Hi, @dm1 , I will try, if I will be able to find it! Ciao. Giuseppe ... View more

This should be accepted as solution. This workaround works, not sure why Splunk hasn't put this workaround in the known issues section in the docs. ... View more

Hi @dm1 , until today, I always used the second one in many hundreds of project without any issue. the fact that it isn't unsupported it's a new for me, but probably it was an oversight of mine. The first one is Cisco supported so you could use it. About instuctions for ingestion, I'm not a network specialist, but Catalysts, as other network appliances, should send their logs by syslog, so you can directly receive syslogs using Splunk, in an Heavy Forwarder, or (better),creating an rsyslog input that writes syslogs in a file that it is read by Splunk. Ciao. Giuseppe ... View more

You deserve all the kudos.  We had app and custom did the trick.  ... View more

https://docs.splunk.com/Documentation/Splunk/9.2.1/DistSearch/PropagateSHCconfigurationchanges Regarding the etc/passwd changes, my guess would be "don't do it".  I think the encryption of the passwords must be redone.  Use the UI for password changes so it replicates across the cluster. ... View more

Just in case anyone has the same issue as me. My KV store was broken which stopped task server from starting splunkd.log 05-31-2024 01:59:56.804 +0000 ERROR ExecProcessor [1322 ExecProcessor] - message from "/opt/splunk/etc/apps/splunk_app_db_connect/bin/dbxquery.sh" 01:59:56.804 [main] INFO com.splunk.dbx.utils.SecurityFilesGenerator - Initializing secret kv store collection 05-31-2024 01:59:56.867 +0000 ERROR ExecProcessor [1322 ExecProcessor] - message from "/opt/splunk/etc/apps/splunk_app_db_connect/bin/dbxquery.sh" 01:59:56.867 [main] INFO com.splunk.dbx.utils.SecurityFilesGenerator - secret KV Store not found, creating mongod.log 2024-05-31T03:20:05.019Z I ACCESS [main] permissions on /opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key are too open Changing the permissions on /opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key to 400 and restarting fixed the issue for me ... View more

Hi @dm1 , I'd follow the first solution in three steps: install a new Splunk on AWS, possible the sam version that you have on-premise, not a new version, configure the new Splunk as SH connected to your Indexers, copy the above folders in the AWS Splunk, eventually update your Splunk and apps version. because you don't need to copy the bins or the libraries that are always the same, you need only to copy the confs that you did in your on-premise installation. Ciao. Giuseppe ... View more

Still Searching for a solution and or root cause.  so far we just have to flag as known error and check in time to time to see if anyone else may have come up with a different idea.  but the files are gone as the error states as if the process completed but it still tracking the file and attempts to remove it again?  ... View more

I see that it is quite some time since you posted this question. Just wanted to "second it", as I am working with hardening a Splunk platform myself at the moment and am wondering about the same thing. By chance, have you found any answers? ... View more

Sometimes the fix is right there in the documentation itself: https://docs.splunk.com/Documentation/AddOns/released/AWS/Troubleshooting   I fixed the issue by updating splunk-launch.conf file and adding the custom PORT for Management. The latest version of Aws add on doesn't work with custom management port. It only works on 8089.   ... View more

Apologies. I realised  my understanding of the data was incorrect. I have put the requirement and current data format on this new post https://community.splunk.com/t5/Splunk-Search/How-to-convert-nested-xml-block-into-json-formatted-nested-block/td-p/644381 ... View more

docs here: https://docs.splunk.com/Documentation/ES/latest/Admin/MLTKtroubleshooting#Maximum_group_limit ... View more

This error is interesting because it seems that Splunk's own Python environment is unable to initialise Splunk's own OpenSSL instance. What version of Splunk are you running? ... View more

To solve this problem you need to find and rename the offending bucket. If there is many such buckets it is not possible to manually rename them. How to find and rename the offending standalone buckets? find . -regextype posix-extended -regex '^.*db_[0-9]+_[0-9]+_[0-9]+$' -exec mv {} {}_C199873F-6E72-43D8-B54F-554750ACE904 \; master guid=C199873F-6E72-43D8-B54F-554750ACE904 ... View more

Exactly, I confirm in our environment the issue was mainly due to thruput constraint, but we put 25 MB/s instead of unlimited. The only strange thing that didn't allowed us to quickly identify the root cause was that, for the windows events locally generated by the WEC server itself, the Splunk Universal Forwarder had no delay collecting them. The only delay was observed on forwarding with the Splunk Universal Forwarder the events stored by the Windows Event Collector (WEC) coming from the other machines through Windows Event Forwarding (WEF).   limits.conf [thruput] maxKBps = 25600     To understand the thruput limit in your environment you can use this query (stay quite higher than the maximum you observe)   index=_internal sourcetype=splunkd group=tcpin_connections (connectionType=cooked OR connectionType=cookedSSL) hostname=your_WEC_host | timechart minspan=30s max(eval(tcp_KBps)) as "KB/s", max(tcp_eps) as "Events/s"     ... View more

Hi  @dm1 I’m a Community Moderator in the Splunk Community. Thanks for contributing as a member in the forum! This question was posted  couple years ago and might not get the attention you need for your own question to be answered. I suggest you please post a brand new question so your issue can get more visibility. To increase your chances of getting help from the community,(Please feel free to link to this answer in your question, but try to describe the issue clearly yourself, in case there are any details that might matter that were different for you from this prior post.) follow these guidelinesin the Splunk Answers User Manual when creating your post.   ... View more

Thanks alot!!! ... View more

It looks like this issue was related to another issue. After that issue got fixed, the issue with sse also got fixed. ... View more

This helped me fix my issue! Thanks! ... View more

Were you able to fix this ? Please share solution. Thanks ... View more

Were you able to fix this ? Please share solution. Thanks ... View more

were you able to fix this ? if yes, please share how. Thanks! ... View more

Thanks @chaker for giving such a valuable suggestion. I will definitely give a try and update on it's outcome. ... View more

what if I installed just JRE and not JDK ? ... View more