Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About MaverickT
MaverickT
Communicator
Member since:
05-16-2013
04-17-2025
Community Statistics
| Posts | 77 |
| Solutions | 7 |
| Karma Given | 26 |
| Karma Received | 38 |
| Member Since | 05-16-2013 |
Activity Feed
- Got Karma for Re: KVStore does not start when running Splunk 9.4. 2 weeks ago
- Posted Re: Upgrade to ES8 - Investigations are not shown in MissionControl on Splunk Enterprise Security. 04-17-2025 03:08 AM
- Got Karma for Re: KVStore does not start when running Splunk 9.4. 04-01-2025 06:38 AM
- Got Karma for Re: KVStore does not start when running Splunk 9.4. 03-18-2025 10:16 AM
- Got Karma for Re: KVStore does not start when running Splunk 9.4. 03-03-2025 01:11 PM
- Got Karma for Re: KVStore does not start when running Splunk 9.4. 01-09-2025 01:13 PM
- Posted Re: KVstore unable to start after upgrade to Splunk Enterprise 9.4 on Splunk Enterprise. 01-08-2025 01:55 PM
- Posted Re: KVStore does not start when running Splunk 9.4 on Deployment Architecture. 01-08-2025 01:54 PM
- Posted KVStore does not start when running Splunk 9.4 on Deployment Architecture. 01-08-2025 01:43 PM
- Got Karma for Re: Sysmon events not getting indexed. 11-08-2024 09:33 AM
- Got Karma for Re: How to migrate data in an indexer cluster to a new indexer cluster environment?. 10-23-2024 01:08 PM
- Got Karma for Re: Splunk Enterprise Security: Is it possible to implement multi-tenancy in a distributed search environment?. 10-22-2024 12:38 AM
- Posted Re: Splunk Enterprise Security: Is it possible to implement multi-tenancy in a distributed search environment? on Splunk Enterprise Security. 10-22-2024 12:12 AM
- Got Karma for Re: Does anyone have reference material on the inputs.conf for MAC OSs and how to get the events into Splunk?. 09-12-2024 01:15 AM
- Got Karma for Re: Sysmon events not getting indexed. 09-02-2024 04:29 AM
- Karma ForwardedEvents ingestion broken after update to 9.1 for PickleRick. 07-22-2024 10:24 AM
- Karma Re: Sysmon events not getting indexed for DanielAmlung. 05-27-2024 04:48 AM
- Got Karma for Re: Sysmon events not getting indexed. 05-27-2024 03:59 AM
- Posted Re: Sysmon events not getting indexed on Getting Data In. 04-11-2024 10:16 PM
- Got Karma for Re: Does anyone have reference material on the inputs.conf for MAC OSs and how to get the events into Splunk?. 09-20-2023 11:10 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 2 | |||
| 0 |
04-17-2025
03:08 AM
Hi, did you create new indexes, required by ES 8.0? Eg. mc_investigations, mc_artifacts, mc_aux_incidents, mc_events, mc_incidents_backup, cms_main...? That could be your issue.
... View more
01-08-2025
01:55 PM
Maybe this can be solution to your challenge: https://community.splunk.com/t5/Deployment-Architecture/KVStore-does-not-start-when-running-Splunk-9-4/m-p/708304/thread-id/29016/highlight/false#M29017
... View more
01-08-2025
01:54 PM
5 Karma
I did some reading of the documentation and realized that underlying Mongo DB was upgraded to 7. I figured out that Mongo DB 5+ requires AVX instruction set. So time to check if CPU supports AVX instruction set - in my case the CPU model did support this instructions. But running the lscpu command didnt show AVX flags. It turned out that AVX instructions were not available, because the VM had Processor compatibility mode enabled. In hyper-v we had to remove "Allow migration to a virtual machine host with a different processor version" checkbox. After VM was restarted, AVX appeared in CPU flags and Splunk KV Store was operational. Lession learned: before upgrading to 9.4 (or making fresh install), check if AVX flag is available. If it isn't, it is about time to upgrade your hardware 😁 and in stick to Splunk 9.3.
