@quangtran  Yes you can route the data using props.conf and transforms.conf on Splunk A to selectively route events based on the host field. You can achieve this by filtering host/sourcetype/source ... For eg: props.conf [var_log_*] TRANSFORMS-routing = route_UAT transforms.conf [route_UAT] REGEX = UAT SOURCE_KEY = MetaData:Host DEST_KEY = _TCP_ROUTING FORMAT = uat_indexer outputs.conf [tcpout] defaultGroup = default-autolb-group [tcpout:uat_indexer] server = splunkB_IP:9997 Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@nooproblems  Since you already have add-ons everywhere, does your event include a syslog header? Could you provide a sample log? To ensure the Palo Alto add-on functions properly, make sure the syslog header is not included in your log. If you have syslog header add below to your inputs.conf no_appending_timestamp = true Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@luispulido  As @bowesmana  mentioned, metadata is not reliable always for this use case. I have seen metadata can become outdated if new buckets are created. So i always prefer to run  | tstats latest(_time) as lastSeen where index=<my_index> by host Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@Commvault  The API is returning volume:hotwarm/... instead of an absolute filesystem path because your index is defined using volume references in indexes.conf. Splunk does not expand those into full paths unless the volume stanza itself has an absolute path configured. you can combine the two REST endpoints (/services/data/indexes and /services/data/index-volumes) to show full path. Try something below, | rest /services/data/indexes | fields title homePath_expanded coldPath_expanded | rex field=homePath_expanded "(?<homeVol>volume:[^/]+)" | rex field=coldPath_expanded "(?<coldVol>volume:[^/]+)" | join type=left homeVol [ | rest /services/data/index-volumes | fields title volume_path | rename title as homeVol volume_path as homeBase ] | join type=left coldVol [ | rest /services/data/index-volumes | fields title volume_path | rename title as coldVol volume_path as coldBase ] | eval homePathResolved=replace(homePath_expanded,homeVol,homeBase) | eval coldPathResolved=replace(coldPath_expanded,coldVol,coldBase) | table title homePathResolved coldPathResolved Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@BradOH  You can use functions like anomalydetection, outlier or build a baseline of normal hours and compare against current events. Below example shows anomaly values based on hour index=your_index sourcetype=your_sourcetype user=* | eval hour=strftime(_time,"%H") | stats count by user, hour | anomalydetection method=histogram action=filter Refer below for the usage of anomalydetection #https://help.splunk.com/en/splunk-enterprise/spl-search-reference/10.0/search-commands/anomalydetection Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@SOAR_098  The error SSL certificate problem: self-signed certificate in certificate chain means the system’s CA trust store is incomplete. You need to fix certificate trust so the installer can clone the default playbook repo. Run manually as the phantom user, you will be getting same error message. git ls-remote https://github.com/phantomcyber/playbooks Refer below, #https://community.splunk.com/t5/Splunk-SOAR/quot-Failed-to-bootstrap-playbook-repos-quot-on-clean-install/m-p/709534 Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@jscraig2006  Thats strange. As you mentioned, rolling a bucket from hot to warm should not change field extraction. Can you keep your props simple, like removing PREAMBLE_REGEX. Below setting should be fine to start with Eg: [mysourcetype] INDEXED_EXTRACTIONS = csv HEADER_FIELD_LINE_NUMBER = 1 FIELD_NAMES = FileDate,Field_1,Field_2,Field_3 TIMESTAMP_FIELDS = FileDate TIME_FORMAT = %Y-%m-%d %H:%M:%S SHOULD_LINEMERGE = false And validate and confirm the active sourcetype settings. $SPLUNK_HOME/bin/splunk btool props list mysourcetype --debug Then test with sample csv and roll the bucket manually and confirm fields remain correct. Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@gpinedo  By default data sharing is enabled, but you have option to disable it. But its always better to go in detail about the license agreement and terms. #https://help.splunk.com/en/splunk-cloud-platform/search/splunk-ai-assistant-for-spl/1.1.1/additional-resources/share-data-in-splunk-ai-assistant-for-spl Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@charbelcharro  Splunk ITSI offers the capability to utilize preloaded standard KPIs for database monitoring or to define custom KPIs, which can then be mapped to a specific service. Additionally, you can leverage the Deep Dive feature to analyze these metrics in greater detail and gain comprehensive insights into service performance(single window). Are you planning to replicate this in Splunk enterprise? Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@kn450  Whats your setup? Multiple products sending syslog traffic to splunk syslog receiver? or do you have any syslog-ng/rsyslog setup? If you have multiple products better to use syslog-ng/ryslog to listen syslog port(single or dedicated port) and filter incoming messages by pattern, host, or facility and then send them to different destinations. Eg: # Source: listen for syslog on UDP 514 source s_net { udp(ip(0.0.0.0) port(514)); }; # Filters based on client IP filter f_productA { netmask(192.168.x.x/32); }; filter f_productB { netmask(192.168.x.x/32); }; # Destinations: write to different files destination d_productA { file("/var/log/productA.log"); }; destination d_productB { file("/var/log/productB.log"); }; # Log paths log { source(s_net); filter(f_productA); destination(d_productA); }; log { source(s_net); filter(f_productB); destination(d_productB); }; Then use splunk inputs.conf for each product and assign correct sourcetype,index.... If you can’t split at syslog, you can still do it on the Splunk side. Use props.conf with a TRANSFORMS stanza to rewrite the sourcetype based on a regex match Eg: # props.conf [nix:syslog] TRANSFORMS-set_sourcetype = set_productA, set_productB # transforms.conf [set_productA] REGEX = ProductA DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::productA_syslog [set_productB] REGEX = ProductB DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::productB_syslog   Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@Rushilgupta02  Any Firewall/SELinux reset happened after patching? Did you restart UF after patching? Sometimes UF service may not restart cleanly during patching. Also verify DNS resolution for proxy.splunk.local Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@chandrasekhar46  Where have you placed your WQL query for sourcetype="WMI:Service"? It’s recommended to also deploy Splunk_TA_windows on your Heavy Forwarder, as it already includes a parser for this. Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@Keigo  Can you also try in the global settings. Refer this #https://community.splunk.com/t5/Installation/Remove-port-from-Splunk-alert-URLS-WITHOUT-changing-actual-web/m-p/677018/highlight/true   ... View more

