That sounds great, @PickleRick how long can the REGEX string be? and is there any way to "beautify" it instead of using constant pipes "|" so it's more readable? ... View more

Hi @livehybrid , Thank you for the great response. It seemed to have been a simple typo on my side. Do you know how I could rework this REGEX to work for multiple phrases (about 50 or so)? Is it best practice to do it all in one REGEX statement or split it into multiple transforms.conf stanzas? ... View more

Thank you so much @alacercogitatus, I installed it, and Vault data is being streamed in. One thing I don't understand is how do they relate to each other? Should I switch all sourcetypes to https://splunkbase.splunk.com/app/5498 or keep only Vault on this one? ... View more

It sounds like you want to restrict users to a specific, pre-filtered view in Service Analyzer and prevent them from removing or changing those filters. To clarify, Service Analyzer itself is a single app that displays all services in ITSI, and filters applied through the UI are generally user-controlled. Teams and roles in ITSI control access to services and KPIs, but they don’t inherently restrict filter controls within Service Analyzer. Some questions to better understand your setup: Are you using ITSI Teams and roles to limit users’ permissions on specific services and KPIs? How are you creating and sharing these filtered Service Analyzer views? Are these saved as bookmarks or dashboards? Have you explored the “Service Visibility” settings in ITSI to restrict what services users can see? Are users accessing Service Analyzer via direct URL with filters applied, or through the main ITSI navigation? Getting clarity on these points can help determine if the behavior is expected or if additional permission configurations are needed. If this helps, some karma would be appreciated! ... View more

A few questions to better understand your issue: When you get the “Could not save ServiceNow settings” error, are there any detailed error messages or logs from Splunk? Have you verified the new password works by testing the ServiceNow API directly outside of Splunk? Is the service account still active and has the required permissions to update incidents via the API? Were there any recent changes in Splunk or ServiceNow configurations related to this integration? Answers to these will help pinpoint the cause. ... View more

Hi Moh, For advanced Windows Server and Active Directory/DC monitoring using Splunk, here are some best practices and resources to consider: Use the Splunk Add-on for Microsoft Windows: This add-on collects detailed Windows event logs and includes CIM-compliant field extractions. It’s a solid foundation for monitoring Windows servers and AD/DC events. Tuning Inputs: Focus on critical event channels related to AD and DC, such as: Security (Event IDs like 4624, 4625, 4768, 4769 for logon/logoff and Kerberos authentication) Directory Service (Event IDs like 1000-1999) DNS Server (if applicable) Sysmon (if installed) for detailed process and network monitoring Filtering noisy or less relevant events can improve performance and clarity. GUID/SID Translation: Splunk doesn’t natively translate GUIDs/SIDs, but you can: Use lookups with exported Active Directory data to map SIDs/GUIDs to usernames or group names. Leverage PowerShell scripts to export AD user/group info on a schedule and ingest into Splunk. Consider the “Identity” and “User Behavior Analytics” apps if you have Splunk UBA for advanced identity correlation. Advanced Use Cases: - Monitor unusual logon patterns and account lockouts. - Detect changes to group memberships, privileged account usage. - Track replication issues and AD health events. - Correlate DNS and Kerberos events for authentication troubleshooting. Additional Resources: Splunk Add-on for Microsoft Windows Documentation Splunk Security Use Cases Splunk App for Windows Infrastructure These can help accelerate your AD/DC monitoring with pre-built dashboards and searches. Hope this helps! Feel free to ask if you need specifics on any of these areas. If this helped, some karma would be appreciated! ... View more

Currently, Synthetic Browser Tests in Splunk APM don’t provide a built-in way to clear the browser cache, cookies, or session data between individual Steps within the same monitor. Your workaround of creating separate monitors for each step is a common approach but, as you mentioned, it can be tedious and harder to maintain. Here are a couple of alternative suggestions you might consider: Use JavaScript in the Step to clear cookies and local storage: You can try running JavaScript at the start of each step to clear cookies and local storage, like this: document.cookie.split(";").forEach(function(c) { document.cookie = c.trim().split("=")[0] + "=;expires=Thu, 01 Jan 1970 00:00:00 UTC;path=/;"; }); localStorage.clear(); sessionStorage.clear(); This might help clear session data, but it doesn’t fully clear browser cache for static assets. Separate Monitors with Scheduled Runs: While more maintenance-heavy, scheduling multiple monitors with one step each allows each browser instance to start fresh, ensuring accurate Lighthouse scores. Feature Request / Support: Consider submitting a feature request to Splunk support or your customer success team for native support of cache clearing between steps. This could be a valuable enhancement for Synthetic testing workflows. Hope this helps! If you find a better solution or workaround, sharing it here would be appreciated. If this helped you, some karma would be appreciated! ... View more

As @livehybrid said, Debian 13 isn’t listed as a supported OS for Splunk Enterprise 10.0, so this incompatibility with newer OpenSSL versions could be the cause of the issue. It’s recommended to raise a support request at https://splunk.com/support so Splunk can address it in a future minor release. If this helps, some karma would be appreciated! ... View more

You can find Splunk's internal error and system logs in the following default locations, depending on your OS: 1. Main log file – splunkd.log This is the primary log for internal errors, warnings, and events. Default paths: Linux: /opt/splunk/var/log/splunk/splunkd.log Windows: C:\Program Files\Splunk\var\log\splunk\splunkd.log You can also search this log in Splunk using: index=_internal sourcetype=splunkd 2. Other useful log files (same directory): web_service.log – Web interface issues scheduler.log – Scheduled searches and jobs metrics.log – Performance metrics python.log – Scripted inputs and Python errors audit.log – User actions and security events If this helped you, some karma would be appreciated! ... View more

Sounds great @richgalloway , how would the reload command would look like? ... View more