Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About lakshman239
lakshman239
Influencer
Member since:
07-05-2016
09-19-2025
Community Statistics
| Posts | 669 |
| Solutions | 71 |
| Karma Given | 16 |
| Karma Received | 67 |
| Member Since | 07-05-2016 |
Activity Feed
- Karma Re: Sending data from onprem splunk to cloud - SSL error for livehybrid. 05-16-2025 03:36 AM
- Posted Re: Sending data from onprem splunk to cloud - SSL error on Splunk Cloud Platform. 05-16-2025 03:35 AM
- Posted Re: Connection problems with Universal Forwarder for Linux ARM and Splunk Cloud (SSL error) on Deployment Architecture. 05-16-2025 03:35 AM
- Karma Re: Clients under Forwarding Managements as GUID and not showing actual hostnames for flakshack. 05-15-2025 06:15 AM
- Posted Sending data from onprem splunk to cloud - SSL error on Splunk Cloud Platform. 05-14-2025 10:52 AM
- Tagged Sending data from onprem splunk to cloud - SSL error on Splunk Cloud Platform. 05-14-2025 10:52 AM
- Posted Re: Connection problems with Universal Forwarder for Linux ARM and Splunk Cloud (SSL error) on Deployment Architecture. 05-14-2025 10:33 AM
- Posted Re: Enterprise security app on Splunk Enterprise Security. 03-24-2025 02:53 AM
- Posted Re: DBConnect : Unable to connect to Oracle database Network Adaptor could not establish connection on All Apps and Add-ons. 03-25-2024 02:25 AM
- Posted Re: DBConnect : Unable to connect to Oracle database Network Adaptor could not establish connection on All Apps and Add-ons. 02-29-2024 07:50 AM
- Tagged DBConnect : Unable to connect to Oracle database Network Adaptor could not establish connection on All Apps and Add-ons. 01-10-2024 07:17 AM
- Posted DBConnect : Unable to connect to Oracle database Network Adaptor could not establish connection on All Apps and Add-ons. 01-10-2024 07:16 AM
- Got Karma for Re: Asset Lookup in Malware Datamodel. 08-16-2023 08:37 AM
- Got Karma for Re: Metrics definition errors in the add-on - is fix available in future version?. 06-05-2023 01:21 AM
- Posted Re: Risk Event Timeline not working. Error: "Risk event has missing or invalid fields" on Splunk Enterprise Security. 05-16-2023 05:54 AM
- Posted Re: Migrating Splunk Enterprise Security from VM to new physical host on Splunk Enterprise Security. 04-18-2023 01:02 PM
- Posted Re: Unable to access Splunk ES? on Splunk Enterprise Security. 04-18-2023 12:57 PM
- Posted Re: Splunkcloud ES - Missing an additional field in a notable event on Splunk Enterprise Security. 04-18-2023 12:54 PM
- Posted Re: Splunkcloud ES - Missing an additional field in a notable event on Splunk Enterprise Security. 04-18-2023 12:28 PM
- Got Karma for Re: Announcing Our Splunk MVPs. 04-03-2023 10:39 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 |
05-16-2025
03:35 AM
Thanks @livehybrid The issue was at the firewall side. It was dropping packets, so the policies/rules had to applied again. Also added some useful link which i came across. https://community.splunk.com/t5/Security/ERROR-TcpOutputFd-Connection-to-host-c-9997-failed-sock-error/m-p/487895 https://splunk.my.site.com/customer/s/article/Splunk-Universal-Forwarder-is-not-sending-events-to-Splunk-Cloud
... View more
05-16-2025
03:35 AM
it was an issue with firewall rules, as it dropped packets.
