About richgalloway

richgalloway

What is a command depends on your point of reference. From the perspective of the operating system/shell, "splunk" is the command and everything else is arguments. From Splunk's perspective, the first argument (other than options) on the command line is the command. Since the documentation is written from Splunk's point of view, it doesn't make sense to treat "splunk" as a separate command since it is necessary to invoke any of the other commands. IOW, what Splunk documents as commands are directives to Splunk and so the leading "splunk" is implied.

richgalloway

It sounds like some of the data in the lookup file is confusing the SPL parser. When you run the subsearch by itself with format, does the output look like valid SPL? | inputlookup ip_test.csv | fields src | format

richgalloway

1) A "dev guy" should not be sending anything to a data/inputs endpoint - only the services/collector endpoints. 2) Use the services/collector/raw/1.0 endpoint if you need props and transforms to process your data. Use the services/collector/event/1.0?auto_extract_timestamp=true endpoint if you only need the timestamp extracted.

richgalloway

The solution depends on which HEC endpoint you're using. If you're using the event endpoint then props are ignored and the timestamp must be in epoch format. See https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/10.0/get-data-with-http-event-collector/http-event-collector-rest-api-endpoints for details.

richgalloway

Thanks for clarifying. DS lets us rotate the labels on the X axis, but we do not have the ability to rotate the values over each column. Consider submitting a request for that feature at https://ideas.splunk.com See https://help.splunk.com/en/splunk-enterprise/create-dashboards-and-reports/dashboard-studio/10.0/visualizations/bar-and-column-charts#column-chart-options-0 for the available options.

richgalloway

A vertical bar chart is called a column chart in Splunk. Choose that visualization type in your dashboard.

richgalloway

If HTTPS is used and sslVerifyServerCert is set then both sides of the connection must use the same certificate. See https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/9.2/secure-splunk-platform-communications-with-transport-layer-security-certificates/configure-tls-certificate-host-name-validation-for-secured-connections-between-splunk-software-components and https://splunk.my.site.com/customer/s/article/Where-are-SSL-Configuration-Files-located-How-to-configure-them-in-Splunk-Enterprise for details.

richgalloway

Run the base search interactively and notice the fields produced. You should see the timechart fields don't match those expected by stats. I suggest changing the base search to stop immediately before the timechart command. Then have two chained searches - one for timechart and one for stats.

richgalloway

Deduplication at ingest time is tricky bordering on impossible. Duplicate events may follow different paths and so be undetectable until search time. Even if they follow a common path, they may be sufficiently far apart that the EP/IP worker can't detect the duplication.

richgalloway

It's highly unusual for users to be providing certificates to Splunk admins for installation. Usually, the admin creates the certificate. Instructions for preparing certificates for Splunk are in the Admin Manual. I'm not aware of any tool/command that will tell you if a certificate file is correct or not. You can use openssl to examine the file, but it's up to you to make sure the file was built as it should be. If you do use openssl, be sure to use the version provided by Splunk.

richgalloway

We need some more information. Are all location using the Splunk Universal Forwarder? If not, that is what they should be using. Is the Intermediate Forwarder a heavy forwarder or universal forwarder? Where did the queue blocking occur? Where did you make the changes to server.conf and limits.conf? Did you restart each Splunk instance after making the changes? What inputs are enabled on the location with high CPU usage? Which TAs/apps are installed there?

richgalloway

Reading data from Splunk Cloud via the REST API is not possible with a free trial account. The best workaround is to install Splunk Enterprise in a private cloud server and test the API calls against that.

richgalloway

Contact Splunk Support. They should be able to provide the desired version.

richgalloway

The documentation is correct. Splunk Cloud free trials do not have access to the REST API. That means calls to the API are not possible until the account converts to a paid one. What problem are you trying to solve? Perhaps there is another way.

richgalloway

Timestamps issues are uncommon in _internal. Splunkd.log will show indexer restarts. Restarting does not clear the health status. That usually takes 24 hours. Use btool to view the default index settings. $SPLUNK_HOME/bin/splunk btool indexes _internal | grep "system\/default" Btool also can show overrides of default settings.

