@reyo If you are referring to Splunk ES App,  As @PickleRick mentioned, Its a paid, premium product, and Splunk does not allow anyone to download it freely from Splunkbase. It does not appear as downloadable for accounts without an ES entitlement. #https://help.splunk.com/en/splunk-enterprise-security-8/user-guide/8.3/introduction/licensing-for-splunk-enterprise-security Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

You require mltk_admin role capabilities to configure connection management. By any chance can you switch to enterprise trial license or get a dev license. ... View more

@nonno_pinto  Its not because of license limit. Did you configure Connection Management settings under AI Toolkit? Make sure your role have mltk_admin inheritance capabilities also for this. Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@kn450  After restart if its processing quickly then most probably it points to a queueing or processing bottleneck. Also it can be because of multiple reasons like fewer worker process, queues getting full, long running plaubooks etc.. Check for warnings/errors and see if it's highlighting anything. Refer below to increase the worker process, if its having smaller numbers. #https://help.splunk.com/en/splunk-soar/soar-on-premises/administer-soar-on-premises/6.4.1/manage-your-splunk-soar-on-premises-system-health-and-performance/tune-performance-by-managing-splunk-soar-on-premises-feature Also check Administration → System Health. Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@dm1  Which version of the app are you running, and does your Splunk deployment only have Python 3.7? Can you check which Python runtimes are available on your Splunk instance, and if you have a 3.7+ runtime, explicitly reference that in the app’s commands.conf and test the command again. $SPLUNK_HOME/bin/splunk cmd python3 -V Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@mgjk  Perpetual license ≥100GB/day should not disable your search. What does your license stack look like on the license server? If it's showing a trial license or a stack <100GB, that could trigger search disablement. If it's a proper 100GB license, try reinstalling the license and verify. Otherwise, contact Splunk or your account manager to request a license reset key. Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

