@bt2025 You can reset your admin password  Find the passwd file for your instance (/opt/splunk/etc/passwd) and rename it to passwd.bk Create a file named user-seed.conf in your /opt/splunk/etc/system/local/ directory. In the file add the following text: [user_info] PASSWORD = NEW_PASSWORD In the place of "NEW_PASSWORD" insert the password you would like to use. Restart Splunk Enterprise and use the new password to log into your instance from Splunk Web. https://splunk.my.site.com/customer/s/article/Reset-admin-password-for-Splunk-Instance-via-REST-API    ... View more

@krynol  try disabling Security resolution (evt_resolve_ad_obj = 0) etc/apps/Splunk_TA_windows/local/inputs.conf [WinEventLog://Security] evt_resolve_ad_obj = 0   evt_resolve_ad_obj = <boolean> * How the input should interact with Active Directory while indexing Windows Event Log events. * If you set this setting to true, the input resolves the Active Directory Security IDentifier (SID) objects to their canonical names for a specific Windows Event Log channel. * If you enable the setting, the rate at which the input reads events on high-traffic Event Log channels can decrease. Latency can also increase during event acquisition. This is due to the overhead involved in performing AD translations. * When you set this setting to true, you can optionally specify the domain controller name or dns name of the domain to bind to with the 'evt_dc_name' setting. The input connects to that domain controller to resolve the AD objects. * If you set this setting to false, the input does not attempt any resolution. * Default: false (disabled) for all channels Please check this documentation https://splunk.my.site.com/customer/s/article/High-CPU-and-Memory-Usage-After-Splunk-UF-10-Upgrade  ... View more

@MIAS07  If you switch to another license, you cannot return to the Trial. You must install an Enterprise license or switch to Splunk Free. https://help.splunk.com/en/splunk-enterprise/administer/admin-manual/10.0/configure-splunk-licenses/about-splunk-free#ariaid-title5  If you’ve installed Splunk on a virtual machine, you can remove the current installation and perform a fresh setup. Doing so will allow you to receive another 60-day Enterprise Trial license.  ... View more

@fedayn05 Can you pls check the web_service.log ... View more

@fedayn05  Check the _internal index for the logs in web_service.log. Do you see anything prior to the stopping ? check the "Out Of Memory / OOM" events, the system can kill a process. grep -i 'oom' /var/log/syslog dmesg | grep -i 'oom' dmesg -T | egrep -i 'killed process'   ... View more

@AliMaher Splunk Phantom, renamed to Splunk SOAR, is a security orchestration, automation, and response (SOAR) solution. Phantom was a product from Splunk (or acquired by Splunk) that implements a SOAR solution. Over time, Splunk has rebranded or integrated Phantom more tightly with its broader security offerings, and now often refers to it as Splunk SOAR (i.e. Phantom is now part of Splunk’s SOAR offering) https://docs.splunk.com/Documentation/Phantom/4.10.7/User/Intro ... View more

@Cheng2Ready  For JSON / REST APIs more generally, one frequently suggested tool is the REST Modular Input (or using Splunk’s HTTP Event Collector or scripted inputs) to fetch JSON and index it. "RSS/Atom/RDF"‐type apps are built around XML/standard syndicated feeds, not JSON feeds.  ... View more

@geekf  Please review the configuration in your limits.conf file. You can adjust this value as needed. To configure the retention period for users’ search history, create (or edit) the following file: $SPLUNK_HOME/etc/system/local/limits.conf. max_history_length = <integer> * Maximum number of searches to store in history for each user and application. * When 'search_history_storage_mode' has a value of "kvstore", this value is applicable per user only, and not per user and application combination. * Default: 500  https://docs.splunk.com/Documentation/Splunk/9.4.2/Admin/Limitsconf  ... View more

@thangarun  Splunk MCP Server is supported on both Splunk Enterprise and Splunk Cloud platforms. Please refer to the details provided below.   https://splunkbase.splunk.com/app/7931  https://help.splunk.com/en/splunk-cloud-platform/mcp-server-for-splunk-platform/configure-the-server  ... View more

@maheshnc  In addition to the other steps, make sure to back up the /opt/splunk/bin directory on the Heavy Forwarders. If any custom scripts were placed directly in /opt/splunk/bin, it’s essential to include this directory in your pre-patching backup. ... View more

@whitecat001 Confirm the SPL used in the alert. ... View more

@CyberAarI would recommend not posting Splunk quiz questions in the Community. It would be more beneficial to go through the course videos and documentation thoroughly before attempting the quiz. ... View more

