Is your SH running on port 8080 or default 8000? You should look if there is anything on your splunk server logs. Check also other than splunkd.log! You have also latest version of TA for vscode on your splunk server? ... View more

I have the latest(?) Splunk VSCode extension on my splunk instance. That instance is on my laptop too. If you are trying to use remote instance you must use correct node name and port on settings.json instead of localhost. I'm not sure if I have run this against another splunk instances or only towards my on dev/test at the same node than running viscode. ... View more

Hi it seems that when you are using output_mode=json those f=xyz didn't work. Instead of those you must use jq as @deepakc already propose. curl -ksu $UP 'https://localhost:8089/servicesNS/-/-/admin/macros?count=4&output_mode=json' | jq '.entry[].name' "3cx_supply_chain_attack_network_indicators_filter" "7zip_commandline_to_smb_share_path_filter" "abnormally_high_aws_instances_launched_by_user___mltk_filter" "abnormally_high_aws_instances_launched_by_user_filter" You could/should leave comment on doc page where output_mode has defined and add information that if you are using json mode then f=xyz doesn't work. Doc team is really helpful to update that kind of notes into real documentation. r. Ismo  ... View more

Hi it seems that this feature has documented on Splunk Enterprise REST API User Manual only. I cannot find that manual for splunk cloud. I suppose that feature is now available for anyone else than users which have admin role? In SCP that role is restricted for Splunk Cloud Ops team only, not for any customers. If need you can create a support ticket and ask is this a valid assumption?  r. Ismo ... View more

Hi this is quite common question and you could found lot of answers to it by google/bing or what ever you want to use. Here is some links to you SlackbotSlackbot There are a lot of options for finding hosts or sources that stop submitting events: Meta Woot! https://splunkbase.splunk.com/app/2949/ TrackMe https://splunkbase.splunk.com/app/4621/ Broken Hosts App for Splunk https://splunkbase.splunk.com/app/3247/ Alerts for Splunk Admins ("ForwarderLevel" alerts) https://splunkbase.splunk.com/app/3796/ Monitoring Console https://docs.splunk.com/Documentation/Splunk/latest/DMC/Configureforwardermonitoring Deployment Server https://docs.splunk.com/Documentation/DepMon/latest/DeployDepMon/Troubleshootyourdeployment#Forwarder_warningsSome helpful posts: https://lantern.splunk.com/hc/en-us/articles/360048503294-Hosts-logging-data-in-a-certain-timeframe https://www.duanewaddle.com/proving-a-negative/ r. Ismo ... View more

Hi have you read this https://docs.splunk.com/Documentation/Splunk/9.2.1/Data/AboutHECIDXAck? And have you implemented ack response handling on your HEC client? Are you using separate channel values on every HEC client instances? How many HEC receiver you have and are those behind load balancer? r. Ismo ... View more

Hi Splunk has designed to archive data from buckets, not from collection phase. If you are running on AWS then you could try to archive data before it’s indexed by ingest action, but I think that you are running it in on premise?  The best option is use archive script in indexes.conf for archiving buckets. If this is not an option to you, then you have two option. setup some props + transforms.conf files to duplicate that data e.g. to syslog server and use it to store and archive it. But as splunk use UDP to send syslog feed, you will lose some events time by time. Use some other tool to collect and archive those events and send those also to splunk by that tool r. Ismo ... View more

Hi you could try like LINE_BREAKER = ([\n\r]+)\d{8} \d\d:\d\d: TIME_FORMAT = %Y%m%d %H:%M%:%S.%3Q TIME_PREFIX = ^  r. Ismo ... View more

That’s correct. ... View more

When you have edited those files on disk, splunk needs restarted or at least refreshed before those change as are in use. You should look /debug/refresh url for refresh. When you are using lookup editor app, no need to do those as this app manage those actions internally. Just create a new lookup and after you have saved it, it’s ready for use. ... View more

Hi If you want only total count then just drop "by ..."  away from your 1st example. If needed add  | where isnotnull(content.scheduleDetails.lastRunTime) before stats. r. Ismo ... View more

Hi there should be more information on _internal log. Just query from it like index=_internal LM* OR expired That should show you more information about y our issue. r. Ismo ... View more

This works on my laptop (macOS + Splunk 9.2.1) See details from here https://marketplace.visualstudio.com/items?itemName=Splunk.splunk I have set next values on settings.json Splunk Rest Url -- https://localhost:8089 Token auth has enabled and I have generate own token for this Then just create file e.g. Splunk-SPL-test.splnb index=_internal | stats count by component Run it and you see events and can select also visualisation etc.  ... View more

