An upgrade to version 10.2.2 solves the issue ... View more

Splunk 10.0.x is not the latest version.  Try 10.2.x. ... View more

Thanks for your help here.  We installed the extension in our Splunk instance and it wants,   Name: API Key: Org ID: Name is just to describe the connection from what I understand. I gave our splunk admin an API key I created with an account that had org level access.   Provided our org ID But we're getting 401 errors When testing the API key it looks like I have to provide an email address and the token to pull down the audit logs.   How did you get around this?     ... View more

@JPR As per your post, this could indicate your Graph API input is not fully authorized. Did you check the internal logs (index=_internal) for any authorization issues or errors?  Granting Directory.Read.All permissions in Entra and ensuring the Graph API input is enabled in the Splunk O365 add‑on should resolve the issue if it's related to authorization issue. Ref:  Configure an integration application in Azure AD - Splunk Add-on for Microsoft Office 365 >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >> ... View more

The useACK remark actually doesn't make much sense in syslog context. You can't stop the source on the receiver's side. Especially with UDP. But even with TCP sources rarely queue anything. They usually just send or not depending whether there is connectivity and then forget about the event entirely. (with some notable exceptions like Checkpoint's Log Exporter). ... View more

Generally, as with any performance-related question, you'll get a "it depends" answer. Every Splunk environment is different and every customer has different requirements, use cases, usage patterns and so on. So the general guidelines outlined in sizing guide and taught in architecting class are just that - guidelines for a typical scenario. Then the details creep in. The number of data sources or "kinds" of data sources shouldn't _directly_ affect the number of indexers. But if you have certain limitations regarding those data sources and maybe additional constraints regarding performance for different kinds of data it might affect your overall architecture up to the point of spinning up a completely separate cluster for specific type of data. It's all in the details. Oh, and retention on its own doesn't affect the _number_ of indexers that much either. Again - directly. If you have additional physical constraints because you simply can't get more than X TB per single server, that might indeed force you to scale your environment horizontally just to fit all this data but it's not because of Splunk requirements but more because of the hardware limitations. And then comes the smartstore...   ... View more

I need to add here that now we are talking about use of O11y not traditional SCP or Enterprise stacks. ... View more

Hi, I’ve bumped the version using the Add‑on Builder. I checked the two most recent versions, and it’s been done correctly - one shows an increment in the build number from the previous version. ... View more

@nafalcon As per the README file for the app, the minimum product version is 6.3.0. Any ISE version on 6.3.0 and above are supported by this SOAR app. Ref:  ciscoise/README.md at main · splunk-soar-connectors/ciscoise · GitHub >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >> ... View more

@ankit13  This behavior means SC4S is parsing the events but cannot match them to the Sophos profile because the raw messages are missing a valid RFC3164 header. When the header is absent or malformed, SC4S falls back to the generic nix_syslog classification. Please ensure the Sophos device is configured to send logs with a proper RFC3164 header. Also verify the vendor_product string defined in your files are matching the SC4S profile string exactly. (For example, sophos_xg). Ref: SC4S Logging and Troubleshooting Resources - Splunk Connect for Syslog Web Appliance - Splunk Connect for Syslog >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >>   ... View more

@LovingSplunk You may first verify the Cluster health status via Monitoring console, ensure RF/SF is met along with checking other indexing panels and then proceed to gracefully take each Indexers offline. Please see reference link for commands. Monitor the bucket fix up activities and give enough intervals in between for Cluster manager to do redistribution of buckets. If you are still seeing the nodes in the CM dashboard, you can remove the peer manually from the manager node's list. Post which you can validate cluster stability using the Monitoring Console dashboards and run sample searches to ensure data is accessible from remaining indexers. Ref: Monitoring: Indexing: Indexer Clustering: Service Activity | Splunk Enterprise (last updated 2026-01-09T19:16:34.696Z) Taking a peer offline: [See permanently section, explained by @richgalloway ]  Take a peer offline | Splunk Enterprise (last updated 2025-07-04T12:42:42.910Z) Remove a peer from Manager node's list:  Remove a peer from the manager node's list | Splunk Enterprise (last updated 2025-07-04T13:04:33.376Z) >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >> ... View more

