Have you checked that this file exists and your splunk user have read access to it? ... View more

Hi If you want collect introspection data from UF there are some instructions for it. https://docs.splunk.com/Documentation/Splunk/9.4.0/Troubleshooting/ConfigurePIF https://community.splunk.com/t5/Getting-Data-In/How-to-collect-introspection-logs-from-forwarders-in-a/m-p/129601 Depending on what you are really needing it maybe better to use e.g Windows or Unix/Linux TA to collect that information. And remember that you cannot collect all same data from UFs than splunk collect from full enterprise instance. There is at least one app for this task https://splunkbase.splunk.com/app/3805 r. Ismo ... View more

Hi here is excellent presentation kept in Helsinki UG. https://data-findings.com/wp-content/uploads/2024/09/HSUG-20240903-Tiia-Ojares.pdf There is shown how to debug your tokens etc. Probably you should use $form.$ tokens instead of use just $tokens$? r. Ismo ... View more

Here is an excellent conf presentation, how to find the reason for this lag https://conf.splunk.com/files/2019/slides/FN1570.pdf ... View more

Just guessing, but this sounds like issue with your authentication part. At least earlier splunk has used user nobody as local user which are not existing or at least it haven't any roles. There is at least one old post which explains user nobody https://community.splunk.com/t5/All-Apps-and-Add-ons/Disambiguation-of-the-meaning-of-quot-nobody-quot-as-an-owner-of/m-p/400573 Here is another post which explains how to find those scheduled searches https://community.splunk.com/t5/Splunk-Search/How-to-identify-a-skipped-scheduled-accelerated-report/m-p/700427 Was there any issues with your upgrade? If I understand correctly you have update it from 9.1.x to 9.2.4? In which platform and is this distributed environment? What are behind your LDAP authentication and authorization directory? Do you know if there are or have been defined user nobody? r. Ismo ... View more

Here is interesting conf presentation which may help you to understand difference between metrics and event indexes. https://conf.splunk.com/files/2022/recordings/OBS1157B_1080.mp4 I think that it's still quite accurate, but if I recall right there have happened some changes how ingestion amount is calculated with metrics? Basically this should be better for end users. Here is also basic information about Metrics https://docs.splunk.com/Documentation/Splunk/latest/Metrics/GetStarted r. Ismo ... View more

Can you paste your inputs.conf here between editor's script block </> ? When you are saying "cheduled runs are sometimes missed, or scripts execute at unexpected times." is the only fix for this to restart splunkd service on UF? Are those UFs in domain or just individual nodes which manages time sync with ntpd instead of Windows domain service? ... View more

Other have already give you some hints to use and check for this issue. If you have lot of logs (probably you have)? Then one option is use SC4S. There is more about it e.g. - https://splunkbase.splunk.com/app/4740 - https://lantern.splunk.com/Data_Descriptors/Syslog/Installing_Splunk_Connect_For_Syslog_(SC4S)_on_a_Windows_network - https://www.splunk.com/en_us/blog/tips-and-tricks/splunk-connect-for-syslog-turnkey-and-scalable-syslog-gdi.html?locale=en_us (several parts) If I recall right there is also some .conf presentation (2019-21? or something) and some UG presentations too. - https://conf.splunk.com/files/2020/slides/PLA1454C.pdf ... View more

Hi old discussion about getting Zabbix audit logs into Splunk. https://community.splunk.com/t5/Getting-Data-In/How-do-I-integrate-Zabbix-with-Splunk/m-p/432733 Maybe this helps you? r. Ismo ... View more

This has changed on 9.2 see https://docs.splunk.com/Documentation/Splunk/9.2.0/Updating/Upgradepre-9.2deploymentservers If you have distributed environment where DS is not your only indexer you must follow above instructions. Do you have look from internal logs (_internal and those _ds*) if there are any hints why those are not seen on DS's screens? ... View more

You should add \s* in both side of = to found also “index =*” etc definition. Also there could be a macro or eventtypes where this definition is. Even role’s default index or search filters could contains this definition. As you see it’s not as easy than look “index=*” from saved searches or even from _audit. There are lot of similar questions and answers in community where you could see more information about this subject. ... View more

Fix for this will be SPL-266957. ... View more

Can you give some sample data which helps us to understand this better and found suitable solution? Please anonymous that data if/when needed! ... View more

You can/should always give some notice for those people who have onboarding that data for fixing the real issue! As said with wrong timestamps this data is not as useful than it should. ... View more

Have you look this answer https://community.splunk.com/t5/Alerting/Throttle-alerts-based-on-field-value/m-p/172536 if it fulfills your needs? ... View more

If you want results by URI then don’t put anything else after by. But then the results is not same as you have with your current query. .... | stats values(status) as status .... by URI just replace …. before by with those other fields what you want to see. But probably this is not what you are looking for? Can you told what you need to know, not how you try to do it? ... View more

Did you copy all those files and directories which are mentioned on item 2.4 in referenced post? I’m not sure how it works and are there some additional stuff to do as you have changed the name/url for the new master? I prefer to use FQDN as all instance names (CNAME or A records) to avoid additional issues which can arise when there are too many changes at same time. Is your old master still available to test with it? Are there any reasonable error messages on CM’s or indexers’ logs to get more information what is the issue? ... View more

Only thing what comes my mind is that you should try to find some matches from other logs including sh side, which process or query has initiated this query on indexer side and found more information over there. Another option is create a support case to splunk. ... View more

I think so. I haven’t try by myself those ARM based Linux UFs if those are working also in KALI. ... View more

Here is link to docs https://docs.splunk.com/Documentation/Splunk/9.4.0/Indexer/Setupmultipleindexes Remember if you are editing conf files then you must do restart or in some cases reload is enough. If you want to avoid that, then you should use GUI or CLI commands to modify those values. ... View more

If you have individual indexers then it is correct place. After change do reload for it. If you have indexer cluster then you must do this change on CM. Edit correct indexes.conf file somewhere under master-apps or manager-apps. After that apply cluster-bundle, when it has distributed into search peers. ... View more

Better to contact 1st to partner - https://www.splunk.com/en_us/partners.html - Find a Partner button - https://www.splunk.com/en_us/about-splunk/contact-us.html ... View more

Can you describe your question little bit more for us? I'm not sure what you are asking? Splunk can ingest more than PB per day. It just depends on how environment has build and what are it's capacity. Data are stored into buckets on local disks or on S3 bucket e.g. in AWS or equivalent versions on GCP, Azure or onprem. All those are described on docs.splunk.com. If needed you can contact to your local Splunk Partner or directly to Splunk and they can present it to you. There are lots of videos, conf presentations etc. to tell more about Splunk. ... View more

This is excellent app for finding old presentations and video sessions https://splunkbase.splunk.com/app/3330 ... View more

https://community.splunk.com/t5/Getting-Data-In/Route-event-data-to-different-target-groups-issue/td-p/366461 ... View more