@y0u7  Yes, you can use an archived app in Splunk, but no longer updated or officially supported by their developers. When you have an app already installed on your env and if that app is archived , that wont effect the already installed one and there will be no support offered by developer .  ... View more

@y0u7  Please have a look https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Add-on-For-Salesforce/m-p/657128  ... View more

@rksharma2808  Check this https://www.servicenow.com/community/developer-forum/unable-to-create-incidents-via-splunk-add-on-for-servicenow/m-p/2815690  ... View more

@rksharma2808  The 500 Internal Server Error from ServiceNow when trying to create a ticket usually indicates an issue on the ServiceNow side rather than Splunk.  Ensure the endpoint is accessible from Splunk (e.g., test via curl or Postman). A 500 error can occur if the payload sent to ServiceNow is malformed or missing required fields. Cross-check the payload fields with ServiceNow's API documentation for ticket creation. If possible, log the payload being sent by Splunk and manually test it using Postman or curl to identify the exact issue. I would recommend you to setup a call with the ServiceNow team and fix the issue.      ... View more

@rksharma2808  As the error message suggests, try regenerating the access token. This can often resolve the issue if the token has expired. Ensure that the new access token has a sufficient expiry time. Sometimes, tokens are set to expire too quickly, causing frequent issues. If you are hitting API rate limits, ServiceNow might invalidate the token. Verify with your ServiceNow admin if rate limits are being enforced. ... View more

@FAnalyst  Try this  index=_internal sourcetype=splunkd component=Metrics group=tcpin_connections | dedup sourceHost | table sourceHost fwdType ... View more

@FAnalyst  You should be able to get list of whitelist servers using following query. | rest /services/deployment/server/serverclasses | table title whitelist.* | untable title whitelist hostname | stats count by hostname | table hostname You can put it to in a lookup file or just use the rest query itself and compare it against deployment/server/clients to know which clients that are configured in serverclass.conf but not sending phonehome. Something like this | rest /services/deployment/server/serverclasses | table title whitelist.* | untable title whitelist hostname | stats count by hostname | table hostname | eval state="configured" | append [| rest /services/deployment/server/clients | table title | rename title as hostname | eval state="phonehome" ] | stats values(state) as state by hostname | where mvcount(state)=1 AND state="configured"   ... View more

@FAnalyst  Use the below search to get an exportable list of deployment clients. | rest splunk_server=local /services/deployment/server/clients | table hostname utsname | sort utsname Another way to find forwarders is to search the internal index for incoming TCP connections. index=_internal sourcetype=splunkd component=Metrics group=tcpin_connections | dedup sourceHost | table sourceHost fwdType   To see all hosts that send data, not just forwarders, count the hosts found in all indexes. | tstats count where index=* host=* by host   ... View more

@att35If you find the provided solution satisfactory, please proceed with accepting it. ... View more

@shabamichae  Yes, you can run the Deployment Server, License Master, and Monitoring Console on the same Splunk instance using the same port (default port 8089 for management). However, there are a few things to consider: Resource Efficiency: Good for lab environments or small deployments where resources are limited. Simpler Management: easier to manage since all roles are on a single instance. ... View more

@att35 This was an expected behavior with the default configurations. To overcome this you have to modify the configurations referring to the below document: https://docs.splunk.com/Documentation/Splunk/9.3.1/DistSearch/PropagateSHCconfigurationchanges#Choose_a_deployer_push_mode ... View more

@att35  Yes, you need to adjust the deployer_push_mode to one of the other parameters, based on your requirements. In general, there are four modes of deployer_push_mode: - full - merge_to_default - local_only - default_only By default merge_to_default setting is enabled due to you are observing the behavior that you have mentioned. - If set to "full": Bundles all of the app's contents located in default/, local/, users/<app>/, and other app subdirs. It then pushes the bundle to the members. When applying the bundle on a member, the non-local and non-user configurations from the deployer's app folder are copied to the member's app folder, overwriting existing contents. Local and user configurations are merged with the corresponding folders on the member, such that member configuration takes precedence. This option should not be used for built-in apps, as overwriting the member's built-in apps can result in adverse behavior. - If set to "merge_to_default": Merges the local and default folders into the default folder and pushes the merged app to the members. When applying the bundle on a member, the default configuration on the member is overwritten. User configurations are copied and merged with the user folder on the member, such that the existing configuration on the member takes precedence. - * If set to "local_only": This option bundles the app's local directory (and its metadata) and pushes it to the cluster. When applying the bundle to a member, the local configuration from the deployer is merged with the local configuration on the member, such that the member's existing configuration takes precedence. Use this option to push the local configuration of built-in apps, such as search. If used to push an app that relies on non-local content (such as default/ or bin/), these contents must already exist on the member. - If set to "local_only": This option bundles the app's local directory (and its metadata) and pushes it to the cluster. When applying the bundle to a member, the local configuration from the deployer is merged with the local configuration on the member, such that the member's existing configuration takes precedence. Use this option to push the local configuration of built-in apps, such as search. If used to push an app that relies on non-local content (such as default/ or bin/), these contents must already exist on the member. Based on your requirement you can change the deployer_push_mode. It is highly advisable to review the document below to gain a clear understanding of the behavior before implementing any changes. https://docs.splunk.com/Documentation/Splunk/9.3.1/DistSearch/PropagateSHCconfigurationchanges#Choose_a_deployer_push_mode ... View more