richgalloway

If both indexers will be receiving HEC data (very likely) then both must have the same set of HEC tokens. Do that by putting the tokens in the inputs.conf file in an app on the CM and deploying it in the cluster bundle.

richgalloway

The TRUNCATE setting applies to the first full instance of Splunk (HF or indexer) that the data passes through. TRUNCATE=0 should accept events of any length. What makes you think it isn't "enough"?

richgalloway

There is only one default TLS port. You can, however, configure others. See http://splunk.github.io/splunk-connect-for-syslog/main/sources/#unique-listening-ports

richgalloway

I recommend using the SA-cim_vladiator (https://splunkbase.splunk.com/app/2968) app to confirm your data is CIM-compliant. Add EVAL and FIELDALIAS settings to props.conf to create CIM-compliant fields as needed.

richgalloway

You're correct. Those setting say to use all but 10GB of the 15TB so you should have plenty of storage.

richgalloway

Which TA(s) are you using? Splunk is unlikely to parse the logs out-of-the-box so you'll need a TA from Splunkbase or one of your own. The "Cisco Security Cloud" app (https://splunkbase.splunk.com/app/7404) looks promising.

richgalloway

15TB should be enough at 300GB/day. Double-check the max_cache_size, min_free_space, and eviction_padding settings to ensure the entire space is available.

richgalloway

Make sure the Network Traffic DM is scanning the index that contains the Fortigate data (there's a macro for it). Also, make sure the Fortigate events are CIM-compliant. If the data doesn't use CIM fields it won't appear in the DM. Run the data model's constraint manually in a search (in the ES app) to confirm the events are found and the proper fields are extracted.

richgalloway

Don't use sourcetypes to integrate data into a data model and DON"T modify a data model. Instead, use tags to integrate the data into the DM. The DM will search specified indexes for events with specific tags. In the case of the Network Traffic model, the tags are 'network' and 'communicate'. Ensure the Fortigate data has those tags and it will become part of the DM.

richgalloway · ‎11-08-2025

You tried doubling the escape characters in the pattern, but did you try it in the replacement? <eval token="nav_chart_mode">replace($value$, "(\\w*)\\|(\\w*)", "\\2")</eval>

Posts	16643
Solutions	2977
Karma Given	1934
Karma Received	6628
Member Since	‎07-24-2012

Online Status	Offline
Date Last Visited	3 hours ago

Receiving notifications that are disabled

collectd reports "write_http plugin: curl_easy_per...

How do you restart splunk?

stats count(eval) always returns zero

Need help getting right timestamp from CSV

How to display more than 5 questions per page on A...

What will break if I set coldPath to /dev/null?

Knowledge Object Explorer won't load

How to use a field in SingleValue label?

How to move an index to another app?

Re: About Splunk Command options

Re: Splunk tstats search with IPV6 subnet - WHERE ...

Re: How to handle the log which has the "_time" fi...

Re: How to handle the log which has the "_time" fi...

Re: On dashboard Studio, make values for bar chart...

Re: On dashboard Studio, make values for bar chart...

Re: License manager / slave certificates

Re: Chaining from a timechart

Re: Events Deduplication feature on Splunk Cloud

Re: simple way for a splunk user to confirm certif...

Re: Data Onboarding CPU consumption 150% system st...

Re: Free Splunk Cloud Rest API - Not able to acces...

Re: Splunk forwader

Re: Free Splunk Cloud Rest API - Not able to acces...

Re: High Percentage of Small Buckets on Indexer – ...

Re: HEC Endpoint

Re: How to configure Unviversal forwarder Props.co...

Re: Multiple SC4S TLS port

Re: Adding a Source type to a Data Model

Re: Smartstore hotlist_recency_secs

Re: Cisco FMC/FTD log parsing issue

Re: Smartstore hotlist_recency_secs

Re: Adding a Source type to a Data Model

Re: Adding a Source type to a Data Model

Re: classic xml - token eval using replace functio...

Join the Conversation