Thank you!  ... View more

You have a thread from 2020 that states they fixed their problem.  I am pretty sure the reason the solution works is similar to what I am going to suggest here.  I have found (no scientific evidence to support it) that sometimes the conf files just seem to be buggered and if reset them, it starts to work.  I swear the settings are the same before the reset and after, but for some reason it works.  Maybe it's voodoo or whatever, but it has worked for me in the past. Here is a breakdown of quickly resetting the configurations that you need The warning suggests the SH is trying to query a non-existent or misconfigured search peer, possibly due to stale or incorrect settings in outputs.conf or related configuration files. Resetting outputs.conf clears any corrupted or conflicting settings (e.g., incorrect server names, ports, or SSL configurations) that might be preventing the SH from recognizing the IDX as a valid peer. Restarting Splunk ensures a clean state, and re-adding the peer re-establishes the connection with fresh, verified settings. Steps to Reset and Reconfigure Back Up Configuration Files: Before making changes, back up your Splunk configuration files to avoid losing custom settings. On the Search Head, copy the $SPLUNK_HOME\etc\system\local directory (e.g., C:\Program Files\Splunk\etc\system\local) to a safe location (e.g., C:\SplunkBackup). Delete or Rename outputs.conf: Navigate to $SPLUNK_HOME\etc\system\local on the Search Head (e.g., C:\Program Files\Splunk\etc\system\local). Locate outputs.conf. If it exists, rename it to outputs.conf.bak (or delete it if you’re sure no critical settings are needed). Note: If outputs.conf is in an app directory (e.g., $SPLUNK_HOME\etc\apps\<app_name>\local), check there too and rename/delete it. This ensures Splunk starts with default output settings, clearing any misconfigurations. Restart Splunk on the Search Head: Open a Command Prompt as Administrator on the Windows SH host. Navigate to $SPLUNK_HOME\bin (e.g., cd "C:\Program Files\Splunk\bin"). Run: splunk restart This restarts the Splunk service, applying the reset configuration. Verify Indexer Configuration: Ensure the Indexer is configured to receive data on the correct port (default: 9997). On the Indexer, check $SPLUNK_HOME\etc\system\local\inputs.conf for a [splunktcp://9997] stanza: ini   [splunktcp://9997] disabled = 0 If missing, add it and restart the Indexer (splunk restart). Confirm port 9997 is open: netstat -an | findstr 9997 (should show LISTENING). Reconfigure the Search Peer: On the Search Head, log into the Splunk Web UI as an admin. Go to Settings > Distributed Search > Search Peers. Remove the existing Indexer peer (select the IDX and click Remove). Add the Indexer as a new peer: Click Add New. Enter the Indexer’s details: Peer URI: https://<Indexer_IP>:8089 (e.g., https://192.168.1.100:8089). Authentication: Use the SH admin credentials or a pass4SymmKey (if configured in distsearch.conf). Replication Settings: Ensure settings match your setup (usually default). Save and wait for the status to show Healthy. Alternatively, use the CLI: cmd   splunk add search-server https://<Indexer_IP>:8089 -auth <admin>:<password> -remoteUsername <admin> -remotePassword <password> Test the Search: Run your search again from the SH: index=_internal. Verify results are returned without the warning. Check the Monitoring Console (Settings > Monitoring Console > Search > Distributed Search Health) to confirm the peer is active and responding. Additional Tips Check Network Connectivity: Ensure the SH can reach the IDX on port 8089 (management) and 9997 (data). Run: telnet <Indexer_IP> 8089 and telnet <Indexer_IP> 9997 from the SH host. If blocked, check Windows Firewall or network settings. Verify SSL Settings: If using SSL, ensure distsearch.conf on the SH and inputs.conf on the IDX align (e.g., ssl = true). Check $SPLUNK_HOME\var\log\splunk\splunkd.log on both hosts for SSL errors. Confirm Splunk Versions: Your SH and IDX should be on compatible versions (e.g., SH 8.2.2.1 or newer, IDX same or older). Run splunk version on both to confirm. If mismatched, upgrade the SH first. Debug Logs: If the issue persists, check $SPLUNK_HOME\var\log\splunk\splunkd.log ... View more

This link will help only if you are using Splunk Enterprise, what about if you are on Splunk Cloud? ... View more

Hi, Did you find what was wrong ? I have a similar behaviour : curl with ssl to send HEC events works fine, but from a python app, not so well :   Socket error while idling: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number   Any idea ? Thanks Ema ... View more

@triest  : Is your issue is resolved. I also have same issue. If it is fixed, please share the steps. ... View more

