Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- About MaverickT
MaverickT
Communicator
Member since:
05-16-2013
03-04-2026
Community Statistics
| Posts | 82 |
| Solutions | 8 |
| Karma Given | 28 |
| Karma Received | 41 |
| Member Since | 05-16-2013 |
Activity Feed
- Got Karma for Re: Splunk MCP Server returns fabricated/hallucinated data with Claude Desktop. 03-13-2026 07:16 AM
- Posted Re: Splunk MCP Server returns fabricated/hallucinated data with Claude Desktop on All Apps and Add-ons. 03-04-2026 01:46 PM
- Got Karma for Splunk App for Stream 8.1.5 broken on Splunk Enterprise 10.2.0. 02-19-2026 05:25 AM
- Posted Splunk App for Stream 8.1.5 broken on Splunk Enterprise 10.2.0 on All Apps and Add-ons. 02-19-2026 04:24 AM
- Posted Re: Splunk MCP Server returns fabricated/hallucinated data with Claude Desktop on All Apps and Add-ons. 02-10-2026 03:05 PM
- Karma Re: After upgrade 10.0 to 10.2.0, Forwarder Management Web UI is unavailable for kduensing. 02-05-2026 11:50 PM
- Posted Splunk MCP Server returns fabricated/hallucinated data with Claude Desktop on All Apps and Add-ons. 02-05-2026 11:24 PM
- Tagged Splunk MCP Server returns fabricated/hallucinated data with Claude Desktop on All Apps and Add-ons. 02-05-2026 11:24 PM
- Got Karma for Re: KVStore does not start when running Splunk 9.4. 01-26-2026 04:30 AM
- Karma Re: Splunk Enterprise Security 8.2.2 download not available for isoutamo. 10-07-2025 12:01 PM
- Posted Splunk Enterprise Security 8.2.2 download not available on Splunk Enterprise Security. 10-06-2025 07:18 AM
- Got Karma for Re: KVStore does not start when running Splunk 9.4. 06-02-2025 10:38 AM
- Posted Re: Upgrade to ES8 - Investigations are not shown in MissionControl on Splunk Enterprise Security. 04-17-2025 03:08 AM
- Got Karma for Re: KVStore does not start when running Splunk 9.4. 04-01-2025 06:38 AM
- Got Karma for Re: KVStore does not start when running Splunk 9.4. 03-18-2025 10:16 AM
- Got Karma for Re: KVStore does not start when running Splunk 9.4. 03-03-2025 01:11 PM
- Got Karma for Re: KVStore does not start when running Splunk 9.4. 01-09-2025 01:13 PM
- Posted Re: KVstore unable to start after upgrade to Splunk Enterprise 9.4 on Splunk Enterprise. 01-08-2025 01:55 PM
- Posted Re: KVStore does not start when running Splunk 9.4 on Deployment Architecture. 01-08-2025 01:54 PM
- Posted KVStore does not start when running Splunk 9.4 on Deployment Architecture. 01-08-2025 01:43 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 |
03-04-2026
01:46 PM
1 Karma
On February 27. Splunk MCP Server 1.0.2 was released that fixes this issue. What's New (Build 1.0.2) • Fix: Handles a race condition while creating a new secret for token encryption. • Fix: Mirrors the structuredContent field payload to the content text field. • Enhancement: Adds support for configuring an MCP URL using port 443.
