Hello Splunk community!  I’m planning a project that involves sending event data from Splunk to Elasticsearch using Kafka, and I haven’t started implementing it yet. I’m looking for your guidance nd assistance to implement this solution efficiently and securely. I would greatly appreciate any advice, recommendations, or ready-to-use tools to help with: Extracting data from a Splunk index. Sending the data to Kafka as a temporary transport layer. Formatting events in JSON with a consistent schema. Ingesting data into Elasticsearch with proper index settings. Any experience, suggestions, or guidance from the community would be highly appreciated    ... View more

Hello, I’m experiencing an issue with my Kafka broker integration with Splunk. The error message I’m seeing is: Kafka Broker Error Topic bytes in The rate, expressed in bytes per second, of the message traffic each topic is receiving from producing clients Error: Kafka topics are not receiving events. Monitor for an hour, if the status does not go back to OK, restart kafka-server. If this does not help, contact Splunk Support. Status code KAFKA-1 I have monitored for more than an hour, and the status did not return to OK. Has anyone faced this issue before or have suggestions on how to fix it? Thanks in advance! ... View more

Hello Splunk Community, I am a new Splunk UBA user and I am currently trying to pull data from Splunk Enterprise into Splunk UBA using time-based searches. I have followed the official UBA documentation and configuration guides, but I am still struggling to fully understand the process due to my limited experience with UBA. Specifically, I am trying to: Configure UBA to pull notable events and risk events from Splunk Enterprise Security. Use time-based searches to collect data efficiently without missing events. Understand how SPL queries and External Alarm categories work in this integration. I would greatly appreciate any guidance, examples, or best practices you can share to help me successfully implement this integration. Additionally, if you could suggest external resources, tutorials, or blogs that explain the process in a beginner-friendly way, that would be extremely helpful. Thank you in advance for your support ... View more

How enaple TLS in splunk platform from ca  ... View more

  Hello everyone, I’m encountering an issue when trying to enable secure HTTPS access on Splunk Web using an SSL certificate issued by a trusted external CA. What I did: Placed the SSL certificate file (splunkWeb.pem) in the following path: $SPLUNK_HOME/etc/apps/webTLS/certs/splunkWeb.pem Edited the web.conf file with the following settings:   ini CopyEdit [settings] enableSplunkWebSSL = true serverCert = $SPLUNK_HOME/etc/apps/webTLS/certs/splunkWeb.pem privKeyPath = $SPLUNK_HOME/etc/apps/webTLS/certs/splunkWeb.pem   Restarted the Splunk service. Issue: After restarting, Splunk hangs during startup and the web interface does not become available over HTTPS. Questions: Are there additional steps required when using an external SSL certificate? Is the web.conf configuration correct, especially regarding the privKeyPath pointing to the same .pem file as serverCert? Should the private key be in a separate file from the certificate? Any advice or similar experiences would be greatly appreciated. Thank you in advance for your help! ... View more

Hello everyone, I have a network monitoring system that exports data via IPFIX using Forwarding Targets. I am trying to receive this data in Splunk using the Splunk Stream app. The add-on is installed and Stream is enabled, but I am facing the following issues: Templates are not being received properly. The data arrives, but it's unreadable or incomplete. I need full flow data, including summaries or headers from Layer 7 (e.g., HTTP, DNS). My question: Has anyone successfully received and parsed IPFIX data in Splunk? If so, could you share the steps or configurations you used (like streamfwd.conf, input settings, etc.)? Any guidance would be greatly appreciated! Thanks in advance! ... View more

