Hi Splunkers, I am new to handling certificates but it seems to be the resolution that I need to resolve the unsecure browser issue when accessing my Splunk UI. We have been given a certificate in .cer generated from a csr in which we listed the DNS of our Splunk instance. Now I understand that we can generate a .pem out of this .cer but I am unclear as to the private key to use based on the parameters that we need to set in web.conf [settings] enableSplunkWebSSL = true privKeyPath = <.key here> serverCert = /home/user/certs/mycacert.pem Reference: https://docs.splunk.com/Documentation/Splunk/9.0.5/Admin/Webconf Would anyone be able to provide direction on this please? Thanks a lot. Cheers! ... View more

Hi Splunkers,   Has anyone used a pdf file to load/open as part of a dashboard? (Not a link to the pdf file)   Thanks in advance. Kind Regards, Ariel ... View more

Hi fellow Splunkers, Good day. We are noticing that applications in our Splunk Cloud Platform is not sorted by App Label unlike our Splunk Enterprise platform? Would anyone be able to suggest if there is a way to sort the apps list dropdown in Splunk Cloud?   Thanks a lot in advance. Kind Regards! ... View more

Hi Fellow Splunkers, Good day. I am currently migrating some applications from On-Prem to Splunk Cloud. From app vetting, would anyone be able to suggest of possible fixes/resolutions for this  check_hotlinking_splunk_web_libraries check? The errors points to JS files that works well in On-Prem and are in their correct location in packaging an application (appserver/static)   Name: check_hotlinking_splunk_web_libraries Description: Check that the app files are not importing files directly from the search head. Details: Embed all your app's front-end JS dependencies in the /appserver directory. If you import files from Splunk Web, your app might fail when Splunk Web updates in the future. Bad imports: ['vizapi/SplunkVisualizationBase', 'vizapi/SplunkVisualizationUtils'] File: /tmp/tmp4bxeox7h/splunk_app/appserver/static/visualizations/VUmeter/src/visualization_source.js   Appreciate any help/advise. Thank you. ... View more

Hi fellow Splunkers, Good day.  Would there be a way to configure a specific index to be searchable for a specific srchTimeWin? Say the example below. Scenario: Splunk User has a user role with a search time win of 1 yr for all non-internal indexes. We wanted a specific index to be searchable for 2 years only for the same user (the rest by 1yr searchable).   Test already done: Create a new role and assign to a test user (with the user role) with the new role being searchable to the index of concern with srchTimeWin of 2years. However, all indexes were made searchable to 2 yrs as a result. Thanks in advance. Kind Regards, Ariel ... View more

Hi Splunkers, Good day. My HEC tokens are currently configured in the Indexer Cluster, and during Indexer Bundle Push specifically during bundle reload, the HEC logging drops to 0. Is this normal? HEC logs are indexing during bundle validation, indexer rolling restart, but not during the bundle reload. Bundle Validation -> Bundle Reload -> Indexer Rolling Restart HEC logging is also not distributed properly across indexers. Seeking advise. Thank you and Kind Regards, Ariel ... View more

Hi Splunk Community. Good day. I am trying to add an AWS EC2 created instance with Splunk installed to it (standalone) as a slave to an on-prem Splunk License server. However, I am getting the error below. ERROR LMTracker - failed to send rows, reason='Unable to connect to license master=https://XXXXXXX:8089 Error connecting: Connection reset by peer' From checking, both Splunk are up in the master and slave. I can see a connection from a curl test in the slave to the master. * Rebuilt URL to: telnet://XXXXXXX:8089/ * Trying 10.XX.XXX.XX... * TCP_NODELAY set * Connected to XXXXXXX (10.XX.XXX.XX) port 8089 (#0)   Please help advise. Thanks All. Cheers! ... View more

Hi Splunkers, Good day. I am trying to perform search time masking using a Calculated Field to replace _raw with the required result. This goes fine for me for my particular data of concern. However, it goes complex somehow when that particular field in the same event has to be masked another way. Citing an example below to explain more clearly. Masking - 16 digits 2021/01/21 - 01:15 AM <ACT>1234567890123456</ACT> Result: 2021/01/21 - 01:15 AM <ACT>123456######3456</ACT>   However, if I see 15 digits for this field, masking should be 5 ##### rather than 6 for 16digits. Masking - 15 digits 2021/01/25 - 01:15 AM <ACT>987654321012345</ACT> Result: 2021/01/25 - 01:15 AM <ACT>987654#####2345</ACT> Since the same field, _raw, is being worked on. I reckon this is not possible. props.conf [<sourcetype>] EVAL-_raw = replace(_raw,"(\d{6})(\d{5,6})(\d{4})","\1######\3")   Please let me know of your thoughts/suggestions. Thanks in adv. Cheers! ... View more

Hi All, We observed ConnectTimeOutException failures for some of our DB Connect Inputs. Can someone advise what may cause this error and how to resolve it? [QuartzScheduler_Worker-32] ERROR org.easybatch.core.job.BatchJob - Unable to write records org.apache.http.conn.ConnectTimeoutException: Connect to X.X.X.X:8088 [/X.X.X.X] failed: Read timed out at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:151) at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359) at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381) at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237) at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185) at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89) at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111) at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56) at com.splunk.dbx.server.dbinput.recordwriter.HttpEventCollector.uploadEventBatch(HttpEventCollector.java:109) at com.splunk.dbx.server.dbinput.recordwriter.HttpEventCollector.uploadEvents(HttpEventCollector.java:89) at com.splunk.dbx.server.dbinput.task.processors.HecEventWriter.writeRecords(HecEventWriter.java:48) at org.easybatch.core.job.BatchJob.writeBatch(BatchJob.java:203) at org.easybatch.core.job.BatchJob.call(BatchJob.java:79) at org.easybatch.extensions.quartz.Job.execute(Job.java:59) at org.quartz.core.JobRunShell.run(JobRunShell.java:202) at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573) Thank you in advance. Kind Regards, Ariel ... View more

Good day fellow Splunkers. We have been using Website Monitoring for some Urls, and there is this particular webpage where we are encountering Web Ping Failures/response_code 504. Can someone advise how is this response code being encountered? Is it also possible to have this error encountered whilst timed_out is False? Thank you in advance. ... View more

I have a file, service.log, that is configured to be monitored and indexed in Splunk. When checking in Splunk, some of the events in the log file are indexed multiple times. The Splunk version of my forwarder is 6.5.3. I have already checked that the events in my log file are unique. Same in inputs.conf with a single entry. Can someone help advise? Thank you. Responses are appreciated. ... View more