Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About deepakc
deepakc
Builder
Member since:
12-15-2017
02-11-2026
Community Statistics
| Posts | 245 |
| Solutions | 25 |
| Karma Given | 16 |
| Karma Received | 73 |
| Member Since | 12-15-2017 |
Activity Feed
- Got Karma for Re: MSCS TA: How to ensure mscs:azure:eventhub sourcetype is mapping to CIM?. Tuesday
- Got Karma for Re: Splunk SSL certificate decryption error. 2 weeks ago
- Karma Spike in 503 errors in the Splunk WebUI after upgrading to 10.0.3 (also affects 9.2.10/9.3.9/9.4.8/10.2.0) for livehybrid. 02-11-2026 11:41 PM
- Got Karma for Re: Splunk Self-signed Certificate Error. Error setting up SSL for TCP data input from file=inputs.conf stanza="SSL. 12-19-2024 05:04 AM
- Got Karma for Re: data durability search factor not met. 10-14-2024 06:44 AM
- Posted Re: How Splunk SVCs getting calculated? on Splunk Cloud Platform. 09-12-2024 01:41 AM
- Posted Re: to provide the list of P1C alerts for JMET cluster from Splunk on Deployment Architecture. 08-14-2024 12:11 PM
- Posted Re: Splunk data to Postgres database on Splunk Search. 08-14-2024 11:38 AM
- Posted Re: Cloudflare integration with Splunk Enterprise (on-prem) on Getting Data In. 08-14-2024 11:33 AM
- Posted Re: Database error while sending data to Dashboard on Splunk Enterprise. 08-02-2024 09:24 AM
- Karma Solutions: "Splunk could not get the description for this event" for hrawat. 07-31-2024 10:39 AM
- Got Karma for Re: 9 Version Heavy Forwarder sending Data to 7 Version Indexer. 07-30-2024 01:59 AM
- Posted Re: Splunk on RHEL9 won't start on Installation. 07-22-2024 10:32 PM
- Got Karma for Re: Timestamp file breakup. 07-19-2024 10:38 AM
- Posted Re: Timestamp file breakup on Getting Data In. 07-19-2024 10:12 AM
- Posted Re: Forward data from Netscout to Splunk on Getting Data In. 07-18-2024 01:44 AM
- Posted Re: Forward data from Netscout to Splunk on Getting Data In. 07-16-2024 11:53 PM
- Got Karma for Re: Error: "There was an error processing the upload...". 07-06-2024 02:51 PM
- Posted Re: systemctl stop Splunkd hangs on Splunk Enterprise. 07-04-2024 03:52 AM
- Posted Re: Azure Servers not powerful enough on Deployment Architecture. 07-04-2024 01:22 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
09-12-2024
01:41 AM
This blog should help with some SVC information https://www.splunk.com/en_us/blog/platform/what-is-splunk-virtual-compute-svc.html?locale=en_us
... View more
08-14-2024
12:11 PM
I suspect you want to know about priority alerts, but how will Splunk magically know about this? Its always better to give good context to the Splunk communiy, so what is P1C? and JMET sounds like some internal Splunk environment company code (which you should anonymise) Unless you have say for instance in the saved search title name P1C, example, my_search_P1C, Splunk will not be able to find it or filter on it. Or you will need to use the eval command and for each saveded that you know is a P1C and assign a eval field called priority, but will require a lot of work. Tip: As ever its always best practise to have good business naming conventions, makes things easier in the long run Example using makeresults to assign PC1 | makeresults count=2
| streamstats count as search_num
| eval title=case(search_num=1, "my_savedsearch1", search_num=2, "my_savedsearch2")
| eval priority=if(title=="my_savedsearch1", "P1C", null())
| fields - search_num
... View more
08-14-2024
11:38 AM
If the DB connect is not supported with your current Splunk version, then plan to upgrade Splunk to the supported levels to do what you want. If its not supported, sometimes you can still install and it may work, but you take this risk and that not advisable for production environments.
... View more
08-14-2024
11:33 AM
Getting data in requires a number of steps and investigation work. Some high level notes/tips 1. The first thing you need to do is to determine what data you want from Cloudflare, they offer a number of services right?. 2. Investigate what options they provide in getting the data you want, logs, API, syslog etc. 3. You then look and explore Splunkbase (type in Cloudflare) and see if there is a Add-on (this is what typically helps you collect the data) you will need to do some homework and find out if it meets your methods of getting the data from step 2. Once you have this you need to Deploy the TA as per the instructions and connect to the data source.