... View more
02-19-2026
04:24 AM
1 Karma
So I just upgraded to Splunk Enterprise 10.2.0 and Stream stopped working. After some digging through the logs I found two separate issues, both caused by Python 3.13 compatibility problems. Sharing the fixes here in case anyone else hits this. What I saw in the logs First error: AttributeError: 'RawConfigParser' object has no attribute 'readfp'. Did you mean: 'read'? Second error: /opt/splunk/etc/apps/splunk_app_stream/appserver/controllers/captureipaddresses.py cannot be executed by Python: module 'collections' has no attribute 'MutableSet' What's going on Splunk 10.2.0 ships with Python 3.13, which removed some APIs that have been deprecated: RawConfigParser.readfp() was removed in Python 3.12 collections.MutableSet was removed in Python 3.10 The second error is a bit tricky — I wasted some time looking through captureipaddresses.py for MutableSet and found nothing. Turns out the real culprit is a bundled library that the controller imports: /opt/splunk/lib/python3.13/site-packages/IPy.py. The fixes 1. Fix stream_utils.py cp /opt/splunk/etc/apps/splunk_app_stream/bin/splunk_app_stream/utils/stream_utils.py \
/opt/splunk/etc/apps/splunk_app_stream/bin/splunk_app_stream/utils/stream_utils.py.bak
sed -i 's/config\.readfp/config.read_file/g' \
/opt/splunk/etc/apps/splunk_app_stream/bin/splunk_app_stream/utils/stream_utils.py 2. Fix IPy.py cp /opt/splunk/lib/python3.13/site-packages/IPy.py \
/opt/splunk/lib/python3.13/site-packages/IPy.py.bak
sed -i 's/collections\.MutableSet/collections.abc.MutableSet/g' \
/opt/splunk/lib/python3.13/site-packages/IPy.py Then restart Splunk web: /opt/splunk/bin/splunk restart splunkweb These are patches to Splunk-bundled files, so they could get overwritten on the next upgrade. Make a note to re-check after any Splunk or Stream app update. Hopefully Splunk ships a proper fix soon. Hope this saves someone a few hours of head-scratching!
... View more
Labels
- Labels:
-
troubleshooting
02-10-2026
03:05 PM
Many thanks @livehybrid, you pointed me at the right direction, the MCP server returns the following: 2026-02-10T22:43:24.467Z [splunk-mcp-server] [info] Message from server: {"jsonrpc":"2.0","id":6,"result":{"content":[{"type":"text","text":"Tool executed successfully (1 result)."}],"structuredContent":{"results":[{"src":"USERS-MAC","count":"5"}],"truncated":false,"total_rows":1}}} { metadata: undefined } As it turns out, Claude ignores what is returned as structuredContent. It only sees what is in the "content". This is Claude's bug, MCP works like it should.
... View more
02-05-2026
11:24 PM
Hi everyone, I've been testing the official Splunk MCP Server app from Splunkbase with Claude Desktop and noticed a concerning issue — the MCP server intermittently returns completely fabricated data instead of actual query results. Environment: Splunk Enterprise 10.2.0 on Linux Official Splunk MCP Server from Splunkbase, version 1.0.0 Claude Desktop as MCP client What I'm seeing: When running tstats queries against datamodels (Authentication, Endpoint.Processes), the results returned via MCP sometimes contain plausible-looking but completely fake data — usernames that don't exist, wrong countries, incorrect counts. Examples: Query for failed auth by user returned "james.smith", "j.smith", etc. — users that don't exist in my environment Query for failed auth by country returned Russia and China — actual data shows Nigeria and Albania Same query run multiple times returns different fabricated data, then sometimes the correct data Pattern observed: Simple/fast queries (index lists, basic stats) → Usually correct Zero-result queries → Correct (returns empty) Complex datamodel queries → Intermittent fabrication Re-running the same query → Sometimes fixes it, sometimes returns different fake data My suspicion: The MCP server documentation mentions guardrails including a 1-minute timeout. When queries timeout, instead of returning an error, something appears to be generating fake "plausible" responses. This could be an LLM component filling in the blanks. Questions: Has anyone else experienced this behavior? Is there an LLM/AI component in the MCP server that generates responses on timeout/failure? Is there a way to disable any fallback response generation and just return errors? Are there logs I can check to see what's happening when this occurs? This is a critical issue - we can't have a tool silently returning fake data that looks real. I'd rather get an error than incorrect results. Thanks for any insights!
... View more
- Tags:
- AI
- integration
- LLM
- MCP
Labels
- Labels:
-
search
-
troubleshooting
10-06-2025
07:18 AM
Does anyone has any information when will be Splunk ES 8.2.x again available for download on splunkbase? I could download ES 8.2.2 in the first half of previous week, but currently It is possible just to download ES 8.1.1.
