Depending on the size of the lookup file, the map command may do the job. | inputlookup id.csv | eval search_start=strptime(time,) | map search="index=id ID_index=$ID$ starttime>$search_start$ timeformat=\"%m.%d.%Y\" | stats count as cnt by $ID$ | where cnt>$limit$ | | eval msg="limit outreached" | table $ID$ cnt $limit$" ... View more

When the query ends with stats count, it will always return one result.  Therefore,  Number of Results > 0 will always trigger the alert.  Add a where command to the alert so it only returns results if there are consecutive errors. index=your_logs "error" | bin _time span=1m | stats count as error_count by _time | streamstats window=2 current=t count(error_count) as consecutive_error_minutes | where consecutive_error_minutes >= 2 | stats count as alert_trigger | where alert_trigger > 0 That said, I have doubts about the methodology used.  The current query will trigger if two consecutive errors are detected, but what if they're different errors?  Does it matter?  I would think that two different errors would not be considered "persistence". ... View more

Have you tried this filter? JournalFilter = NOT MESSAGE~"apparmor=ALLOW" If that doesn't work then you can use props and transforms or Ingest Actions to drop the unwanted events in HF or indexer.  Props and transforms work only in the first full instance (HF or indexer) that the data passes through; Ingest Actions work in any full instance. ... View more

SPL files are just renamed tgz files.  There's no need to do anything.  Just install the file as-is. ... View more

Have you tried cloning the XML dashboard to Dashboard Studio?  Splunk will do the conversion for you. ... View more

The best way to get clarification on a Documentation page is to submit feedback on the page.  Click the "Share feedback" button at the bottom of the page. ... View more

We need more information. Are not getting any logs or just some of them?  If some, are you getting the internal logs for the forwarder that is supposed to be sending them? Please share the inputs.conf stanza for the missing logs. ... View more

Splunk 10.0.x is not the latest version.  Try 10.2.x. ... View more

Questions like this should be directed to someone at Cribl. ... View more

Splunk has not supported SSL 2.0 or 3.0 for some time now.  It only supports TLS 1.0, 1.1, and 1.2 with 1.2 being the recommended version.  I'm curious about how Tenable was able to connect using an unsupported protocol. Splunk 9.1.x is no longer supported so no fixes are forthcoming for that version.  A supported version may contain a fix, but it's hard to know without a CVE number. You may find mention of a fix at http://advisory.splunk.com ... View more

Yes, the upgrader has to run as root to do its work, but the end result should be the UF running as the specified non-root user.  If that is not happening then it's a problem that should be reported using one of the methods previously mentioned. ... View more

If you can't submit a case then submit it as an RFE at https://ideas.splunk.com ... View more

I suggest you submit a case to Splunk Support.  The upgrader should not assume the UF runs as root.  Running as root is a Bad Practice. ... View more

Use the splunk offline --enforce-counts command to take down each indexer one at a time.  Splunk will handle moving data as necessary.  Make sure the RF/SF is met and all indexes are searchable before moving on to the next indexer. ... View more

It looks like you researched it well.  I like your plan. Yes, you will need an on-prem DS to manage your UFs unless you have a separate tool (like Ansible) for that. Replacing Cribl with Edge Processor is worth looking into as it may save you some money.  EP cannot yet do everything Cribl can, however.  I agree with putting EP nodes close to the data sources. I have not used EP for syslog so I can't comment on that.  I found SC4S to be a good syslog solution, but it's been a few years since I've used it. ... View more

Perhaps this article will help. Also, you can get agent info from any SH by searching the _ds_* indexes. ... View more

We don't know what customizations Splunk may have made to postgres.  Installing code from another source may introduce incompatibilities. Code not released by Splunk may not be supported by Splunk. Changing delivered files may trigger File Integrity Check warnings. ... View more

After configuring SAML, did you map group names to Splunk roles?  Does your Identity Provider contain group names for each user that will have access to Splunk?  Without both of those, Splunk has no way to know what permissions to grant the user. ... View more

Check https://advisory.splunk.com and install the version of Splunk that fixes that vulnerability. Do NOT attempt to patch postgres independently. ... View more

Mandate ... View more

Creating a scripted or modular input is difficult without some programming knowledge, but AI should be able to help.  I understand Claude is good at programming.   Splunk Support is for break/fix issues, not scripting.  Splunk ODS can offer advice, but cannot create a script for you.  Splunk Professional Services, however, can create it. Whether you choose a scripted or modular input, adding checkpointing is a good idea to protect against interruptions in the input. ... View more

See https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/10.2/get-other-kinds-of-data-in/get-data-from-apis-and-other-remote-data-interfaces-through-scripted-inputs or https://help.splunk.com/en/splunk-enterprise/developing-views-and-apps-for-splunk-web/9.4/modular-inputs/create-modular-inputs   ... View more