... View more
05-14-2025
10:52 AM
Hi, I have installed splunk 9.4.2 on-prem and downloaded and installed the 'splunkuf' app from splunkcloud universal forwarder package. Upon restarting the splunk instance, it throws following errors. I just want to ensure the internal logs reach cloud before i configure the server with custom apps/add-ons. 05-14-2025 13:05:23.918 +0000 ERROR TcpOutputFd [2377196 TcpOutEloop] - Connection to host=18.xx:9997 failed. sock_error = 104. SSL Error = No error I have checked connectivity from on-prem instance to inputs1.*.splunkcloud.com:9997 using curl/telnet and openssl and firewall team confirmed the ports are open. Any thoughts on what I could be missing or suggestions to troubleshoot? thanks laks
... View more
Labels
- Labels:
-
configuration
-
using Splunk Cloud
05-14-2025
10:33 AM
@bengoerz - does that mean, we shouldn't SSL inspect the traffic from On-prem splunk instance to splunk cloud traffic, to avoid sock_error = 104? thx
... View more
03-24-2025
02:53 AM
@BRFZ As @livehybrid and @gargantua explained, those links and materials will help you to understand ES better at your own pace. Having said that, if you have already ingested your data sources on to Splunk ( on-prem or on to splunk cloud), your ES should be able to use those data. ES comes with number of out of box dashboards and these rely on CIM compliance of your data source. Refer to requirements here, if you plan to use any of these dashboards. Suggest reviewing your use cases and see how you can make sure of the datamodels for improved searches and triage. If you want the search results to be available in the incident review screen for triage, analysis, you would need to create/configure your detections/rules/alerts as correlation searches.
... View more
- Tags:
- es
03-25-2024
02:25 AM
The firewall request from the splunk server (e.g. HF) should be both to the actual database physical host/IPs and the SCAN host/IP server. ( if using this in the tns listener files). In a RAC setup there may be multiple IP/host, so you would need access to all of them from splunk server. Another test would be to run a nslookup on the scan ip/hostname/FQDN and if it return multiple IPs/host, submit firewall req for them as well.
... View more
02-29-2024
07:50 AM
Answering my query, as I hope this could help others. The oracle 19c RAC database had SCAN address ( Single Client Access Name ) and needed additional firewall rules from the splunk servers to actual physical oracle servers, as the jdbc driver in dbconnect needs access to it to establish connection. Once firewall rules are implemented, dbconnect worked.
... View more
01-10-2024
07:16 AM
Hi, I have following setup. Splunk HF running on 9.1.2 Splunk Dbconnect latest version - 3.15 Splunk DBX Add on for oracle DB JDBC - 2.2.0 ( has ojdbc8-21.7.0.0.jar) Configured to use JRE from Oracle's Open jdk-18.0.2 Our Oracle database is running on 19c. I have re-loaded the driver. I have verified the connectivity from the Splunk HF server to DB server via telnet/curl and connection exists ( had to open firewall). However, when I try create a connection getting errors like "IO Error: Network Adapater could not establish connection) from the internal logs. Suspected, it could be an issue with jdbc driver, so downloaded "ojdbc8-21.1.0.0.jar" from oracle and placed them under drivers folder within splunk_app_db_connect as well as in the lib folder within the DBX add-on. re-loaded the driver and I can see internal logs loading the new jar, but still same issue. Any pointers/thoughts to troubleshoot? java.sql.SQLRecoverableException: IO Error: The Network Adapter could not establish the connection (CONNECTION_ID=5gNEcEZfSnyI6PN7r2LGog==) at oracle.jdbc.driver.T4CConnection.handleLogonNetException(T4CConnection.java:892) at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:697) at oracle.jdbc.driver.PhysicalConnection.connect(PhysicalConnection.java:1041) at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:89) at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:732) at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:648) at com.splunk.dbx.service.driver.DelegatingDriver.connect(DelegatingDriver.java:25) Thanks in advance.
... View more
Labels
- Labels:
-
configuration
-
troubleshooting
05-16-2023
05:54 AM
@gabriel_vasseur @stewlarsen @marysan - Not sure if you have managed to resolve this. I had encountered the same issue and i had to change the drill-down to ensure calculated_risk_score is available in addition to all risk_* fields - https://docs.splunk.com/Documentation/ES/7.1.1/RBA/TopologyVisualization If this helps, pls mark this accepted. thx
... View more
04-18-2023
01:02 PM
Have you considered fresh ES install on the new physical server and migrate the data from your VM?
... View more
04-18-2023
12:57 PM
Has this been resolved now? Appears to be auth errors/cache clear and possible re-load/re-login could sort the issue, if it persists still.
... View more
04-18-2023
12:54 PM
Just for clarity, when the correlation search runs and produces the events/results, it should have a field 'dest' with some values. Once these events/results are written to the index=notable (can be accessed via notable macro), dest field should be there with some value, for it to appear in the Incident review screen, additional fields.
... View more
04-18-2023
12:28 PM
If you go to `notable` and search for your search, in the list of field values, are you seeing 'dest'?