@Lavanya1612  Changing the Task Server port to 1025 should not be an issue in itself, as it is above the privileged port range (<1024) and is less likely to face permission issues. Ensure that port 1025 is not being used by another service and that firewall rules allow communication on this port. Since this worked in the lower environment, there is a good chance it could work in production. However, production environments often have different security policies, firewall rules, and resource loads, which could affect stability. Incompatibility with OpenJDK might lead to failures in JDBC connections, scheduler issues, or unstable behavior of the DB Connect app. If DB Connect fails, any dashboards, alerts, or scheduled searches that rely on database inputs might be impacted. If cost is the main concern, consider using OpenJDK but be prepared with a rollback plan ... View more

@harishsplunk7  query for 90 days. | tstats latest(_time) as lastTime where index=* by index, sourcetype | eval age=now()-lastTime | where age > 7776000 | eval lastTime=strftime(lastTime, "%Y-%m-%d %H:%M:%S") | table index, sourcetype, lastTime   ... View more

@harishsplunk7  Try this, you can change the age value to 7776000 (90days)     ... View more

@Karthikeya  Your configurations need to be applied either by a Heavy Forwarder before indexing, or by the Indexers during indexing. Since you don't have a HF, focus on correctly configuring index-time extraction on your indexers. Simply having the files on the DS isn't enough, they must be deployed to the indexers, and the indexers must be configured to use them. So you can use Cluster master to push the configurations to the indexers. ... View more

@Karthikeya  Additionally, I have tested this in my lab, and it's working fine. Please take a look.   Sample events:- rsaid="/alpha-A-01/ALPHA-CK-GSPE/v-alpha.linux.com-101" rsaid="/beta-B-02/BETA-CK-GSPE/v-beta.linux.com-102" rsaid="/gamma-G-03/GAMMA-CK-GSPE/v-gamma.linux.com-103" rsaid="/delta-D-04/DELTA-CK-GSPE/v-delta.linux.com-104" rsaid="/epsilon-E-05/EPSILON-CK-GSPE/v-epsilon.linux.com-105" rsaid="/zeta-Z-06/ZETA-CK-GSPE/v-zeta.linux.com-106" rsaid="/eta-H-07/ETA-CK-GSPE/v-eta.linux.com-107" rsaid="/theta-T-08/THETA-CK-GSPE/v-theta.linux.com-108" rsaid="/iota-I-09/IOTA-CK-GSPE/v-iota.linux.com-109" rsaid="/kappa-K-10/KAPPA-CK-GSPE/v-kappa.linux.com-110" rsaid="/lambda-L-11/LAMBDA-CK-GSPE/v-lambda.linux.com-111" rsaid="/mu-M-12/MU-CK-GSPE/v-mu.linux.com-112" rsaid="/nu-N-13/NU-CK-GSPE/v-nu.linux.com-113" rsaid="/xi-X-14/XI-CK-GSPE/v-xi.linux.com-114" rsaid="/omicron-O-15/OMICRON-CK-GSPE/v-omicron.linux.com-115" rsaid="/pi-P-16/PI-CK-GSPE/v-pi.linux.com-116" rsaid="/rho-R-17/RHO-CK-GSPE/v-rho.linux.com-117" rsaid="/sigma-S-18/SIGMA-CK-GSPE/v-sigma.linux.com-118" rsaid="/tau-T-19/TAU-CK-GSPE/v-tau.linux.com-119" rsaid="/upsilon-U-20/UPSILON-CK-GSPE/v-upsilon.linux.com-120" rsaid="/phi-F-21/PHI-CK-GSPE/v-phi.linux.com-121" rsaid="/chi-C-22/CHI-CK-GSPE/v-chi.linux.com-122" rsaid="/psi-PS-23/PSI-CK-GSPE/v-psi.linux.com-123" rsaid="/omega-W-24/OMEGA-CK-GSPE/v-omega.linux.com-124"   ... View more

