Although it probably doesn't explain the intermittent nature of the problem, I've seen fapolicyd interfere with some Splunk Add-On UI pages.  If this were the case you would need to configure an fapolicyd exception.  You can audit fapolicyd using the command: sudo /usr/sbin/fapolicyd --debug-deny Hope this helps! ... View more

I would like to say that its always better to fix the problem at the source and try to mask those details which ever is not needed. If you are not able to then you should have a regex in place and try to check that these raw events match those regex and then try to mask it.  One more way is to have a program running, where you can have the raw events having matching the regex and convert them into a different one this way it will definitely help you. I am sure by now you would have got the answers from the team of experts but however it all depends on your organizations and how well you can perform it.  Below is a link which will help you for the masking of events.  https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.4/configure-event-processing/anonymize-data ... View more

Yes, you _can_ do that. It's just that managing search filters is less convenient and thus maintenance of search filters is less straightforward than simply selecting index access per role using normal "allowed index" functionality. And you're still using search-time fields for limiting access and those search-time fields can be overriden by your users. There's no way around that as long as you don't have indexed fields to search by. To be fully honest - you already seem to have a relatively convoluted data architecture (judging from what you're saying) and you're stuck on building on top of that unless you do some rearchitecting, which might need quite a lot of effort. That's the point when you should engage an experienced consultant to take a look at your environment and your requirements and give you a more holistic analysis and recommendations. We can give you hints about how Splunk works and what _can_ be done with it but we won't tell you what you _should_ do in the end because we don't know the whole picture and we're not taking responsibility for the final decisions. ... View more

Please stop spamming multiple posts - your question has been asked (again) here - you have been given solutions (which you don't appear to want to use). If anyone can come up with alternatives, they will most likely respond here. ... View more

But service field is not an indexed field. I am writing rex to extract that field from original index and then giving collect command to feed it in summary index. Still srchFilter fails in this case? It should be indexed field from the original index as well? Please confirm ... View more

I tried removing inputs.conf from the TA because I only wanted it for the props/transforms on my search head cluster.  Still got the error.  How? ... View more