... View more
01-08-2025
01:43 PM
I am posting this to maybe save you from few hours of troubleshooting like I did. I did clean install of Splunk 9.4 in small customer environment with virtualized AIO instance. After the installation there was an error notifying that KV Store can not start and that mongo log should be checked. The following error was logged: ERROR KVStoreConfigurationProvider [4755 KVStoreConfigurationThread] - Could not start mongo instance. Initialization failed. Mongod.log was completely empty. So there was no clues in the log files about what is wrong and what can I do to make KVStore operational. Time to start Googling. Solution will be posted in the next post.
... View more
10-22-2024
12:12 AM
1 Karma
Status is unchanged. Splunk ES is still long way from having multi tenancy supported as it is. Request for multi-tenancy is marked as "Future prospect" at Splunk Ideas portal: Add native multi-tenancy capability to Enterprise Security | Ideas.
... View more
04-11-2024
10:16 PM
3 Karma
If you want to run SplunkForwarder with virtual account (which is recommended if you want to follow princpile of the least privileges) there is also a way to enable reading of sysmon logs. NT SERVICE/SplunkFowarder needs to be added to Event Log Readers group. One of the ways is to add it to the Group policy and deploy it accross your environment where your Forwarders are installed.
... View more
07-04-2023
10:55 PM
I think the catch is not the lookup. It is the data structure. While testing your search I got the results if I put IP address to my domainslist lookup table. The thing is that "DNS.answer" should be the IP address of the queried domain. Or am I wrong? If you want to search answers then your lookup should also include IP addresses. Note that in my experience if it is a big lookup file, this method will not work. It returns error and seach does not complete. In that case you have to return everything with tstats and then use lookup + search (or search + inputlookup).
... View more
08-28-2022
04:10 AM
4 Karma
Since Splunk 9.x, Universal Forwarder supports Apple Unified Logging. But Splunk didn't release corresponding TA. So I decided to publish technology add-on to make things CIM compliant with Splunk Enterprise Security: https://splunkbase.splunk.com/app/6561/ I also published an app to visualize key security-relevant events from MacOS datasource: https://splunkbase.splunk.com/app/6562/ Any improvement requests are welcome.
... View more
08-28-2022
04:07 AM
1 Karma
Since Splunk 9.x supports Apple Unified Logging but Splunk didn't release corresponding TA I decided to publish technology add-on to make things CIM compliant with Splunk Enterprise Security: https://splunkbase.splunk.com/app/6561/ I also published an app to visualize key security-relevant events from MacOS datasource: https://splunkbase.splunk.com/app/6562/
... View more
08-26-2022
01:15 AM
I had a same issue. It turned out that we needed to add Exchange Administrator role to the Enterprise Application associated with OAuth token. A bit of overkill of privileges, but it is what it takes to make thing working. Permission cheat-sheet: https://docs.google.com/spreadsheets/d/1YJAqNmcXZU-7O9CxVKupOkR6q2S8TXriMeLAUMYmMs4/edit#gid=0
... View more
06-21-2022
12:32 AM
1 Karma
The easiest option is to add new indexers/nodes to existing cluster, sync existing data to this nodes and after that slowly retire old indexers using "splunk offline --enforce-counts" command.
... View more
07-29-2021
12:08 AM
Yes, thats exactly the behaviour. To be more precise - tstats does not fail, it just doesnt return any results. To make things even more challenging - same tstats command works on other indexes.
... View more
07-28-2021
12:51 PM
Thanks for your reply. I guess I wasn't clear enough. I run search on search head, the search log is taken from search head, but also includes log from indexer. It is taken from here: $SPLUNK_HOME/var/run/splunk/dispatch/$SEARCH_JOB_ID/remote_logs/$INDEXER.search.log I am sure all logs from search heads, heavy and universal forwarders are forwarded to indexer tier, since normal search (eg. index=_internal | stats count by host) produces results.
