@MBristow7  I can see this app is compatible for Splunk Enterprise not for Splunk Cloud but this app has been archived.  ... View more

@Fr3nchee  Before Logstash can send logs, Splunk needs to be configured to receive them.   Open your Splunk instance and Create a new HEC data input.  Go to Settings > Data Inputs > HTTP Event Collector.  Click New Token and give it a name  Select the index where you want the data to be stored (e.g., "logstash"), You have to create the index on HF and also in the indexers.  Copy the token for later use.  Refer this for more info:  Format events for HTTP Event Collector - Splunk Documentation Follow the below documentation for more information: GitHub - bonifield/logstash-to-splunk: writeup about sending Logstash data to Splunk using the HTTP Event Collector  Verify data in Splunk : Go to search head and search for your data you specified eg: index=logstash   ... View more

@Haleb  Hey, take a look at this documentation, I think it covers the same issue you’re running into : Solved: KV Store Failing to start 9.4 .1 - Splunk Community    ... View more

Splunk doesn’t do IP-based restrictions natively, it’s all user-to-role mapping.. They’d need a reverse proxy like NGINX to restrict by IP, but that’s outside Splunk itself. Mixing the two is a category error.  ... View more

@Andre_  No Splunk has no controls based on network source. Only user to role mapping.  This is not doable in the Splunk server configuration.  But a common and effective way to restrict access to Splunk roles based on source IP is to place Splunk behind a reverse proxy (e.g., Apache or NGINX) and configure the proxy to handle IP-based restrictions.   However, I haven’t experimented with this approach yet.    Define roles on the Splunk platform with capabilities - Splunk Documentation  About configuring role-based user access - Splunk Documentation   ... View more

@ej87897I recommend raising a support ticket to troubleshoot this issue. ... View more

@Gryphus  Since only 1 is available, it's not fully searchable, meaning the search factor is not met. However, all data should still be searchable, as there is at least one searchable copy. With one indexer down, the search factor of 2 isn't met, as only one searchable copy is available. This makes indexes not fully searchable, but searches should still work with the up indexer's data. In your case, you have a 2-node cluster, and based on the details, both the replication factor and search factor appear to be set to 2. This means:   Each bucket (the basic unit of index storage) should have a primary copy on one indexer and a replica on the other. Both copies are designated as searchable to meet the search factor of 2. https://community.splunk.com/t5/Deployment-Architecture/Is-it-possible-that-Search-Factor-is-Not-Met-and-All-Data-is/m-p/500305  ... View more

@ej87897  Since the forwarders are still sending data and appear in the Monitoring Console, they’re clearly functional and communicating with the Splunk infrastructure. The problem seems specific to the Deployment Server (DS) and its Forwarder Management UI.   Upgrade pre-9.2 deployment servers   This problem can occur in Splunk Enterprise 9.2 or higher if your deployment server forwards its internal logs to a standalone indexer or to the peer nodes of an indexer cluster. This issue can occur after an upgrade or in a new installation of 9.2 or higher. To rectify, add these settings to outputs.conf on the deployment server: [indexAndForward] index = true selectiveIndexing = true If you add these settings post-upgrade or post-installation, you might need to restart the deployment server. You can see below URL: https://docs.splunk.com/Documentation/Splunk/9.4.1/Updating/Upgradepre-9.2deploymentservers        ... View more

@nieminej  Confirm that the app is consistently named base_app (not base_uf) across the deployment server, UF directory (C:\Program Files\SplunkUniversalForwarder\etc\apps), and serverclass.conf.    Check the contents of base_app on the deployment server ($SPLUNK_HOME/etc/deployment-apps/base_app) and ensure it matches what’s expected on the UF after deployment.   Manually install the UF on a test workstation (bypassing SCCM) and configure it to phone home to the deployment server. Does the issue persist? This isolates whether SCCM is a factor.   I suspect the deployment server is instructing the UF to uninstall base_app due to either, A mismatch between the app’s expected state (as defined in serverclass.conf) and its actual state on the UF after SCCM deployment (OR) A misconfiguration in base_app’s configs causing the UF to misinterpret its deployment instructions. ... View more

