As I said, you need to mvexpand stems before doing the replace. ... View more

Hi @mfleitma, If the datamodel command is slower, there's likely something in your environment defeating the READ_SUMMARY directive added by the search optimizer. In my test environment, this: | datamodel Network_Traffic All_Traffic flat summariesonly=true allow_old_summaries=true | search NOT src_ip=1a00:2a60:3000:1::/64 translates to this: | search (index=main NOT src_ip=1a00:2a60:3000:1::/64 tag=communicate tag=network (index=* OR index=_*)) DIRECTIVES(READ_SUMMARY(allow_old_summaries="true" dmid="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX_DM_Splunk_SA_CIM_Network_Traffic" name="Network_Traffic.All_Traffic" predicate="*" summariesonly="true"),READ_SUMMARY(predicate="NOT \"All_Traffic.src_ip\"=1a00:2a60:3000:1::/64"),REQUIRED_TAGS(intersect="t" tags="cloud,pci")) tstats remains problematic with respect to all CIDR matches. Beyond the limitations described by the documentation, for example, the following addresses are equivalent: 1a00:2a60:3000:1::1 1a00:2a60:3000:0001::1 1a00:2a60:3000:0001:0000:0000:0000:0001 but the following tstats search will only match 1a00:2a60:3000:1::1: | tstats summariesonly=true allow_old_summaries=true count from datamodel=Network_Traffic.All_Traffic where All_Traffic.src_ip=1a00:2a60:3000:1::1 If your source normalizes IPv6 addresses to a canonical format, i.e., RFC 5952, that may not be a concern; however, bitwise CIDR matching appears to be defeated by tstats, regardless. It may be worth the effort to figure out why the datamodel command is slow in your environment. ... View more

Hi @richgalloway @livehybrid @PrewinThomas .. all three of you gave the right answers. so, following the "first come first served" logic, selecting Rich's answer as the solution. given karma points for all 3, thanks.  for future users reference, pls check these 2 links for detailed info: https://help.splunk.com/en/data-management/splunk-enterprise-admin-manual/9.4/administer-the-app-key-value-store/back-up-and-restore-kv-store https://help.splunk.com/en/splunk-enterprise/administer/admin-manual/10.0/administer-splunk-enterprise-with-the-command-line-interface-cli/administrative-cli-commands   ... View more

Making buffers too big and removing thruput limits may not yield great results. Try flushing several gigabytes worth of buffers on forwarder's close. Try getting sudden peak of data when a site with several hundreds of endpoints comes back from a site network outage... There are pros and cons to everything 🙂 ... View more

1) A "dev guy" should not be sending anything to a data/inputs endpoint - only the services/collector endpoints.   2) Use the services/collector/raw/1.0 endpoint if you need props and transforms to process your data.  Use the services/collector/event/1.0?auto_extract_timestamp=true endpoint if you only need the timestamp extracted. ... View more

Let me clarify it a bit. We have side A and side B of a TLS connection. When side A initiates a connection to side B (let's say a UF connects to an indexer or an indexer connects to the license master), side B presents a certificate. Normally this would be a certificate for a subject B (certBsub) issued by some intermediate CA (certinterCA), which in turn is normally issued by a root CA (with a certRootCA)- that's a most typical scenario. There might be more intermediate intermediate CAs in chain (certBsub<-certinter1CA<-cetinter2CA<-...<-certRootCA), but that's fairly rare. There might be a certificate directly issued by rootCA (certBsub<-rootCA) but that's also rare since it involves rootCA in operational work which is not very secure. So the proper setup of certificates in such environment would be like this: - side B should have and present to the clients when being connected to a certificate chain consisting of its own subject certificate (certBsub) and intermediate certificates which were used to issue that certificate. Without the rootCA certificate (in practice it's often also presented but it's not needed there) - side A needs to know only the rootCA certificate to be able to verify the whole path of certification from its trusted root to the subject certificate. So the sides do not actually share any certificates. They rely on the fact that side B has a certificate which has been issued by a CA which is trusted by sideA. If you also verify the client, another half of the mechanism works the other way around - apart from the client verifying the server as described above, the client on connection presents its own subject certificate along with possible certification chain up to but not including the rootCA and the server verifies the certification trust with a rootCA certificate it knows. It doesn't mean though that those rootCAs must be the same!   ... View more

Thanks for clarifying. DS lets us rotate the labels on the X axis, but we do not have the ability to rotate the values over each column.   Consider submitting a request for that feature at https://ideas.splunk.com See https://help.splunk.com/en/splunk-enterprise/create-dashboards-and-reports/dashboard-studio/10.0/visualizations/bar-and-column-charts#column-chart-options-0 for the available options. ... View more

