@ariel_esh    ... View more

@nelaturivijay Please have a look. https://docs.splunk.com/Documentation/Splunk/9.4.0/Viz/tokens#Using_tokens_in_a_search  ... View more

@JeffV    ... View more

@danielbb  I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks. ... View more

@danielbb  Create `inputs.conf` and `outputs.conf` on the Heavy Forwarder (HF) if you want to forward data directly from the HF to the indexers. Alternatively, create `inputs.conf` and `outputs.conf` on the Universal Forwarder (UF) to send data to the HF, which will then forward it to the indexers. I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks. ... View more

@danielbb Hello Daniel, Please follow the below steps. 1. Install Splunk on all the required instances. 2. Enable the receiving port `9997` on the indexer. 3. If you are forwarding data from a Universal Forwarder (UF) to a Heavy Forwarder (HF) and then to the indexer, ensure the receiving port is open on both the Heavy Forwarder and the indexer. 4. Ensure the following ports are open: 9997: UF to HF and HF to Indexer 8089: Management port between Indexers and Search Heads 8000: Web port for HF and Search Head (optional for indexers in production environments) 5. Add your indexer to the Search Head: - Navigate to Settings > Distributed Search > Distributed Search Setup - Enable distributed search, then go to Settings > Distributed Search > Search Peers - Add the indexer details here and restart the Splunk instance. 6. If required, open port `8000` for the web interface on the Heavy Forwarder and Search Head. While optional for indexers, this port is typically not opened on production indexers. Note:Before configuring Splunk, perform a telnet test to verify port connectivity: - From UF to HF: `telnet <HF_IP_Address> 9997` - From HF to Indexer: `telnet <Indexer_IP_Address> 9997` - From Indexers to Search Heads: Ensure the management port `8089` is open. I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks. ... View more

@finchgdx Hello, Do you have that usage field in your tutorial data or CSV ?  ... View more

@splunklearner  The Config Explorer app itself does not directly support running CLI commands, as it is primarily designed for managing configurations and validating them within Splunk’s web UI.  This is an older link, and there isn’t any official Splunk documentation available for this specific topic. However, you can give it a try: https://community.splunk.com/t5/Deployment-Architecture/What-is-the-curl-command-used-on-the-deployer-to-apply-shcluster/td-p/202735?_gl=1zi5ycp_gcl_auMTQ4OTY1OTQ1MC4xNzM2MTkyNzY0FPAUMTQ4OTY1OTQ1MC4xNzM2MTkyNzY0_gaMTg5NTQwNDUzLjE3MzYxOTI3NjQ._ga_5EPM2P39FVMTczNjcwODUyNC4yLjEuMTczNjcwODY0Mi4wLjAuMTM1MTg2ODI4MA.._fplc*JTJCNEZ3U3B6Q0EycCUyQnd0dlR4ZVI0ekJXZlI3Y0kzQ3dEdDl1b3QyNGFRQ01pUCUyQlhXTmFRO If this reply helps you, Karma would be appreciated. ... View more

@ajayy24 Yes, you can directly schedule the SPLK-3001 exam if you have extensive experience in enterprise security. I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks. ... View more

@dbray_sd  Alright, did you find anything in the internal logs? Are none of the inputs functioning? Have you taken a backup of the DB Connect add-on before upgrading to the latest version? If you have a backup, please restore it and test again. I haven’t encountered this issue before, but checking the internal logs might provide some insights. If not, it’s best to raise a support ticket. https://docs.splunk.com/Documentation/DBX/3.18.1/DeployDBX/Troubleshooting  I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks. ... View more

@dbray_sd  Did you perform the health check after upgrading to the latest version of DB Connect? https://docs.splunk.com/Documentation/DBX/latest/DeployDBX/CheckInstallationHealth    ... View more

@Patrick-A  I would suggest that you contact the app developer. ... View more

@MrBLeu  If SSL is being used, ... To do an openssl test like openssl s_client -connect xx.xx.xx.xx:9997 -cert <cert_file> -CAfile <ca_file> You can get <ca_file> from running this: /opt/splunk/bin/splunk cmd btool server list sslConfig | grep sslRootCAPath <cert_file> you can get from running this: /opt/splunk/bin/splunk cmd btool outputs list tcpout You are looking for the clientCert setting. If you have multiple entries for clientCert, such as one under [tcpout] and one under [tcpout:<group>], pick the one on the latter, which would be at the more specific level. You'll be able to see if ssl handshake is completing properly with the settings currently configured. ... View more

@splunkville It could be many things - usually I see this when queues are blocked. Could you please paste the ERROR here.  I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks. ... View more

@MrBLeu   Did you check your resource usage ? What about network connections ? Check the _internal logs on your server I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks. ... View more

@MrBLeu  Hey,  The servers configured in outputs.conf are not performing well. there could be many reasons: - From the remote server, make sure you can reach the port on the indexer. Telnet or something - Review the Splunkd logs on the windows server, grepping for the indexer ip - Make sure it's listening on 9997, ss -l | grep 9997 - Check the logs on the Universal forwarder $SPLUNK_HOME/var/log/splunk/splunkd.log - network issue from Universal forwarder to Indexer - Indexers are overwhelmed with events coming in or busy in serving requests from search head. - check all servers (indexers) in outputs.conf of forwarder are healthy (CPU and memory utilization). - Check if you have deployed outputs.conf to indexers by mistake. generally indexers don't have outputs.conf. I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks. ... View more

@MikeMakai  Hi Mike,I recently integrated an FTD appliance with Splunk. Previously, the customer was using a Cisco ASA, and last week they upgraded to FTD. We didn’t make any changes to the Splunk setup and are still using the Cisco ASA add-on. Interestingly, the logs are being parsed correctly. Have you tried using the Cisco ASA add-on? Additionally, when you run a TCP dump on the destination side (Splunk), how are the logs appearing from the FTD device? Are they coming through as expected? It seems the cisco:ftd:syslog sourcetype isn’t parsing them properly. I’ve attached a screenshot for your reference. I hope this helps. if any reply helps you, you could add your upvote/karma points to that reply.   ... View more

@MikeMakai Please run `tcpdump` to verify if the expected logs are being received. If the expected output is observed, we can proceed to check from the Splunk side. If this reply helps you, Karma would be appreciated. ... View more

@MikeMakai Could you share your `inputs.conf` file? Are you sending data directly from the FMC to Splunk, or is there an intermediate forwarder between your FMC and Splunk? ... View more

@dwangfeng  Apply this props.conf  [<sourcetype>] SEDCMD-splunktestdata = s/(?i)(<password>)[^<]+(<\/password>)/\1xxxxxxxxxxxx\2/g ... View more

@navan1  You should include a space before AS. Please refer to this query as an example. index=test earliest=-365d latest=now | eval Month=strftime(_time, "%Y-%m") | stats dc(eval (action="success")) AS Success_Users dc( eval(action="failure")) AS Failure_Users BY Month | sort Month I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks. Please, don't forget to accept this solution if it fits your needs. ... View more

@dwangfeng Can you try this    I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks. Please, don't forget to accept this solution if it fits your needs. ... View more

@navan1 If you want to check from past one year, you can try this.  I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks. Please, don't forget to accept this solution if it fits your needs. ... View more