Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About tech_g706
tech_g706
Path Finder
Member since:
04-03-2025
10-10-2025
Community Statistics
| Posts | 19 |
| Solutions | 0 |
| Karma Given | 14 |
| Karma Received | 0 |
| Member Since | 04-03-2025 |
Activity Feed
- Posted Persistent Queue on Intermediate Heavy Forwarder on Getting Data In. 10-10-2025 12:46 AM
- Posted XmlWinEventLog:ForwardedEvents sourcetype field extraction issue on Getting Data In. 08-22-2025 03:30 AM
- Posted Re: KVStore Failed 9.4.3 on Getting Data In. 07-23-2025 12:30 AM
- Posted Re: KVStore Failed 9.4.3 on Getting Data In. 07-22-2025 10:53 AM
- Posted KVStore Failed 9.4.3 on Getting Data In. 07-22-2025 09:14 AM
- Karma Re: SA-ldapsearch TA timestamp issue for richgalloway. 06-13-2025 12:24 AM
- Karma Re: SA-ldapsearch TA timestamp issue for livehybrid. 06-13-2025 12:24 AM
- Posted Re: SA-ldapsearch TA timestamp issue on Getting Data In. 06-09-2025 06:34 AM
- Posted SA-ldapsearch TA timestamp issue on Getting Data In. 06-09-2025 04:54 AM
- Karma Re: OpenText NetIQ Logs onboarding via syslog for kiran_panchavat. 05-18-2025 02:44 AM
- Karma Re: OpenText NetIQ Logs onboarding via syslog for kiran_panchavat. 05-14-2025 06:46 AM
- Karma Re: OpenText NetIQ Logs onboarding via syslog for livehybrid. 05-14-2025 06:46 AM
- Posted Re: OpenText NetIQ Logs onboarding via syslog on Getting Data In. 05-14-2025 06:45 AM
- Posted OpenText NetIQ Logs onboarding via syslog on Getting Data In. 05-14-2025 04:52 AM
- Karma Re: Splunk Cloud Index MaxSize Issue for livehybrid. 05-12-2025 01:51 AM
- Posted Splunk Cloud Index MaxSize Issue on Splunk Cloud Platform. 05-08-2025 02:09 AM
- Posted Re: Typo3 logs to Splunk on Getting Data In. 04-20-2025 07:29 AM
- Karma Re: Typo3 logs to Splunk for livehybrid. 04-20-2025 05:47 AM
- Posted Typo3 logs to Splunk on Getting Data In. 04-19-2025 06:33 AM
- Karma Re: Splunk UF version 9.4 version in Windows 2008 R2 machines? for gcusello. 04-14-2025 06:03 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
10-10-2025
12:46 AM
Hi All, I would like to confirm whether a persistent queue can be used on an Intermediate Heavy Forwarder that receives logs from Universal Forwarders (UFs) and forwards them to Splunk Cloud. After reviewing the documentation, I noticed there are certain restrictions on where a persistent queue can be enabled. Use case: We want to ensure that logs are stored locally on the Heavy Forwarder for at least 5–6 hours in case of a major outage where the Heavy Forwarder is unable to communicate with Splunk Cloud. Once the connection is restored, all logs stored in the queue or on disk should be forwarded to Splunk Cloud without any data loss. Our daily ingestion is around 300GB I would appreciate your recommendations on the best steps to implement this setup. this is the inputs.conf [splunktcp://9997] disabled = 0 connection_host = ip
... View more
Labels
- Labels:
-
heavy forwarder
-
indexer
08-22-2025
03:30 AM
Hi, I’m currently receiving Windows logs in Splunk via the (UF → HF → Splunk Cloud). The logs are being assigned to two sourcetypes: XmlWinEventLog XmlWinEventLog:ForwardedEvents For the XmlWinEventLog sourcetype, field extractions are working correctly. However, for the XmlWinEventLog:ForwardedEvents sourcetype, no field extractions are being applied, even though the log format appears to be the same. Since I am not very familiar with the XmlWinEventLog:ForwardedEvents sourcetype, I would like guidance on how to configure the Heavy Forwarder so that it applies the same field extractions used by XmlWinEventLog to XmlWinEventLog:ForwardedEvents. Thank you for your support.
