×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
JRW
Splunk Employee
Member since: ‎02-03-2023
‎02-02-2026
Community Statistics
Posts 7
Solutions 0
Karma Given 14
Karma Received 4
Member Since ‎02-03-2023
Activity Feed
Topics I've Started
No posts to display.
View All

Re: The Client forwarder management not showing th...

by Splunk Employee in Deployment Architecture
‎05-16-2024 06:17 AM
4 Karma
‎05-16-2024 06:17 AM
4 Karma
Another fix to try is as follows: Find your distsearch.conf and then find the stanza that has default = true in it. In that stanza, make sure localhost:localhost is listed in the setting below     servers =       For example, it was like this before: distributedSearch:testgroup1 default = true servers = somehostname.company.com Once you find that stanza, add localhost to make it look like this (and it's literal in that it's simply localhost:localhost) distributedSearch:testgroup1 default = true servers = somehostname.company.com, localhost:localhost Restart the DS and from the internal thread within a few minutes/hours the clients should start to populate again   ... View more

Re: Failed to load source for Wordcloud visualizat...

by Splunk Employee in All Apps and Add-ons
‎02-07-2024 12:15 PM
‎02-07-2024 12:15 PM
Solution worked for me ... View more

Re: Issues with pan: Why is firewall_cloud parser ...

by Splunk Employee in Splunk Enterprise Security
‎12-08-2023 04:53 PM
‎12-08-2023 04:53 PM
TYVM for the reply and info ... View more

Re: How to list the changed made to Palo Alto Fire...

by Splunk Employee in Splunk Enterprise
‎09-11-2023 12:06 PM
‎09-11-2023 12:06 PM
There should be a sequence_number field in the config logs that can be correlated with the other logs of the same number to list the changes made to firewall rules ... View more

Re: Issues with pan: Why is firewall_cloud parser ...

by Splunk Employee in Splunk Enterprise Security
‎08-24-2023 01:05 PM
‎08-24-2023 01:05 PM
Can you please share how you fixed the issue? Thx ... View more

Re: Microsoft Intune Data

by Splunk Employee in All Apps and Add-ons
‎07-18-2023 09:59 AM
‎07-18-2023 09:59 AM
Intune logs can be sent to an Event Hub - https://learn.microsoft.com/en-us/mem/intune/fundamentals/review-logs-using-azure-monitor - and then Splunk Add-on for Microsoft Cloud Services to ingest the Intune events into Splunk ... View more

Re: Do we have splunk alert if ingest across index...

by Splunk Employee in Monitoring Splunk
‎06-02-2023 10:46 AM
‎06-02-2023 10:46 AM
As with Splunk, a million ways to do it so something basic like the following:   index=<your_index> sourcetype=<your_sourcetype> source=<your_datasource> earliest=-15m (or another time range) | stats sum(<your_volume_field> such as bytes_sent) as data_volume | eval threshold=1000000 # Set desired threshold for data volume | eval is_reduced_volume = if(data_volume < threshold, "Yes", "No") Can get a little more deeper with ML: index=<your_index> sourcetype=<your_sourcetype> source=<your_datasource> earliest=-15m | timechart span=1m sum(<your_volume_field>) as data_volume | fit MLTK_AnomalyScore(data_volume) as anomaly_score | eval threshold=0.9 # Set desired anomaly score threshold | eval is_anomaly = if(anomaly_score > threshold, "Yes", "No") And Lantern may have something they can leverage as well: https://lantern.splunk.com/Splunk_Platform/Use_Cases/Use_Cases_Security/Forensics/Crea[…]work_activity/Hosts_logging_more_or_less_data_than_expected ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎02-02-2026 03:34 PM
Karma from
Karma given to