@DufferDave  Please have a look  https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Installing_and_upgrading_to_Splunk_Enterprise_Security_8x  https://help.splunk.com/en/splunk-enterprise-security-8/user-guide/8.0/analytics/risk-analysis  ... View more

@ReiGjuzi  Finding a legacy Splunk Universal Forwarder MSI for Windows 7 SP1 (x64) is tricky since Microsoft and Splunk no longer support Windows 7, and official download pages prioritize newer versions for supported OSes like Windows 10 and 11.   If you can’t find the MSI on Splunk’s official site, avoid unofficial mirrors due to security risks.   ... View more

@simonsa I see that you're uploading a .gz file. Please extract it and upload the original, uncompressed file. ... View more

@simonsa  If the DNSlog files are large, they might exceed the upload limits or cause the browser to time out. Try uploading a smaller portion of the log file to see if it succeeds. ... View more

@ramiiitnzv  To obtain a license for the Splunk Enterprise Security (ES) app, you need to purchase it from Splunk. https://help.splunk.com/en/splunk-enterprise-security-8/user-guide/8.0/introduction/licensing-for-splunk-enterprise-security  ... View more

@RAVISHANKAR  Yes, a Splunk Enterprise Search Head running version 9.4.2 can communicate with Indexers running version 9.2.1. But It's recommended to upgrade all components to the same version to ensure full feature compatibility and support. Yes, UF 8.0.5 can still forward data to Splunk Indexers running 9.2.1 or 9.4.2. However, Splunk no longer provides full support for UF 8.0.x. Splunk Software Support Policy | Splunk  About upgrading to 8.0 READ THIS FIRST - Splunk Documentation ... View more

@meg Please verify your sourcetype, The Splunk Add-on for Sysmon for Linux supports the following source types: sysmon:linux  ... View more

@meg  renderXml = false This setting is typically used in Universal Forwarder or inputs.conf for Windows Event Logs. If you're forwarding Linux logs, this setting might not be relevant unless you're using it in a specific context. Have you installed the below add-on to parse the data? Can you share your inputs.conf file here.  https://splunkbase.splunk.com/app/6652  https://docs.splunk.com/Documentation/AddOns/released/NixSysmon/Sourcetypes    ... View more

@tanjil  I recommend raising a Splunk Support ticket to request the 0 MB license file. Please ensure that the support case is submitted under your valid entitlement. Recently, one of our customers submitted a similar request, and Splunk provided the 0 MB license file for their heavy forwarder.. ... View more

@sverdhan  | metadata type=hosts index=* earliest=-30d@d | eval age = now() - lastTime | eval last_seen = strftime(lastTime, "%Y-%m-%d %H:%M:%S") | where age > 30*24*60*60 | eval age_days = round(age/(24*60*60), 2) | table host, last_seen, age_days | rename host as "Forwarder", last_seen as "Last Data Received", age_days as "Days Since Last Data"   ... View more

@sverdhan  | tstats latest(_time) as lastTime where index=* by host | eval age=now()-lastTime | where age > 2592000 | convert ctime(lastTime) | rename host as "Forwarder Host", lastTime as "Last Data Received Time", age as "Age (in seconds)" | sort - "Age (in seconds)" ... View more

@Namo  Please can you confirm if you followed the Splunk 9.4 upgrade pre-steps that are documented here? https://docs.splunk.com/Documentation/Splunk/9.4.0/Installation/AboutupgradingREADTHISFIRST  There is a section on upgrading the kv-store before running the Splunk 9.4 upgrade. Reference: https://splunk.my.site.com/customer/s/article/KV-store-status-failed-after-upgrade-to-9-4?  ... View more

@Namo  Could you please confirm the upgrade path — specifically, from which version to which version Splunk was upgraded? Please note that you must first upgrade to the KV Store server version 4.2.x before proceeding with an upgrade to Splunk Enterprise 9.4.x or higher. For detailed instructions on updating to KV Store version 4.2.x (applicable to Splunk Enterprise versions 9.0.x through 9.3.x), refer to the official documentation: Migrate the KV store storage engine in the https://help.splunk.com/en/splunk-enterprise/administer/admin-manual/9.3/administer-the-app-key-value-store/migrate-the-kv-store-storage-engine  We strongly recommend reviewing this guide to ensure a successful upgrade path and avoid issues like the one you're encountering.  https://docs.splunk.com/Documentation/Splunk/9.3.2/Admin/MigrateKVstore ... View more