Hi Splunk Community, I'm currently integrating Flowmon ndr as a NetFlow data exporter to Splunk Stream, but I’m encountering a persistent issue where Splunk receives the flow data, yet it’s not decoded properly, and flow sets are being dropped due to missing templates. Here’s the warning from the Splunk log: ``` 2025-06-21 08:34:49 WARN [139703701448448] (NetflowManager/NetflowDecoder.cpp:1282) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template with id 258 received for observation domain id 13000 from device 10.x.x.x. Dropping flow data set of size 328 ``` Setup details: Exporter: Flowmon Collector: Splunk Stream  Protocol: NetFlow v9 (also tested with IPFIX) Transport: UDP  Template Resend Configuration: Every 4096 packets or  600 seconds Despite verifying these settings on Flowmon, Splunk continues to report that the template ID (in this case, 258) was never received, causing all related flows to be dropped. My questions: 1. Has anyone successfully integrated Flowmon with Splunk Stream using NetFlow v9? 2. Is there a known issue with Splunk Stream not handling templates properly from certain exporters? 3. Are there any recommended Splunk Stream configuration tweaks for handling late or infrequent templates? Any insights, experiences, or troubleshooting tips would be greatly appreciated. Thanks in advance! ... View more

opt/caspida/bin/Caspida setuphadoop ...............................Failed to run sudo -u hdfs hdfs namenode -format >> /var/vcap/sys/log/caspida/caspida.out 2>&1 Fri Jun 2 17:06:11 +07 2023: [ERROR] Failed to run hadoop_setup [2]. Fix errors and re-run again. Error in running /opt/caspida/bin/Caspida setuphadoop on 192.168.126.16. Fix errors and re-run again. i execute the command /opt/caspida/bin/caspida setup but stopped here hadoopsetup can't run, i don't know the cause yet. someone please help me. I put some install logs here ... View more

Hi Splunk Community, I’m working on a use case where data is stored in Elasticsearch, and I’d like to use Splunk solely as an interface for visualizing and querying the data using SPL (Search Processing Language) — without ingesting or storing the data again in Splunk, to avoid duplication and unnecessary storage costs. My main questions are: Is there a way to connect Splunk directly to Elasticsearch as an external data source? Can Splunk query external data (like from Elasticsearch) using SPL, without indexing it? Are there any available add-ons, modular inputs, or scripted solutions that allow this type of integration? Is this approach officially supported by Splunk, or would it require a custom integration? I’m aware that tools like Logstash or Kafka can be used to bring data into Splunk, but that’s exactly what I’m trying to avoid — I don’t want to duplicate the data storage. If anyone has experience with a similar setup, or any recommendations, I’d greatly appreciate your input. Thanks in advance!   ... View more

Dear Splunk Community, I am currently working on a project focused on identifying the essential data that should be collected from endpoints into Splunk, with the goal of avoiding data duplication and ensuring efficiency in both performance and storage. Here’s what has been implemented so far: The Splunk_TA_windows add-on has been deployed. The inputs.conf file has been configured to include all available data. Sysmon has been installed on the endpoints. The Sysmon inputs.conf path has been added to be collected using the default configuration from the Splunk_TA_windows add-on. In addition, we are currently collecting data from firewalls and network switches. I’ve attached screenshots showing the volume of data collected from one endpoint over a 24-hour period. The data volume is quite large, especially in the following categories: WinRegistry Service Upon reviewing the data, I noticed that some information gathered from endpoints may be redundant or unnecessary, especially since we are already collecting valuable data from firewalls and switches. This has led me to consider whether we can reduce the amount of endpoint data being collected without compromising visibility. I would appreciate your input on the following: What are Splunk's best practices for collecting data from endpoints? What types of data are considered essential for security monitoring and analysis? Is relying solely on Sysmon generally sufficient in most security environments? Is there a recommended framework or guideline for collecting the minimum necessary data while maintaining effective monitoring? I appreciate any suggestions, experiences, or insights you can share. Looking forward to learning from your expertise. ... View more

Description: Hello, I am experiencing an issue with the "event_id" field when transferring notable events from Splunk Enterprise Security (ES) to Splunk SOAR. Details: When sending the event to SOAR using an Adaptive Response Action (Send to SOAR), the event is sent successfully, but the "event_id" field does not appear in the data received in SOAR. Any assistance or guidance to resolve this issue would be greatly appreciated. Thank you ... View more