@JPR As per your post, this could indicate your Graph API input is not fully authorized. Did you check the internal logs (index=_internal) for any authorization issues or errors?  Granting Directory.Read.All permissions in Entra and ensuring the Graph API input is enabled in the Splunk O365 add‑on should resolve the issue if it's related to authorization issue. Ref:  Configure an integration application in Azure AD - Splunk Add-on for Microsoft Office 365 >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >> ... View more

@SplunkExplorer Yes, makes sense since saved searches from different Apps could impact CPU resources on Indexer. Good to sweep through the Deployment capacity manual to properly plan the architecture. >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >> ... View more

@livehybrid Apologies for any confusion. By saying diverse sources (in general language), I meant different sourcetypes (in splunk language) only and I am sure @SplunkExplorer understand it well as I have quoted example as well. I was just saying my perspective on his post. 🤗 ... View more

@nafalcon As per the README file for the app, the minimum product version is 6.3.0. Any ISE version on 6.3.0 and above are supported by this SOAR app. Ref:  ciscoise/README.md at main · splunk-soar-connectors/ciscoise · GitHub >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >> ... View more

@SplunkExplorer I think the number and type of data sources is a good metric to consider while sizing your splunk deployment as diverse sources increase parsing overhead and search concurrency which can affect indexer throughput. Like say, different log formats require additional CPU/memory for normalization and enrichment which directly impacts scaling your indexer counts. For more information, you can refer to the capacity planning document from Splunk.  Introduction to capacity planning for Splunk Enterprise - Splunk Documentation >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >> ... View more

@ankit13  This behavior means SC4S is parsing the events but cannot match them to the Sophos profile because the raw messages are missing a valid RFC3164 header. When the header is absent or malformed, SC4S falls back to the generic nix_syslog classification. Please ensure the Sophos device is configured to send logs with a proper RFC3164 header. Also verify the vendor_product string defined in your files are matching the SC4S profile string exactly. (For example, sophos_xg). Ref: SC4S Logging and Troubleshooting Resources - Splunk Connect for Syslog Web Appliance - Splunk Connect for Syslog >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >>   ... View more

@LovingSplunk You may first verify the Cluster health status via Monitoring console, ensure RF/SF is met along with checking other indexing panels and then proceed to gracefully take each Indexers offline. Please see reference link for commands. Monitor the bucket fix up activities and give enough intervals in between for Cluster manager to do redistribution of buckets. If you are still seeing the nodes in the CM dashboard, you can remove the peer manually from the manager node's list. Post which you can validate cluster stability using the Monitoring Console dashboards and run sample searches to ensure data is accessible from remaining indexers. Ref: Monitoring: Indexing: Indexer Clustering: Service Activity | Splunk Enterprise (last updated 2026-01-09T19:16:34.696Z) Taking a peer offline: [See permanently section, explained by @richgalloway ]  Take a peer offline | Splunk Enterprise (last updated 2025-07-04T12:42:42.910Z) Remove a peer from Manager node's list:  Remove a peer from the manager node's list | Splunk Enterprise (last updated 2025-07-04T13:04:33.376Z) >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >> ... View more

@ankit13 You could verify whether the splunk_metadata.csv file contain the correct vendor_product, metadata, value that match the Sophos syslog profile. If the metadata (in your case index) entry does not match the Sophos profile name defined in SC4S, events may default to the main index. Read the reference link provided to understand about proper formatting in splunk_metadata.csv file which would help you to fix the issue. Ref: Splunk Connect for Syslog: Turnkey and Scalable Syslog GDI - Part 3 | Splunk >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >> ... View more

@Glasses2 I would also plan similarly in your scenario, on the Edge processor nodes, you can position them close to the data sources for enrichment and routing. This is acceptable, but generally for high-volume syslog ingestion, Splunk Connect for Syslog (SC4S) remains the recommended solution. Overall, UFs feeding Cloud indexers, DS for management, EP or SC4S for syslog, and HFs only where necessary. I would highly recommend you refer Splunk’s Validated Architecture documentation for definitive sizing and placement. Hope it helps. Ref: Splunk Validated Architectures >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >> ... View more

@tomapatan Do you see any internal warnings or errors related to your custom TA or app? If yes, please share that to understand the potential issue better. Additionally, you can try disabling and re-enabling the app once to see if the app loads the full context? Please try this from an incognito window to make sure you don't have cache issues.  >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >> ... View more

@kjain041523 As mentioned, the easiest way to use the Monitoring Console's built in License Usage report under Settings > Licensing. Keep in mind that only the License Manager and Monitoring Console have access to the license_usage.log information from where we are pulling the usage information. You can query _internal index alternatively from your License Manager. Use the below references to understand license_usage.log to build your custom query if required. Please note that the _internal index usually has shorter retention (often 30 days by default), so you may not have four months of data unless retention has been increased in your indexes.conf file. Ref: Create a report based on licence_usage.log | Splunk What Splunk software logs about itself | Splunk Enterprise (last updated 2025-07-04T12:39:10.038Z) >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >> ... View more

