@gabo  Java 17 enforces stricter TLS/SSL algorithm constraints than older Java versions. Also your Microsoft JDBC driver 1.3.2 is very old which may not support this. So try upgrade the JDBC Driver and test it or downgrade your java to 11 and test Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@verbal_666  Yes with identical headers and identical file paths, CRC collisions will happen even if you increase initCrcLen or set crcSalt. So I think, the best solution is to rotate logs with unique filenames per day or add unique content in the header so CRC changes. Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@JWGOV  Can you try below REST API directly from the CLI splunk _internal call /services/apps/local/dbx/_reload -auth admin:PASSWORD Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@egko  Your Splunk Enterprise 8.1x is outdated, and Splunk Enterprise Security 7.0.1 is likely incompatible, causing the KV Store to fail (from "Ready" to "Failed") when ES loads. Upgrade Splunk Enterprise, then upgrade ES to a compatible version. #https://help.splunk.com/en/splunk-enterprise/get-started/install-and-upgrade/9.0/upgrade-or-migrate-splunk-enterprise/how-to-upgrade-splunk-enterprise Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@Anders333  The lookup file is created with the fields _time and test, then you run stats values(test) as testing. This produces a new field testing in the search results. Splunk lookup files are schema‑flexible. If later commands introduce new fields, splunk adds them as new columns, even if they’re empty for existing rows. If you need only testing field then write your outputlookup command after your stats. Eg: | makeresults | eval test = "this is a testing thing" | stats values(test) as testing | outputlookup append=false test.csv Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@quangtran  Modify your transofms.conf [route_UAT] REGEX = ^uat-.* SOURCE_KEY = MetaData:Host DEST_KEY = _TCP_ROUTING FORMAT = uat_indexer ... View more

@quangtran  Yes you can route the data using props.conf and transforms.conf on Splunk A to selectively route events based on the host field. You can achieve this by filtering host/sourcetype/source ... For eg: props.conf [var_log_*] TRANSFORMS-routing = route_UAT transforms.conf [route_UAT] REGEX = UAT SOURCE_KEY = MetaData:Host DEST_KEY = _TCP_ROUTING FORMAT = uat_indexer outputs.conf [tcpout] defaultGroup = default-autolb-group [tcpout:uat_indexer] server = splunkB_IP:9997 Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@nooproblems  Since you already have add-ons everywhere, does your event include a syslog header? Could you provide a sample log? To ensure the Palo Alto add-on functions properly, make sure the syslog header is not included in your log. If you have syslog header add below to your inputs.conf no_appending_timestamp = true Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@luispulido  As @bowesmana  mentioned, metadata is not reliable always for this use case. I have seen metadata can become outdated if new buckets are created. So i always prefer to run  | tstats latest(_time) as lastSeen where index=<my_index> by host Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@Commvault  The API is returning volume:hotwarm/... instead of an absolute filesystem path because your index is defined using volume references in indexes.conf. Splunk does not expand those into full paths unless the volume stanza itself has an absolute path configured. you can combine the two REST endpoints (/services/data/indexes and /services/data/index-volumes) to show full path. Try something below, | rest /services/data/indexes | fields title homePath_expanded coldPath_expanded | rex field=homePath_expanded "(?<homeVol>volume:[^/]+)" | rex field=coldPath_expanded "(?<coldVol>volume:[^/]+)" | join type=left homeVol [ | rest /services/data/index-volumes | fields title volume_path | rename title as homeVol volume_path as homeBase ] | join type=left coldVol [ | rest /services/data/index-volumes | fields title volume_path | rename title as coldVol volume_path as coldBase ] | eval homePathResolved=replace(homePath_expanded,homeVol,homeBase) | eval coldPathResolved=replace(coldPath_expanded,coldVol,coldBase) | table title homePathResolved coldPathResolved Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@BradOH  You can use functions like anomalydetection, outlier or build a baseline of normal hours and compare against current events. Below example shows anomaly values based on hour index=your_index sourcetype=your_sourcetype user=* | eval hour=strftime(_time,"%H") | stats count by user, hour | anomalydetection method=histogram action=filter Refer below for the usage of anomalydetection #https://help.splunk.com/en/splunk-enterprise/spl-search-reference/10.0/search-commands/anomalydetection Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@SOAR_098  The error SSL certificate problem: self-signed certificate in