@laura It looks like this app isn’t restricted by region, organization type, or license level but rather by explicit download permissions set by the developer itself. The developer of the app has decided to make the app restricted, so only approved users can download it.
@phamanh1652 Have you created the index called "trellix"? Also check the Splunk internal logs on your Splunk Cloud search head. You can use this add-on to integrate your Trellix MVISION. It supports both Splunk Cloud and Splunk Enterprise. https://splunkbase.splunk.com/app/7022
@palyogit Check this documentation and try to send a sample event to HEC. https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.4/get-data-with-http-event-collector/http-event-collector-examples https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.4/get-data-with-http-event-collector/use-curl-to-manage-http-event-collector-tokens-events-and-services
@palyogit Ensure that your HEC input includes a valid index=. Missing or mis-typed values cause Splunk to drop data. "HttpInputDataHandler - handled token name=embedded … events_processed=1 … Truncating line because limit of 10000 bytes …" means Splunk HEC received the event and parsed it, but truncated the line at ~10 kB, which likely leads to it being dropped before indexing.
@bradnoris26 Please look into the below. https://community.splunk.com/t5/Training-Certification/Looking-for-Reliable-Practice-Tests-for-Splunk-Cloud-Certified/m-p/747671
@unluakin Refer to this: "ERROR: IP address 127.0.0.1 not in server certificate. Please see server.conf/[sslConfig]/cliVerifyServerName for details." | Splunk: Configure TLS certificate host name validation for secured connections between Splunk software components | Splunk Docs
@peterow The error typically occurs when you're trying to add a Developer/Test license to a Splunk instance that is currently using a Production license stack. Splunk enforces license stack segregation, meaning you can't mix Dev/Test licenses with Production ones. If you're moving to a Dev/Test license (e.g., for a non-production environment), you need to remove the existing Production license first. NOTE: Only do this if you're sure the system should be running under a Dev/Test license. Removing a Production license from a live production system could cause compliance or functionality issues.
@DufferDave Please have a look https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Installing_and_upgrading_to_Splunk_Enterprise_Security_8x https://help.splunk.com/en/splunk-enterprise-security-8/user-guide/8.0/analytics/risk-analysis
@ReiGjuzi Finding a legacy Splunk Universal Forwarder MSI for Windows 7 SP1 (x64) is tricky since Microsoft and Splunk no longer support Windows 7, and official download pages prioritize newer versions for supported OSes like Windows 10 and 11. If you can’t find the MSI on Splunk’s official site, avoid unofficial mirrors due to security risks.
@simonsa If the DNS log files are large, they might exceed the upload limits or cause the browser to time out. Try uploading a smaller portion of the log file to see if it succeeds.
@ramiiitnzv To obtain a license for the Splunk Enterprise Security (ES) app, you need to purchase it from Splunk. https://help.splunk.com/en/splunk-enterprise-security-8/user-guide/8.0/introduction/licensing-for-splunk-enterprise-security
@RAVISHANKAR Yes, a Splunk Enterprise Search Head running version 9.4.2 can communicate with Indexers running version 9.2.1, but it's recommended to upgrade all components to the same version to ensure full feature compatibility and support. Yes, UF 8.0.5 can still forward data to Splunk Indexers running 9.2.1 or 9.4.2. However, Splunk no longer provides full support for UF 8.0.x. Splunk Software Support Policy | Splunk; About upgrading to 8.0 READ THIS FIRST - Splunk Documentation
@meg renderXml = false: this setting is typically used in Universal Forwarder or inputs.conf for Windows Event Logs. If you're forwarding Linux logs, this setting might not be relevant unless you're using it in a specific context. Have you installed the below add-on to parse the data? Can you share your inputs.conf file here? https://splunkbase.splunk.com/app/6652 https://docs.splunk.com/Documentation/AddOns/released/NixSysmon/Sourcetypes
@tanjil I recommend raising a Splunk Support ticket to request the 0 MB license file. Please ensure that the support case is submitted under your valid entitlement. Recently, one of our customers submitted a similar request, and Splunk provided the 0 MB license file for their heavy forwarder.
@sverdhan | tstats latest(_time) as lastTime where index=* by host | eval age=now()-lastTime | where age > 2592000 | convert ctime(lastTime) | rename host as "Forwarder Host", lastTime as "Last Data Received Time", age as "Age (in seconds)" | sort - "Age (in seconds)"
@Namo Can you please confirm whether you followed the Splunk 9.4 upgrade pre-steps that are documented here? https://docs.splunk.com/Documentation/Splunk/9.4.0/Installation/AboutupgradingREADTHISFIRST There is a section on upgrading the KV store before running the Splunk 9.4 upgrade. Reference: https://splunk.my.site.com/customer/s/article/KV-store-status-failed-after-upgrade-to-9-4?
@Namo Could you please confirm the upgrade path — specifically, from which version to which version Splunk was upgraded? Please note that you must first upgrade to the KV Store server version 4.2.x before proceeding with an upgrade to Splunk Enterprise 9.4.x or higher. For detailed instructions on updating to KV Store version 4.2.x (applicable to Splunk Enterprise versions 9.0.x through 9.3.x), refer to the official documentation: Migrate the KV store storage engine in the https://help.splunk.com/en/splunk-enterprise/administer/admin-manual/9.3/administer-the-app-key-value-store/migrate-the-kv-store-storage-engine We strongly recommend reviewing this guide to ensure a successful upgrade path and avoid issues like the one you're encountering. https://docs.splunk.com/Documentation/Splunk/9.3.2/Admin/MigrateKVstore
@parthbhawsar We have recently configured the Cisco FMC and successfully integrated it with Splunk. Could you please check the error you are encountering in Splunk so that I can assist you further? If you continue to face any issues, I would recommend reaching out to the Cisco TAC team for additional support.
@MyFairLady If you don’t receive a response within 5-7 business days, consider following up with another email. FYI: Check your spam or junk folder for the reply, as emails from certification@splunk.com might be filtered there.
@L_Petch Check this https://community.splunk.com/t5/Splunk-Enterprise-Security/Unable-to-connect-to-license-master-since-certification/m-p/488156 https://community.splunk.com/t5/Security/Getting-an-issue-where-Splunk-hosts-can-t-reach-the-License/m-p/455396