... View more
Labels
- Labels:
-
installation
04-17-2025
03:08 AM
Hi, did you create new indexes, required by ES 8.0? Eg. mc_investigations, mc_artifacts, mc_aux_incidents, mc_events, mc_incidents_backup, cms_main...? That could be your issue.
... View more
01-08-2025
01:55 PM
Maybe this can be solution to your challenge: https://community.splunk.com/t5/Deployment-Architecture/KVStore-does-not-start-when-running-Splunk-9-4/m-p/708304/thread-id/29016/highlight/false#M29017
... View more
01-08-2025
01:54 PM
6 Karma
I did some reading of the documentation and realized that underlying Mongo DB was upgraded to 7. I figured out that Mongo DB 5+ requires AVX instruction set. So time to check if CPU supports AVX instruction set - in my case the CPU model did support this instructions. But running the lscpu command didnt show AVX flags. It turned out that AVX instructions were not available, because the VM had Processor compatibility mode enabled. In hyper-v we had to remove "Allow migration to a virtual machine host with a different processor version" checkbox. After VM was restarted, AVX appeared in CPU flags and Splunk KV Store was operational. Lession learned: before upgrading to 9.4 (or making fresh install), check if AVX flag is available. If it isn't, it is about time to upgrade your hardware 😁 and in stick to Splunk 9.3.
... View more
01-08-2025
01:43 PM
I am posting this to maybe save you from few hours of troubleshooting like I did. I did clean install of Splunk 9.4 in small customer environment with virtualized AIO instance. After the installation there was an error notifying that KV Store can not start and that mongo log should be checked. The following error was logged: ERROR KVStoreConfigurationProvider [4755 KVStoreConfigurationThread] - Could not start mongo instance. Initialization failed. Mongod.log was completely empty. So there was no clues in the log files about what is wrong and what can I do to make KVStore operational. Time to start Googling. Solution will be posted in the next post.
... View more
10-22-2024
12:12 AM
1 Karma
Status is unchanged. Splunk ES is still long way from having multi tenancy supported as it is. Request for multi-tenancy is marked as "Future prospect" at Splunk Ideas portal: Add native multi-tenancy capability to Enterprise Security | Ideas.
... View more
04-11-2024
10:16 PM
3 Karma
If you want to run SplunkForwarder with virtual account (which is recommended if you want to follow princpile of the least privileges) there is also a way to enable reading of sysmon logs. NT SERVICE/SplunkFowarder needs to be added to Event Log Readers group. One of the ways is to add it to the Group policy and deploy it accross your environment where your Forwarders are installed.
... View more
07-04-2023
10:55 PM
I think the catch is not the lookup. It is the data structure. While testing your search I got the results if I put IP address to my domainslist lookup table. The thing is that "DNS.answer" should be the IP address of the queried domain. Or am I wrong? If you want to search answers then your lookup should also include IP addresses. Note that in my experience if it is a big lookup file, this method will not work. It returns error and seach does not complete. In that case you have to return everything with tstats and then use lookup + search (or search + inputlookup).
... View more
08-28-2022
04:10 AM
4 Karma
Since Splunk 9.x, Universal Forwarder supports Apple Unified Logging. But Splunk didn't release corresponding TA. So I decided to publish technology add-on to make things CIM compliant with Splunk Enterprise Security: https://splunkbase.splunk.com/app/6561/ I also published an app to visualize key security-relevant events from MacOS datasource: https://splunkbase.splunk.com/app/6562/ Any improvement requests are welcome.
