I am creating the new index and getting the below error. Please find the below configurations.    [splunk@ap2-cclabs658055-idx1 ~]$ /opt/splunk/bin/splunk start   Splunk> Another one.   Checking prerequisites... Checking http port [8000]: open Checking mgmt port [8089]: open Checking appserver port [127.0.0.1:8065]: open Checking kvstore port [8191]: open Checking configuration... Done. Checking critical directories... Done Checking indexes... Problem parsing indexes.conf: Cannot load IndexConfig: idx=_audit Configured path 'volume:primary/_audit/db' refers to non-existent volume 'primary'; 1 volumes in config Validating databases (splunkd validatedb) failed with code '1'.  If you cannot resolve the issue(s) above after consulting documentation, please file a case online at http://www.splunk.com/page/submit_issue [splunk@ap2-cclabs658055-idx1 ~]$    indexes.conf :  # Parameters commonly leveraged here: # maxTotalDataSizeMB - sets the maximum size of the index data, in MBytes, # over all stages (hot, warm, cold). This is the *indexed* volume (actual # disk space used) not the license volume. This is separate from volume- # based retention and the lower of this and volumes will take effect. # NOTE: THIS DEFAULTS TO 500GB - BE SURE TO RAISE FOR LARGE ENVIRONMENTS! # # maxDataSize - this constrains how large a *hot* bucket can grow; it is an # upper bound. Buckets may be smaller than this (and indeed, larger, if # the data source grows very rapidly--Splunk checks for the need to rotate # every 60 seconds). # "auto" means 750MB # "auto_high_volume" means 10GB on 64-bit systems, and 1GB on 32-bit. # Otherwise, the number is given in MB # (Default: auto) # # maxHotBuckets - this defines the maximum number of simultaneously open hot # buckets (actively being written to). For indexes that receive a lot of # data, this should be 10, other indexes can safely keep the default # value. (Default: 3) # # homePath - sets the directory containing hot and warm buckets. If it # begins with a string like "volume:<name>", then volume-based retention is # used. [required for new index] # # coldPath - sets the directory containing cold buckets. Like homePath, if # it begins with a string like "volume:<name>", then volume-based retention # will be used. The homePath and coldPath can use the same volume, but # but should have separate subpaths beneath it. [required for new index] # # thawedPath - sets the directory for data recovered from archived buckets # (if saved, see coldToFrozenDir and coldToFrozenScript in the docs). It # *cannot* reference a volume: specification. This parameter is required, # even if thawed data is never used. [required for new index] # # frozenTimePeriodInSecs - sets the maximum age, in seconds, of data. Once # *all* of the events in an index bucket are older than this age, the # bucket will be frozen (default action: delete). The important thing # here is that the age of a bucket is defined by the *newest* event in # the bucket, and the *event time*, not the time at which the event # was indexed. # TSIDX MINIFICATION (version 6.4 or higher) # Reduce the size of the tsidx files (the "index") within each bucket to # a tiny one for space savings. This has a *notable* impact on search, # particularly those which are looking for rare or sparse terms, so it # should not be undertaken lightly. First enable the feature with the # first option shown below, then set the age at which buckets become # eligible. Am35yNvd # enableTsidxReduction = true / (false) - Enable the function to reduce the # size of tsidx files within an index. Buckets older than the time period # shown below. # timePeriodInSecBeforeTsidxReduction - sets the minimum age for buckets # before they are eligible for their tsidx files to be minified. The # default value is 7 days (604800 seconds). # Seconds Conversion Cheat Sheet # 86400 = 1 day # 604800 = 1 week # 2592000 = 1 month # 31536000 = 1 year [default] # Default for each index. Can be overridden per index based upon the volume of data received by that index. #300GB #homePath.maxDataSizeMB = 300000 # 200GB #coldPath.maxDataSizeMB = 200000 # VOLUME SETTINGS # In this example, the volume spec is not defined here, it lives within # the org_(indexer|search)_volume_indexes app, see those apps for more # detail. One Volume for Hot and Cold [volume:primary] path = /opt/splunk/var/lib/splunk 500GB maxVolumeDataSizeMB = 500000 # Two volumes for a "tiered storage" solution--fast and slow disk. #[volume:home] #path = /path/to/fast/disk #maxVolumeDataSizeMB = 256000 # # Longer term storage on slower disk. #[volume:cold] #path = /path/to/slower/disk #5TB with some headroom leftover (data summaries, etc) ##maxVolumeDataSizeMB = 4600000 # SPLUNK INDEXES # Note, many of these use historical directory names which don't match the # name of the index. A common mistake is to automatically generate a new # indexes.conf from the existing names, thereby "losing" (hiding from Splunk) # the existing data. [main] homePath = volume:primary/defaultdb/db coldPath = volume:primary/defaultdb/colddb thawedPath = $SPLUNK_DB/defaultdb/thaweddb [history] homePath = volume:primary/historydb/db coldPath = volume:primary/historydb/colddb thawedPath = $SPLUNK_DB/historydb/thaweddb [summary] homePath = volume:primary/summarydb/db coldPath = volume:primary/summarydb/colddb thawedPath = $SPLUNK_DB/summarydb/thaweddb [_internal] homePath = volume:primary/_internaldb/db coldPath = volume:primary/_internaldb/colddb thawedPath = $SPLUNK_DB/_internaldb/thaweddb # For version 6.1 and higher [_introspection] homePath = volume:primary/_introspection/db coldPath = volume:primary/_introspection/colddb thawedPath = $SPLUNK_DB/_introspection/thaweddb # For version 6.5 and higher [_telemetry] homePath = volume:primary/_telemetry/db coldPath = volume:primary/_telemetry/colddb thawedPath = $SPLUNK_DB/_telemetry/thaweddb [_audit] homePath = volume:primary/_audit/db coldPath = volume:primary/_audit/colddb thawedPath = $SPLUNK_DB/_audit/thaweddb [_thefishbucket] homePath = volume:primary/fishbucket/db coldPath = volume:primary/fishbucket/colddb thawedPath = $SPLUNK_DB/fishbucket/thaweddb # For version 8.0 and higher [_metrics] homePath = volume:primary/_metrics/db coldPath = volume:primary/_metrics/colddb thawedPath = $SPLUNK_DB/_metrics/thaweddb datatype = metric # For version 8.0.4 and higher [_metrics_rollup] homePath = volume:primary/_metrics_rollup/db coldPath = volume:primary/_metrics_rollup/colddb thawedPath = $SPLUNK_DB/_metrics_rollup/thaweddb datatype = metric # No longer supported in Splunk 6.3 # [_blocksignature] # homePath = volume:primary/blockSignature/db # coldPath = volume:primary/blockSignature/colddb # thawedPath = $SPLUNK_DB/blockSignature/thaweddb # SPLUNKBASE APP INDEXES [os] homePath = volume:primary/os/db coldPath = volume:primary/os/colddb thawedPath = $SPLUNK_DB/os/thaweddb   ... View more