certificate chain means the system’s CA trust store is incomplete. You need to fix certificate trust so the installer can clone the default playbook repo. Run manually as the phantom user, you will be getting same error message. git ls-remote https://github.com/phantomcyber/playbooks Refer below, #https://community.splunk.com/t5/Splunk-SOAR/quot-Failed-to-bootstrap-playbook-repos-quot-on-clean-install/m-p/709534 Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@jscraig2006  Thats strange. As you mentioned, rolling a bucket from hot to warm should not change field extraction. Can you keep your props simple, like removing PREAMBLE_REGEX. Below setting should be fine to start with Eg: [mysourcetype] INDEXED_EXTRACTIONS = csv HEADER_FIELD_LINE_NUMBER = 1 FIELD_NAMES = FileDate,Field_1,Field_2,Field_3 TIMESTAMP_FIELDS = FileDate TIME_FORMAT = %Y-%m-%d %H:%M:%S SHOULD_LINEMERGE = false And validate and confirm the active sourcetype settings. $SPLUNK_HOME/bin/splunk btool props list mysourcetype --debug Then test with sample csv and roll the bucket manually and confirm fields remain correct. Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@gpinedo  By default data sharing is enabled, but you have option to disable it. But its always better to go in detail about the license agreement and terms. #https://help.splunk.com/en/splunk-cloud-platform/search/splunk-ai-assistant-for-spl/1.1.1/additional-resources/share-data-in-splunk-ai-assistant-for-spl Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@charbelcharro  Splunk ITSI offers the capability to utilize preloaded standard KPIs for database monitoring or to define custom KPIs, which can then be mapped to a specific service. Additionally, you can leverage the Deep Dive feature to analyze these metrics in greater detail and gain comprehensive insights into service performance(single window). Are you planning to replicate this in Splunk enterprise? Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@Rushilgupta02  Any Firewall/SELinux reset happened after patching? Did you restart UF after patching? Sometimes UF service may not restart cleanly during patching. Also verify DNS resolution for proxy.splunk.local Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@chandrasekhar46  Where have you placed your WQL query for sourcetype="WMI:Service"? It’s recommended to also deploy Splunk_TA_windows on your Heavy Forwarder, as it already includes a parser for this. Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@Keigo  Can you also try in the global settings. Refer this #https://community.splunk.com/t5/Installation/Remove-port-from-Splunk-alert-URLS-WITHOUT-changing-actual-web/m-p/677018/highlight/true   ... View more

@Keigo  Yes you can change this. [email] stanza in alert_actions.conf (or in the UI under Settings → Server settings → Email settings) is what Splunk uses when it builds the “View Results” link in alert emails. The hostname key there overrides whatever Splunk would normally derive from the local web listener Edit alert_actions.conf and set the hostname [email] hostname = https://hostname.com or with Splunk UI, Go to Settings > Server settings > Email settings > Find the Link hostname field and set it   Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@msmouse05  Splunkd (the management port on 8089) is still presenting the built‑in SplunkServerDefaultCert. To remediate, you need to replace the default server.pem in $SPLUNK_HOME/etc/auth/ with a certificate issued by your internal CA that has the correct hostname in its CN/SAN, and then update server.conf to point Splunkd at that certificate and its private key. Restart Splunkd afterward so it uses the new cert. Follow below doc #https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/9.2/secure-splunk-platform-communications-with-transport-layer-security-certificates/configure-tls-certificates-for-inter-splunk-communication Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@tgulgund  I dont think you can use Network Diagram viz on dashboard studio, its designed for classic dashboards. Alternatively you can use Link graph in dashboard studio for showing relations. Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@splunkreal  As @livehybrid mentioned, You cannot fully bypass Splunk authentication for maintenance‑mode operations. The splunk offline and splunk enable/disable maintenance-mode commands always require Splunk admin credentials (not Linux root). To automate, you should use either Splunk auth tokens or a service account with pre‑configured credentials in a script. Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@Gregski11  Yes, this issue exists in version 10.0 as well. GUI workarounds: -Go to Settings → Data Inputs → Remote Event Log Collections → New Event Log Collection, then select   Choose logs from this host and enter localhost. -Alternatively, use Add Data → Monitor → Local Event Logs. Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more