... View more
Labels
07-23-2025
12:30 AM
@livehybrid Thanks for the response. Yes, some servers having custom certificates on those servers, we are having issue If I try changing to the default local certificate, then it works root@test02:/opt/splunk/bin# ./splunk cmd openssl verify -verbose -x509_strict -CAfile /opt/splunk/etc/auth/cacert.pem.default /opt/splunk/etc/auth/server.pem_old /opt/splunk/etc/auth/server.pem_old: OK root@test02:/opt/splunk/bin# root@test02:/opt/splunk/bin# root@test02:/opt/splunk/bin# root@test02:/opt/splunk/bin# ./splunk cmd openssl verify -verbose -x509_strict -CAfile /opt/splunk/etc/auth/cacert.pem /opt/splunk/etc/auth/server.pem error 20 at 0 depth lookup: unable to get local issuer certificate ./splunk cmd btool server list --debug kvstore /opt/splunk/etc/system/default/server.conf [kvstore] /opt/splunk/etc/system/default/server.conf clientConnectionPoolSize = 500 /opt/splunk/etc/system/default/server.conf clientConnectionTimeout = 10 /opt/splunk/etc/system/default/server.conf clientSocketTimeout = 300 /opt/splunk/etc/system/default/server.conf dbCursorOperationTimeout = 300 /opt/splunk/etc/system/default/server.conf dbPath = $SPLUNK_DB/kvstore /opt/splunk/etc/system/default/server.conf defaultKVStoreType = local /opt/splunk/etc/system/default/server.conf delayShutdownOnBackupRestoreInProgress = false /opt/splunk/etc/system/default/server.conf disabled = false /opt/splunk/etc/system/default/server.conf initAttempts = 300 /opt/splunk/etc/system/default/server.conf initialSyncMaxFetcherRestarts = 0 /opt/splunk/etc/system/default/server.conf kvstoreUpgradeCheckInterval = 5 /opt/splunk/etc/system/default/server.conf kvstoreUpgradeOnStartupDelay = 60 /opt/splunk/etc/system/default/server.conf kvstoreUpgradeOnStartupEnabled = true /opt/splunk/etc/system/default/server.conf kvstoreUpgradeOnStartupRetries = 2 /opt/splunk/etc/system/default/server.conf minSnapshotHistoryWindow = 5 /opt/splunk/etc/system/default/server.conf oplogSize = 1000 /opt/splunk/etc/system/default/server.conf percRAMForCache = 15 /opt/splunk/etc/system/default/server.conf port = 8191 /opt/splunk/etc/system/default/server.conf replicaset = splunkrs /opt/splunk/etc/system/default/server.conf replicationWriteTimeout = 1800 /opt/splunk/etc/system/default/server.conf shutdownTimeout = 100 /opt/splunk/etc/system/default/server.conf sslVerifyServerCert = false /opt/splunk/etc/system/default/server.conf sslVerifyServerName = false /opt/splunk/etc/system/default/server.conf storageEngine = wiredTiger /opt/splunk/etc/system/default/server.conf storageEngineMigration = false
... View more
07-22-2025
10:53 AM
Here are some internal logs: 2025-07-22T17:37:22.629Z I NETWORK [conn1078] Error receiving request from client: SSLHandshakeFailed: SSL peer certificate validation failed: self signed certificate in certificate chain. Ending connection from 127.0.0.1:43286 (connection id: 1078) 2025-07-22T17:37:22.629Z E NETWORK [conn1078] SSL peer certificate validation failed: self signed certificate in certificate chain T 2025-07-22T17:37:22.125Z I NETWORK [conn1077] Error receiving request from client: SSLHandshakeFailed: SSL peer certificate validation failed: self signed certificate in certificate chain. Ending connection from 127.0.0.1:43272 (connection id: 1077) h 2025-07-22T17:37:22.125Z E NETWORK [conn1077] SSL peer certificate validation failed: self signed certificate in certificate chain
... View more
07-22-2025
09:14 AM
Hi, I upgraded Splunk Enterprise from 9.2.3 to 9.4.3, and the KVSotre status is failed. It was migrated successfully to 7.0.14 on one server automatically, but on the second server, migration did not start upon upgrade. Is there a solution to restore the KVstore status and migrate to 7.0.14? It is a standalone server and not part of clustered environment. Some servers also have KVStore status Failed on the version 9.2.3, and I want to change the status before starting to upgrade them to 9.4.3 This member: backupRestoreStatus : Ready disabled : 0 featureCompatibilityVersion : An error occurred during the last operation ('getParameter', domain: '15', code: '13053'): No suitable servers found: `serverSelectionTimeoutMS` expired: [Failed to connect to target host: 127.0.0.1:8191] guid : xzy port : 8191 standalone : 1 status : failed storageEngine : wiredTiger versionUpgradeInProgress : 0
... View more
Labels
- Labels:
-
other
06-09-2025
06:34 AM
@richgalloway My understanding is that, if indextime is today so _time should have been the same since there is no delay during ingestion. Here is the default props.conf that comes with the SA-ldapsearch TA: (there is no transform.conf) [source::.../var/log/splunk/SA-ldapsearch.log] sourcetype = SA-ldapsearch [SA-ldapsearch] EXTRACT-vars = Level=.+, (?<log_source>Pid=.+, File=.+, Line=.+), (?<message>.*)
