Hello Team, I have integrated Linux Hosts with my Splunk. I installed the splunk add-on for Linux , and it gaves me 3 source types (linux_secure, linux_messages_syslog and linux_audit) .  This is my inputs.conf on Splunk Forwarder :  [monitor:///var/log/auth.log] disabled = false sourcetype = linux_secure index = linux_hosts [monitor:///var/log/syslog] disabled = false sourcetype = linux_messages_syslog index = linux_hosts [monitor:///var/log/audit/audit.log] disabled = false sourcetype = auditd index = linux_hosts The First issue i have is that The Endpoint Data Model doesn't accept thoses source types except for linux_secure, so Correlation searches are not bringing any notables. The second issue is regarding Notables , i changed the source type from linux_audit to auditd. And i took a correlation search as an axample , I run its SPL on search and it brings result , but On the Entreprise security no notable is generated. Could you please help me fix This. Thank you for your time.       ... View more

Hello Team, I hope you are doing well , I have just integrated linux and windows logs via Splunk Forwarder. The question i have is does the logs must come with a specific source type in order to be read by Entreprise security or not.  Because i have gone through this with firewall integration , i have set the wrong source type and i got the logs on splunk but it were not read at all by splunk entreprise. Thank you for your time. Kind regards, ... View more

Hello Team, I wanna ask something that I really cannot figure out by myself , I have a splunk entreprise Installed on an  ubuntu with over 2 To , 32 Go of RAM and 38 CPU.  With all these I still get so many delayed searches (up to 97%) :  ""The percentage of non high priority searches delayed (99%) over the last 24 hours is very high and exceeded the red thresholds (20%) on this Splunk instance."" I really do not know the reason , is it because we are using ES Security or what exactly. Thank you for your time. Kind regards, ... View more

Hello, I hope you are doing well. I did integrate my firewall fortigate to Splunk using udp syslog , what i did exactly is that I created a new source type and associated it with FortigateSplunkApp.  All was good until now that I am configuring Splunk ES , the issue is that correlation searches use the Network-Traffic Data model and my source type is not part of that Data Model i get no notables. The question is there a way i can ass my source type to be part of the Network_Traffic Data Model Thank you, ... View more

Hello everyone, I have just deployed Splunk ES and I am getting a lot of these errors : "Health Check: msg="A script exited abnormally with exit status: 1" input="./opt/splunk/etc/apps/DA-ESS-ThreatIntelligence/bin/threatmatch.py" stanza="threatmatch://registry_value_text"" I run the following SPL : index=_internal sourcetype=splunkd threatmatch.py and the results are :  INFO ExecProcessor [2071531 ExecProcessor] - New scheduled exec process: /opt/splunk/bin/python3.9 /opt/splunk/etc/apps/DA-ESS-ThreatIntelligence/bin/threatmatch.py Any idea please how can i resolve this , as it causes delayed searches for Splunk ES. Thank you   ... View more

Hello Splunkers, I am new to splunk , I am using Splunk Entreprise 10.0 running on ubuntu,  and I seem to be having an issue where the web interface stops after a few minutes(sometimes up to 3 hours). I then must issue "splunk start" to bring it back but it stops working again after awhile.The issue is that It is not indexing during that time off.  Do you please have any idea or suggestions about this issue? Thank you so much for you attention. ... View more