Activity Feed
- Posted Re: Do we need to run an indexer rolling restart when getting new HEC data stream? on Getting Data In. a week ago
- Posted Re: How to configure the load balancer to handle HEC data? on Getting Data In. a week ago
- Karma Re: Is saturation level fine as a preparation for additional HEC data stream? for livehybrid. a week ago
- Posted Do we need to run an indexer rolling restart when getting new HEC data stream? on Getting Data In. a week ago
- Posted How to configure the load balancer to handle HEC data? on Getting Data In. a week ago
- Posted Is saturation level fine as a preparation for additional HEC data stream? on Splunk Enterprise. a week ago
- Posted Integration between Confluent and Splunk on Getting Data In. a month ago
- Karma Re: What app can execute the btool command on the cloud? for livehybrid. a month ago
- Posted What app can execute the btool command on the cloud? on Splunk Cloud Platform. 02-25-2025 10:07 AM
- Tagged What app can execute the btool command on the cloud? on Splunk Cloud Platform. 02-25-2025 10:07 AM
- Posted Re: Why don't I see my three Splunk servers via the rest call? on Splunk Search. 02-17-2025 08:42 AM
- Karma Re: Why don't I see my three Splunk servers via the rest call? for richgalloway. 02-16-2025 11:03 AM
- Karma Re: Why don't I see my three Splunk servers via the rest call? for isoutamo. 02-16-2025 11:03 AM
- Posted Why don't I see my three Splunk servers via the rest call? on Splunk Search. 02-14-2025 09:33 AM
- Posted Re: How to I retrieve proofpoint data? on Getting Data In. 02-11-2025 10:08 AM
- Posted Re: How to I retrieve proofpoint data? on Getting Data In. 02-11-2025 10:08 AM
- Karma Re: How to I retrieve proofpoint data? for gcusello. 02-11-2025 09:43 AM
- Karma Re: How to I retrieve proofpoint data? for PickleRick. 02-11-2025 09:42 AM
- Posted Re: How to I retrieve proofpoint data? on Getting Data In. 02-10-2025 10:26 AM
- Karma Re: How to I retrieve proofpoint data? for gcusello. 02-10-2025 10:24 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
a week ago
Great @livehybrid, "If you are using config files to create your HEC tokens", what are my options on-prem to configure the HEC token?
... View more
a week ago
Very interesting @livehybrid, how do I check whether indexer acknowledgment is in place?
... View more
a week ago
We are transitioning from getting the HEC data through HFs to getting it directly to the indexers and we are wondering if upon introducing a new data source are we forced to do an indexer rolling restart.
... View more
Labels
- Labels:
-
indexer
a week ago
We are in a transition from sending the data through HFs to sending the data directly to the indexers and we wonder how to configure the load balancer to handle this HTTP data. My understanding is that HTTP is based on TCP and TCP is connection based and therefore we can lock the sender to a particular indexer which would lead to an uneven distribution of the load, any suggestions?
... View more
Labels
- Labels:
-
configuration
a week ago
For our indexers, we see the following under 'Storage I/O Saturation (Mount Point)' - 0.90% (/opt/splunk) 6.56% (/indexing/splunk_cold) We have 14 indexers with roughly the same saturation levels and I wonder if it's healthy. We would like to direct the HEC data straight to the indexers (instead of going through the HFs) and therefore I wonder if at the I/O level we are ready.
... View more
- Tags:
- saturation
Labels
- Labels:
-
using Splunk Enterprise
a month ago
We were told the following - Confluent Vendor has provided the Telemetry URL to configure in the Splunk's Open Telemetry collector to push the metrics from Confluent to Splunk. Is this the right Integration between Confluent and Splunk, meaning via the Open Telemetry Collector (OTEL)?
... View more
Labels
- Labels:
-
HTTP Event Collector
02-25-2025
10:07 AM
I was told that there is an app that can run the btool command on cloud instances. Does anybody know the name of this app?
... View more
- Tags:
- app
Labels
- Labels:
-
Splunk Investigate
-
using Splunk Cloud
02-17-2025
08:42 AM
Thank you @isoutamo, when trying to put the HF as a search peer in the SH and it gives this error - Encountered the following error while trying to save: Status 401 while sending public key to search peer https://<ip>:8089: Unauthorized
... View more
02-14-2025
09:33 AM
I'm running the following command - | rest /services/server/sysinfo And it shows the indexer and the search head but not the heavy forwarder. What can it be?
... View more
- Tags:
- rest-call
02-10-2025
10:26 AM
Thank you @gcusello. Our Proofpoint account manager said the following - "There is an API but no mail flow API so Splunk wouldn't have anything on the Essentials side. Enterprise side - Remote Syslog gets them all sorts of mail flow details! Having said that, the only way to get an integration with Splunk would be to upgrade from Essentials to our Enterprise email." Is there a way to get the Proofpoint data without an upgrade?
... View more
02-05-2025
09:16 AM
I see multiple Tenable Apps and TAs in Splunkbase, which one should I use to get Tenable data in?
... View more
- Tags:
- Tenable Integration
02-03-2025
08:30 AM
Looking at Splunk base, and there are quite a lot of Proofpoint apps/TAs, which one should I install in order to connect to the Proofpoint endpoint and receive the data?
... View more
- Tags:
- app
Labels
- Labels:
-
data
02-03-2025
07:34 AM
I see multiple versions of the inputs.conf Visio stencil however I'm looking for props.conf and transforms.conf ones. Anybody knows anything?
... View more
- Tags:
- stencils
01-28-2025
10:30 AM
Introspection seems to give me the data.mount_point only for "/" and not for the other file systems that I can see via the Linux "df -kh" command. How come?
... View more
01-28-2025
08:55 AM
Thank you @isoutamo, I changed the global setting to HTTPS and it works perfectly fine. I just don't understand how it works, doesn't the sender need the public key? how does it work?
... View more
01-26-2025
01:11 PM
What do I need to change in order to convert HEC on HTTP to HEC on HTTPS?
... View more
- Tags:
- hec via https
Labels
- Labels:
-
HTTP Event Collector
01-21-2025
08:13 AM
At the moment, our tiny indexer has very little disk space and _introspection consumes roughly GB of storage a day, is there a way to minimize the space consumed by the index besides making the retention very short?
... View more
- Tags:
- _introspection
Labels
- Labels:
-
Linux
01-17-2025
09:00 AM
Great, so how do I configure the SH to send uncooked data?
... View more
01-17-2025
08:50 AM
I got it, however, I'm setting these three machines and I would like the HF to send cooked data while the SH should send uncooked data to the indexer. Based on what you're saying, it appears that whenever we forward the data, it is already cooked, is it right?
... View more
01-17-2025
08:38 AM
That's great, but what defines in the configurations an HF to be an HF?
... View more
01-17-2025
08:17 AM
It's not clear to me how indexAndForward works, the documentation says - "Set to 'true' to index all data locally, in addition to forwarding it." Does it mean that the data is being indexed in two places? if so, what should we do to produce cooked data AND forward it to the indexer?
... View more
- Tags:
- indexandforward
Labels
- Labels:
-
distributed search
01-17-2025
07:37 AM
We have a case where we can search and find events that match the search criteria. The client would like to see the events that are prior in time to the one that we matched via the SPL. Can we do that?
... View more
Labels
- Labels:
-
subsearch
01-14-2025
09:41 AM
Thank you for your insight. I do see it via https://<indexer>:8089
... View more