@uagraw01  This "Bad Allocation" error often indicates that the server is running out of memory while processing the request. It can occur during large searches or when the server's memory resources are insufficient. This error "HTTP Status 400 (Bad Request)" typically means that the request sent to the server was malformed or incorrect in some way. You might want to check the request syntax and ensure all required parameters are correctly formatted. Check the below resources :  https://community.splunk.com/t5/Reporting/Searches-fail-with-quot-bad-allocation-quot-error/m-p/197630  https://docs.splunk.com/Documentation/Splunk/9.4.0/SearchReference/Noop  https://docs.splunk.com/Documentation/Splunk/9.4.0/Search/Comments  I would recommend you raise a support ticket.  ... View more

@SN1  ES does require that the "admin" account exist. By default, saved searches use "dispatchAs" setting of "owner". The owner of the searches is set to "admin" via default.meta. Thus, removing the admin user will cause searches to fail. If the admin user to removed, then the following error will be observed when searches are executed that attempt to run under the admin user: 'DispatchManager': The user 'admin' does not have sufficient search privileges. To fix this issue, restore the admin user. The searches should begin working immediately (no restart required). ... View more

@Nemmadisusmitha  you need to fill out the form using following URL for Splunk ID, and then you will get an email from Splunk with in 2 to 3 business days with SplunkID that can be used to create Pearson account. https://www.splunk.com/en_us/training/pearson-vue-registration-form.html  if you didnt get an email in 2 to 3 business days , please send an email to certification@splunk.com  for SplunkID. FYI Exam Registration Tutorial: https://www.splunk.com/pdfs/training/Exam-Registration-Tutorial.pdf  ... View more

@ayomotukoya As @richgalloway  said, lastchanceindex is a Pre-defined in Splunk Cloud. Accepts events sent to a non-existing index. So please create index first before onboarding data to Splunk Cloud.  lastchanceindex:- [Input Y] index = $%^&*   ... View more

@Alan_Chan  If field aliases are not sufficient or if the fields are not being extracted properly, you can create Calculated Fields on the SH. Navigate to Settings > Fields > Calculated Fields. Use a simple eval expression to create a new field that maps to both the English and Chinese field names: eval src=coalesce(src, "來源網路位址") eval src_port=coalesce(src_port, "來源連接埠") https://docs.splunk.com/Documentation/Splunk/9.4.0/Knowledge/CreatecalculatedfieldswithSplunkWeb  https://docs.splunk.com/Documentation/Splunk/9.4.0/Knowledge/definecalcfields  ... View more

@sureshkumaar  When the thruput limit is reached, monitoring pauses and the following events are recorded in splunkd.log Run this command:- /opt/splunkforwarder/bin/splunk btool inputs list --debug INFO TailingProcessor - Could not send data to output queue (parsingQueue), retrying... To verify how often the forwarder is hitting this limit, check the forwarder's metrics.log. (Look for this on the forwarder because metrics.log is not forwarded by default on universal and light forwarders.) cd /opt/splunkforwarder/var/log/splunk grep "name=thruput" metrics.log Example: The instantaneous_kbps and average_kbps are always under 256KBps. 11-19-2013 07:36:01.398 -0600 INFO Metrics - group=thruput, name=thruput, instantaneous_kbps=251.790673, instantaneous_eps=3.934229, average_kbps=110.691774, total_k_processed=101429722, kb=7808.000000, ev=122 Solution Create a custom limits.conf with a higher limit or no limit. The configuration can be in system/local or in an app that will have precedence on the existing limit. Example: Configure in a dedicated app, in /opt/splunkforwarder/etc/apps/Gofaster/local/limits.conf Double the thruput limit, from 256 to 512 KBps: [thruput] maxKBps = 512 Or for unlimited thruput: [thruput] maxKBps = 0 Unlimited speed can cause higher resource usage on the forwarder. Keep a limit if you need to control the monitoring and network usage. Restart to apply. Verify the result of the configuration with btool. Later, verify in metrics.log that the forwarder is not reaching the new limit constantly. ... View more

@Space_Crawler  Review the following attributes in props.conf for the configured sourcetypes. TIME_PREFIX TIME_FORMAT ... View more