Can anyone advise the SE linux configurations for the Splunk universal forwarders ?  ... View more

Hello Team, we have selected the rising column feature of DBX that allows Splunk to incrementally import new database records. But it’s not working and getting old logs into our Splunk aswell.  we need logs from the 01st March 2022 but we are receiving logs from the last year 2021.  select * from xxxxxxxxxxxxxxx SELECT * FROM your_table WHERE LoginDt > ? ORDER BY LoginDt ASC checkpoint value : 3/1/2022 00:00:00.000 ... View more

Hello Guys,  We have to integrate one of the SQL server with Splunk and the current version is  SQL 2012. We are using splunk db connect app to configure it.  Kindly confirm if SQL team can upgrade to 2017 , is it compatible with splunk db connect or do they need to upgrade it to SQL 2019 ?  Provide any solutions/documents on this . ... View more

Hello Team, We are trying to integrate one of the SQL data base using the splunk db connect add-on and we are getting the below error.  Id MS SQL 2012 is compatible with the below db connect and splunkversions ? Splunk DB Connect Version: 3.5.1 Build: 4 Splunk Enterprise : 8.1.7.2 DB version is Microsoft SQL Server 2012 ERROR : The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Certificates do not conform to algorithm constraints". ClientConnectionId:xxxxxxxxxxxxxxxxxxxxxxxxxxxx ... View more

We have installed the CISCO WEBEX MEETING ADD ON FOR SPLUNK in the heavy forwarder to on board the logs, but we are getting the below connection error. kindly advise me where i missed. I hope this is related to some proxy issue.  2022-02-20 16:36:43,766 WARNING pid=3953874 tid=MainThread file=connectionpool.py:urlopen:745 | Retrying (Retry(total=5, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fb34aed6050>: Failed to establish a new connection: [Errno -2] Name or service not known')': /WBXService/XMLService 2022-02-20 16:36:27,753 WARNING pid=3953874 tid=MainThread file=connectionpool.py:urlopen:745 | Retrying (Retry(total=6, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fb34aec5d50>: Failed to establish a new connection: [Errno -2] Name or service not known')': /WBXService/XMLService 2022-02-20 16:36:13,741 WARNING pid=3953874 tid=MainThread file=connectionpool.py:urlopen:745 | Retrying (Retry(total=9, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fb34aec55d0>: Failed to establish a new connection: [Errno -2] Name or service not known')': /WBXService/XMLService 2022-02-20 16:36:07,939 ERROR pid=3952469 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events. Traceback (most recent call last): File "/opt/splunk/etc/apps/ta-cisco-webex-meetings-add-on-for-splunk/bin/ta_cisco_webex_meetings_add_on_for_splunk/aob_py3/urllib3/connection.py", line 157, in _new_conn (self._dns_host, self.port), self.timeout, **extra_kw File "/opt/splunk/etc/apps/ta-cisco-webex-meetings-add-on-for-splunk/bin/ta_cisco_webex_meetings_add_on_for_splunk/aob_py3/urllib3/util/connection.py", line 61, in create_connection ... View more

We have upgraded from 8.1.6 to 8.1.7.2 and we are not able to see the resource details in the overview page. PFA screenshot. Kindly advise. Is this known issue ?  ... View more

Error :    java.lang.RuntimeException: java.lang.RuntimeException: java.sql.SQLException: Missing defines   ... View more

We are getting the below error while executing the query.  com.microsoft.sqlserver.jdbc.SQLServerException: The value is not set for the parameter number 1.   Kindly advise on the resolution.  ... View more

Deployment server is not downloading apps and getting the below error.  12-13-2021 08:38:53.140 +0300 WARN ClientSessionsManager - ip=x.x.x.x name=xxxxxx Updating record for sc=xxxxxx app=xxxxxx : action=Download result=Fail checksum=xxxxxxxxxxx ... View more

Hello Team,  We need to integrate the puppet integration with splunk for the security related events are pushed to our Splunk SIEM. is this good to use HEC tokens for this ? or syslog is fine ?    ... View more

Splunk DB Connect: Why am I getting "The value is not set for the parameter number 1" when updating the SQL query in the Edit Input panel?   ERROR :    com.microsoft.sqlserver.jdbc.SQLServerException: The value is not set for the parameter number 1.   ... View more

we need to delete three files from the index  I have used the |delete command to clean the indexed data and it’s deleted but still its showing under the source field. source='/var/log/splunk/syslog/******/********' | delete source='/var/log/splunk/syslog/******/********' | delete source='/var/log/splunk/syslog/******/********' | delete ... View more