... View more
06-09-2025
04:54 AM
Hi, I am experiencing issue with SA-ldapsearch TA. I am using this search to validate the timestamp index = <index name> | eval bucket=_bkt | eval diff = _indextime - _time | eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S") | eval capturetime=strftime(_time,"%Y-%m-%d %H:%M:%S") | table indextime capturetime diff _raw I can see that, the indextime = 2025-06-08 05:00:20 but capturetime = 2020-01-13 10:00:01 Splunk is ingesting the latest ldap events but _time field is having timestamps of 2020. In the raw event, there are multiple timestamps available: "whenCreated":"2018-06-05 10:43:19+00:00 "whenChanged":"2024-02-11 13:52:37+00:00 "pwdLastSet":"2019-07-24T06:41:44.698530Z "lastLogonTimestamp":"2019-07-24T06:41:44.282975Z but I am not able to understand how the TA is extracting the 2020 timestamp from the raw as there is no such timestamp in the raw event.
... View more
Labels
- Labels:
-
props.conf
-
Windows
05-14-2025
06:45 AM
@livehybrid @kiran_panchavat thank you very much. | set the props like this, and field extractions are fine now. [netiq] SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+)<\d+> TIME_PREFIX = rt= TIME_FORMAT = %s%3N MAX_TIMESTAMP_LOOKAHEAD = 20 KV_MODE = auto TRUNCATE = 99999
... View more
05-14-2025
04:52 AM
Hi All, Anyone who has worked with OpenText NetIQ Logs before? We are receiving the NetIQ logs via syslog, but the sourcetype is set as default 'syslog', and field extractions are not performed properly. Since I do not find any Splunk TA for NetIQ logs, I would need some suggestions for the source type assignment for NetIQ logs. Thank you
... View more
Labels
- Labels:
-
heavy forwarder
-
sourcetype
05-08-2025
02:09 AM
Hey everyone, I have a question on Splunk Cloud Index MaxSize. I am having an issue with Splunk Cloud Index MaxSize. My index max size is set to 500GB, but the current size has reached 530GB, and some latest events (from last week) are not in the index but are going to archive storage. We have 3 months of searchable retention and 3 months of archive, and the archive dashboard is showing the latest event from last week. We have 8 indexers, which are clustered, and two dedicated search heads (not clustered). My question is, can I update the index maxsize (to unlimited) on the GUI, and will it replicate to all the indexers and 2 search heads, or should I open a support case for that? The second question is, can I restore the logs that went to archiving due to a maxsize issue to a searchable index again?
... View more
04-20-2025
07:29 AM
@livehybrid Thanks for the response. Regex is working fine, and 4 fields are extracted (log_level, request_id, component, message) Are these four fields the only ones for typo3 logs, and should this work for every typo3 log format? I did not find an official documentation on typo3 logs format. The message field contains some nested field value pairs as well. In addition, message values have multi-line events as well, so I had to adjust props.conf like this: SHOULD_LINEMERGE = true BREAK_ONLY_BEFORE = ^\w{3},\s+\d+\s+\w+\s+\d{4}\s+\d{2}:\d{2}:\d{2}\s+\+\d{4} Thanks
... View more
04-19-2025
06:33 AM
Hi, I need recommendations on typo3 logs source type. Be default, I set source type as "typo3" in inputs.conf but logs are not parsed properly. I did not find any Splunk TA for typo3 that can help in parsing. Anyone have experience onboarding typo3 logs? Thank you!
... View more
Labels
- Labels:
-
sourcetype
-
universal forwarder
04-14-2025
05:29 AM
Thanks, Upon checking the logs, it seems MongoDB is not running on the heavy forwarder, and that would be required. ta_netskopeappforsplunk_netskope_alerts_v2.log splunklib.binding.HTTPError: HTTP 503 Service Unavailable -- KV Store initialization failed. 2: splunkd.log: ERROR KVStoreConfigurationProvider [15442 KVStoreConfigurationThread] - Failed to start mongod on first attempt reason=KVStore service will not start because kvstore process terminated ERROR KVStoreConfigurationProvider [15442 KVStoreConfigurationThread] - Could not start mongo instance. Initialization failed. ERROR KVStoreBulletinBoardManager [15442 KVStoreConfigurationThread] - Failed to start KV Store process. See mongod.log and splunkd.log for details. INFO KVStoreConfigurationProvider [15442 KVStoreConfigurationThread] - Mongod service shutting down
... View more
04-14-2025
05:25 AM
Hi, We have some Windows 2008 R2 machines where UF 7.2 is running, and in Splunk Cloud CMC, we are getting the forwarder status as critical. My question is, can we install 9.4 or above 9 on the Windows 2008 R2 machines? If not, what is the minimum supported UF version for Windows 2008 R2, and possible workaround to mitigate the critical status notification on Splunk Cloud CMC? Thank you!
