Hi all, I’m trying to add a new connection in Splunk DB Connect but I always get this error popup: <?xml version="1.0" encoding="UTF-8"?> <response> <messages> <msg type="ERROR">Not Found</msg> </messages> </response> Symptoms: Can open the DBX UI normally When clicking "New Connection" — page attempts to load, then shows error above Troubleshooting done so far: Confirmed Java installed and JAVA_HOME set Confirmed Task Server is running port 9998 is listening Reinstalled DB Connect and Java OS : Ubuntu 22.04 Splunk Enterprise : 10.0.2 DB Connect : tried 3.18.6 and upgraded to 4.1.2 — same issue Java Version : OpenJDK-17 (tried upgrading to OpenJDK-21 - same issue)   Thankyou for all the help!       ... View more

Hi everyone, I’m currently planning to migrate an existing Splunk Enterprise All-in-One instance (Search Head + Indexer + License Master + Deployment Server in a single node) that also runs Splunk Enterprise Security (ES) into a new Splunk Clustered Architecture, which will include: 1x Cluster Manager 3x Indexers 1x Search Head Cluster (3x SH + 1x Deployer) 1x License Master / Deployment Server 2x Heavy Forwarder The plan is to keep the old All-in-One instance available for historical searches only during the transition, and eventually decommission (recycle) it once all data and workloads have been fully migrated. Additionally, I’m planning to upgrade to the latest versions — Splunk Enterprise v10.x and Splunk Enterprise Security v8.2, if supported and compatible during migration. (Current Version are Splunk Enterprise v9.0.3 and Splunk ES v7.1.0) Specifically: What is the best approach to migrate existing data (apps, add-on, etc), ES configurations, and correlation searches from the All-in-One instance to the new clustered environment? Should I first build the cluster (with ES installed on the SHC) and then migrate data/configurations, or can I reuse parts of the old ES setup directly? What’s the recommended way to integrate the old instance for historical search access during the migration period? What’s the recommended way to handle the UF data sources — e.g., when and how to repoint them to the new Heavy Forwarder? Appreciate any insight, recommendation on what is the better way do to this. Thank you in advance! ... View more

I'm using Splunk Add-on Builder to configure a REST API input for Samsung Knox. REST URL: https://region.manage.samsungknox.com/emm/oapi/audit/read POST Request Headers: Authorization: Bearer <token> Content-Type: application/x-www-form-urlencoded POST Request Body client_id client_secret grant_type timeZone = +07:00 includeProcessInfo = true includeLogData = true The request is successfully sent, but the response always returns timestamps in UTC (+00:00) and doesn't seem to reflect the timeZone (auditTimestampText) or other body parameters i requested. When I test this in Postman, I get the expected log results with localized timestamps and full data. But when I configure the same request in Add-on Builder, the response seems incomplete or ignores the body parameters — especially timeZone. reference for Samsung Knox API (https://docs.samsungknox.com/dev/knox-manage/api/#tag/Audit/operation/read) Any information on how to debug this? or any workaround for this? Thank you. ... View more