... View more
08-02-2024
09:24 AM
What do you mean by data labs, can you please provide for the Splunk community a better posed question. What is you set up, is datalabs a provider of some sort of data? Is there a TA for for this or are you using the DB connect app if supported Did this work before, what changed. Have you developed a custom dashboard with panels that searches the data. ------------------------------------------------------- NOTE: Data is presented in the dashboards by the way of searches (SPL code) which is then set up inside of the dashboards. Data is typically indexed into an index, Data model, index, summary index, or accelerated report and this comes from Splunk many different inputs methods. I would suggest start by looking at the dashboards SPL (Search code) and troubleshoot from there. Look at the index (index=my_index) example and then workout where the inputs is coming from. The TA's normally have some kind of inputs that perform collection every so often, if used you need to check the settings.
... View more
07-22-2024
10:32 PM
Start by checking that you have port 8000 available - check firewall ports The SSH issue is again most likely related to ports/access 22 (but this is not a splunk issue) Speak to an Linux OS admin, as your issue's seem to be OS config related.
... View more
07-19-2024
10:12 AM
1 Karma
Splunk is all about time series data, so you can search data/events using various times etc, so what this means, you need to ensure you have well formatted logs with a time stamp, which is what Splunk loves and try's to break the events based on the timestamp. Splunk has the capability to auto detect most common log formats and timestamps, but this is not best practice for custom logs, its better to ensure you parse and format the timestamp correctly. As you have a custom log file it looks , you will need to create a new sourcetype for it and apply props and transforms configuration to it, which will then parse and ensure the time stamp is correct. First try and understand the props concepts and apply that to your log file, it will requires some props code trial and error, until your get it to work as expected. Start here: https://lantern.splunk.com/Splunk_Platform/Product_Tips/Data_Management/Improving_data_onboarding_with_props.conf_configurations
... View more
07-18-2024
01:44 AM
Yes HEC is often used when you cant use UF/syslog etc. https://docs.splunk.com/Documentation/Splunk/9.2.2/Data/UsetheHTTPEventCollector
... View more
07-16-2024
11:53 PM
At a high level: 1. I would first look at the integration manual they state in the app - - Omnis Data Streamer 6.3.5 Splunk Integration Guide - look for data onboarding or something on those lines. 2. The App you have is just for mainly displaying data and, I think you would need the look the the TA - NETSCOUT Omnis Data Streamer App Add-on | Splunkbase (This is what helps get the data parsed and in to splunk) Start by working out your exact Netscout device and the options it provides in terms of data (json/syslog/log files etc), look at the manual and workout what they suggest and follow that plan, test it and ingest it. Then use the App to help display the results. Splunk has many options in getting data in, UF/Syslog/HEC and supports many different formats of data, such as Json, but first you must do some home work and work out the details.
... View more
07-04-2024
03:52 AM
That's odd one, never seen that, I've have installed many Splunk instances on RHEL/CentOS/Fedora (7/8), over the years and not the other flavours so much, and with systemctl and not initd. There may be a parameter that could be changed, in the Splunkd.service file, example TimeoutStopSec=360 lower this perhaps, it's not something I've done or ever had to, and only do in a lab test server and see if that makes a difference) https://docs.splunk.com/Documentation/Splunk/9.2.2/Workloads/Configuresystemd#Configure_systemd_manually Other areas to further troubleshoot/investigate Ensure the splunk user has the below: (Add to Wheel or sudoers) and see if that makes a difference Non-root users must have super user permissions to manually configure systemd on Linux. Non-root users must have super user permissions to run start, stop, and restart commands under systemd https://docs.splunk.com/Documentation/Splunk/9.2.2/Workloads/Configuresystemd#Configure_systemd_manually
... View more
07-04-2024
01:22 AM
This indicates that the CPU is spending a significant amount of time waiting for I/O (typically disk) as your ingesting/parsing data/searching, so with Splunk you need to size it sufficiently, otherwise you will get those messages, remember Splunk is a workhorse and needs resources: Have a look at the below to posts, I recently had replied to around iowait https://community.splunk.com/t5/Splunk-Enterprise/IOWAIT-Mystery-What-is-it-Is-it-important/m-p/690256#M19597 https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Enterprise-how-does-it-detect-IOWAIT-warning-or-error/m-p/690444#M19605 Go through these questions https://docs.splunk.com/Documentation/Splunk/9.2.1/Capacity/Performancechecklist Look at the guide in terms of performance recommendations https://docs.splunk.com/Documentation/Splunk/9.2.1/Capacity/Summaryofperformancerecommendations In summary I think you will need to bump up your specifications, but for a dev environment, you can ignore those messages, unless it's starts to crawl and become unbearable.
