@mchoudhary  Multiple appends: Fundamentally, this is the main performance killer. You're running 6 distinct "heavy" searches. Main performance killer is on the transaction in EDR: The transaction "event.DetectId" command is notoriously resource-intensive, especially over a 6-month period. It should be avoided if at all possible, or its scope drastically limited   Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks! ... View more

@mohsplunking  @sainag_splunk  already explained very well. But If your goal is simply: UF (collects, basic sourcetype=WinEventLog:Security or sourcetype=linux_secure set by DS) -> HF (aggregates, forwards) -> Indexer (parses fields like EventCode, user, sshd_pid etc.) then you do not need the full Splunk_TA_windows or Splunk_TA_nix on the Heavy Forwarder. The indexers(with TA's) will handle the detailed parsing. But it becomes necessary IF you want the HF to perform actions that rely on the knowledge within that TA (like parsing fields to use for routing, or specific sourcetype recognition that isn't happening on the UF) Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks! ... View more

@Amira  Identify your exact index and sourcetypre for your data. Make sure your datamodel Cisco_SDWAN root event constraints have the same index and sourcetype. Are there events with the root event constraint search? If not, your syslog data isn't being assigned the correct sourcetype/index that the app's data model expects. Also check Data Model Acceleration status Check the "Status" or "Acceleration" column. Is it enabled? Is it 100% built? - If not, Enable acceleration. If acceleration seems stuck, incomplete, or you suspect corruption - try to rebuild. Disk space summaries full? - Check your indexer disk space via the Monitoring Console (Settings > Monitoring Console > Indexing > Indexes and Volumes). If the volume holding the summaries is full, acceleration will fail. Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks! ... View more

@Raj_Splunk_Ing  This is generally because API call normally defaults to UTC. So specify time zone in API call. If you are using Splunk python SDK, then try "tz": "America/Chicago" as search parameter. By adding the tz parameter with your local time zone ("America/Chicago" for CST), you instruct Splunk to interpret earliest=-1d@d and latest=-0d@d relative to that timezone, making the API search behave identically to your UI search in terms of the time window. This should resolve the discrepancy in event counts Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks! ... View more

@mchoudhary  You can try below sample xml dashboard code <form> <label>Index Sourcetype and Host/Source Explorer</label> <fieldset submitButton="false" autoRun="true"> <input type="dropdown" token="selectedIndex" searchWhenChanged="true"> <label>Select Index:</label> <choice value="*">All</choice> <search> <query> | rest splunk_server=local /services/data/indexes | search disabled=0 | stats count by title | fields title | rename title as index_name </query> <earliest>-1s</earliest> <latest>now</latest> </search> <fieldForLabel>index_name</fieldForLabel> <fieldForValue>index_name</fieldForValue> <default>*</default> </input> </fieldset> <row> <panel> <table> <title>Details for Index: $selectedIndex$</title> <search> <query> | tstats values(sourcetype) as sourcetypes, dc(host) as host_count, dc(source) as source_count where index="$selectedIndex$" <!-- Use the token here --> by index | eval sourcetypes = mvjoin(sourcetypes, ", ") </query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> <option name="count">20</option> <option name="refresh">5m</option> <option name="refresh.auto.interval">300</option> </table> </panel> </row> </form> Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks! ... View more

@bgresty I strongly agree with what @livehybrid says. Your 14 characters highlight, pointing towards a configuration that's unintentionally filtering or misinterpreting data based on this field's length which should be in your props/transforms conf. ... View more

@drodman29  As mentioned by everyone,  The action.email.domain_allowlist setting in alert_actions.conf performs a strict, literal string match against the domain part of the email address. It does not natively support wildcards like *.mydomain.com So, when you set action.email.domain_allowlist = *.mydomain.com, Splunk is literally looking for an email address like user@*.mydomain.com, which is not a valid email domain format and thus won't match a@temp.mydomain.com or b@perm.mydomain.com So i believe possible workaround you can do is Scripted Alert Action options. Instead of using the built-in sendemail alert action directly from the Splunk UI for these specific alerts, you configure the alert to trigger a custom script. Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks! ... View more

@livehybrid @Kim  Yes you are right, streamfwd.conf natively only takes list of indexer and HEC only directly. The scenario i tested was using indexer discovery on the HF itself, Streamfwd can dynamically take the list of indexers from the outputs.conf. It worked without any issues. The key is that the streamfwd process, after parsing network data, will then attempt to forward it. If its own streamfwd.conf doesn't specify a direct S2S or HEC target, it will fall back to using the Splunk forwarding mechanism configured in outputs.conf. ... View more

@ma620k  Did you defined as an output variable in the custom code block’s configuration? Your variable likely not being exported due to this. Reference - https://docs.splunk.com/Documentation/SOARonprem/6.3.1/Playbook/CustomFunction Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos. Thanks! ... View more

@Kim  This is a known issue with independent Streamfwd when used with an indexer cluster: After a cluster bundle push and indexer restarts, Streamfwd may lose its knowledge of all available indexers and start sending all data to a single indexer. Workaround - Restart Streamfwd After Indexer Restarts Solution - Use Indexer Discovery Indexer Discovery is the recommended way for forwarders (including Streamfwd) to dynamically learn the available indexers from the master node Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos. Thanks! ... View more

