Activity Feed
- Posted Re: Receiving a 401 Unauthorized error response from ServiceNow on Splunk Cloud Platform. 03-26-2024 04:44 PM
- Posted Splunk Not ingesting on Getting Data In. 03-12-2024 12:35 AM
- Posted Receiving a 401 Unauthorized error response from ServiceNow on Splunk Cloud Platform. 03-05-2024 04:49 PM
- Posted Splunk SOAR on Other Admin. 11-16-2023 06:15 PM
- Posted Splunk UBA VA on Other Admin. 11-03-2023 12:23 AM
- Posted Clustered environment Search Head/Indexers on Other Admin. 10-23-2023 05:53 PM
- Posted Splunk UBA manager on Deployment Architecture. 09-04-2023 08:36 PM
- Posted Re: Splunk Memory limit configuration on Deployment Architecture. 08-28-2023 01:44 AM
- Posted Re: Splunk Memory limit configuration on Deployment Architecture. 08-28-2023 01:41 AM
- Posted Is there Splunk Memory limit configuration? on Deployment Architecture. 08-27-2023 06:42 PM
03-26-2024 04:44 PM
Hi Paul, that was what I was suspecting: the service account's permission to access ServiceNow. The only problem I have is getting the other team (ServiceNow) to provide info for my troubleshooting, as they are denying that the issue is on their end. I was thinking that since the service account is an AD account, there will surely be a security group assigned to the service account. I have actually pointed out that the service account did not have any grouping assigned to it, thus there could be a possibility that the ServiceNow account does not have the permission to access ServiceNow. There were actually similar issues where we found that some AD users' security groups were missing after an issue happened. I will try to go through this path and check on the permission again. Thanks for the advice.
03-12-2024 12:35 AM
Referring to the below inputs.conf for one of my Windows servers: as you can see, there is some whitespace at the end of the first line before the closing bracket. "folderA" is the folder whose contents Splunk should be ingesting but is not (there are multiple log files inside). Is there a possibility that because of this whitespace Splunk may not be ingesting the logs? And if yes, is there any explanation for this so that we can explain/advise the client?
" [monitor://C:\Program Files\somepath\folderA ]
index=someindex
sourcetype=somesourcetype "
Labels: universal forwarder
03-05-2024 04:49 PM
Hi,
Has anyone faced this issue where you received an Unauthorized 401 error response from ServiceNow?
The scenario is as below.
We are using an AD service account, userA, to interact with ServiceNow for incident creation.
On the Splunk side, we are using Basic Auth.
On AD, the user account is set to never expire.
So far we have checked the service account status. No changes were made, but the issue was sudden.
Ran the query
>index=_internal sourcetype="ta_snow_ticket" host IN ( search head)
The above query was the one where we saw that the return code is 401 (Unauthorized).
What else can be checked? As of now, we are planning to reset the service account password and try again.
But if it works, the issue is finding what caused the password to be changed when it has been set to never expire.
Labels: Splunk Investigate, troubleshooting
11-16-2023 06:15 PM
I am currently integrating Splunk SOAR with Forcepoint Web Security. I am testing out the connectivity but getting the error SSL:UNSUPPORTED PROTOCOL. Forcepoint currently supports up to TLS 1.1. Is there any way I can set/modify SOAR/Forcepoint to utilize 1.1 in the meantime instead of 1.2?
11-03-2023 12:23 AM
Does Splunk UBA use/require the below Log4j 1.2? Currently the below was flagged during the VA scanning, thus I am not sure whether we can remove it or are required to update it. Apache Log4j 1.2
10-23-2023 05:53 PM
My current Splunk infra setup is clustered for Search Heads and Indexers, and we are using a deployer and cluster master to manage configs for the respective SH and IDX. For example, can I manually place an updated config in SH1 and then run a rolling restart so they will sync/replicate with each other? This is in the event the Deployer is down. But eventually, once the Deployer is up, we will place the updated config in the Deployer, so that when we run a sync, it will not affect/remove the file from the SH cluster. Will there be any issues in this scenario?
Labels: data
09-04-2023 08:36 PM
I got this error: failed to: delete_local_spark_dirs on and failed to:force_kill_spark_jvms on when I run /opt/caspida/bin/Caspida start-all. Any idea how I can resolve this? I was not able to access the web UI and I was running the cmd (on UBA manager) /opt/caspida/bin/Caspida stop-all. There was an error, and when I tried to run the start-all, it shows the same error.
08-28-2023 01:44 AM
Hi, just to confirm/enquire more on this: what you meant is that we will be creating a service/script to run on the particular server? Or is there already a Splunk default config file which has the settings for us to edit?
08-28-2023 01:41 AM
Hi, thanks for the info. "There will be negative impacts on performance if the forwarder workload requires memory more than the specified limit." - This was also one of our concerns, as we do have some UFs that are configured to monitor quite a number of locations, e.g. > 20. In your experience, so far how much memory might be used in this case? So far I have seen Splunk services using up to 4GB on a Windows server and impacting other constructs, but the cause was that the Splunk UF was not installed properly, causing a memory leak.
08-27-2023 06:42 PM
I am hoping someone could provide some comments/replies to check if we are able to limit the max memory usage for Splunk Universal Forwarders. If yes, is the config filename "limit.conf"? Just to add also:
- Will there be any issues arising from limiting the memory usage?
- I understand we can also limit the memory usage (have not tested yet) on the OS level; any advantages/disadvantages?
Where can I also get a formal solution from Splunk which mentions that the configuration is possible?
Labels: universal forwarder