@Na_Kang_Lim  Yes, you can definitely use props.conf and transforms.conf to scale this broader and make your field extractions more manageable. ... View more

 JSON is valid, you can proceed with extracting the required fields in Splunk using spath | makeresults | eval _raw="Mar 18 02:32:19 MachineName python3[948]: DEBUG:root:... Dispatching: {'id': '<id>', 'type': 'threat-detection', 'entity': 'threat', 'origin': '<redacted>', 'nature': 'system', 'user': 'system', 'timestamp': '2025-03-17T19:32:17.974Z', 'threat': {'id': '<redacted_uuid>', 'maGuid': '<redacted_guid>', 'detectionDate': '2025-03-17T19:32:17.974Z', 'eventType': 'Threat Detection Summary', 'threatType': 'non-pe-file', 'threatAttrs': {'name': '<filename>.ps1', 'path': 'C:\\Powershell\\Report\\<filename>.ps1', 'md5': '<redacted_hash>', 'sha1': '<redacted_hash>', 'sha256': '<redacted_hash>'}, 'interpreterFileAttrs': {'name': 'powershell.exe', 'path': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe', 'md5': '097CE5761C89434367598B34FE32893B', 'sha1': '044A0CF1F6BC478A7172BF207EEF1E201A18BA02', 'sha256': 'BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436'}, 'severity': 's1', 'rank': '100', 'score': '50', 'detectionTags': ['@ATA.Discovery', '@ATA.Execution'], 'contentVersion': null}, 'firstDetected': '2025-03-17T19:32:17.974Z', 'lastDetected': '2025-03-17T19:32:17.974Z', 'tenant-id': '<redacted_tenant_id>', 'transaction-id': '<redacted_transaction_id>'}" | rex field=_raw "Dispatching:\s*(?<json_data>{.*})" | eval json_data = replace(json_data, "'", "\"") | eval json_data = replace(json_data, "\\\\", "\\\\\\\\") | spath input=json_data path=threat.threatAttrs.name output=threat_filename | spath input=json_data path=threat.threatAttrs.path output=threat_filepath | spath input=json_data path=threat.severity output=threat_severity | spath input=json_data path=threat.score output=threat_score | table threat_filename, threat_filepath, threat_severity, threat_score @Na_Kang_Lim ... View more

@Na_Kang_Lim  Check if json_data is Correctly Extracted   | makeresults | eval _raw="Mar 18 02:32:19 MachineName python3[948]: DEBUG:root:... Dispatching: {'id': '<id>', 'type': 'threat-detection', 'entity': 'threat', 'origin': '<redacted>', 'nature': 'system', 'user': 'system', 'timestamp': '2025-03-17T19:32:17.974Z', 'threat': {'id': '<redacted_uuid>', 'maGuid': '<redacted_guid>', 'detectionDate': '2025-03-17T19:32:17.974Z', 'eventType': 'Threat Detection Summary', 'threatType': 'non-pe-file', 'threatAttrs': {'name': '<filename>.ps1', 'path': 'C:\\Powershell\\Report\\<filename>.ps1', 'md5': '<redacted_hash>', 'sha1': '<redacted_hash>', 'sha256': '<redacted_hash>'}, 'interpreterFileAttrs': {'name': 'powershell.exe', 'path': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe', 'md5': '097CE5761C89434367598B34FE32893B', 'sha1': '044A0CF1F6BC478A7172BF207EEF1E201A18BA02', 'sha256': 'BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436'}, 'severity': 's1', 'rank': '100', 'score': '50', 'detectionTags': ['@ATA.Discovery', '@ATA.Execution'], 'contentVersion': null}, 'firstDetected': '2025-03-17T19:32:17.974Z', 'lastDetected': '2025-03-17T19:32:17.974Z', 'tenant-id': '<redacted_tenant_id>', 'transaction-id': '<redacted_transaction_id>'}" | rex field=_raw "Dispatching:\s*(?<json_data>{.*})" | eval json_data = replace(json_data, "'", "\"") | eval json_data = replace(json_data, "\\\\", "\\\\\\\\") | eval json_data = replace(json_data, "'null'", "null") | table json_data Output:-    { "id": "<id>", "type": "threat-detection", "entity": "threat", "origin": "<redacted>", "nature": "system", "user": "system", "timestamp": "2025-03-17T19:32:17.974Z", "threat": { "id": "<redacted_uuid>", "maGuid": "<redacted_guid>", "detectionDate": "2025-03-17T19:32:17.974Z", "eventType": "Threat Detection Summary", "threatType": "non-pe-file", "threatAttrs": { "name": "<filename>.ps1", "path": "C:\\Powershell\\Report\\<filename>.ps1", "md5": "<redacted_hash>", "sha1": "<redacted_hash>", "sha256": "<redacted_hash>" }, "interpreterFileAttrs": { "name": "powershell.exe", "path": "C:\\Windows\\System32\\WindowsPowerShell\u000b1.0\\powershell.exe", "md5": "097CE5761C89434367598B34FE32893B", "sha1": "044A0CF1F6BC478A7172BF207EEF1E201A18BA02", "sha256": "BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436" }, "severity": "s1", "rank": "100", "score": "50", "detectionTags": [ "@ATA.Discovery", "@ATA.Execution" ], "contentVersion": null }, "firstDetected": "2025-03-17T19:32:17.974Z", "lastDetected": "2025-03-17T19:32:17.974Z", "tenant-id": "<redacted_tenant_id>", "transaction-id": "<redacted_transaction_id>" }   ... View more

