I would like to run a copy of  PROD Indexer servers’ VMs in another site (DR setup) without mapping Cold Storage, to validate environment readiness. Could you please advise if any of the below approaches are suitable, or if there are other recommended options? Option A -Take VM snapshot or backup copy of PROD indexers. Deploy in test site without mounting cold storage disks. Before starting Splunk, edit /opt/splunk/etc/system/local/indexes.conf (or deployment-specific conf path): Hash out/remove coldPath entries for each index. Splunk will start and treat the indexes as having only hot/warm storage. ======================================================================================================================================================== Option B – OPTIMISTIC_ABOUT_FILE_LOCKING = 1 What it does: This setting tells Splunk to ignore file lock checks during boot (commonly used on NFS mounts or shared storage). Pros: Indexers will start even if file locks are not available. Let’s bring up DR indexers without cold storage attached. Impact: Unknown ================================================================================================================================================================ Option C – Temporary Cold Storage + Increase maxWarmDBCount What it does: Attach temporary 200GB cold storage. Increase maxWarmDBCount from 300 → 1000, which allows more warm buckets to be retained before rolling to cold. Pros: Keeps logs warm longer (delays need for cold storage). Reduces immediate cold storage dependency during DR migration. ... View more

The splunkfwd user is created by default in version 9.1, and seeing the warning "User splunkfwd does not exist - using root" while upgrade. the upgrade guide does not say that creating the splunkfwd user is mandatory for Universal Forwarder installations or upgrades. Upgrade the universal forwarder | Splunk Docs "When you upgrade, the RPM/DEB package installer retrieves the file owner of SPLUNK_HOME/etc/myinstall/splunkd.xml. If a previous user exists, the RPM/DEB package installer will not create a splunkfwd user and instead will reuse the existing user. If you wish to create a least privileged user, that is, the splunkfwd user, you must remove the existing user first." the warning appears during the upgrade regarding the missing splunkfwd user, there are no permission issues, and the forwarder is functioning properly with "splunk" User. Appreciate your guidance on whether it is mandatory to create the splunkfwd user for Universal Forwarder9.4.0 or higher version? Note: in this topic Splunk enterprise and Splunk UF not installed on the same machine ... View more

How will get /add pre-populated fields as checkboxes severity field ... View more

Hi ,   How to convert 2025-03-13T11:03:38Z to the "%d/%m/%Y %I:%M:%S ". I have tried this, but it didn't work. | eval Lastevent=strftime(last_seen, "%d/%m/%Y %I:%M:%S %p") ... View more

Hi All, I'm build below query for Delayed Forwarder for Phone home for 2 hour and Not Sending Data to indexes more than 15 min through append command as single correlation search. However, query is not working with append command where calculating time duration of data sent and last phone connection.  Kindly suggest if any change in query can fix the calculation. index=_internal host=index1 source=*metrics.log* component=Metrics group=tcpin_connections kb>1 | eval os=os+" "+arch | eval ip=sourceIp | eval type="Datasent" | stats max(_time) as _time values(hostname) as hostname values(fwdType) as fwdType values(version) as version values(os) as os by sourceIp | append [ search index=_internal source="/opt/splunk/var/log/splunk/splunkd_access.log" "/services/broker/phonehome/connection" |rex field=uri "_(?<fwd_name>[^_]+)_(?<fwd_id>[-0-9A-Z]+)$" | eval type="Deployment" | dedup fwd_name | stats max(_time) as lastPhoneHomeTime values(fwd_name) as hostname values(useragent) as fwdType values(version) as version values(type) as types by clientip | convert ctime(lastPhoneHomeTime) | table clientip lastPhoneHomeTime hostname fwdType version] | stats dc(type) as num_types values(type) as types values(hostname) as hostname values(fwdType) as fwdType values(version) as version values(os) as os max(_time) as most_recent_data values(lastPhoneHomeTime) as most_recent_settings by ip | eval data_minutes_ago=round((now()-most_recent_data)/60, 1), settings_minutes_ago=round((now()-most_recent_settings)/60, 1) | search settings_minutes_ago>120 OR data_minutes_ago>15 | convert ctime(most_recent_data) ctime(most_recent_settings) | sort types data_minutes_ago settings_minutes_ago | stats max(_time) as lastPhoneHomeTime values(fwd_name) as hostname values(useragent) as fwdType values(version) as version values(type) as types by clientip | convert ctime(lastPhoneHomeTime) | table clientip lastPhoneHomeTime hostname fwdType version] | stats dc(type) as num_types values(type) as types values(hostname) as hostname values(fwdType) as fwdType values(version) as version values(os) as os max(_time) as most_recent_data values(lastPhoneHomeTime) as most_recent_settings by ip | eval data_minutes_ago=round((now()-most_recent_data)/60, 1), settings_minutes_ago=round((now()-most_recent_settings)/60, 1) | search settings_minutes_ago>120 OR data_minutes_ago>15 | convert ctime(most_recent_data) ctime(most_recent_settings) | sort types data_minutes_ago settings_minutes_ago     ... View more

