×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
JRW
Splunk Employee
Member since: ‎02-03-2023
‎10-14-2025
Community Statistics
Posts 7
Solutions 0
Karma Given 13
Karma Received 4
Member Since ‎02-03-2023
Activity Feed
Topics I've Started
No posts to display.
View All

Re: The Client forwarder management not showing th...

by Splunk Employee in Deployment Architecture
‎05-16-2024 06:17 AM
4 Karma
‎05-16-2024 06:17 AM
4 Karma
Another fix to try is as follows: Find your distsearch.conf and then find the stanza that has default = true in it. In that stanza, make sure localhost:localhost is listed in the setting below     servers =       For example, it was like this before: distributedSearch:testgroup1 default = true servers = somehostname.company.com Once you find that stanza, add localhost to make it look like this (and it's literal in that it's simply localhost:localhost) distributedSearch:testgroup1 default = true servers = somehostname.company.com, localhost:localhost Restart the DS and from the internal thread within a few minutes/hours the clients should start to populate again   ... View more

Re: Failed to load source for Wordcloud visualizat...

by Splunk Employee in All Apps and Add-ons
‎02-07-2024 12:15 PM
‎02-07-2024 12:15 PM
Solution worked for me ... View more

Re: Issues with pan: Why is firewall_cloud parser ...

by Splunk Employee in Splunk Enterprise Security
‎12-08-2023 04:53 PM
‎12-08-2023 04:53 PM
TYVM for the reply and info ... View more

Re: How to list the changed made to Palo Alto Fire...

by Splunk Employee in Splunk Enterprise
‎09-11-2023 12:06 PM
‎09-11-2023 12:06 PM
There should be a sequence_number field in the config logs that can be correlated with the other logs of the same number to list the changes made to firewall rules ... View more

Re: Issues with pan: Why is firewall_cloud parser ...

by Splunk Employee in Splunk Enterprise Security
‎08-24-2023 01:05 PM
‎08-24-2023 01:05 PM
Can you please share how you fixed the issue? Thx ... View more

Re: Microsoft Intune Data

by Splunk Employee in All Apps and Add-ons
‎07-18-2023 09:59 AM
‎07-18-2023 09:59 AM
Intune logs can be sent to an Event Hub - https://learn.microsoft.com/en-us/mem/intune/fundamentals/review-logs-using-azure-monitor - and then Splunk Add-on for Microsoft Cloud Services to ingest the Intune events into Splunk ... View more

Re: Do we have splunk alert if ingest across index...

by Splunk Employee in Monitoring Splunk
‎06-02-2023 10:46 AM
‎06-02-2023 10:46 AM
As with Splunk, a million ways to do it so something basic like the following:   index=<your_index> sourcetype=<your_sourcetype> source=<your_datasource> earliest=-15m (or another time range) | stats sum(<your_volume_field> such as bytes_sent) as data_volume | eval threshold=1000000 # Set desired threshold for data volume | eval is_reduced_volume = if(data_volume < threshold, "Yes", "No") Can get a little more deeper with ML: index=<your_index> sourcetype=<your_sourcetype> source=<your_datasource> earliest=-15m | timechart span=1m sum(<your_volume_field>) as data_volume | fit MLTK_AnomalyScore(data_volume) as anomaly_score | eval threshold=0.9 # Set desired anomaly score threshold | eval is_anomaly = if(anomaly_score > threshold, "Yes", "No") And Lantern may have something they can leverage as well: https://lantern.splunk.com/Splunk_Platform/Use_Cases/Use_Cases_Security/Forensics/Crea[…]work_activity/Hosts_logging_more_or_less_data_than_expected ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎10-14-2025 05:44 AM
Karma from
Karma given to