... View more
08-28-2022
04:07 AM
1 Karma
Since Splunk 9.x supports Apple Unified Logging but Splunk didn't release corresponding TA I decided to publish technology add-on to make things CIM compliant with Splunk Enterprise Security: https://splunkbase.splunk.com/app/6561/ I also published an app to visualize key security-relevant events from MacOS datasource: https://splunkbase.splunk.com/app/6562/
... View more
08-26-2022
01:15 AM
I had a same issue. It turned out that we needed to add Exchange Administrator role to the Enterprise Application associated with OAuth token. A bit of overkill of privileges, but it is what it takes to make thing working. Permission cheat-sheet: https://docs.google.com/spreadsheets/d/1YJAqNmcXZU-7O9CxVKupOkR6q2S8TXriMeLAUMYmMs4/edit#gid=0
... View more
06-21-2022
12:32 AM
1 Karma
The easiest option is to add new indexers/nodes to existing cluster, sync existing data to this nodes and after that slowly retire old indexers using "splunk offline --enforce-counts" command.
... View more
07-29-2021
12:08 AM
Yes, thats exactly the behaviour. To be more precise - tstats does not fail, it just doesnt return any results. To make things even more challenging - same tstats command works on other indexes.
... View more
07-28-2021
12:51 PM
Thanks for your reply. I guess I wasn't clear enough. I run search on search head, the search log is taken from search head, but also includes log from indexer. It is taken from here: $SPLUNK_HOME/var/run/splunk/dispatch/$SEARCH_JOB_ID/remote_logs/$INDEXER.search.log I am sure all logs from search heads, heavy and universal forwarders are forwarded to indexer tier, since normal search (eg. index=_internal | stats count by host) produces results.
... View more
07-28-2021
07:52 AM
I am trying to run the following tstats search on indexer cluster, recently updated to splunk 8.2.1:
| tstats count where index=_internal by host
The search returns no results, I suspect that the reason is this message in search log of the indexer:
Mixed mode is disabled, skipping search for bucket with no TSIDX data: \opt\splunkhot\_internaldb\db\hot_v1_4334
When I check the specified bucket folder, I can see the tsidx files inside.
Interesting fact is, that this issue occurs only with _internal index, same command works fine with other indexes. I have datamodel "Splunk's Internal Server Logs" enabled and accelerated.
Any suggestions where to start troubleshooting this issue?
... View more
Labels
04-29-2021
11:11 PM
2 Karma
The easyest way is to upgrade your Enterprise Security to 6.4, which has the option to add multiple risk analysis to the same result.
... View more
04-29-2021
11:08 PM
We made a clean installation of on-prem Splunk Enterprise 8.0.9 and Enterprise Security 6.4.0. When correlation search returns results, we would like to append these results to an email via adaptive response action "Send Email". We had selected the option to include an inline-table, but regardless of this setting, the table with results is still not added to the email. There are two additional findings we discovered: If we try to append results of standard alert search (non-correlation search) to an email it works. If we set sendresults = 1 in $SPLUNK_HOME/etc/system/local/alert_actions.conf it also works but not for all correlation searches... Has anybody encountered such problems and how did you solve it?
... View more
Labels
- Labels:
-
notable event
-
troubleshooting
01-22-2021
07:51 AM
Which "CloudStrike cloud environment" do you have selected? In my case it didn't work until "EU Cloud" was selected. After switching to "US Commercial" it started working. Currently using EU Cloud is not beneficiary, since all requests are (at least currently) redirected to US commercial anyway.
... View more
11-22-2020
11:46 PM
1 Karma
My advice is to install Splunk Add-on for Open Threat Exchange and Supporting Add-on for Open Threat Exchange. The installation is pretty straight forward and configuration guide can be found in the Details section of each Add-on on splunkbase. I've managed to install and configure those add-ons in less than an hour. https://splunkbase.splunk.com/app/4336/ https://splunkbase.splunk.com/app/4337/
... View more
11-09-2020
12:58 AM
1 Karma
Since October 2020 there is add-on available for this matter: Microsoft Cloud App Security Add-on for Splunk
... View more
08-14-2020
07:20 AM
It is probably not a direct answer to your question. But by looking at your printsceen you have selected Continous scheduling, but in the "Latest Time" is formed in real-time format (rt+5m@m).
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-04-2026
01:42 PM
|
Karma from
Karma given to