Dear  All , Some Dynamic Sources in my environment are ingesting more data into Splunk and License limit get breach. So Is there any way to detect this source as outliner through MLTK . i.e. Cisco ASA Source type  has multiple sources(firewall) which ingest around 10 GB data on daily basis  suddenly one day  license usage reach to 20 GB. how to identify which source sent more data into Splunk without creating manual threshold or average of data. ... View more

In Current Splunk deployment  we have 2 HFs, One used for DB connect another one used for the HEC connector and other. And the requirement is if One HF goes done other HF can handle all the functions.   so  is there High Availability option available for Heavy forwarder OR for DB connect APP ? ... View more

Is it possible to get each day first login event( EventCode=4634)  as "logon" and Last event of   (EventCode=4634) as Logoff and calculate total duration . index=win sourcetype="wineventlog" EventCode=4624 OR EventCode=4634 NOT | eval action=case((EventCode=4624), "LOGON", (EventCode=4634), "LOGOFF", true(), "ERROR") | bin _time span=1d | stats count by _time action user ... View more

Dear All, I would like to introduced the DR Site along with active log ingestion (SH cluster + Indexers cluster ). is there any formula for calculator to estimate the bandwidth  to Forward the data from Site1 to Site2. ... View more

In Distributed Clustered Deployment with SHC - Multisite (M4 / M14) model, is there any additional license required ? Is there any downtime require while connection Site A with Site N with Multisite (M4 / M14)  model ?   ... View more

Dear All, Is there any delay option in Splunk multisite M4/M14? Requirement:  Site A is Active site and Site N passive site. Data ingestion from Active site should be in real time and data from site N would be Ingest at 1 AM every day.  Is there any option in mu ... View more

Dear All, Please suggest how to create separate incident review dashboard for different team. OR How the notable will separated base on Teams.  i.e. Windows Team - Windows Team can only check windows related notable  Unix Team -Linux Team can only check Unix related notable  SOC Team - Soc Team can check all the notable  ... View more

Splunk Python readiness app Not being push from deployer to the SH cluster . The deployer server is running as MC, LM, Indexer master node, deployment server.  Tried to push the APP with merge_to_default push mode on deployer. Any suggestion for the troubleshoot this issue.  ... View more

Field is not extracted properly for Windows event log  where Ip address mark as "Client IP" Try to extract Field below Regexs but no luck, in _internal logs Regexs was applied to the prorp.conf Successfully. Please Suggest if anyone face this issue. Regex 1 (?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) Regex 2 [^+]Client\s+IP\:\s+(?<ip>\d+.\d+.\d+.\d+)\s+ ... View more

Easiest way to exclude ingestion of events for a specific IP address from a SourceType at UF level OR Syslog-NG   ... View more

Hi All, Can you please guide and suggest, How to onboard the MACOS 13 logs into Splunk. Logs related to Web browser history and and network connection logs from MACOS 13 Systems. ... View more