@splunkisaurus  Why dont you output JSON from your script so Splunk ingests clean structured events. You can also use props.conf if you need to split the events. In that case, you can rely on LINE_BREAKER alone and omit both SHOULD_LINEMERGE and BREAK_ONLY_BEFORE For eg: [nessus_agent_status] SHOULD_LINEMERGE = true BREAK_ONLY_BEFORE = ^Running: LINE_BREAKER = ([\r\n]+)Running: TRUNCATE = 0 DATETIME_CONFIG = CURRENT Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@kamalKSharma  Splunkbase restricts downloads to customers who have purchased ES or have been provisioned a trial entitlement. To test Splunk Enterprise Security, you’ll need to request a trial license from Splunk Sales or your Splunk Account Manager Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@inventsekar  The splunk CLI command is not an SPL search command. It’s the Splunk CLI binary, It controls Splunk services ,manages configurations ,performs maintenance tasks like KVStore backup/restore etc.. So for user clarity, the Splunk CLI should remain documented separately in the Admin Manual/CLI Reference, not in the Search Commands page, as it serves administrative functions rather than SPL operations. Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@trevorharris  You don’t necessarily need to disable the FortiGate App before upgrading Splunk to v10. The app is officially listed as compatible only up to Splunk v9.4, which means vendor-tested support stops there. However, in practice, many Splunkbase apps continue to function on newer releases even if compatibility hasn’t yet been updated. So better test it on a test/dev instance(splunk 10) to make sure everything works as expected. Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@rayleigh29  Did DB Connect function previously? Please verify file permissions for the DB Connect app and ensure the user has adequate read/execute access. splunk stop chown -R splunk:splunk $SPLUNK_HOME/etc/apps/Splunk_DB_Connect chmod -R 755 $SPLUNK_HOME/etc/apps/Splunk_DB_Connect If your kvstore is corrupted, clean the kvstore $SPLUNK_HOME/bin/splunk clean kvstore --app Splunk_DB_Connect Then start splunk and test again. Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@ThuLe  Most probably network related. -Check connectivity to Splunk Cloud - telnet inputs1.STACKID.splunkcloud.com 9997 -Check Firewall/SSL inspection recently enabled or changed #https://splunk.my.site.com/customer/s/article/Splunk-Universal-Forwarder-is-not-sending-events-to-Splunk-Cloud Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@jatin3101  50-100 search heads seems pretty large deployment. -You can automate this using SH Deployer for SH Cluster members, Configure server.conf from the deployer and push to all shc members. -Or use Ansible, Puppet, Chef, or even a shell script with SSH to run the command across all SHs in parallel. Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@gabo  Java 17 enforces stricter TLS/SSL algorithm constraints than older Java versions. Also your Microsoft JDBC driver 1.3.2 is very old which may not support this. So try upgrade the JDBC Driver and test it or downgrade your java to 11 and test Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@verbal_666  Yes with identical headers and identical file paths, CRC collisions will happen even if you increase initCrcLen or set crcSalt. So I think, the best solution is to rotate logs with unique filenames per day or add unique content in the header so CRC changes. Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@egko  Your Splunk Enterprise 8.1x is outdated, and Splunk Enterprise Security 7.0.1 is likely incompatible, causing the KV Store to fail (from "Ready" to "Failed") when ES loads. Upgrade Splunk Enterprise, then upgrade ES to a compatible version. #https://help.splunk.com/en/splunk-enterprise/get-started/install-and-upgrade/9.0/upgrade-or-migrate-splunk-enterprise/how-to-upgrade-splunk-enterprise Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@Anders333  The lookup file is created with the fields _time and test, then you run stats values(test) as testing. This produces a new field testing in the search results. Splunk lookup files are schema‑flexible. If later commands introduce new fields, splunk adds them as new columns, even if they’re empty for existing rows. If you need only testing field then write your outputlookup command after your stats. Eg: | makeresults | eval test = "this is a testing thing" | stats values(test) as testing | outputlookup append=false test.csv Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@quangtran  Modify your transofms.conf [route_UAT] REGEX = ^uat-.* SOURCE_KEY = MetaData:Host DEST_KEY = _TCP_ROUTING FORMAT = uat_indexer ... View more

@quangtran  Yes you can route the data using props.conf and transforms.conf on Splunk A to selectively route events based on the host field. You can achieve this by filtering host/sourcetype/source ... For eg: props.conf [var_log_*] TRANSFORMS-routing = route_UAT transforms.conf [route_UAT] REGEX = UAT SOURCE_KEY = MetaData:Host DEST_KEY = _TCP_ROUTING FORMAT = uat_indexer outputs.conf [tcpout] defaultGroup = default-autolb-group [tcpout:uat_indexer] server = splunkB_IP:9997 Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@nooproblems  Since you already have add-ons everywhere, does your event include a syslog header? Could you provide a sample log? To ensure the Palo Alto add-on functions properly, make sure the syslog header is not included in your log. If you have syslog header add below to your inputs.conf no_appending_timestamp = true Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@luispulido  As @bowesmana  mentioned, metadata is not reliable always for this use case. I have seen metadata can become outdated if new buckets are created. So i always prefer to run  | tstats latest(_time) as lastSeen where index=<my_index> by host Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@Commvault  The API is returning volume:hotwarm/... instead of an absolute filesystem path because your index is defined using volume references in indexes.conf. Splunk does not expand those into full paths unless the volume stanza itself has an absolute path configured. you can combine the two REST endpoints (/services/data/indexes and /services/data/index-volumes) to show full path. Try something below, | rest /services/data/indexes | fields title homePath_expanded coldPath_expanded | rex field=homePath_expanded "(?<homeVol>volume:[^/]+)" | rex field=coldPath_expanded "(?<coldVol>volume:[^/]+)" | join type=left homeVol [ | rest /services/data/index-volumes | fields title volume_path | rename title as homeVol volume_path as homeBase ] | join type=left coldVol [ | rest /services/data/index-volumes | fields title volume_path | rename title as coldVol volume_path as coldBase ] | eval homePathResolved=replace(homePath_expanded,homeVol,homeBase) | eval coldPathResolved=replace(coldPath_expanded,coldVol,coldBase) | table title homePathResolved coldPathResolved Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@BradOH  You can use functions like anomalydetection, outlier or build a baseline of normal hours and compare against current events. Below example shows anomaly values based on hour index=your_index sourcetype=your_sourcetype user=* | eval hour=strftime(_time,"%H") | stats count by user, hour | anomalydetection method=histogram action=filter Refer below for the usage of anomalydetection #https://help.splunk.com/en/splunk-enterprise/spl-search-reference/10.0/search-commands/anomalydetection Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@SOAR_098  The error SSL certificate problem: self-signed certificate in certificate chain means the system’s CA trust store is incomplete. You need to fix certificate trust so the installer can clone the default playbook repo. Run manually as the phantom user, you will be getting same error message. git ls-remote https://github.com/phantomcyber/playbooks Refer below, #https://community.splunk.com/t5/Splunk-SOAR/quot-Failed-to-bootstrap-playbook-repos-quot-on-clean-install/m-p/709534 Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@jscraig2006  Thats strange. As you mentioned, rolling a bucket from hot to warm should not change field extraction. Can you keep your props simple, like removing PREAMBLE_REGEX. Below setting should be fine to start with Eg: [mysourcetype] INDEXED_EXTRACTIONS = csv HEADER_FIELD_LINE_NUMBER = 1 FIELD_NAMES = FileDate,Field_1,Field_2,Field_3 TIMESTAMP_FIELDS = FileDate TIME_FORMAT = %Y-%m-%d %H:%M:%S SHOULD_LINEMERGE = false And validate and confirm the active sourcetype settings. $SPLUNK_HOME/bin/splunk btool props list mysourcetype --debug Then test with sample csv and roll the bucket manually and confirm fields remain correct. Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@gpinedo  By default data sharing is enabled, but you have option to disable it. But its always better to go in detail about the license agreement and terms. #https://help.splunk.com/en/splunk-cloud-platform/search/splunk-ai-assistant-for-spl/1.1.1/additional-resources/share-data-in-splunk-ai-assistant-for-spl Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@charbelcharro  Splunk ITSI offers the capability to utilize preloaded standard KPIs for database monitoring or to define custom KPIs, which can then be mapped to a specific service. Additionally, you can leverage the Deep Dive feature to analyze these metrics in greater detail and gain comprehensive insights into service performance(single window). Are you planning to replicate this in Splunk enterprise? Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@kn450  Whats your setup? Multiple products sending syslog traffic to splunk syslog receiver? or do you have any syslog-ng/rsyslog setup? If you have multiple products better to use syslog-ng/ryslog to listen syslog port(single or dedicated port) and filter incoming messages by pattern, host, or facility and then send them to different destinations. Eg: # Source: listen for syslog on UDP 514 source s_net { udp(ip(0.0.0.0) port(514)); }; # Filters based on client IP filter f_productA { netmask(192.168.x.x/32); }; filter f_productB { netmask(192.168.x.x/32); }; # Destinations: write to different files destination d_productA { file("/var/log/productA.log"); }; destination d_productB { file("/var/log/productB.log"); }; # Log paths log { source(s_net); filter(f_productA); destination(d_productA); }; log { source(s_net); filter(f_productB); destination(d_productB); }; Then use splunk inputs.conf for each product and assign correct sourcetype,index.... If you can’t split at syslog, you can still do it on the Splunk side. Use props.conf with a TRANSFORMS stanza to rewrite the sourcetype based on a regex match Eg: # props.conf [nix:syslog] TRANSFORMS-set_sourcetype = set_productA, set_productB # transforms.conf [set_productA] REGEX = ProductA DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::productA_syslog [set_productB] REGEX = ProductB DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::productB_syslog   Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more