@thanh_on  Yes, you can use license_usage.log to calculate daily data volume per index. simple query to check by index. index=_internal source=*license_usage.log type="Usage" idx=* | timechart span=1d sum(b) as bytes by idx | eval GB=round(bytes/1024/1024/1024, 2) ... View more

@rafiq_rehman  These errors mean the new member’s KV Store is still in standalone mode. Initialize SHC Config on the New Member splunk init shcluster-config \ -auth <admin_user>:<admin_pass> \ -mgmt_uri https://<new_member_host>:8089 \ -replication_port <replication_port> \ -replication_factor <factor> \ -conf_deploy_fetch_url https://<deployer_host>:8089 \ -secret <pass4SymmKey> \ -shcluster_label <label> Add the New Member to the Cluster splunk add shcluster-member -current_member_uri https://<existing_member_or_captain>:8089 Confirm pass4SymmKey and mgmt_uri in $SPLUNK_HOME/etc/system/local/server.conf ... View more

@mchoudhary  You can try below, | tstats summariesonly=false dc(Message_Log.msg.header.message-id) as Blocked from datamodel=pps_ondemand where (Message_Log.filter.routeDirection="inbound") AND (Message_Log.filter.disposition="discard" OR Message_Log.filter.disposition="reject" OR Message_Log.filter.quarantine.folder="Spam*") earliest=-6mon@mon latest=now by _time | eval Source="Email" | eval MonthNum=strftime(_time, "%Y-%m"), MonthName=strftime(_time, "%b") | stats sum(Blocked) as Blocked by Source MonthNum MonthName | eventstats sum(Blocked) as Total by Source | appendpipe [ stats values(Total) as Blocked by Source | eval MonthNum="9999-99", MonthName="Total" ] | sort MonthNum | eval Month=MonthName | table Source Month Blocked Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos. Thanks!   ... View more

@wipark  Check for Replication Quarantine or Bundle Issues Large or problematic files (e.g., big CSV lookups) can cause replication to fail or be quarantined. Review the metrics.log and splunkd.log on all SHC members for replication errors or warnings Test Manual Change Make a simple change to a standard file (e.g. props.conf) via the UI or REST API and see if it replicates. If standard files replicate but your custom file does not, it’s likely a file location or inclusion issue. If the cluster is out of sync - Force Resync if required eg: splunk resync shcluster-replicated-config Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos. Thanks! ... View more

@SCK  Snowflake calls Splunk API directly-Possible with Snowflake’s GetSplunk processor Reference-https://docs.snowflake.com/en/user-guide/data-integration/openflow/processors/getsplunk Splunk exports reports to cloud repo-Schedule Splunk Searches/Reports and export the results. Configure Splunk to send the scheduled report output to a supported cloud storage using scripts (Python, Bash), Splunk alert actions...and ingest to Snowflake using external stages Ref-https://estuary.dev/blog/snowflake-data-ingestion/#:~:text=The%20first%20step%20is%20to,stage%20(e.g.%2C%20CSV). Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos. Thanks! ... View more

@Karthickb2308  No one-click integration for CMDB or ticketing, but REST API and Splunk alert actions make it achievable. Use the ServiceDeskPlus Splunk app for supported ticket actions(If you have Splunk SOAR), or build your own with Python/REST. For CMDB, use exports/API to sync data into Splunk for enrichment and correlation. Also a simple alternative -If you can’t use the API, configure Splunk to send alert emails to ManageEngine’s ticket creation email address (less flexible, but simple). ... View more

@smuderasi  Splunk’s REST Modular Input allows you to ingest data from REST APIs. By default, only the response body (e.g., JSON) is indexed. To also capture the HTTP status code, you need a custom response handler—a Python class that processes the HTTP response and outputs both the status code and the body. ... View more

@Benny87  Some dashboards, saved searches, or macros reference the wineventlog_security eventtype globally—even if your current search is for non-Windows data like firewalls or switches If the event type is missing, disabled, or its permissions are not set to "global," Splunk throws this error regardless of the actual index being searched This can also happen after app upgrades, permission changes, or if the Splunk_TA_windows is not deployed on all relevant search heads and indexers   ... View more

@tinatan There is no way to import an existing deployed add-on back into the Add-on Builder as a project for further editing. You can, however, reconstruct the add-on by copying over the code and configuration files into a new project, but you will lose the Add-on Builder’s UI metadata. ... View more

@berrybob Most probably App may be referencing an environment variable or configuration value that is unset or empty, defaulting to 0 based on the given message. Or may be incompatibility in the version of ESCU or its dependencies with your openshift. ... View more

@Lien  You cannot remove or increase the 500MB/day indexing limit on the Splunk Enterprise Trial or Free license Contact Splunk Sales: For larger-scale testing, request a temporary sales trial or dev/test license, which can provide a much higher daily limit ... View more

@rafiq_rehman  Most probably no captain or kvstore port blocked on this new member. the KVStore cannot reach "Ready" unless a captain is elected and cluster coordination is healthy. If there’s no captain or communication is broken, KVStore remains in "starting" or kvstore default port 8191 might be blocked. If this port is blocked/network issues, KVStore cannot synchronize and will not start Regards, Prewin  Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos. Thanks! ... View more