Thank you for your reply, it was really helpful. The solution works for forwarding logs from Splunk A to Splunk B, but it doesn’t seem to filter out non-UAT logs. In my var_log_*** indexes on Splunk B, I still see hosts that are not UAT. UAT hosts follow a naming pattern like uat-xyz-xyza. I have already placed the props.conf and transforms.conf configuration files into Splunk\etc\system\local. ... View more

@nooproblems  Since you already have add-ons everywhere, does your event include a syslog header? Could you provide a sample log? To ensure the Palo Alto add-on functions properly, make sure the syslog header is not included in your log. If you have syslog header add below to your inputs.conf no_appending_timestamp = true Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@luispulido  As @bowesmana  mentioned, metadata is not reliable always for this use case. I have seen metadata can become outdated if new buckets are created. So i always prefer to run  | tstats latest(_time) as lastSeen where index=<my_index> by host Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

You can read/create dashboard using _audit logs, where all this info can be seen, else you can use the below query index=your_index sourcetype=your_sourcetype | eval hour=strftime(_time,"%H") | stats count by user hour | eventstats avg(count) as avg stdev(count) as std by user | eval zscore=(count-avg)/std | where abs(zscore)>2 OR hour<9 OR hour>17 ... View more

Hi @PrewinThomas  I do have the following data in the indexes.conf file: [volume:cold] path = /splunk-data/cold [volume:hotwarm] path = /splunk-data/hotwarm maxVolumeDataSizeMB = 4500000 [wineventlog] homePath = volume:hotwarm/$_index_name/db coldPath = volume:cold/$_index_name/colddb tstatsHomePath = volume:hotwarm/$_index_name/datamodel_summary thawedPath = /splunk-data/cold/$_index_name/thaweddb   Are there any logs that will tell if there was an issue in resolving these paths? ... View more

Thanks in advance for the help. I’ve created an eventtype="auth_successful" for VPN  logs and I’d like to create field extractions based on this eventtype. I tried using a stanza like this in props.conf: [eventtype=auth_successful] EXTRACT-fields = ... but it didn’t work. It seems Splunk doesn’t support applying props directly to eventtypes (like it does for sourcetype, source, or host). Can someone confirm if this is the case, and what’s the best way to scope extractions so they only apply to events matching this eventtype? Thanks! ... View more

Hi. What version of Splunk are you running? I ran into a bad bug with both Splunk Enterprise 9.3.7 and 9.4.5. The heavy forwarders sending to DNS load balanced indexers get TCPOUT blocked.  This bug does not appear to be on the known issues despite many attempts by me trying to get it added there. It does not happen with 9.2.4. The Splunk JIRA that was opened is SPL-288904  The bug is said to be fixed in the upcoming releases 9.3.9 , 9.4.7, 10.0.3, 10.1 Hopefully soon. A workaround is the setting of dnsResolutionInterval in outputs.conf dnsResolutionInterval = <integer> * The base time interval, in seconds, at which indexer Domain Name Server (DNS) names are resolved to IP addresses. * This is used to compute runtime dnsResolutionInterval as follows: Runtime interval = 'dnsResolutionInterval' + (number of indexers in server settings - 1) * 30. * The DNS resolution interval is extended by 30 seconds for each additional indexer in the server setting. * Default: 300 seconds (5 minutes)   Splunk had recommended we set dnsResolutionInterval =480 (tcpout blocked). I tried 1000 (also blocked).  I have set it to 10000 (ie 10,000) and after ~ 3 days this seems to be working.   ... View more

What would be the additional certificates in that case if I can add to avoid the issue? And where usually we can add those before starting installation? ... View more

@jscraig2006  Thats strange. As you mentioned, rolling a bucket from hot to warm should not change field extraction. Can you keep your props simple, like removing PREAMBLE_REGEX. Below setting should be fine to start with Eg: [mysourcetype] INDEXED_EXTRACTIONS = csv HEADER_FIELD_LINE_NUMBER = 1 FIELD_NAMES = FileDate,Field_1,Field_2,Field_3 TIMESTAMP_FIELDS = FileDate TIME_FORMAT = %Y-%m-%d %H:%M:%S SHOULD_LINEMERGE = false And validate and confirm the active sourcetype settings. $SPLUNK_HOME/bin/splunk btool props list mysourcetype --debug Then test with sample csv and roll the bucket manually and confirm fields remain correct. Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@gpinedo  By default data sharing is enabled, but you have option to disable it. But its always better to go in detail about the license agreement and terms. #https://help.splunk.com/en/splunk-cloud-platform/search/splunk-ai-assistant-for-spl/1.1.1/additional-resources/share-data-in-splunk-ai-assistant-for-spl Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@charbelcharro  Splunk ITSI offers the capability to utilize preloaded standard KPIs for database monitoring or to define custom KPIs, which can then be mapped to a specific service. Additionally, you can leverage the Deep Dive feature to analyze these metrics in greater detail and gain comprehensive insights into service performance(single window). Are you planning to replicate this in Splunk enterprise? Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