@parthbhawsar  We have recently configured the Cisco FMC and successfully integrated it with Splunk. Could you please check the error you are encountering in Splunk so that I can assist you further? If you continue to face any issues, I would recommend reaching out to the Cisco TAC team for additional support. ... View more

@Splunkers2 Check this https://www.reddit.com/r/Splunk/comments/17msvh2/misp_integration_error/  ... View more

@L_Petch  Check this https://community.splunk.com/t5/Splunk-Enterprise-Security/Unable-to-connect-to-license-master-since-certification/m-p/488156    https://community.splunk.com/t5/Security/Getting-an-issue-where-Splunk-hosts-can-t-reach-the-License/m-p/455396  ... View more

@Leonardo1998  In addition to other recommendations: You can configure a dedicated VM and install either syslog-ng or rsyslog, making it act as a syslog forwarder. Network Devices (such as firewalls, routers, and switches) can then be configured to send logs over a custom port to this syslog forwarder. On the syslog forwarder, update the syslog-ng.conf or rsyslog.conf to capture these logs and store them in a specific directory. From here, you have two options: Install the Splunk Universal Forwarder (UF) on the server and configure it to forward the logs to the Splunk indexers. Or, install the full Splunk Enterprise package on the server and use it as a Heavy Forwarder (HF). If the server is used as a Heavy Forwarder, you can also install the relevant Technology Add-ons (TAs) for parsing. For example, if you're onboarding Fortinet firewall logs, you can install the Fortinet Add-on on this HF for proper parsing before forwarding the logs to the indexers. https://www.splunk.com/en_us/blog/tips-and-tricks/using-syslog-ng-with-splunk.html?locale=en_us  ... View more

@super_edition  | makeresults | eval data="/ae/english/experience/dining/onboard-menu/=1;/ae/english/experience/woyf/=2;/uk/english/experience/dining/onboard-menu/=1;/us/english/experience/dining/onboard-menu/=1;/ae/arabic/experience/dining/onboard-menu/=1;/english/experience/dining/onboard-menu/=1" | makemv delim=";" data | mvexpand data | rex field=data "(?<uri>[^=]+)=(?<count>\d+)" | eval count=tonumber(count) | eval normalized_uri = replace(uri, "^/[^/]+/[^/]+", "") | stats sum(count) as hits by normalized_uri   ... View more

@Priya70  If the search returns a large dataset or the panel uses a complex visualization rendering might silently fail or else Memory or CPU limitations in the browser can cause rendering to hang, especially with multiple panels loading simultaneously. If multiple panels use similar base searches, consider using a base search with postProcess to reduce load. Can you please paste your dashboard XML to identify the issue? I’ll take a look.. ... View more

@Amira Have you verified this?  https://splunkbase.splunk.com/app/6657  ... View more