We have appiled bug fix related to version 9.3.8 and managed to resolve the issue. ... View more

Hi @kjain041523 may i know if the issue is resolved or do you have further queries? if its resolved, could you pls accept it as solution, thanks      ---------------------------------------------------------------------------------------------- If this post or any post addressed your question, could you pls: Give it karma to show appreciation PS - As of Apr 2026, my Karma Given is 2290 and my Karma Received is 494, lets revamp the Karma Culture! Thanks and best regards, Sekar ---------------------------------------------------------------------------------------------- ... View more

@Kat7 You could write a Python script to automate the ingestion by calling PDQ Connect's API to get the required data and send it to Splunk HEC endpoint. You may use the below references to setup the integration. You may use a cron job/task scheduler to run the script at specific intervals. Hope it helps. Ref:  PDQ Connect API – PDQ Connect Help Center Set up and use HTTP Event Collector in Splunk Web | Splunk Enterprise (last updated 2025-07-03T23:08:11.008Z) >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >> ... View more

Hi @0xAli  For Forepoint Firewall, I believe they brand this as Forcepoint NGFW which they have an integration document for at https://forcepoint.github.io/docs/ngfw_and_splunk/#source-code which references a TA (Data ingestion) and App (Dashboards/searches/extractions) on GitHub - however these havent been updated for over 5 years so I theres no guarantee these will still work. Its worth reaching out to your account team at Forcepoint to see if they have updated guidance on this. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

It's onprem environment. ... View more

Have you found any common baseline for those failing servers? Like DC or other special purpose servers? Are there any local host based FW or network shares or disks in use? Anything what is different than those servers where install has succeeded? ... View more

@VijaySrrie Found the resolution for a similar issue recorded in Splunk KB and see if it helps. Make sure you run the SPL mentioned and see if the error log matches and then proceed with the resolution.  index=_internal source="*dbxquery*" log_level=ERROR Solution:  Error in 'dbxquery' command: External search command exited unexpectedly | Splunk >> If this post addressed your question, you can: Give it karma to show appreciation 👍 Mark it as the solution if it solved your issue ✔️ Add a comment if you’d like more details ✏️ Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise. >> ... View more

How about that FlashArray storage? Is it shared with those applications which are generated that traffic peaks? And are all indexers using this same array? How it is connected to indexers and other nodes which are using it? Could it be also "network" congestion between it and other nodes? ... View more

@CharlesGFI Perfect, glad that it helped. Thanks. ... View more

Hi @kknairr / i do have a value for REGION but it is returning as null when i click on the map marker could you please suggest here ... View more

Good that it is all working for you again. It sounds like you were doing the right thing all along and that there was something about your environment at the time which was causing this (intermittent) issue. If it happens again, please provide more detail about your environment (obfuscated, of course), in case there is something that someone could suggest needs tweaking. ... View more

Thanks for the reply, this is a very helpful response. Unfortunately, the data is coming in as a metric, so the first command will have to be mstats, where we will loose the precission. I will accept as the correct solution anyways, since i guess this would be the only way to actually handle numbers of such precission. ... View more

Hi @Poojary  Here is a sample N8N workflow if it helps... you need to set the base URL to https://yourInstance:8089 and use token for authentication. Once you have setup the Splunk connector auth and base endpoint you can leverage the credential for the HTTP Request. N8N doesnt have a node for listing dashboards so in this example Im using https://yourEndpoint:8089/services/data/ui/views Code for the workflow is at https://gist.github.com/livehybrid/f5db3b4c3f57b315cf69acababe4e16d (too big to post here) 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more