... View more
07-28-2021
07:52 AM
I am trying to run the following tstats search on indexer cluster, recently updated to splunk 8.2.1:
| tstats count where index=_internal by host
The search returns no results, I suspect that the reason is this message in search log of the indexer:
Mixed mode is disabled, skipping search for bucket with no TSIDX data: \opt\splunkhot\_internaldb\db\hot_v1_4334
When I check the specified bucket folder, I can see the tsidx files inside.
Interesting fact is, that this issue occurs only with _internal index, same command works fine with other indexes. I have datamodel "Splunk's Internal Server Logs" enabled and accelerated.
Any suggestions where to start troubleshooting this issue?
... View more
Labels
04-29-2021
11:11 PM
2 Karma
The easyest way is to upgrade your Enterprise Security to 6.4, which has the option to add multiple risk analysis to the same result.
... View more
04-29-2021
11:08 PM
We made a clean installation of on-prem Splunk Enterprise 8.0.9 and Enterprise Security 6.4.0. When correlation search returns results, we would like to append these results to an email via adaptive response action "Send Email". We had selected the option to include an inline-table, but regardless of this setting, the table with results is still not added to the email. There are two additional findings we discovered: If we try to append results of standard alert search (non-correlation search) to an email it works. If we set sendresults = 1 in $SPLUNK_HOME/etc/system/local/alert_actions.conf it also works but not for all correlation searches... Has anybody encountered such problems and how did you solve it?
... View more
Labels
- Labels:
-
notable event
-
troubleshooting
01-22-2021
07:51 AM
Which "CloudStrike cloud environment" do you have selected? In my case it didn't work until "EU Cloud" was selected. After switching to "US Commercial" it started working. Currently using EU Cloud is not beneficiary, since all requests are (at least currently) redirected to US commercial anyway.
... View more
11-22-2020
11:46 PM
1 Karma
My advice is to install Splunk Add-on for Open Threat Exchange and Supporting Add-on for Open Threat Exchange. The installation is pretty straight forward and configuration guide can be found in the Details section of each Add-on on splunkbase. I've managed to install and configure those add-ons in less than an hour. https://splunkbase.splunk.com/app/4336/ https://splunkbase.splunk.com/app/4337/
... View more
11-09-2020
12:58 AM
1 Karma
Since October 2020 there is add-on available for this matter: Microsoft Cloud App Security Add-on for Splunk
... View more
08-14-2020
07:20 AM
It is probably not a direct answer to your question. But by looking at your printsceen you have selected Continous scheduling, but in the "Latest Time" is formed in real-time format (rt+5m@m).
... View more
08-14-2020
07:16 AM
There is an option to code your own adaptive response action, which can be used to forward the data to other systems. But you will need to do a little bit of python coding... https://dev.splunk.com/enterprise/docs/devtools/enterprisesecurity/adaptiveresponseframework/
... View more
08-14-2020
02:05 AM
There is no way of doing Splunk database backup via GUI. Even the CLI might get a little bit complicated, because you have to roll the buckets before making backup. You can learn more about making backup here: https://docs.splunk.com/Documentation/Splunk/8.0.5/Indexer/Backupindexeddata https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/BackupKVstore Maybe you should consider moving the cold buckets to the QNAP NAS?
... View more
08-14-2020
01:34 AM
Can you check if you maybe have "Remote event log collections" enabled for this host on one of your Splunk instances? This is one of the reasons why there can be duplicate data..
... View more
- Tags:
- Can
07-09-2020
11:07 AM
Oh, sorry, fast reading. I am trying to download splunk 7.3.1.1 to help you, but somehow the download link for previous releases of splunk doesn't work :/.
... View more
07-09-2020
10:43 AM
Just one addon to your arhitecture. Search head cluster should have at least 3 members. Otherwise it won't be able to elect the search head captain.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
04-17-2025
03:06 AM
|
Karma from
Karma given to