If for any reason you arent able to index locally using selectiveIndexing (e.g. small local disk) but can forward to your indexers then I have found that setting the Deployment Server up to be able to search against the search peers also fixes the UI and allows management of the agents without local indexing. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

@chandrasekhar46  Where have you placed your WQL query for sourcetype="WMI:Service"? It’s recommended to also deploy Splunk_TA_windows on your Heavy Forwarder, as it already includes a parser for this. Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

@Keigo  Can you also try in the global settings. Refer this #https://community.splunk.com/t5/Installation/Remove-port-from-Splunk-alert-URLS-WITHOUT-changing-actual-web/m-p/677018/highlight/true   ... View more

@msmouse05  Splunkd (the management port on 8089) is still presenting the built‑in SplunkServerDefaultCert. To remediate, you need to replace the default server.pem in $SPLUNK_HOME/etc/auth/ with a certificate issued by your internal CA that has the correct hostname in its CN/SAN, and then update server.conf to point Splunkd at that certificate and its private key. Restart Splunkd afterward so it uses the new cert. Follow below doc #https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/9.2/secure-splunk-platform-communications-with-transport-layer-security-certificates/configure-tls-certificates-for-inter-splunk-communication Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

Hi @tgulgund  It is possible to use Custom Visualizations such as Network Diagram Viz in Dashboard Studio in > Splunk (Cloud) 10.1 but is not yet possible for on-premise users as 10.1 has not been released for on-premise installation. Based on recent release cadence I would expect this to be available for on-premise customers within the next few months. Check out https://help.splunk.com/en/splunk-cloud-platform/create-dashboards-and-reports/dashboard-studio/10.1.2507/visualizations/custom-visualizations for more information. Custom Viz can be selected from the regular Visualization dropdown on Dashboard Studio. Here is an example of D3 Sunburst Custom viz   🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

It worked. Thank you! ... View more

Adding to what has already been said - I would not recommend doing OS maintenance without a Splunk admin assist (or at least available on call). It is not OS administrator's area of competence to verify whether Splunk has shut down correctly, started correctly, is working correctly and so on. What if something happens when your environment is in maintenance mode? Will your OS admins be able to handle it properly? I wouldn't expect them to because it's not their job. ... View more

@Gregski11  Yes, this issue exists in version 10.0 as well. GUI workarounds: -Go to Settings → Data Inputs → Remote Event Log Collections → New Event Log Collection, then select   Choose logs from this host and enter localhost. -Alternatively, use Add Data → Monitor → Local Event Logs. Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

https://help.splunk.com/en/splunk-enterprise/manage-knowledge-objects/knowledge-management-manual/9.4/get-started-with-knowledge-objects/the-sequence-of-search-time-operations#ariaid-title2 KV_MODE-based extractions take place _after_ REPORT and EXTRACT so you can't rely on fields extracted with automatic json parsing in your transform. You might try to rewrite your extraction as a calculated field using text functions but that might be tricky. ... View more

@danielbb  Splunk recommended upgrade path is 3.x.x -> 3.18 ->4.x #https://docs.splunk.com/Documentation/DBX/latest/DeployDBX/MigratefromDBConnectv1 So i recommend to take a backup of your existing dbconnect app and upgrade to 3.18 and verify all your identities and connections are working as expected and then plan for upgrade to 4.x Note: I tested an upgrade straight from an older 3.x release to 4.1, and my config were lost. Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

Given the likely performance degradations, why do you want (need) index time extractions? ... View more

Bah...... that's strange... i tried first to delete completely the Deployer "var", totally reinstall the 9.4.5 SH-Cluster, and the problem has gone 🙄  It seems it was a first cluster notification that was stuck somewhere. I also deleted all the "var" from all SHC and relaunched the SHC bootstrap. Nothing happened. Really do not know 😦 SPLUNK has some very strange behavious sometimes 🤔 ... View more

Hi @Jcath  Can you confirm that the ownership of all the files in $SPLUNK_HOME/etc/system/default are set to the correct user that splunk is running as (usually 'splunk') . Unless you have removed any default files Splunk should be able to read the default values from the web.conf there so it seems like it could be a permissions issue. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more