08-07-2024
09:48 AM
Replying to ancient thread. Has anyone had success getting this plugin to talk to regular ldap like FreeIPA? It seems like feeding it a distinguishedName attribute would maybe work.
05-13-2024
06:58 AM
2 Karma
This is what I found and it worked! First of all, the message "Can not communicate with task server......" is vague and does not give a clear idea, so it can have many causes. A few of them are:
1. Updating the java_home path
2. Checking the JRE version
3. Checking if the HF has an approved license or is connected to the License Manager (it's no longer the license master)
4. Changing the task server port to 9995 or 1025, instead of 9998
What I did was this: SPLUNK_HOME/var/log/splunk/splunkd.log showed some error for dbx-migration.conf, so I added these lines by creating dbx-migration.conf in /etc/apps/splunk_app_db_connect/local:
[encryption]
disabled = 0
upgrade = DONE
Then a restart of splunkd. Works super smooth.
03-08-2024
07:18 AM
Doesn't work on 7.3. Big problem managing ipv6 networks. Year 2024 https://docs.splunk.com/Documentation/ES/7.3.0/Admin/Configurenewassetoridentitylist
- Tags:
- assetmanagement
- ipv6
01-29-2024
11:49 AM
FYI and perhaps this will be helpful to others. I was getting all the same errors and finding little of use in the log files. In my case the problem was that something had deleted these files:
C:\Program Files\Splunk\etc\apps\splunk_app_db_connect\windows_x86_64\bin\dbxquery.exe
C:\Program Files\Splunk\etc\apps\splunk_app_db_connect\windows_x86_64\bin\server.exe
Files of the same name still existed under:
...\windows_x86\bin
...\linux_x86\bin
...\linux_x86_64\bin
So we suspect some antivirus or similar must have deleted them for some reason. As soon as I put them back DB Connect was fine.
07-11-2023
12:26 PM
I know this is an old thread, but wanted to provide some details as I ran into the same issue. The Splunk docs provide separate iRules for DNS request logging and DNS response logging.
DNS request logging is configured in DNS > GSLB > iRules. They incorrectly state that you can apply this rule to your Listeners. You can only apply a GSLB iRule to wide IPs.
DNS response logging is configured in DNS > Delivery > iRules. I believe some older versions might list them in Local Traffic > iRules. They incorrectly state you can apply the rule to wide IPs. You can only apply a LTM/Delivery iRule to Listeners.
While the logging does work assuming you apply the rules to the correct objects, the problem I had is ensuring that the request logging rule gets applied to all wide IPs. I want to do logging on the Listeners so I can set it and forget it. Rules configured within DNS > Delivery > iRules support both DNS_REQUEST and DNS_RESPONSE events, but they don't support the whereami, whoami, whereis, and wideip name commands. I simply removed the references to those commands, joined both the request and response rules into a single rule, and applied it to my Listeners. I copied an example below.
when DNS_REQUEST {
    # Collect the request fields and send them to the syslog pool over HSL
    set client_addr [IP::client_addr]
    set dns_server_addr [IP::local_addr]
    set question_name [DNS::question name]
    set question_class [DNS::question class]
    set question_type [DNS::question type]
    set dns_len [DNS::len]
    set hsl [HSL::open -proto UDP -pool Pool-syslog]
    HSL::send $hsl "<190>,f5_irule=Splunk-iRule-DNS_REQUEST,src_ip=$client_addr,dns_server_ip=$dns_server_addr,question_name=$question_name,question_class=$question_class,question_type=$question_type,dns_len=$dns_len"
}
when DNS_RESPONSE {
    # Collect the response fields and send them to the same syslog pool
    set client_addr [IP::client_addr]
    set dns_server_addr [IP::local_addr]
    set question_name [DNS::question name]
    set is_wideip [DNS::is_wideip [DNS::question name]]
    # The separator is quoted: a bare ; would end the command instead of being passed to join
    set answer [join [DNS::answer] ";"]
    set hsl [HSL::open -proto UDP -pool Pool-syslog]
    HSL::send $hsl "<190>,f5_irule=Splunk-iRule-DNS_RESPONSE,src_ip=$client_addr,dns_server_ip=$dns_server_addr,question_name=$question_name,is_wideip=$is_wideip,answer=\"$answer\""
}
04-21-2023
05:31 AM
I found a solution to edit connections and identities and put it here. I hope it will be useful to you.
03-08-2023
04:44 AM
We are now in 2023 and we still hit the same issue as in 2016. Is there a new xsl file for this plugin?
10-13-2021
05:54 AM
I can't find them
05-17-2021
08:46 AM
Hi, I've been using this: https://docs.forescout.com/bundle/app-for-splunk-3-0-htg/page/app-for-splunk-3-0-htg.Appendix-D-Compatibility-with-CIM-Data-Models.html
05-04-2021
04:34 AM
I am facing a similar issue with Splunk Add-on for ServiceNow version 6.4.1. Is there any fix available?