@Keigo  Yes you can change this. [email] stanza in alert_actions.conf (or in the UI under Settings → Server settings → Email settings) is what Splunk uses when it builds the “View Results” link in alert emails. The hostname key there overrides whatever Splunk would normally derive from the local web listener Edit alert_actions.conf and set the hostname [email] hostname = https://hostname.com or with Splunk UI, Go to Settings > Server settings > Email settings > Find the Link hostname field and set it   Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@msmouse05  Splunkd (the management port on 8089) is still presenting the built‑in SplunkServerDefaultCert. To remediate, you need to replace the default server.pem in $SPLUNK_HOME/etc/auth/ with a certificate issued by your internal CA that has the correct hostname in its CN/SAN, and then update server.conf to point Splunkd at that certificate and its private key. Restart Splunkd afterward so it uses the new cert. Follow below doc #https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/9.2/secure-splunk-platform-communications-with-transport-layer-security-certificates/configure-tls-certificates-for-inter-splunk-communication Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@tgulgund  I dont think you can use Network Diagram viz on dashboard studio, its designed for classic dashboards. Alternatively you can use Link graph in dashboard studio for showing relations. Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@splunkreal  As @livehybrid mentioned, You cannot fully bypass Splunk authentication for maintenance‑mode operations. The splunk offline and splunk enable/disable maintenance-mode commands always require Splunk admin credentials (not Linux root). To automate, you should use either Splunk auth tokens or a service account with pre‑configured credentials in a script. Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@Gregski11  Yes, this issue exists in version 10.0 as well. GUI workarounds: -Go to Settings → Data Inputs → Remote Event Log Collections → New Event Log Collection, then select   Choose logs from this host and enter localhost. -Alternatively, use Add Data → Monitor → Local Event Logs. Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@danielbb  Splunk recommended upgrade path is 3.x.x -> 3.18 ->4.x #https://docs.splunk.com/Documentation/DBX/latest/DeployDBX/MigratefromDBConnectv1 So i recommend to take a backup of your existing dbconnect app and upgrade to 3.18 and verify all your identities and connections are working as expected and then plan for upgrade to 4.x Note: I tested an upgrade straight from an older 3.x release to 4.1, and my config were lost. Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@abhisplunk1  Can you try below, [extracting_plugin_path] SOURCE_KEY = pluginText REGEX = (?s)Path\s*:\s*(?<plugin_path>.+?)(\\r|\\n) REPEAT_MATCH = true MV_ADD = true   Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@inventsekar  On busy DCs script can take longer than the default timeout to query. Can you run the powershell directly and see how long its taking and adjust your timeout accordingly. & 'C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-WinDNSAnalytical-inputs\bin\get_dns_analytics.ps1' Regards, Prewin If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

Thats interesting. Looks like bug or UI glitch. Any possibility for you to test this on version 10.x? ... View more

@Jcath  Can you run $SPLUNK_HOME/bin/splunk btool web list --debug This lists the effective web.conf settings and where they are loaded from, share this Regards, Prewin If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more