Hey @Karthikeya, What @ITWhisperer mentioned is correct. I have currently modified that source code of the dashboard to open the same search in a new tab based on the clicked selection. Paste the following code in your dashboard and it should work as per your requirement.  <form version="1.1" theme="light"> <label>Akamai WAF Dashboard</label> <search id="base_search"> <query>index="waf_app_*" sourcetype=akamai_waf |fields * |search attackData.configId=$configid$ source=$source$ </query> <earliest>$time.earliest$</earliest> <latest>$time.latest$</latest> </search> <description></description> <fieldset submitButton="false" autoRun="true"> <input type="dropdown" token="configid" searchWhenChanged="true"> <label>Security Configuration ID</label> <choice value="*">All</choice> <fieldForLabel>attackData.configId</fieldForLabel> <fieldForValue>attackData.configId</fieldForValue> <search> <query>index="waf_app_*" sourcetype=akamai_waf source=$source$ | stats count by attackData.configId</query> <earliest>-5m</earliest> <latest>now</latest> </search> <default>*</default> <initialValue>*</initialValue> </input> <input type="dropdown" token="source" searchWhenChanged="true"> <label>Service Name</label> <choice value="*">All</choice> <fieldForLabel>source</fieldForLabel> <fieldForValue>source</fieldForValue> <search> <query>index="waf_app_*" sourcetype=akamai_waf attackData.configId=$configid$ |stats count by source</query> <earliest>-5m@m</earliest> <latest>now</latest> </search> <default>*</default> <initialValue>*</initialValue> </input> <input type="time" token="time"> <label>Select Time Range</label> <default> <earliest>-5m</earliest> <latest>now</latest> </default> </input> </fieldset> <row> <panel> <title>Top 10 Attack Rule IDs</title> <chart> <search base="base_search"> <query> | top limit=10 attackData.rules{}.id | rename attackData.rules{}.id as "Rule ID"</query> </search> <option name="charting.chart">bar</option> <option name="charting.chart.stackMode">default</option> <option name="charting.drilldown">all</option> <option name="refresh.display">progressbar</option> </chart> </panel> <panel> <title>Top 10 Attack Rule Tags</title> <chart> <search base="base_search"> <query> |stats count by attackData.rules{}.tag |sort - count |head 10</query> </search> <option name="charting.chart">pie</option> <option name="charting.chart.stackMode">default</option> <option name="charting.drilldown">all</option> <option name="refresh.display">progressbar</option> </chart> </panel> </row> <row> <panel> <title>Rule Messages</title> <table> <search base="base_search"> <query>| stats count by attackData.rules{}.message |sort - count |head 10</query> </search> <option name="dataOverlayMode">heatmap</option> <option name="drilldown">cell</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">false</option> <option name="wrap">true</option> </table> </panel> <panel> <title>Rule Action by Count</title> <chart> <search base="base_search"> <query> | stats count by attackData.rules{}.action |sort - count</query> </search> <option name="charting.chart">column</option> <option name="charting.chart.showDataLabels">minmax</option> <option name="charting.chart.sliceCollapsingThreshold">0.05</option> <option name="charting.chart.stackMode">stacked</option> <option name="charting.drilldown">all</option> <option name="charting.layout.splitSeries">0</option> <option name="refresh.display">progressbar</option> <drilldown> <set token="clicked_value">$click.value2$</set> <link target="_blank">search?q=index%3D%22waf_app_*%22%20sourcetype%3Dakamai_waf%20%7Cfields%20*%20|search%20attackData.configId%3D$configid$%20source%3D$source$%20%7C%20stats%20count%20by%20attackData.rules%7B%7D.action%20|sort%20-%20count%0A%7C%20search%20attackData.rules%7B%7D.action%3D%22$clicked_value$%22&amp;earliest=$time.earliest$&amp;latest=$time.latest$</link> </drilldown> </chart> </panel> </row> <row> <panel> <title>Rule IDs Trend (5 min)</title> <chart> <search base="base_search"> <query> | timechart count(attackData.rules{}.id) span=5min</query> </search> <option name="charting.chart">line</option> <option name="charting.drilldown">all</option> <option name="refresh.display">progressbar</option> </chart> </panel> </row> <row> <panel> <title>Status Code Trend</title> <chart> <search base="base_search"> <query> | stats count by httpMessage.status</query> </search> <option name="charting.chart">pie</option> <option name="charting.chart.showDataLabels">none</option> <option name="charting.chart.sliceCollapsingThreshold">0</option> <option name="charting.chart.stackMode">stacked</option> <option name="charting.drilldown">all</option> <option name="charting.layout.splitSeries">0</option> <option name="refresh.display">progressbar</option> </chart> </panel> <panel> <title>Top 10 IP Addresses</title> <chart> <search base="base_search"> <query> | stats count by attackData.clientIP |sort - count |head 10</query> </search> <option name="charting.chart">bar</option> <option name="charting.chart.stackMode">stacked</option> <option name="charting.drilldown">all</option> <option name="charting.layout.splitSeries">0</option> <option name="refresh.display">progressbar</option> </chart> </panel> </row> <row> <panel> <title>Top 10 HTTP Path Details</title> <chart> <search base="base_search"> <query> | stats count by httpMessage.path |sort - count |head 10</query> </search> <option name="charting.chart">bar</option> <option name="charting.chart.showDataLabels">all</option> <option name="charting.chart.stackMode">default</option> <option name="charting.drilldown">all</option> <option name="refresh.display">progressbar</option> </chart> </panel> <panel> <title>HTTP Method Count</title> <chart> <search base="base_search"> <query> | stats count by httpMessage.method |sort - count </query> </search> <option name="charting.chart">column</option> <option name="charting.chart.showDataLabels">all</option> <option name="charting.chart.sliceCollapsingThreshold">0</option> <option name="charting.chart.stackMode">default</option> <option name="charting.drilldown">all</option> </chart> </panel> </row> </form>   Thanks, Tejas.   --- If the above solution helps, an upvote is appreciated..!! ... View more