Glad to see the old posts still have value 😊 Just a minor addition to consider - timechart will create buckets of _time depending on the time period you are looking at, so if you are searching a week, it will give you 1 day buckets and if you search 24h it will give you 30 minute buckets. When you do stats by _time if you have lots of data per second, then your stats will generate a lot of results, so if you do use the stats technique mentioned, it's worth considering a  | bin _time span=X to define the bucket. If you don't know in advance what bucket size you want, but know what your minimum would be, e.g. 1h, then add in span=1h simply to reduce the volume. So if you had 1 million events per hour, if you don't do the bin, you would exceed the base search result set, whereas with span=1h you would get a single result per hour.   ... View more

Deduplication at ingest time is tricky bordering on impossible.  Duplicate events may follow different paths and so be undetectable until search time.  Even if they follow a common path, they may be sufficiently far apart that the EP/IP worker can't detect the duplication.   ... View more

When running a Splunk instance you have the license cost (which might be zero if you're using a trial/free license) and the infrastructure cost (the cost of hardware or cloud vm or container in which you spin up a Splunk instance, in cloud case maybe the cost of network traffic, the cost of someone to maintain it and so on). So on-prem vs. cloud vm covers the infrastructure costs. You still need to handle the license part according to your needs - either buy a properly sized license or use the free one (which has limitations) after the trial period ends. If you choose Splunk Cloud service however, you pay for the service subscription which covers both license and Splunk infrastructure costs. Be aware though that you still might need some self-managed components like forwarders or deployment server (for those you should get a so-called zero-bytes license for free but that's a completely different story) ... View more

It's highly unusual for users to be providing certificates to Splunk admins for installation.  Usually, the admin creates the certificate. Instructions for preparing certificates for Splunk are in the Admin Manual. I'm not aware of any tool/command that will tell you if a certificate file is correct or not.  You can use openssl to examine the file, but it's up to you to make sure the file was built as it should be.  If you do use openssl, be sure to use the version provided by Splunk. ... View more

What I received from Splunk support: I would like to inform you that an estimated release date for the version that will fix the vulnerability for version 9.4.7,9.2.11 versions will be released by the end of December and for the 9.3.9,10.0.3 versions, we have an estimated time of arrival (ETA) of the end of March 2026.     ... View more

Hi @ginagodwin  You might find the following helpful for downloading 9.0.5 if this is the version you need: https://livehybrid.github.io/downloadSplunk/?version=9.0.5 You can adjust the target OS etc as required, note 9.0.5.1 UF download URL doesnt work. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Timestamps issues are uncommon in _internal. Splunkd.log will show indexer restarts. Restarting does not clear the health status.  That usually takes 24 hours. Use btool to view the default index settings. $SPLUNK_HOME/bin/splunk btool indexes _internal | grep "system\/default" Btool also can show overrides of default settings.   ... View more

If both indexers will be receiving HEC data (very likely) then both must have the same set of HEC tokens.  Do that by putting the tokens in the inputs.conf file in an app on the CM and deploying it in the cluster bundle. ... View more

@jip31 I know this is an older post, but if you don't have the External Public Egress IPs from your UFs or Enterprise, you can use our Get Public IP Add-on to collect them: https://splunkbase.splunk.com/app/8107 ... View more

Yes. But it's because it stops being a well-formed json object and therefore Splunk cannot parse it as a json object and therefore cannot show you its structure. It just shows you raw event contents. So we're both kinda right. But the underlying cause is not the presentation itself but the inability to parse and interpret the data as json object. ... View more

With timestamp assignment set to CURRENT the TZ setting doesn't matter since the timestamp is getting assigned based on the receving component's OS time. ... View more

Hi @AShwin1119  What mechanism are you using for your syslog ingestion? Are you using Splunk tcp/udp input, Splunk Connect for Syslog (SC4S) or something else (eg rsyslog/syslogng)? The docs (https://www.cisco.com/c/en/us/td/docs/security/cisco-secure-cloud-app/user-guide/cisco-security-cloud-user-guide.html) for the Cisco Security Cloud app show that in a distributed environment you need to install the app on your Splunk Cloud SH.  The docs discuss how to configure the inputs for specific products so please check the link above for more info on how to ingest your specific logs. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing   ... View more

I recommend using the SA-cim_vladiator (https://splunkbase.splunk.com/app/2968) app to confirm your data is CIM-compliant.  Add EVAL and FIELDALIAS settings to props.conf to create CIM-compliant fields as needed.  ... View more

Thanks for the suggestion richgalloway, but yes, I tried that and it resulted in this nav_chart_mode="\2"   ... View more