@Sudhagar  Are you looking something like this? Attached image. I created using some dummy data with static values.  {     "title": "Static CPU Usage Charts per Host",     "visualizations": {         "viz_host123": {             "dataSources": {                 "primary": "ds_host123"             },             "options": {                 "legendPlacement": "right",                 "xAxisTitle": "Time",                 "yAxisTitle": "CPU Usage (%)"             },             "title": "host123 - CPU Usage %",             "type": "splunk.line"         },         "viz_host456": {             "dataSources": {                 "primary": "ds_host456"             },             "options": {                 "legendPlacement": "right",                 "xAxisTitle": "Time",                 "yAxisTitle": "CPU Usage (%)"             },             "title": "host456 - CPU Usage %",             "type": "splunk.line"         },         "viz_host789": {             "dataSources": {                 "primary": "ds_host789"             },             "options": {                 "legendPlacement": "right",                 "xAxisTitle": "Time",                 "yAxisTitle": "CPU Usage (%)"             },             "title": "host789 - CPU Usage %",             "type": "splunk.line"         }     },     "dataSources": {         "ds_host123": {             "options": {                 "query": "| makeresults count=10\n| streamstats count as row\n| eval _time = relative_time(now(), \"-\" . (10 - row) . \"m\")\n| eval host=\"host123\"\n| eval state_list=split(\"user,system,idle\", \",\")\n| mvexpand state_list\n| eval state=state_list\n| eval percent=case(state==\"user\",20+random()%10,state==\"system\",10+random()%5,state==\"idle\",70+random()%10)\n| eval host_state=host.\"_\".state\n| timechart span=1m avg(percent) by host_state",                 "queryParameters": {                     "earliest": "-30m",                     "latest": "now"                 }             },             "type": "ds.search"         },         "ds_host456": {             "options": {                 "query": "| makeresults count=10\n| streamstats count as row\n| eval _time = relative_time(now(), \"-\" . (10 - row) . \"m\")\n| eval host=\"host456\"\n| eval state_list=split(\"user,system,idle\", \",\")\n| mvexpand state_list\n| eval state=state_list\n| eval percent=case(state==\"user\",20+random()%10,state==\"system\",10+random()%5,state==\"idle\",70+random()%10)\n| eval host_state=host.\"_\".state\n| timechart span=1m avg(percent) by host_state",                 "queryParameters": {                     "earliest": "-30m",                     "latest": "now"                 }             },             "type": "ds.search"         },         "ds_host789": {             "options": {                 "query": "| makeresults count=10\n| streamstats count as row\n| eval _time = relative_time(now(), \"-\" . (10 - row) . \"m\")\n| eval host=\"host789\"\n| eval state_list=split(\"user,system,idle\", \",\")\n| mvexpand state_list\n| eval state=state_list\n| eval percent=case(state==\"user\",20+random()%10,state==\"system\",10+random()%5,state==\"idle\",70+random()%10)\n| eval host_state=host.\"_\".state\n| timechart span=1m avg(percent) by host_state",                 "queryParameters": {                     "earliest": "-30m",                     "latest": "now"                 }             },             "type": "ds.search"         }     },     "layout": {         "layoutDefinitions": {             "layout_1": {                 "options": {                     "backgroundColor": "transparent"                 },                 "structure": [                     {                         "item": "viz_host123",                         "position": {                             "h": 400,                             "w": 1200,                             "x": 0,                             "y": 0                         },                         "type": "block"                     },                     {                         "item": "viz_host456",                         "position": {                             "h": 400,                             "w": 1200,                             "x": 0,                             "y": 400                         },                         "type": "block"                     },                     {                         "item": "viz_host789",                         "position": {                             "h": 400,                             "w": 1200,                             "x": 0,                             "y": 800                         },                         "type": "block"                     }                 ],                 "type": "grid"             }         },         "tabs": {             "items": [                 {                     "label": "New tab",                     "layoutId": "layout_1"                 }             ]         }     } }   ... View more

@hrawat  Further Insights on the Suggestion Shared by @gcusello  It is recommended that indexers are provisioned with 12 to 48 CPU cores, each running at 2 GHz or higher, to ensure optimal performance. The disk subsystem should support at least 800 IOPS, ideally using SSDs for hot and warm buckets to handle the indexing workload efficiently. https://docs.splunk.com/Documentation/Splunk/latest/Capacity/Referencehardware  For environments still using traditional hard drives, prioritize models with higher rotational speeds, and lower average latency and seek times to maximize IOPS. For further insights, refer to this guide on Analyzing I/O Performance in Linux. Note that insufficient disk I/O is one of the most common performance bottlenecks in Splunk deployments. It is crucial to thoroughly review disk subsystem requirements during hardware planning. If the indexer's CPU resources exceed those of the standard reference architecture, it may be beneficial to tune parallelization settings to further enhance performance for specific workloads. ... View more

@rahulkumar  Since the client is pushing Sentinel logs to your Splunk HEC endpoint, you can filter out unwanted events within Splunk to reduce the indexed data volume, using a null queue to discard events before they’re indexed.  Configure Splunk’s props.conf and transforms.conf on your heavy forwarder to route unwanted events to a null queue, preventing them from consuming your Splunk license.   https://docs.splunk.com/Documentation/Splunk/9.4.2/Forwarding/Routeandfilterdatad  https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues  ... View more

@rahulkumar  If the client is willing to set up the Azure AD application and provide you with the necessary credentials (Client ID, Client Secret, Tenant ID, Workspace ID, etc.), you can configure the Splunk Add-on to pull logs from the Log Analytics workspace, Event Hub, or Blob Storage without needing direct Azure access. ... View more

@rahulkumar  Instead of HEC, the Azure team can configure Sentinel to stream logs to an Azure Event Hub, which Splunk can then pull using the Splunk Add-on for Microsoft Cloud Services or a custom Azure Function.   https://lantern.splunk.com/Data_Descriptors/Microsoft/Getting_started_with_Microsoft_Azure_Event_Hub_data  https://www.splunk.com/en_us/blog/platform/splunking-azure-event-hubs.html  https://splunkbase.splunk.com/app/3110  ... View more