... View more
07-02-2024
10:18 AM
If splunk hangs and there are timeout issues, it could be a number of things, what I have seen in the wild , is this normally relates to performance or the undelying storage system and the amount of ingest that may and can cause these types of issues. Timeouts could relate to the network, whats the latency like between the Splunk instances. How much volume of data are you ingesting, can the Splunk instances handle this? https://docs.splunk.com/Documentation/Splunk/9.2.1/Capacity/Summaryofperformancerecommendations 1. Check that your CPU/MEM, DIsk I/O meets the requirments, if thats ok then its something else that needs investigation. #Reference hardware https://docs.splunk.com/Documentation/Splunk/9.2.1/Capacity/Referencehardware 2. Check that THP has been disabled - plenty of topics on this on google and this community https://docs.splunk.com/Documentation/Splunk/9.2.1/ReleaseNotes/SplunkandTHP 3. Check that ulimits has been configured again, plenty of topics on this on google and this community Check ulimits have been configured
... View more
07-02-2024
09:58 AM
Why not provide a better summary of your issues, so the Splunk community can then respond. It’s much better to a summary your Splunk environment, what you are trying to do, what have you done to troubleshoot and provide any errors in logs. (Also redact and sensitive information).
... View more
07-02-2024
09:53 AM
This is most likley not possible due to security risks
... View more
07-02-2024
03:58 AM
It sounds like some sort of setting related to connection issue: A few thinsg to check: Is there a firewall between your DB connect server and the HEC server? Ensure the port(s) are availble Ensure on Splunk HEC server, you have global settings enabled: Click Settings > Data Inputs. Click HTTP Event Collector. Click Global Settings. In the All Tokens toggle button, select Enabled. Some other aspects to check and troubleshoot: #Check if the Hec collector is healthy curl -k -X GET -u admin:mypassword https://MY_Splunk_HEC_SERVER:8088/services/collector/health/1.0 #Check if HEC stanzas with config are configured /opt/splunk/bin/splunk http-event-collector list -uri https://MY_Splunk_HEC_SERVER:8089 #Check the settings using btool /opt/splunk/bin/splunk cmd btool inputs list --debug http
... View more
06-18-2024
09:20 AM
1 Karma
1.If you have your SSO/MFA data ingested and parsed correctly, also using Splunk's TA's most of them come with out of the box tags that can be used to search for the data type. Simple Example - This will search for authentication data across your defined indexes - and present the results (The tags search for authentication data) You can add your sourcetypes as well index=linux OR index=Windows OR index=my_SSO_data tag=authentication You can find the tags via GUI – easy way, or inspects the TA itself (eventtypes and tags) 2. If you have not ingested data then you need to ensure the below. Example Okta SSO / MFA - Okta would provide authentication data somewhere, in logs or API, you then need to onboard this data into Splunk, ensure there is a TA that helps with the parsing and tagging, then analyse the data, to see what it gives you and run various queries to give you the results you are looking for. Windows Event logs normally give you authentication data, based on AD / Logon events, they also provide Azure AD/ Entra, so if you used these you again would need to ingest that data into Splunk first and then run queries. Side note: Using Splunk you can check with TA’s have tags for authentication | rest splunk_server=local services/configs/conf-tags
| rename eai:acl.app AS app, title AS tag
| table app tag authentication This will show you the eventtypes which are associated with tags | rest splunk_server=local services/configs/conf-eventtypes
| rename eai:acl.app AS app, title AS eventtype
| table app search eventtype
... View more
06-17-2024
10:07 AM
Your data that's already in ingested needs to be made CIM complaint, it might be worth spending some time getting your head around the CIM concepts, after this you can look at developing correlation rules. https://lantern.splunk.com/Splunk_Platform/Product_Tips/Data_Management/Complying_with_the_Splunk_Common_Information_model
... View more
06-17-2024
07:26 AM
At a high level: Splunk can ingest most types of logs data, using different methods of collection. Splunk works on Key Value pairs - so if IBMi can send the data, with this data, you can then search it. The first thing to do is to look at the IBMi data and workout what format it is and how to collect that data, example, is it in a text log file, Json, XML, DB, syslog or API. You then need to set up the data collection method, this could involve a UF(Splunk Agent), Hec using HTTP API, or syslog etc, this has to be based on your environment and preferred method of collecting IBMi data, and place that data into an index. You then need to look at if there's a Splunk Add on in Splunkbase for IBMi data, this is used for parsing the data, if there isn’t one, you then need to develop Splunk props and transforms for the parsing of the data. You then have to make the IBMi, Data CIM complaint, so analyse what type of data it is, extract it via parsing and map those fields to CIM fields, so Splunk SIEM ES can make use of that data.