01-28-2021
10:44 AM
You could use the Use Case Library to see which data sources and source types map to certain types of use cases, based on what you want to do: https://docs.splunk.com/Documentation/ES/6.4.1/Admin/Usecasecontentlibrary#Determine_which_Analytic_Stories_to_configure
01-28-2021
08:13 AM
Hi, It is 2021 and I still could not find any definition for `dest_host`, `dest_ip` or `dest_name` in the documentation. Specifically, I'm looking at https://docs.splunk.com/Documentation/CIM/4.18.0/User/Vulnerabilities Any chance these could be documented, please? Thanks, Misha
09-17-2020
01:28 PM
Unfortunately I've since moved employers and don't have the logs handy anymore
09-08-2020
06:21 AM
Thanks for posting this - this worked perfectly for me.
05-15-2017
05:51 PM
Thanks for the help, Tyler!
11-24-2017
03:42 AM
Hi,
I'm migrating DB Connect v1 to v3 and I have the exact same problem. After defining the output in DB Connect, how are the previous type, database, table and streaming converted?
Regards,
Tiago
06-02-2017
01:17 AM
Perhaps you need to use rising column mode instead of batch mode in the input?
04-03-2017
04:05 PM
1 Karma
I could not get the drivers to show they were installed when going to the Drivers tab of the DB Connect Settings page when following the instructions here - http://docs.splunk.com/Documentation/DBX/3.0.1/DeployDBX/Installdatabasedrivers#Supported_databases
It stated - From inside the TeraJDBC_... directory, copy or move the two .JAR files (terajdbc4.jar to the $SPLUNK_HOME/etc/apps/splunk_app_db_connect/drivers and tdgssconfig.jar to the $SPLUNK_HOME/etc/apps/splunk_app_db_connect/drivers/terajdbc4-libs) directory.
I was able to get the drivers to show up as installed and it listed the driver version when I put the files in $SPLUNK_HOME/etc/apps/splunk_app_db_connect/lib folder instead. When I tried to connect to a Teradata instance I received an error - "Could not initialize class com.teradata.tdgss.jtdgss.TdgssManager". Restarting Splunk made the error go away and allowed me to connect to and pull data from Teradata.
02-23-2017
10:49 AM
3 Karma
The reason for this error is that you're using the system Python instead of Splunk's Python.
To avoid this issue, follow the directions at http://docs.splunk.com/Documentation/DBX/3.0.0/DeployDBX/MigratefromDBConnectv1#User_permissions
Thanks!
05-23-2017
09:10 PM
1 Karma
Hi,
There is a known bug in DB Connect: props can't be overridden.
Reference: DB connect release notes: link text
Here is the solution which I have come up with. You can use it if you like.
My McAfee logs are in UTC and my Splunk server is running in UTC+4.
I have added the line below to the query itself.
SELECT dateadd (hour , 4 , [EPOEvents].[ReceivedUTC]) AS [timestamp] from xyz
You can look for SQL functions as per your database. I found this is the best solution as of now.
06-10-2019
07:41 AM
I downvoted this post because this statement of non-compatibility of time is inaccurate.
04-19-2017
05:38 PM
@lucasbarbosa - Were you able to test out jcoates' solution? Did it work? If yes, please don't forget to resolve this post by clicking on "Accept". If you still need more help, please provide a comment with some feedback. Thanks!
10-18-2018
09:55 AM
1 Karma
I fixed the problem as follows:
I upgraded from jre7 to jre8 (you're probably already correctly on jre8), got the same error message in the original question here except with sqlserver, tried reloading drivers, still got the same message. Then I looked in /home/splunk/etc/apps/splunk_app_db_connect/bin/lib and the only driver was rpcserver-all.jar. I downloaded sqljdbc42.jar from Microsoft (https://www.microsoft.com/en-us/download/details.aspx?id=11774, again, this was for my case using sqlserver), and then reloaded drivers, and restarted the RPC server again, and that fixed the error! (I'm getting a separate error now, but fixed the error message that this question refers to)
09-25-2016
06:53 AM
You should join in SQL. That way, you'll be able to set up a DB Input if you so desire. An example query for your join:
SELECT * FROM (
(SELECT * FROM prod.dbo.TRANSACT_MONETARY) t1
join (SELECT * FROM prod.dbo.ACCOUNT) t2
on t1.ACCOUNT_NBR=t2.ACCOUNT_NBR)
Note that this join is not particularly efficient if you are trying to filter in time - if you are trying to write a rising input make sure to use advanced mode and add a WHERE clause to the t1 query.
Notice the SELECT * FROM (...) structure to the query. Since it is already wrapped, dbx query wrapping can be disabled. Otherwise, you'll be double wrapping.
09-20-2016
02:28 PM
Once upon a time I worked for a company that reengineered its policy engine to sit on SQLite... and that happened. I think the query_timeout value in inputs.conf might do it for you? http://docs.splunk.com/Documentation/DBX/2.3.0/DeployDBX/inputsspec
Another idea might be to change your searches to dbxquery statements that | collect into indexes, though doing that 30 times sounds tedious.