Hi This depends on what you have already in your Splunk. If you want to create KV based lookup with GUI then minimum requirement is that you have at least one collection defined on your instance. And this can do only with conf file. If you haven't any collection then you cannot create kv based lookup with GUI. Of course if you have lookup editor app then you can. But even if you have collection defined it's not so simple than just create a new lookup based on it. Usually there is collection per lookup as collection defines used fields in lookup. I think that your best options are: Ask your Splunk Admin install Splunk Lookup Editor and use it Ask your Splunk Admin / KO admin create that collection + lookup for you Create app which contains those and ask from your Splunk Admin that they install it with needed permission for your use case r. Ismo ... View more

Hi How you have defined that input on your HF (DB Connect) node? Are you sure that those events are really twice here instead of you have e.g. set both INDEX EXTRACTIONS on HF side and KV_MODE=JSON on SH side? r. Ismo ... View more

Hi one old post for same kind of situation. https://community.splunk.com/t5/Splunk-Enterprise/How-to-dynamically-lookup-filename/m-p/645855 r. Ismo ... View more

Hi Have you done this on all SHC members? Configure each search head cluster member as a search head on the indexer cluster. Use the CLI splunk edit cluster-config command. For example: https://docs.splunk.com/Documentation/Splunk/latest/DistSearch/SHCandindexercluster One correction for those default ports. There is no default ports (or alt least earlier haven't been) for IDX replication or SHC replication. There are some commonly used ports, those are not default, you must always define those manually in CLI, conf files or in GUI! r. Ismo  ... View more

I have used it in some cases. I need to check how I have configured it when back on my laptop. ... View more

Hi if I understand right, you are trying to configure HEC receiver on this node? Splunk UF doesn’t support HEC! When you want to use HEC, the instance must be full splunk enterprise like heavy forwarder. r. Ismo ... View more

You could try next by your own responsibility! Anyhow your SHC is not fulfilling Splunk’s requirements! Have you try to stop all nodes on SHC? Backup kvstore. Then remove that app from this one node by rm -fr …./etc/apps/<your app nam>. Then start the all nodes one by one on the SHC and check what is your situation after that? Also check kvstore and shcluster statuses. That may help you, or it could lead the situation which force you to install whole SHC from scratch! So test this with your own risk. ... View more

Hi I'm afraid that in this case there is SHC which is managed by deployer as it should. BUT then someone has installed one app into one member locally from cli or just unpack that file into correct app folder? @aasserhifni is this assumption correct? If it it then you are in deep s...t. I have one found this kind of situation and only way how I get rid of it was just disable that app locally. It's not help even install it first by SHC Deployer and then remove it by SHC Deployer. It just sit there. I haven't had time to figure out is there any way to get rid of it from cli or other method. It seems that there is some unknown (at least for me) mechanism how SHC manage this kind of situations. Probably something with kvstore and something on filesystems and something on captain. Maybe you could try to stop whole SHC and then remove that app on member and check if it's still there after start all nodes or not. I cannot test that as that environment was quite busy production with main alerts etc. If that is not helping you, you should ask help from Splunk Support, if they have some way to figure it out? r. Ismo ... View more

I have it this way (thanks splunk/ansible-splunk) - name: Set admin access via seed when: splunk_first_run | bool block: - name: "Hash the password" command: "{{ splunk.exec }} hash-passwd {{ splunk.password }}" register: hashed_pwd changed_when: hashed_pwd.rc == 0 become: yes become_user: "{{ splunk.user }}" no_log: "{{ hide_password }}" - name: "Generate user-seed.conf (Linux)" ini_file: owner: "{{ splunk.user }}" group: "{{ splunk.group }}" dest: "{{ splunk.home }}/etc/system/local/user-seed.conf" section: user_info option: "{{ item.opt }}" value: "{{ item.val }}" mode: 0644 with_items: - {opt: 'USERNAME', val: '{{ splunk.admin_user }}'} - {opt: 'HASHED_PASSWORD', val: '{{ hashed_pwd.stdout }}'} loop_control: label: "{{ item.opt }}" when: ansible_system is match("Linux") become: yes become_user: "{{ splunk.user }}" no_log: "{{ hide_password }}"  Then those user + pass information is in config file which are per environment etc. on git. All those secrets are saved by ansible-vault, so there is no passwords as plain text on your repository/inventory. You could have as many config files as you are needing. Usually one or more per environment and customer. ... View more

Hi you could read more, how to use btool check from https://dev.splunk.com/enterprise/tutorials/module_validate/validateapp/ r. Ismo ... View more

Hi This is quite often asked and answered question. You could found many answers via google with search phrase “ site:community.splunk.com index retention time” r. Ismo ... View more