@CyberAar  The in function must be used with functions like case and if to evaluate conditions and return results based on those conditions.   case: The case function allows you to evaluate multiple conditions and return a value when a condition is true. It can be used with in to check if a value matches any of the specified values in a set. if: The if function evaluates a condition and returns one value if the condition is true and another if it is false. It can be used with in to create conditional logic based on whether a value is in a set. The validate function is not a standard SPL function. It is not designed to work with the in function or to evaluate conditions in this context. Instead, validate might be confused with a custom function or a term from another context, but it does not apply here in Splunk's SPL.   Using in with if    Using in with case   Using validate   ... View more

@sarit_s6  Refer this https://community.splunk.com/t5/Deployment-Architecture/Normal-User-role-to-access-and-add-Data-Inputs-in-Search-Head/m-p/325531  ... View more

@sarit_s6  Note: In nearly all cases, capabilities whose names begin with edit_ give users the ability to perform create, read, update, and delete operations for the feature with which they associate. For example, the edit_udp capability grants you the ability to create, read, update, and delete UDP network inputs - even if you do not have access to edit other types of inputs. Exercise caution when assigning edit_ capabilities. https://help.splunk.com/en/splunk-cloud-platform/administer/manage-users-and-security/9.3.2411/manage-splunk-platform-users-and-roles/define-roles-on-the-splunk-platform-with-capabilities  ... View more

@sarit_s6Does the user have the capability to create a new input? https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/9.4/manage-splunk-platform-users-and-roles/define-roles-on-the-splunk-platform-with-capabilities#ariaid-title3  ... View more

@sarit_s6  The add-on is configured so that all users have read access, while only Admin and Power User roles have write access. [] access = read : [ * ], write : [ admin, sc_admin, power ] export = system [views] access = read : [ * ], write : [ admin ] export = none ... View more

@sarit_s6  Which role has been assigned to the user? Is the user set as a regular User, a Power User, or an Admin? ... View more

@Joey3848  You can send unwanted incoming events to nullQueue to discard them during data routing and filtering.  https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad  ... View more

@Joey3848If you’re removing “everything older than X”, set time-based retention on the index and let Splunk expire those buckets automatically.   frozenTimePeriodInSecs = <nonnegative integer> * The number of seconds after which indexed data rolls to frozen. * If you do not specify a 'coldToFrozenScript', data is deleted when rolled to frozen. * NOTE: Every event in a bucket must be older than 'frozenTimePeriodInSecs' seconds before the bucket rolls to frozen. * The highest legal value is 4294967295. * Default: 188697600 (6 years) [noisy_index] # keep ~365 days frozenTimePeriodInSecs = 31536000 NOTE: The delete command does not reclaim disk space. ... View more

@salohiddin  Refer this https://docs.splunk.com/Documentation/Splunk/9.4.2/Admin/Inputsconf  start_from = <string> * How the Event Log input is to chronologically read the Event Log channels. * A value of "oldest" means that the input reads Windows event logs from the oldest to the most recent. * A value of "newest" means that the input reads Windows event logs in reverse, from the most recent to the oldest. After the input consumes the backlog of events, it stops. * If you set this setting to "newest", and at the same time give the 'current_only' setting a value of "false", the combination can result in the input indexing duplicate events. * Do not set this setting to "newest" and at the same time give the 'current_only' setting a value of "true". This results in the input not collecting any events because you told it to read existing events from newest to oldest and read only incoming events concurrently, which is a logically impossible combination. * Default: oldest   ... View more

@coddydaddy88 Confirm that [CUSTOMER_INDEX] exists. Ensure your user role has read access to that index. Please check internal logs ... View more

@coddydaddy88  Splunk Cloud may have an IP allow list configured, restricting HEC requests to specific IPs. If the Azure Web Apps outbound IP addresses are not included, requests may be accepted but not processed https://splunk.my.site.com/customer/s/article/Unable-to-ingest-data-though-the-HEC-token  ... View more

@StephenD1  Deployment clients only talk to one Deployment Server URI. There’s no built-in failover, and there’s no DS clustering/HA. If the DS is down or unreachable, UFs keep running with the last downloaded configs and retry on the next phone-home. If you really need HA on your DS, the best option is to use VMWare. Clone your primary DS and leave it down, then bring it back up if you need it. Another (probably better) option is to store / version control your DS configs in GitHub (or similar repo) so that you can quickly spin up another instance in case you have issues with the primary. https://lantern.splunk.com/Splunk_Success_Framework/Platform_Management/Preparing_for_failures_in_the_Splunk_utility_tier  https://docs.splunk.com/Documentation/Splunk/9.4.2/Admin/Deploymentclientconf#.5Btarget-broker:deploymentServer.5D  ... View more