... View more
09-09-2022
07:47 AM
1 Karma
As of the latest version, 1.9.2 (Jun 2022), it still fails for python3 in the upgrade readiness app. Hope app owner reviews and provides us an updated version.
... View more
03-10-2022
10:19 AM
Answering my own - Had to edit the LookupEditorhandler javascript file to TRIM the values passed to the json handler file.
... View more
03-01-2022
11:55 AM
@beano501 My recommendation would be not updating the datamodel as much as possible. One way to achieve what you are looking is to using the 'src_interface' and 'dest_interface' fields in https://docs.splunk.com/Documentation/CIM/5.0.0/User/NetworkTraffic . Populate these fields with your values from the firewall logs, which can then be used in your searches. Additionally the mapping can also be used via lookup table to enrich data as necessary. Additionally, I would also suggest you to capture all your firewalls in a lookup within the ES Assets, using appropriate values in 'category' (e.g. internal_fw, external_fw, dmzfw etc..). This would then be available both in your searches and in your datam
... View more
02-22-2022
10:29 AM
Hi,
When using lookup editor app (https://splunkbase.splunk.com/app/1724/), it allows the user to save fields with leading and trailing spaces.
Is there a plan to update the app to trim them and/or alternatively is there a quick fix, apart from user training?
thanks
laks
@Anonymous - Any thoughts pls? thx
... View more
Labels
- Labels:
-
configuration
-
using Splunk Enterprise
09-15-2021
06:20 AM
@soumyasaha25 Normally, if you have access to the UI, You should be able to move/clone the correlation search/knowledge objects (KO) from one app to another app. This would move all the dependent KO's as well. But if you have a lot to do and have access to conf files, you can copy the contents from diff apps to your new custom app and delete after testing/validation. You don't need to add import in local.meta, as you can make your app's permission to 'global/system'. ES no longer selectively imports app/TA/SA-*. You can have dispatch context as ES if you want. Test/check splunkd.logs/btool for any errors after migration and restarting the instances.
... View more
09-08-2021
05:25 AM
Something like this will do in Splunk Core or ES. index=_internal (sourcetype=splunkd OR sourcetype=scheduler) log_level="ERROR" |rex field=_raw "savedsearch=(?<mysaved_search>.+) err=" | rex field=_raw "savedsearch_id=\"(?<mysavedsearch>.+)\", message=\"Error" | stats count by host, mysaved_search You can then adjust as per your setup and perhaps setup an alert/correlation search to show you errors from macros/lookups within the correlation search in ES.
... View more
09-03-2021
06:31 AM
did this setup work in the past? If so, has there been any changes to IP/host/dns resolution and/or firewall/connectivity? looks like connectivity/resolution issue
... View more
09-03-2021
06:24 AM
stop-all running for long time does indicate an underlying issue in the cluster. Have you run the pre-check and post health checks using the latest available scripts? If not, please run them and perhaps raise a case with support attaching the output.
... View more
09-03-2021
06:11 AM
1 Karma
@SamHTexas you can look at index=_internal (sourcetype=splunkd OR sourcetype=scheduler) log_level="ERROR" to see all failures in the correlation search due to issues in macros or lookups. You can then tune the SPL as needed for your environment. Hope this helps.
... View more
09-03-2021
06:04 AM
@inayath_khanin1 The above error indicates that during the asset merge process, you have one of the 'key' entries exceeding the multi-value limit setup in the AssetFields page under 'Asset and Identity managent' UI ( you can access in the ES app via Configure -> Data enrichment -> Asset and Identity managent). Look at the all the key fields and the multi-value limit. Additionally, you can also check something like this (pick up any field you want to test, e.g. ip which has a mv limit of 6 by default |`assets` | eval my_mvcount = count(ip) | stats count by my_mvcount | where my_mvcount > 3
... View more
09-03-2021
05:34 AM
@dominikatvastli - Perhaps this could help, to understand the dependency on the datamodel for each dashboard. https://docs.splunk.com/Documentation/ES/6.6.0/Admin/Dashboardrequirements . You normally don't need to include the index=MyIndex in your eventtypes.conf, sourcetype alone will do, unless you want the index. Also, I assume the index is added to the Spunk_SA_CIM/local/macros.conf for cim_Change_indexes.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-19-2025
04:03 AM
|
Karma from
Karma given to