@MichalG1  The script /opt/splunk/var/run/searchpeers/splunk-1742240975/apps/myapp/bin/geoip_max_lookup.py might not have the correct permissions for Splunk to execute it.   Check the file permissions and ensure the script is executable. Run this on the Splunk server: ls -l /opt/splunk/var/run/searchpeers/splunk-1742240975/apps/myapp/bin/geoip_max_lookup.py If it’s not executable, make it so: chmod +x /opt/splunk/var/run/searchpeers/splunk-1742240975/apps/myapp/bin/geoip_max_lookup.py ensure the file is owned by the user running Splunk (often splunk): chown splunk:splunk /opt/splunk/var/run/searchpeers/splunk-1742240975/apps/myapp/bin/geoip_max_lookup.py ... View more

@blanky  I kindly request you to raise a support ticket for further troubleshooting. You may refer to the details below if they are helpful. Search Factor and Replication Factor is not met on Cluster Manager | Splunk ... View more

@SN1  To expand the Region field into individual rows for each value, you can use the makemv command to convert the Region field into a multivalue field (if it's not already) and then use mvexpand to generate a row for each value. makemv: Converts the Region field into a multivalue field using the comma as a delimiter. mvexpand: Expands each multivalue Region into separate rows.   | makeresults count=5 | eval DeviceName = "mt_20736887n11.homag.com", Region = "NA,EMEA", DeviceType = "Workstation", OSType = "Windows10", OSVersion = "10.0" | append [| makeresults count=1 | eval DeviceName = "par-t-1801.homag-group", Region = "EMEA", DeviceType = "Workstation", OSType = "Linux", OSVersion = "null"] | append [| makeresults count=1 | eval DeviceName = "usbrelais.homag.com", Region = "NA", DeviceType = "Workstation", OSType = "Windows10", OSVersion = "10.0"] | makemv delim="," Region | mvexpand Region | table DeviceName Region DeviceType OSType OSVersion   ... View more

@blanky  If the bucket status is stuck on "Waiting 'target_wait_time' before replicating bucket" for a week, that’s a clear sign something’s gone wrong in your indexer clustering setup.   Ensure there are no network issues between the indexers. Network problems can impede bucket replication.   Check this documentation for more information: Bucket replication issues - Splunk Documentation    ... View more