It sounds like your Heavy Forwarder (HF) is struggling to handle the high volume of Akamai logs (30k events in 5 minutes), which may be causing the GUI to become slow or unresponsive. The error in splunkd.log about the TA-Akamai-SIEM modular input timing out (exceeding 30,000 ms) suggests the modular input script is overloaded. Since data ingestion continues and splunkd is running, the issue is likely related to resource contention or configuration. Here’s how you can troubleshoot and resolve it: Check HF Resource Usage: Monitor CPU, memory, and disk I/O on the HF using top or htop (Linux) or Task Manager (Windows). High resource usage could indicate the HF is overwhelmed by the Akamai log volume. Use the Splunk Monitoring Console (| mcatalog) or | rest /services/server/info to check system metrics like CPU usage or memory consumption on the HF. Tune Modular Input Timeout: The TA-Akamai-SIEM modular input is timing out after 30 seconds (30,000 ms). Increase the timeout in $SPLUNK_HOME/etc/apps/TA-Akamai-SIEM/local/inputs.conf: ini   [TA-Akamai-SIEM://<input_name>] interval = <your_interval> execution_timeout = 60000 # Increase to 60 seconds Restart the HF after making this change ($SPLUNK_HOME/bin/splunk restart). Optimize TA-Akamai-SIEM Configuration: Check the interval setting for the Akamai input in inputs.conf. A very short interval (e.g., 60 seconds) with high data volume (30k events/5 min) could overload the modular input. Consider increasing the interval (e.g., to 300 seconds) to reduce the frequency of API calls. Verify the API query filters in the TA configuration. Narrow the scope (e.g., specific Akamai configurations or event types) to reduce the data volume if possible. Address GUI Unresponsiveness: The GUI slowdown may be due to splunkd prioritizing data ingestion over web requests. Check $SPLUNK_HOME/etc/system/local/web.conf for max_threads or http_port settings. Increase max_threads if it’s too low: ini   [settings] max_threads = 20 # Default is 10; adjust cautiously Confirm the HF’s web port (default 8000) is accessible via telnet <HF_IP> 8000 from your machine. Inspect splunkd.log Further: Look for additional errors in $SPLUNK_HOME/var/log/splunk/splunkd.log related to TA-Akamai-SIEM or resource exhaustion (e.g., memory or thread limits). Check for errors in $SPLUNK_HOME/var/log/splunk/web_service.log for GUI-specific issues. Scale or Offload Processing: If the HF is underpowered, consider upgrading its hardware (more CPU cores or RAM) to handle the 30k events/5 min load. Alternatively, distribute the load by deploying multiple HFs and splitting the Akamai inputs across them, forwarding to the same indexers. Ensure the TA-Akamai-SIEM add-on is only installed on the HF (not the Search Head or indexers) to avoid unnecessary processing. Engage Splunk Support: Since Support reviewed the diag file, ask them to specifically analyze the TA-Akamai-SIEM modular input logs and any resource-related errors in splunkd.log. Share the timeout error and data volume details. ... View more

Hi @Karthikeya  Are you running on-prem or in Splunk Cloud? This could be a number of things, including misconfiguration of limits.conf or a roles' concurrency settings but is typically caused by resource constraints - put simply, there are more searches running than the system can handle. If you are on-prem head over to the Monitoring Console and look at the "Search Activity: Instance" and "Scheduler Activity: Instance" for more insight into what is going on. Does any specific searches/users stand out here?  What is the load on your Splunk infrastructure looking like? If you are running Splunk Cloud then head over to the Cloud Monitoring Console - See https://help.splunk.com/en/splunk-cloud-platform/administer/admin-manual/9.3.2411/monitor-your-splunk-cloud-platform-deployment/usethe-search-dashboards for more info on the dashboard which might help relating to the search performance. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

@deepdiver From all messages present here it appears something around KVStore here you can check KVStore status first using below command: ./splunk show kvstore-status If its up and running then its good otherwise you have to check first Splunkd logs to get the exact ERROR logs. ... View more

Where is the input defined? You should be able to disable it where it is defined. If you have access to the command line on the machine, do: splunk btool inputs list --debug | fgrep "<the input name>"  Where the input is defined, you can go to the config file and delete the input, or disable it. ... View more

I can confirm @dural_yyz observation. In our case as well this was not an error just weird logging telling you, connection successful but nothing to read. Try reducing frequency of your query or ignore this. ... View more

This depends on what changes you are deploying. Some needs restart and son don’t. You can found more information from docs.splunk.com.  Here is a basic information of clustering https://docs.splunk.com/Documentation/Splunk/9.4.1/Indexer/Basicclusterarchitecture You should read and try to understand what it means. Unfortunately that doc doesn’t tell everything as it takes too much space and to be honest most of us don’t need to know all those details. ... View more

