 3 weeks ago
- Karma Re: Changing root CA / server certificates on cluster for kknairr. 3 weeks ago
- Posted Re: Changing root CA / server certificates on cluster on Splunk Enterprise. 3 weeks ago
- Karma Re: Changing root CA / server certificates on cluster for PickleRick. 3 weeks ago
- Got Karma for kvstore backup failing with pointintime on SHC. 3 weeks ago
- Posted Re: kvstore backup failing with pointintime on SHC on Splunk Enterprise. 3 weeks ago
Thursday
Hello, On UF I've seen that we put pem certificates in etc/apps/myapp/default/data On our servers however I've seen something like etc/apps/myapp/data Are there rules or both are ok? (they are working but are they best practices?) Thanks!
... View more
Labels
Monday
Hello, which Splunk 10 version is stable? I've seen there is 10.2 and before 10.0, what happened to 10.1? Also I saw 10.0.4 was released recently, why? Thanks.
... View more
Labels
2 weeks ago
Hello, us there still Intermediate findings column for findings in analyst queue for Event based detections? Thanks.
... View more
Labels
- Labels:
-
administration
-
installation
2 weeks ago
squash_threshold = <positive integer> * Periodically the indexer must report to license manager the data indexed broken down by source, sourcetype, host, and index. If the number of distinct (source, sourcetype, host, index) tuples grows over the 'squash_threshold', the (host, source) values are squashed and only a breakdown by (sourcetype, index) is reported. This is to prevent explosions in memory + license_usage.log lines. * This is an advanced setting. Set it only after consulting a Splunk Support engineer. * This needs to be set on license peers as well as the license manager. * Default: 2000
... View more
2 weeks ago
Hello, if you have license usage error when running a query on license logs, it can be based on Splunk server.conf setup.
... View more
Labels
- Labels:
-
license usage
-
monitoring console
3 weeks ago
Hello @bowesmana had some errors, this way is more reliable but from ssh : find /OPT/splunk/etc/apps -type f -path "*/lookups/*" -exec du -h {} \; | sort -h
... View more
3 weeks ago
Hello @kknairr thanks for detailed explanation, especially sslRootCAPath, no need to put all rootCAs in single file but in the directory then?
... View more
3 weeks ago
Hello @PickleRick thanks, do you mean using sslRootCAPath? By default ssl verify is disabled so is it necessary? Thanks.
... View more
4 weeks ago
1 Karma
Hello, running "splunk backup kvstore -pointInTime true" on SHC member or captain doesn't create kvstore .tar.gz - it works with pointInTime = false We can see this error in logs in splunkd.log : ERROR MongodRunner [57705 KVStoreBackupThread] - Failed to create PKCS1 certification for Mongo CLI tools INFO MongodRunner [57705 KVStoreBackupThread] - PKCS1 Certificate already exists INFO MongodRunner [57705 KVStoreBackupThread] - Private key password changed. Creating a new PKCS1 Certificate ERROR MongodRunner [57705 KVStoreBackupThread] - Failed to create PKCS1 certification for Mongo CLI tools INFO MongodRunner [57705 KVStoreBackupThread] - PKCS1 Certificate already exists INFO MongodRunner [57705 KVStoreBackupThread] - Private key password changed. Creating a new PKCS1 Certificate ERROR MongodRunner [57705 KVStoreBackupThread] - Failed to create PKCS1 certification for Mongo CLI tools INFO MongodRunner [57700 MongodLogThread] - mongod exited normally (exit code 0, status: PID 57701 exited with code 0). in /var/lib/splunk/kvstorebackup/ empty kvdump_... Thanks for your help.
... View more
Labels
4 weeks ago
Hello, we will need to change root CA/server certificates on all our splunk cluster, forwarders will also be affected. Also we use TCP-SSL on our HF with various network appliances, I guess they will be affected? Is there good practice or guideline that you could provide? Thanks for your help.
... View more
Labels
4 weeks ago
Hello @BuzzLights10 did you get your answer? If yes could you provide your SPL query? 😊
... View more
a month ago
Hello @andrew_nelson it looks complicated, is it supported by Splunk using this method?
... View more
02-04-2026
08:49 AM
Hello, in Splunk Enterprise Security cluster how to export content like macros and lookup files (csv) from one environment (clustered production) to another one (clustered pre-production) using best practice? This documentation https://help.splunk.com/en/splunk-enterprise-security-7/administer/7.3/managing-content/export-content-from-splunk-enterprise-security-as-an-app doesn't talk about cluster.
... View more
Labels
02-02-2026
03:36 AM
Solution : add Mozilla/5.0 to user agent in configuration screen of the feeds.
... View more
02-02-2026
03:36 AM
Hello, several threat feeds can fail to download like Sans or Icann.
... View more
Labels
01-30-2026
05:55 AM
Hi @gcusello same issue here but we can't share all fields globally just for cim vladiator, is there any solution? Thanks!
... View more
- Tags:
- cim
01-25-2026
06:36 AM
Hello, interesting subject, I guess we can work with server.conf sslRootCAPath setting to include old and new root CA? @mdsnmss @harsmarvania57
... View more
01-20-2026
09:01 AM
Hello, if we have adaptive response in ES7 (using third party addon like https://splunkbase.splunk.com/app/5329), is it automatically recreated when upgrading to ES8? Any compatibility issue? Thanks.
... View more
Labels
01-20-2026
08:58 AM
Hello @Bubbleob sorry for late response, using https://splunkbase.splunk.com/app/5329
... View more
01-19-2026
07:39 AM
Hello, is it possible to push/upgrade a SHC app to single search head for testing, in a production cluster? Thanks.
... View more
Labels
- Labels:
-
deployer
-
search head clustering
01-15-2026
02:16 AM
In ES8 Analyst queue : NOT rule_title=*Activity*
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
Thursday
|
Karma given to