... View more
06-17-2024
04:39 AM
No worries, glad it worked out out 🙂
... View more
06-17-2024
04:38 AM
I guess you can have same auto lookup attribute names inside the same App, that then point to look up files being used. but causes issues when same inside of another app (I know Splunk for saved searches sends a message with same name or duplicate, but I don’t think it does for lookups) So, something like this alert may help | rest splunk_server=local servicesNS/admin/search/data/props/lookups
| search attribute=LOOKUP-*
| stats count by attribute
```Filter or add ones that are OK as they may be other attributes that use similar lookups in the same App context```
```| search NOT attribute="LOOKUP-my_ok_lookup1" NOT attribute="LOOKUP- my_ok_lookup2"```
| eval duplicate=if(count > 1, "Yes", "No")
| where count > 1 You can then find out, explore if there are other apps that use the same name attribute: Example in your case eventcode | rest splunk_server=local servicesNS/admin/search/data/props/lookups
| search attribute=LOOKUP-eventcode Have play and see if this helps.
... View more
06-17-2024
01:07 AM
From the Error, it states "failed to parse license because: The license payload seems to be empty" Its normally XML format so you should be able to check it and that its not corrupted etc. If your still having lic issues then contact Splunk to ensure you have the correct license. Follow these steps: https://docs.splunk.com/Documentation/Splunk/9.2.1/Admin/Installalicense
... View more
06-17-2024
01:00 AM
It could be several things blocking you. TcpOutputFd (this is normally a networking or config setting) You have set the whitelist and disabled the FW. Other things to check: Check your network allows for the HF to route outbound to Splunk cloud Deploy the Splunk Credentials Package to the HF - https://docs.splunk.com/Documentation/Forwarder/9.2.1/Forwarder/ConfigSCUFCredentials Check you can connect – try this command: openssl s_client -connect inputs1.MY_STACK_NAME>.splunkcloud.com:9997 Further than that more troubleshooting is required. But it’s usually a networking that’s blocking.
... View more
06-17-2024
12:36 AM
1 Karma
The index data lives on the Splunk indexer Server's . You typically use a Splunk Universal Forwarder or Heavy forwarder or some other means to send data to the Indexers and they get stored into a bucket(folder). So login to your Splunk indexers and go to the storage volume and see the data there. See the table section "What the index directories look like" this will show you the paths https://docs.splunk.com/Documentation/Splunk/9.2.1/Indexer/HowSplunkstoresindexes
... View more
06-17-2024
12:25 AM
1 Karma
Support would be something that comes to mind in this process. As best practice is to use indexers with versions that are the same or higher than forwarder versions as you stated. I have found that sometimes you can't always upgrade for whatever reason, and it will work, but then some features become deprecated or updated, and it may stop working or have some breaking changes. So, you take the risk. All 7.x Splunk Enterprise are now end of support, so should you encounter problems, you have no support. See below for Splunk End Of Life Support https://www.splunk.com/en_us/legal/splunk-software-support-policy.html
... View more
06-14-2024
01:19 AM
In the Gui > Data > Data availability - Click on the Green Base Line Search Button, that will generate the look up, you can then go back to the Data availability and it should display results.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-11-2026
11:41 PM
|
Karma given to