@blanky  You can run below search on your cluster master to get a list of bucket that have status="bucket hasn't rolled yet" | rest splunk_server=local /services/cluster/master/fixup level=replication_factor | table title, latest.reason | rename latest.reason AS LatestReason | rename totle AS bucketID | regex LatestReason="bucket hasn't rolled yet" | table buckekID Once you got the bucketId, simple run below command on your Cluster Master will roll the bucket. curl -k -u admin:changme https://localhost:8089/services/cluster/master/control/control/roll-hot-buckets -d "bucket_id=<BUCIET_ID>” For example, curl -k -u admin:changeme https://localhost:8089/services/cluster/master/control/control/roll-hot-buckets -d "bucket_id=_internal~4520~11111111-1111-1111-1111-111111111111” ... View more

@blanky  look at the cluster master’s logs (splunkd.log) for errors related to the problematic index. ... View more

@BookerRick  First, the command you provided seems incomplete or mistyped: pc.tgz|tar -xvf *. It looks like you might have meant something like tar -xvf Splunk-9.4.0-pc.tgz   Since the installation package is a .tar file you should be able to use the guidelines for *nix installations:   Install a *nix universal forwarder - Splunk Documentation   The file might have been corrupted during download or transfer. Verify the integrity of the tarball. Splunk provides checksums (e.g., MD5 or SHA256) on their download page. On AIX, you can use cksum or sum to generate a checksum, though cksum is more standard cksum Splunk-9.4.0-pc.tgz Compare the output (checksum value and file size) with the value provided by Splunk. If they don’t match, re-download the file from Splunk’s official site and retry the extraction. The default tar command on AIX may not fully support the tarball format created for Splunk 9.4.0 or 9.4.1, especially if it was generated on a different system (e.g., Linux) with a newer tar version or different compression options.   Try using GNU tar (sometimes called gtar) instead of the native AIX tar. GNU tar is more robust and widely compatible. You can obtain it from the IBM AIX Toolbox for Open Source Software or another trusted source   If the tarball was transferred to AIX via FTP or SCP, it might have been corrupted or transferred in ASCII mode instead of binary mode ... View more

@Nraj87  | makeresults | eval last_seen = "2025-03-13T11:03:38Z" | eval Lastevent = strftime(strptime(last_seen, "%Y-%m-%dT%H:%M:%SZ"), "%d/%m/%Y %I:%M:%S %p")   ... View more

@vpantangi  If you want a single query to combine all these knowledge objects, you can use append or union, but the fields will differ slightly, so you’ll need to normalize them. Here’s an example:   | rest splunk_server=local /services/saved/searches | where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]") AND disabled=0 | eval type="Correlation Search" | rename title as name, eai:acl.app as app | table type, name, app, description, search | append [ | rest splunk_server=local /servicesNS/-/-/configs/conf-macros | eval type="Macro" | rename title as name, eai:acl.app as app | table type, name, app, definition | where disabled=0 ] | append [ | rest splunk_server=local /servicesNS/-/-/configs/conf-transforms | where match('filename', ".+") AND disabled=0 | eval type="Lookup" | rename title as name, eai:acl.app as app | table type, name, app, filename ] | append [ | rest splunk_server=local /servicesNS/-/-/saved/searches | where disabled=0 AND NOT match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]") | eval type="Saved Search" | rename title as name, eai:acl.app as app | table type, name, app, description, search ]       ... View more

@vpantangi  To list all enabled saved searches (including those not tagged as correlation searches):   | rest splunk_server=local /servicesNS/-/-/saved/searches | rename eai:acl.app as app, title as search_name | table search_name, app, search, disabled, description | where disabled=0     ... View more

@vpantangi  Additionally, to list lookup files present in the filesystem:   | rest splunk_server=local /servicesNS/-/-/data/lookup-table-files | rename title as lookup_file, eai:acl.app as app | table lookup_file, app   ... View more

@vpantangi  To list all lookup definitions (files and configurations) in Splunk ES:     | rest splunk_server=local /servicesNS/-/-/configs/conf-transforms | where match('filename', ".+") | rename title as lookup_name, eai:acl.app as app | table lookup_name, filename, app, disabled | where disabled=0     ... View more