Hello. I am trying to get SAML authentication working on Splunk Enterprise using our local IdP, which is SAML 2.0 compliant.  I can successfully authenticate against the IdP, which returns the assertion, but Splunk won't let me in. I get this error: "Saml response does not contain group information." I know Splunk looks for a 'role' variable, but our assertion does not return that. Instead, it returns "memberOf", and I added that to authentication.conf: [authenticationResponseAttrMap_SAML] role = memberOf I also map the role under roleMap_SAML. It seems like no matter what I do, no matter what I put, I get the "Saml response does not contain group information." response.  I have a ticket open with tech support, but at the moment, they're not sure what the issue is.  Here's a snippet (masked) of the assertion response: <saml2:Attribute FriendlyName="memberOf" Name="urn:oid:1.2.xxx.xxxxxx.1.2.102" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string"> xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:some-group </saml2:AttributeValue> </saml2:Attribute> Feeling out of options, I asked ChatGPT (I know, I know), and it said that the namespace our assertion is using may be the issue. It said that Splunk uses the "saml" namespace, but our IdP is returning "saml2". I don't know if that's the actual issue nor, if it is, what to do about it.  splunkd.log shows the error message that I'm seeing in the web interface: 12-12-2024 15:14:24.611 -0500 ERROR Saml [847764 webui] - No value found in SamlResponse for match key=saml:AttributeStatement/saml:Attribute attrName=memberOf err=No nodes found for xpath=saml:AttributeStatement/saml:Attribute I've looked at the Splunk SAML docs, but don't see anything about namespacing, so maybe ChatGPT just made that up.  What exactly is Splunk looking for that I'm not providing?  If anyone has any suggestions or insight, please let me know. Thank you! ... View more

Hello. I cannot find a solution to this one here... I have logs in one Splunk instance. I've exported them to CSV and want to perform a one-time ingest of that CSV into a new on-prem Splunk Enterprise instance.  I have the CSV and can import it. However, I can't figure out how to preserve each row/event's original 'host', timestamp, and 'sourcetype' entry. When I do the import, it records the 'host' as the Splunk indexer, and the timestamp as the date of the import, which makes sense but is not the desired behavior. Here is a sample row of the CSV:   _time,host,index,source,sourcetype 2024-11-19T11:36:05.000-0500,host1.example.com,test-index,/var/log/messages,syslog 2024-11-19T11:36:05.000-0500,host2.example.com,test-index,/var/log/messages,syslog   I removed the _raw column, but I can include it if necessary. How do I import these events while preserving the event time, host, and sourcetype fields? Is this even possible?  I looked around here and can't find anyone with this scenario.  Thank you in advance!   ... View more

Hello. We are trying to upgrade our Splunk UFs from 8.1.9 to 9.0.1. We use a configuration management tool (Puppet) to upgrade our UFs. This has worked fine until the leap to 9.0.1. We are experiencing a timeout during a kvstore migration. This appears to be a known issue, and I employed the solution found here.  The solution (or workaround) appears simple: Edit server.conf and add this: [kvstore] disabled = true And that works. However, I'm concerned about the consequences of this fix. I'm not familiar with the kvstore or how it works, etc. Is there any harm in using this workaround?  Thank you in advance. ... View more

Hi. I am running a Splunk query from the CLI and would like to export the results as rawdata to a file.  When I specify a value in maxout, it honors that number and exports the correct number of events. However, I want all of the events - unlimited. So I set maxout to 0, per the documentation. When I do this, it exports nothing. The search just sits there forever, exporting nothing. Even if it's a quick and simple search.  Here is my query: splunk search "index=ldap earliest=01/24/2022:00:00:01 latest=01/25/2022:23:59:00" -output rawdata -maxout 0 > /mnt/splunk-backups/test/ldap-raw-test.log  I want all events to be outputted as rawdata to the specified file. Am I missing something? We are running Splunk Enterprise 8.1.4. Thanks in advance! ... View more

Hello. We are planning an upgrade from Splunk 7.2.1 to Splunk 8.0.x. For best practices, we'd like to back up our indexes prior to the upgrade, but we're having an issue: our backup solutions can never keep up with the amount of incoming data, and we can't (won't) turn Splunk off for a long enough time to freeze incoming traffic for a full backup. It's many terabytes of data... Some indexes are more important than others, so I was kicking around backing up just the 'critical' indexes. If we upgrade and the indexes become corrupted, we could still restore the important indexes. Is that sound logic? Can indexes be restored piece-meal like that? Our environment is simple: one Indexer/Search head with a bunch of UFs. Also, if anyone has any recommendations for backing up Splunk indexes, please let me know. I've read Splunk's docs as well as posts on here on how to do it but, as I mentioned, the backups just can't keep up with the incoming stream. Thanks! ... View more

Hi. We a Dashboard that informs us of the date a service account password was changed/reset. Passwords need to be reset no later than every 700 days, but we'd like Splunk to alert us 6 months prior to that deadline. Our date field looks like this: 2019-11-15T15:27:42.416732Z From that date, we need to alert when that account password is 520 days old (700 days minus 6 months/180 days). So in the above example, we need to receive an alert on April 18, 2021, to remind us to schedule a password reset for that account. We are getting the account name date of the last password set from Active Directory, in case that matters. In other words, is there a way to do "Calendar arithmetic" in Splunk? I have no idea where to even begin with this. Thank you! ... View more

Hi. I'm trying to configure DBConnect on my Splunk instance (Splunk 7.2.4 on RHEL). I can't make any progress because of this error: OSError: [Errno 2] No such file or directory validate java command: /usr/java/latest/bin/java. That is the correct location of java. It's Oracle java version 1.8.0_231. JAVA_HOME is set: echo $JAVA_HOME /usr/java/latest The splunk user ('splunk') has full rights to access this installation of java. -rwxr-xr-x. 1 root root 8534 Oct 5 06:15 /usr/java/latest/bin/java As you can see, it has wide-open read/execute permissions, and I've manually verified that the splunk user can use java. I then ran this command: /opt/splunk//bin/splunk cmd python -c "import os; print(os.environ)" And see that JAVA_HOME is set: {'USER': 'splunk', 'LOGNAME': 'splunk', 'JAVA_HOME': '/usr/java/latest', ....... What am I missing here? I've seen similar posts with this question, but no good solutions. Thank you in advance. ... View more