I have Cribl Workers running and UFs running on the same machine, I see by tailing splunkd.log that we are not sending any data in the UFs, but I wonder if Cribl is using the UFs infrastructure, so I wonder if, from the Splunk side, we can check if the UFs are being used. Looking forward for your insights. ... View more

Not sure if I can post this question here, but Cribl is a complementary product. Our current license is at 5 TB quota, and we ingest only 337 GBs/day. In the learning material of Cribl University, I saw a reference to a free license of up to 1 TB without distributed administration to the workers, is it possible for us to move from our current 5 TBs license to a free one? ... View more

We have ten indexers in our environment with a replication factor of two, and search factor of one, and I would like to decommission five of those. I already verified that with storage and thruput, the indexers, should handle it just fine. What are the steps to decommission the five indexers safely? and how would I move the data before decommissioning, if that's needed? ... View more

We have this vulnerability on several forwarders - OpenSSL 1.0.2 < 1.0.2zn Multiple Vulnerabilities (https://www.tenable.com/plugins/nessus/296767) Path: /opt/splunkforwarder/bin/openssl Reported version : 1.0.2zm Fixed version : 1.0.2zn Path: /opt/splunkforwarder/lib/libcrypto.so.1.0.0 Reported version : 1.0.2zm Fixed version : 1.0.2zn Path: /opt/splunkforwarder/lib/libssl.so.1.0.0 Reported version : 1.0.2zm Fixed version : 1.0.2zn Interestingly, we also get this vulnerability on our Splunk SOAR - Path: /opt/phantom/splunkforwarder/opt/openssl1/lib/libcrypto.so.1.0.0 Reported version: 1.0.2zl Fixed version: 1.0.2zn Path: /opt/phantom/splunkforwarder/opt/openssl1/lib/libssl.so.1.0.0 Reported version: 1.0.2zl Fixed version: 1.0.2zn What would be the recommended remediation for this? ... View more

I am on version 7.1.0 for my SOAR instance and I see my PostgreSQL version is 15.14. How can I remediate the following? - PostgreSQL 14.x < 14.21 / 15.x < 15.16 / 16.x < 16.12 / 17.x < 17.8 / 18.x < 18.2 Multiple Vulnerabilities - https://www.tenable.com/plugins/nessus/299758 I did a double upgrade from 6.3.x to 7.0.0 and then to 7.1.0, hoping that this would get resolved, but no luck. Our SOAR support expert explained that there is no SOAR version that has the proper PostgreSQL version to remediate this. Is there a workaround for this?  ... View more

On my indexers I have many bundles that are very old (some over 1 year old). What is the best way to configure Splunk to have only the recent bundles? ... View more

We are at 10 indexers ingesting around 400 GBs/day. A homogeneous environment with 1 millisecond wait time (I/O Write). How many indexers is it safe to cut? ... View more

I get this vulnerability log from the search head - /opt/splunk/var/run/searchpeers/<license-master-hostname>-1771029470/apps/splunk_archiver/java-bin/jars/thirdparty/common/log4j-core-2.17.2.jar  So I wonder, what do I have to change to avoid the license master to be configured as a search peer to the search head? ... View more