Hi @Karthikeya , are you sure that you want to apply this extraction at index time? this means a greater job for indexers and this usually depends on the volume of indexed logs for extractions, how many logs must you index daily and in the peak period? here, you can find a comparation between the two modes and a description: https://docs.splunk.com/Documentation/Splunk/9.4.1/Indexer/Indextimeversussearchtime  Ciao. Giuseppe ... View more

I totally agree with @PickleRick that you needs some local Splunk Partner or sales engineer to go through your current setup and how to proceed with it! To help you we need much more information and also we must see your whole environment, use cases and also understand your business to make any real suggestions to you. If/when you want know more about SmartStore I suggest that you join Splunk’s slack and read and asking more there. https://splunkcommunity.slack.com/archives/CD6JNQ03F ... View more

Hi @Karthikeya  For reference, the following docs page is useful for SmartStore retention settings: https://docs.splunk.com/Documentation/Splunk/9.4.1/Indexer/SmartStoredataretention maxDataSize = Bucket Size in MB, not the total size of the index Data will be "frozen" when either maxGlobalDataSizeMB or frozenTimePeriodInSecs is met (whichever is first!) - so it is not safe to assume the data will be retained for 6 years if the maxGlobalDataSizeMB setting is not large enough to hold 6 years of data. To clarify my previous post as @PickleRick mentioned - cold buckets in SmartStore indexes are functionally equivalent to warm buckets  - They are essentially the same and cold buckets only exist in circumstances and in any case, the storage on S3 is the same. Let me know if you have any further questions or need clarity on any of these points 🙂 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing   ... View more

@shivanshu1593 @jitbahan @Gowhar @dsainz please help me on the similar issue - https://community.splunk.com/t5/Getting-Data-In/Akamai-add-on-logs-are-not-populating/m-p/743241#M118086 ... View more

@James_ACN @javo_dlg @deepdiver @tofa please help me on the similar issue - https://community.splunk.com/t5/Getting-Data-In/Akamai-add-on-logs-are-not-populating/m-p/743241#M118086 ... View more

@mikefg @RCavazana2023 @cybersecnutant @LeandroNTT please help me on the similar issue ue - https://community.splunk.com/t5/Getting-Data-In/Akamai-add-on-logs-are-not-populating/m-p/743241#M118086 ... View more

The -R parameter is so that you list contents recursivly. If all directories and files are owned by Splunk:Splunk and have 700 (or 600 for files) permissions, that should be OK. ... View more

Hi @Karthikeya  Since you are able to make this work when installing directly on the HF then we should be able to rule out the JRE and Proxy configuration. You've confirmed that you have a license on the HF so there shouldnt be any features disabled which might cause the issue. (And worked directly when installing on the HF). I guess the next question is "what is different" - If it works when directly installing vs deploying DS then we need to work out what is different. How did you set it up on the HF? Did you copy all the files as they were on the HF and then drop them into deployment-apps on the DS? Out of interest, were the client_id and client_secret encrypted in the inputs.conf on the HF? If so then as long as the encryption was done on the same HF then I wouldnt have expected an issue copying the encrypted value. I think the key now is to work out what is different, I would get it working again on the HF then copy the files off. Deploy from the DS and then compare the difference between the files from the working installation vs DS installation. Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will ... View more

Ok. As you created an input in that app, it should have created an instance of inputs.conf in the "local" subdirectory - /opt/splunk/etc/TA-AKAMAI_SIEM/local/inputs.conf See that file. It should contain a stanza with your particular input instance definition. There you can add your index=something setting. ... View more

@livehybrid kv store issue is resolved once I installed java. Stuck here on how to assign new created index to all akamai logs? ... View more

Hi @Karthikeya  did you try the btool commands I posted? What did you get back from them? Thanks ... View more

Hi @Karthikeya , you can override the index name before indexing, not after. If you already indexed data, you cannot move data from an index to another. The only way is reidex all the events, paying twice the license. But, why do you want to change the index? An index isn't a database table, you can have also different and etherogeneous data in the same index remember that an index is usually defined based on two parameters: retention and grant accesses. Ciao. Giuseppe ... View more