×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
ASierra
Explorer
Member since: ‎06-22-2021
‎02-16-2026
Community Statistics
Posts 8
Solutions 0
Karma Given 4
Karma Received 5
Member Since ‎06-22-2021
Activity Feed
View All

February 2026 Patches - Break RPC calls to DC

by in Monitoring Splunk
‎02-16-2026 05:38 AM
‎02-16-2026 05:38 AM
There have been reports that the February 2026 MS update kills the RPC call to the Domain Controllers for various versions of the UF agent. This results in an MSRPC call storm to all domain controllers over and over until it drains resources. Check your _internal logs for  splunk-winevtlog.exe"" splunk-winevtlog - WinEventLogChannel::init: Failed to bind to DC, dc_bind_time=1579 msec splunk-winevtlog.exe"" splunk-winevtlog - Failed to set properties for event; EventRecordID=16354 channel="Application" error=6 Fix: A restart of the UF service on the local machines fixes the issue. ... View more
Labels

Re: Azure AD SSO to F5 SP

by in Getting Data In
‎08-27-2024 12:06 PM
1 Karma
‎08-27-2024 12:06 PM
1 Karma
In the Azure Splunk Enterprise Application, under Users and Groups, I add my Azure security groups that have the members that want access inside them. Then you go into the Single sign-on portion and review the Attributes and Claims. You should have an entry that says "groups" as the claim name. Under the value, it should be set to "Groups assigned to the application" and Source Attribute as "Group ID". This will send just the groups assigned to the application that the sign-in user is a part of instead of every single group which might go over the limit. In the splunk side, you enter your AD group name or sometimes with other versions it has to be the object-id of the azure group and then map it to the correct internal splunk role you have created for that team.   ... View more

Re: Splunk Enterprise 9.1.3: Universal Forwarder c...

by in Splunk Enterprise
‎02-26-2024 05:20 AM
‎02-26-2024 05:20 AM
Mine was failing also until I added the parameter above and install went through fine. ... View more

Re: Can the REST call to delete a user from Splunk...

by in Security
‎12-23-2022 05:39 AM
1 Karma
‎12-23-2022 05:39 AM
1 Karma
This is to remove a SAML user that has left the organization. Before deleting, reassign any objects, reports, and alerts that user may have.   curl -k -u <adminaccount>:<password> --request DELETE https://<instancename>.splunkcloud.com:8089/services/admin/SAML-user-role-map/username@domain.com ... View more

Re: Azure AD SSO to F5 SP

by in Getting Data In
‎02-21-2022 02:48 PM
3 Karma
‎02-21-2022 02:48 PM
3 Karma
This is done through Azure group filtering options in the Enterprise App for Splunk that you created. Add the security groups that you want to give access to the Splunk App in users and groups Go into Single-signon, click edit Attributes and Claims. Click on the first claim option that was automatically created usually user.groups [SecurityGroup] Change from "Security groups" to "Groups assigned to the application". No more issues with users that have large membership groups. Not sure why I didn't find this answer anywhere else. @bpdubs  ... View more

App validation failed: App does not support search...

by in Splunk Dev
‎12-01-2021 06:12 AM
‎12-01-2021 06:12 AM
I'm new to this! Our custom app stopped working on Splunk Cloud and was told by support to change an xml file below from app.html to search.html because of a Cloud change. However, when I go to reupload the same app, I get the error that app validation failed: App does not support search head cluster environments. It passes all the vetting just gives that error at the end. What could it possibly be looking for? Again, new to this so can't find the answer in google.. 🐵   <?xml version="1.0"?> <view template="pages/search.html" type="html" isDashboard="False"> <label>Search</label> </view>   ... View more
Labels

Find change in installed antivirus software versio...

by in Splunk Search
‎10-22-2021 05:58 AM
‎10-22-2021 05:58 AM
Starting our journey into Splunk and need some help. I am trying to send and alert when a new version of antivirus is installed on our machines. I am monitoring the application windows event log, so it would be something like grab the version from 20 minutes ago in the logs and if different than current version send the alert. "Message=Windows Installer installed the product. Product Name: Antivirus Software. Product Version: 1.0.0.000.1. Product Language: 001. Manufacturer: Antivirus. Installation success or error status: 0" Any ideas on how to start this search? ... View more
Labels

Re: microsoft office 365 reporting add-on stopped ...

by in All Apps and Add-ons
‎07-01-2021 07:53 AM
‎07-01-2021 07:53 AM
For anyone getting errors, you should update the query from OLD URL: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate NEW URL: https://outlook.office365.com/ecp/MessageTrace/MessageTraceResults.aspx?$filter=StartDate   The url base in the SPL should also be udpated to:  https://outlook.office365.com/ecp ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎02-16-2026 05:31 AM
Karma from
Karma given to
View All