@Kat7 You could write a Python script to automate the ingestion by calling PDQ Connect's API to get the required data and send it to Splunk HEC endpoint. You may use the below references to setup the integration. You may use a cron job/task scheduler to run the script at specific intervals. Hope it helps. Ref:  PDQ Connect API – PDQ Connect Help Center Set up and use HTTP Event Collector in Splunk Web | Splunk Enterprise (last updated 2025-07-03T23:08:11.008Z) >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >> ... View more

@becksyboy1 No worries, let us know how it goes. The below Claude documentation on enabling and configuring OpenTelemetry for Claude Code might as well help to setup. Monitoring - Claude Code Docs >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️  Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >> ... View more

@becksyboy1 There is no Claude-specific TA in Splunkbase, but the Splunk Distribution of OpenTelemetry Collector could be the official supported path. You can configure the collector to receive Claude’s OTLP logs and forward them into Splunk via HEC.  Ref: Get started with the Splunk Distribution of the OpenTelemetry Collector | Observability Cloud (last updated 2025-12-16T00:36:46.496Z) >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >> ... View more

@0xAli For Fidelis EDR, you may reach out to the vendor directly to see alternative way to ingest logs as no supported apps or add-ons are published in Splunkbase. Only SOAR app is present currently on Splunkbase for Fidelis. Found an app for Forcepoint firewall which is supported by vendor and provided the integration documents and app link for your reference.  Forcepoint app: Forcepoint Insights SIEM App | Splunkbase Log Export Splunk App Forcepoint Next-Gen Firewall and Splunk | Forcepoint Integration Docs Fidelis EDR: (Old app link, no longer supported/archived) Fidelis Endpoint Splunk Add-On | Splunkbase SOAR app: Fidelis Network | Splunkbase >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >> ... View more

@HexalNull When only a subset fails, the issue is usually environmental rather than compatibility. You could check system differences like any hardened policies that could interfere with the installer. Check for any Group policy restrictions or UAC settings. You could also try installing the suggested versions to those failed servers to see how it goes as well. >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >> ... View more

@0xAli As per your setup, Splunk Enterprise Security (ES) deployment with a search head cluster along with the adhoc search head serves a distinct role. It is configured to handle interactive, non-scheduled searches and dashboards, like adhoc searches run by users during an investigation and stuff like that, effectively offloading general workloads from the ES cluster. You can configure the setting 'adhoc_searchhead = true' in server.conf. This setting configures a member as an ad-hoc search head. This adhoc search head member does not run scheduled jobs and handles adhoc search requests. Another strategy is you can also make the captain node in a cluster as adhoc search head to reduce its compute load since it manages the cluster member functions. Use the setting 'captain_is_adhoc_searchhead' to reduce compute load on the captain. The idea is to keep ES workloads isolated on the ES SH cluster, while the adhoc SH provides a place for users to run exploratory searches and dashboards without impacting correlation searches or risk analysis. On the app installation part, you can install any supported or custom apps or add-ons as required that provide visualization or reporting requirements for your environment. Refer the server.conf link provided for referencing the setting. Hope it clarifies. Ref: server.conf | Platform (last updated 2026-02-07T13:35:36.291Z) >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >> ... View more

@HexalNull That's the catch. You are running a legacy OS and the Splunk UF version you are installing might not be compatible with Windows server 2016. Please refer the below article published and try the resolution mentioned. You could try version 9.2.9 and see if it succeeds the installation. Solution:  Windows Server 2016 Not Supported for Splunk Enterprise 9.2 and Higher (Including Splunk 10) | Splunk >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >> ... View more

@VijaySrrie Found the resolution for a similar issue recorded in Splunk KB and see if it helps. Make sure you run the SPL mentioned and see if the error log matches and then proceed with the resolution.  index=_internal source="*dbxquery*" log_level=ERROR Solution:  Error in 'dbxquery' command: External search command exited unexpectedly | Splunk >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >> ... View more

@HexalNull Try running the MSI with admin privileges using Run as administrator option to see if it solves the issue. >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >> ... View more

@CharlesGFI Perfect, glad that it helped. Thanks. ... View more

@mangelastro The Confluence Cloud Audit Log Ingestor app's last version was released on September 26, 2024 and built by Hurricane Labs. You can reach out to Hurricane labs via email (Support email: splunk-app@hurricanelabs.com) to see if they plan to release any supported app versions for v10.  Ref:  https://developer.atlassian.com/cloud/admin/organization/rest/intro/#about >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >>   ... View more

@SiddhatNegi  As per your screenshot, the vulnerability is related to PostgreSQL which Splunk bundles as part of its internal services. To remediate the vulnerability, upgrade Splunk Enterprise version to the latest maintenance release that includes PostgreSQL 17.8. Please do not attempt to patch PostgreSQL separately as it's part of Splunk bundle and can cause issues. You can review the Splunk advisory and search for the respective CVE number. If you can share the CVE details and Splunk version you are running, we can assist further to locate the actual version to fix it. Ref: Splunk Vulnerability Disclosure >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >>   ... View more