It looks like Connection refused from your destination(192.168.56.1). Can you confirm 9997 is listening on 192.168.56.1. Also run a telnet to this and confirm the connection status. Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@apatel_qualys  Which app context are you in when this happens? Can you switch to the Search app, navigate to Settings → Event types from there, and check if the same redirect occurs? Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@CHIBUIKEM  Should I use my Splunk Enterprise password? No, you should not use your Splunk Enterprise password. Also what's the wrong output/response you are mentioning here. Can you share the errors you are getting. Try below and see how it goes, Check the Forwarder's internal Logs and check for the errors. telnet your splunk enterprise port 9997 from your vm change your VM's network adapter to "Bridged" mode and test Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@manthantsarwade  On the limits setting i dont think classic and victoria have much difference, other than the below highlighted ones. #https://help.splunk.com/en/splunk-cloud-platform/administer/admin-manual/10.1.2507/get-started-managing-splunk-cloud-platform/determine-your-splunk-cloud-platform-experience For this scenario, my suggesstion would be Avoid relying on KV_MODE=json for very large payloads. Use spath in searches or detection rules for critical fields. Use field aliases or EVAL in props.conf for the most important fields, so they’re always available without depending on auto‑KV. For detection rules- explicitly call spath to guarantee extraction. Performance - extracting 250+ fields at search time can be expensive. Focus on the subset of fields that detection rules truly need. Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@manthantsarwade  The [kv] limit in limits.conf does apply to KV_MODE=json as well as KV_MODE=auto. If you cant increase your resources, then instead of relying on auto‑KV, you can extract required fields with spath at search time. Also you can try with INDEXED_EXTRACTIONS This extracts JSON fields at index time, bypassing the [kv] search‑time limit. Eg: [your_sourcetype] INDEXED_EXTRACTIONS = json Note: When 'INDEXED_EXTRACTIONS = JSON' for a particular source type, do not also set 'KV_MODE = json' Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@danielbb  As @livehybrid  mentioned, The fastest, safest, and least disruptive way to do this is to upgrade from 9.3.3 to 9.4.5. Then you can plan the jump to the 10.x. This is a major version upgrade and requires more planning. Test Upgrade to 10.x on (dev/staging servers) and validate Splunk apps, add‑ons, and custom scripts against Splunk 10 changes and then plan to upgrade UF's also. Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@SN1  From your Splunk server, test the webhook URL. Eg: with curl, curl -H 'Content-Type: application/json' -d '{"text":"Test message from Splunk"}' https://outlook.office.com/webhook/... Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@SN1  You can create incoming webhooks in teams and configure alert in Splunk and use webhook action under Trigger Actions or run a script to perform the same. Refer below for creating incoming webhooks in Teams. #https://learn.microsoft.com/en-us/microsoftteams/platform/webhooks-and-connectors/how-to/add-incoming-webhook?tabs=newteams%2Cdotnet Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@JyPl4wNYu7GV1uL  How are you rotating your log file? Are you using logrotate.conf with copytruncate or create option? And what's your inputs.conf and props.conf for this. Also Is this only for audit.log? Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@splunkisaurus  Why dont you output JSON from your script so Splunk ingests clean structured events. You can also use props.conf if you need to split the events. In that case, you can rely on LINE_BREAKER alone and omit both SHOULD_LINEMERGE and BREAK_ONLY_BEFORE For eg: [nessus_agent_status] SHOULD_LINEMERGE = true BREAK_ONLY_BEFORE = ^Running: LINE_BREAKER = ([\r\n]+)Running: TRUNCATE = 0 DATETIME_CONFIG = CURRENT Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@kamalKSharma  Splunkbase restricts downloads to customers who have purchased ES or have been provisioned a trial entitlement. To test Splunk Enterprise Security, you’ll need to request a trial license from Splunk Sales or your Splunk Account Manager Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@inventsekar  The splunk CLI command is not an SPL search command. It’s the Splunk CLI binary, It controls Splunk services ,manages configurations ,performs maintenance tasks like KVStore backup/restore etc.. So for user clarity, the Splunk CLI should remain documented separately in the Admin Manual/CLI Reference, not in the Search Commands page, as it serves administrative functions rather than SPL operations. Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@trevorharris  You don’t necessarily need to disable the FortiGate App before upgrading Splunk to v10. The app is officially listed as compatible only up to Splunk v9.4, which means vendor-tested support stops there. However, in practice, many Splunkbase apps continue to function on newer releases even if compatibility hasn’t yet been updated. So better test it on a test/dev instance(splunk 10) to make sure everything works as expected. Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@rayleigh29  Did DB Connect function previously? Please verify file permissions for the DB Connect app and ensure the user has adequate read/execute access. splunk stop chown -R splunk:splunk $SPLUNK_HOME/etc/apps/Splunk_DB_Connect chmod -R 755 $SPLUNK_HOME/etc/apps/Splunk_DB_Connect If your kvstore is corrupted, clean the kvstore $SPLUNK_HOME/bin/splunk clean kvstore --app Splunk_DB_Connect Then start splunk and test again. Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@ThuLe  Most probably network related. -Check connectivity to Splunk Cloud - telnet inputs1.STACKID.splunkcloud.com 9997 -Check Firewall/SSL inspection recently enabled or changed #https://splunk.my.site.com/customer/s/article/Splunk-Universal-Forwarder-is-not-sending-events-to-Splunk-Cloud Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@jatin3101  50-100 search heads seems pretty large deployment. -You can automate this using SH Deployer for SH Cluster members, Configure server.conf from the deployer and push to all shc members. -Or use Ansible, Puppet, Chef, or even a shell script with SSH to run the command across all SHs in parallel. Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@gabo  Java 17 enforces stricter TLS/SSL algorithm constraints than older Java versions. Also your Microsoft JDBC driver 1.3.2 is very old which may not support this. So try upgrade the JDBC Driver and test it or downgrade your java to 11 and test Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@verbal_666  Yes with identical headers and identical file paths, CRC collisions will happen even if you increase initCrcLen or set crcSalt. So I think, the best solution is to rotate logs with unique filenames per day or add unique content in the header so CRC changes. Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more