Hey @jyzhou , did you find the solution? If yes then can you please share? I am facing the exact same issue. ... View more

I always wondered why that old syntax even worked.  Turns out it should NOT have worked! ... View more

@Susha  you can use a rest search to get list of saved searches that includes all your alerts & reports. Use the below search to get the disabled alerts & reports. | rest /servicesNS/-/-/saved/searches splunk_server="local" | search disabled=1 | table title author eai:acl.app updated  Similarly you can use another rest search to get all the views | rest /servicesNS/-/-/data/ui/views splunk_server="local" | table title author eai:acl.app updated     -- Hope this helps ... View more

Do you have any idea how to fix that ? ... View more

@SplunkDash  How are you onboarding this data? If you are onboarding this data from a remote server using UF, you should place the props.conf on the remote server to extract the fields. Its always better to test the extraction using UI i.e. settings -> Add Data -> upload -> choose psv as sourcetype. Once you are ok with extraction, copy the parameters deploy it over to the UF. If this psv file does not has a header file, you need to mention the fields as well in the props.conf.   -- Hope this helps. ... View more

Also, when you clone the group I believe you have to re-enter the bindDN password. ... View more

Hi as @timsheets13 @said it’s best practices to use full or relative paths on those file names like ./dir/file.csr instead of file.csr r. Ismo   ... View more

@AishwaryaDevi  If I understand your problem correctly, you want to search login data in splunk for the users in your spread sheet. If not pls elaborate your use case ... View more

@ashwath4k    You can create a scripted input from UI. I assume you have UI enabled on this HF. Please follow the below path to create the scripted input. Settings -> Data Inputs -> Scripts -> New Local Script   Fill the required parameters and save the input.   -- Hope this helps ... View more

@rahul2gupta    This is not related to disk space. You need to increase the concurrent searches limit on the role/user level.  By default the user has a limit 3 standard searches.    -- Hope this helps. ... View more

thank you ... View more

@dm1  If the csv file generated from the search has duplicate rows, indexer will index them as is. You need to remove duplicates in your search. Please try this out. index=abc |fields _time _raw |fields - _indextime _sourcetype _subsecond | dedup field_names* |outputcsv abc_dns   -- Hope this helps ... View more

First I apologize for having any "attitude" around this. From the little I have read, this is a problem that has been around for at least 3 years. And from what I have read, the Splunk techs have not repaired. If I am mistaken and they have, please advise. Otherwise, read on. The solutions I have read about clicking the search instead and exporting from there is not REALLY a solution. The reason for using a base search, at least from my POV, is to speed up the displaying of data on a dashboard with multiple panels. Having to open a separate search tab for each panel defeats the purpose of using a base search because each 5, 10, 15, 20 min+ search has to run all over again.  The other workaround of using saved searches and loads likewise defeats the purpose of using a base search. Splunk should stop offering "workarounds" and fix the issue.  In the meantime, I have come up with a "work-around" that I now unfortunately have to implement. Add the following text input and option to your dashboard code.    <fieldset submitButton="false" autoRun="false"> <input type="text" token="tok_rowsPerTable" searchWhenChanged="true"> <label>Rows per Table> <default>10</default> </input> </fieldset> <option name="count">$tok_rowsPerTable$</option>   Note: You can add the input to each panel, just before the <table> tag. Remember to remove the <fieldset> and </fieldset> tags first. You will click and drag the table cells and then copy and paste them into an Excel file. I know this is a drag, pun intended, but it is the only efficient workaround I have found to reduce the time it would take to open a search for each of my 20 panels. And if any customers are developers, please create a permanent code fix that the Splunk techs can implement. And if they won't implement it, at least the Splunk community can use it. Again, if this has already been resolved and I missed it somewhere, please advise. Thanks and God bless, Genesius ... View more

Hi @mah., if this solves your need, please accept my answer for the other people of Community. Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated 😉 ... View more

@Sathya0Q    I guess you have the list of users in a lookup file. If not please create one with field name as user. Use the below search to get the login attempts from the selected users. If the field name in the lookup is not user, you should use a rename command in the subsearch index=_audit [ | inputlookup users.csv ] login attempt   -- Hope this helps ... View more

I was so close... thank you!   ... View more

Thank u sir as always. Stay safe. ... View more

@ziko0303  Which version of Splunk ? Can you please share the snap shot of the settings tab?     ... View more

even If I replace line: | eval min_time = strftime(min_time,"%Y-%m-%d %H:%M:%S")   with | fieldformat min_time = strftime(min_time,"%Y-%m-%d %H:%M:%S") still I get an empty min_time field ... View more