We are planning to upgrade our current version, 6.3.1 to 7.1.0. I have the following guide for the upgrade, and I was wondering if any other backup methods would be good to include that I'm missing here, or any other validation commands, also, is there anything to look out for? ================================================================================ SPLUNK SOAR UPGRADE: RHEL 8 UNPRIVILEGED (VERSION 6.3.1 TO 7.1.0) ================================================================================ Environment: RHEL 8.10 (Ootpa) Install Type: Unprivileged (User: phantom) SOAR Directory: /opt/phantom ================================================================================ --- PART 1: PRE-UPGRADE BACKUP --- # 1. Navigate to the SOAR bin directory cd /opt/phantom/bin # 2. Run a full backup # This captures your database, configuration, and custom apps. ./ib_backup.py --backup-type full --output /tmp/soar_pre_upgrade_backup.tar.gz # 3. Verify the backup file exists and has size ls -lh /tmp/soar_pre_upgrade_backup.tar.gz --- PART 2: UPGRADE EXECUTION --- # 1. Navigate to /tmp (Avoid /home as it is 96% full) cd /tmp # 2. Extract the RHEL 8 installer you downloaded # The filename will look like: splunk_soar-unpriv-7.1.0-<timestamp>-rhel8.tgz tar -xvf splunk_soar-unpriv-7.1.0-*-rhel8.tgz # 3. Enter the extracted installer directory cd soar-install # 4. Run the preparation script # This script verifies OS dependencies and available space. ./soar-prepare-upgrade --splunk-soar-home /opt/phantom # 5. Execute the upgrade # This stops SOAR services, migrates the database, and restarts services. ./soar-upgrade --splunk-soar-home /opt/phantom --- PART 3: VALIDATION & VULNERABILITY CHECK --- # 1. Check Service Status # All services, including Watchdog (9002), should be 'running' or 'UP'. /opt/phantom/bin/soar_services status # 2. Verify the PostgreSQL Version (The Security Fix) # This confirms you are no longer on a version vulnerable to the CVEs. # Expected: 15.16 or higher. /opt/phantom/usr/bin/psql --version # 3. Confirm Port 9002 is Listening # This is the internal watchdog port. netstat -tulpn | grep 9002 # 4. Verify UI Version # Log into the Web UI -> Administration -> Product Settings. # Confirm the version reflects 7.1.0.   ... View more

I just upgraded the whole environment (Core and UFs) to 9.3.8 to fix a set of vulnerabilities, and now, to my surprise, a new vulnerability came up - https://www.tenable.com/plugins/nessus/299412 And the apparent solution to it is to upgrade to 9.3.9 (or a later version). How do I handle this? ... View more

I realize in the new system I take care of, that all the Windows wineventlogs are being streamed to Splunk via Cribl, and it seems that the data comes cooked. Is data always "cooked" when passing through Cribl? Specifically, if the logs are coming from a Windows Universal Forwarder (UF) and passing through Cribl before hitting the Indexers, does Cribl inherently "cook" the data, or is this a configuration choice within the Cribl Pipeline? How do I maintain control over field extractions? In a traditional setup, we rely heavily on the Splunk Add-on for Microsoft Windows (Windows TA) for index-time and search-time extractions. If the data is being transformed in Cribl, does that bypass the TA’s logic? ... View more

On the search head, we have this vulnerability - Apache Log4j 2.0-beta9 < 2.25.3 MitM Coming from the following paths - We see log4j-core-2.18.0.jar under Splunk_TA_tomcat, splunk_archiver, bin/jars/thirdparty, and searchpeers.   What would be the safest way to take care of this vulnerability? ... View more

On the search head, we have this vulnerability - Apache Log4j 2.0-beta9 < 2.25.3 MitM Coming from the following paths - /opt/etc/apps/Splunk_TA_tomcat/bin/java/jmx-op-invoke-1.2.0/lib/log4j-core-2.18.0.jar /opt/etc/apps/splunk_archiver/java-bin/jars/thirdparty/common/log4j-core-2.17.2.jar /opt/splunk/bin/jars/thirdparty/common/log4j-core-2.17.2.jar /opt/splunk/etc/apps/Splunk_TA_tomcat/bin/java/jmx-op-invoke-1.2.0/lib/log4j-core-2.18.0.jar /opt/splunk/etc/apps/splunk_archiver/java-bin/jars/thirdparty/common/log4j-core-2.17.2.jar /opt/splunk/var/run/searchpeers/<license master host>-1708533831/apps/splunk_archiver/java-bin/jars/thirdparty/common/log4j-core-2.17.2.jar   What would be the safest way to take care of this vulnerability? ... View more