... View more
Labels
- Labels:
-
universal forwarder
-
Windows
04-11-2025
02:40 AM
Hi, I have a question on Netskope onboarding to Splunk. I installed to TA-NetSkopeAppForSplunk (4.1.0) on Splunk cloud and configured the API tokens provided by Netskope, and logs are flowing. However, the same add-on and tokens are configured on Splunk Enterprise (Intermediate Heavy Forwarder), and logs are not arriving. I tried using multiple local Splunk Enterprise instances for testing, and no logs. Any recommendations on what could be the issue with the Enterprise version while it is working fine on Cloud?
... View more
Labels
- Labels:
-
heavy forwarder
-
other
-
scripted input
04-05-2025
09:29 AM
Thanks for the response. The issue has been resolved by creating a new configuration file and moving the configurations there. Syslog-ng was not letting me modify the default conf file.
... View more
04-05-2025
04:41 AM
Hi, I setup the syslog-ng to receive syslog from devices and splunk HF on the same server will read those logs files. However I am not able to restart the syslog-ng and getting error. syslog-ng is running as root and log file directory owned by splunk user. Job for syslog-ng.service failed because the control process exited with error code. and systemctl status syslog-ng.service × syslog-ng.service - System Logger Daemon Loaded: loaded (/usr/lib/systemd/system/syslog-ng.service; enabled; preset: enabled) Active: failed (Result: exit-code) since Sat 2025-04-05 11:39:04 UTC; 9s ago Docs: man:syslog-ng(8) Process: 1800 ExecStart=/usr/sbin/syslog-ng -F $SYSLOGNG_OPTS (code=exited, status=1/FAILURE) Main PID: 1800 (code=exited, status=1/FAILURE) Status: "Starting up... (Sat Apr 5 11:39:04 2025" CPU: 4ms Apr 05 11:39:04 if2 systemd[1]: syslog-ng.service: Scheduled restart job, restart counter is at 5. Apr 05 11:39:04 if2 systemd[1]: syslog-ng.service: Start request repeated too quickly. Apr 05 11:39:04 if2 systemd[1]: syslog-ng.service: Failed with result 'exit-code'. Apr 05 11:39:04 if2 systemd[1]: Failed to start syslog-ng.service - System Logger Daemon.
... View more
04-04-2025
04:34 AM
@bowesmana Thanks for the response. We are using SVCs model. We have Splunk ES and other resource intensive apps. I am looking for a way to optimize searches as the current indexer memory utilization is 99% since last 2 months. I used the CMC dashboard and that showing me the DM acceleration searches are the most expensive ones.
... View more
04-03-2025
04:40 AM
Hi, I am seeking recommendations on optimizing the most resource-intensive saved searches in my Splunk Cloud instance to reduce Indexers CPU utilization, which is consistently at 99%. We are using Splunk ES, SA-NetworkProtection apps. By CMC, these are the most expensive ones and take around 30-40 minutes to complete. _ACCELERATE_DM_Splunk_SA_CIM_Authentication_ACCELERATE_ _ACCELERATE_DM_Splunk_SA_CIM_Network_Traffic_ACCELERATE_ _ACCELERATE_DM_Splunk_SA_CIM_Vulnerabilities_ACCELERATE_ _ACCELERATE_DM_Splunk_SA_CIM_Endpoint.Services_ACCELERATE _ACCELERATE_DM_Splunk_SA_CIM_Network_Sessions_ACCELERATE_ _ACCELERATE_DM_Splunk_SA_CIM_Change_ACCELERATE_ _ACCELERATE_DM_SA-NetworkProtection_Domain_Analysis_ACCELERATE_ _ACCELERATE_DM_DA-ESS-ThreatIntelligence_Threat_Intelligence_ACCELERATE_ Any recommendations on how I can optimize without disabling them? Thank you
... View more
Labels
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
10-10-2025
12:36 AM
|
Karma given to
