Hello there, To keep it simple, I am trying to figure out how to make an alert depend on other alert. Imagine triggering an alert because there is "fail" in some event, but if in the same day there is "success" in the same source, the first alert would be closed and the "success" will be alerted instead. Am I making any sense? can anyone help? If it matters I am using Alert manager add-on Cheers,  ... View more

Hello there! I am working on a test environment where I only have one Splunk instance. I have succeeded to have a secure Splunk web with ssl.  I have the following problem:   Here are my config files: web.conf [settings] enableSplunkWebSSL = true privKeyPath = <path to key> serverCert = <path to certificate>   Server.conf [sslConfig] sslPassword = password sslVerifyServerCert = True sslVerifyServerName = True serverCert = <path to certificate> cliVerifyServerName = true sslRootCAPath = <path to CA certificate> [kvstore] serverCert = <path to certificate> sslPassword = password sslVerifyServerCert = True sslVerifyServerName = True [pythonSslClientConfig] sslVerifyServerCert = true sslVerifyServerName = true   splunk-launch.conf PYTHONHTTPSVERIFY = 1 SPLUNK_FIPS=1   I know that the configuration for securing the environment with TLS has changed since the 9.0 version of Splunk enterprise. My CLI doesn't display any warning or error. I have followed everything suggested in these links:  Security updates - Splunk Documentation Configure TLS certificate host name validation - Splunk Documentation Configure Splunk Web to use TLS certificates - Splunk Documentation   Any help would be appreciated ! Regards ... View more

Hello There, I have been trying to secure my Splunk web using TLS certificates. I followed this link: Configure Splunk Web to use TLS certificates - Splunk Documentation. Things to know: I sent a signing request to a CA. My server certificate file contains only the server certificate and the CA certificate (in this order) My web.conf is the following: [settings] enableSplunkWebSSL = true privKeyPath = ..\mycerts\myServerPrivateKey.key serverCert = ..\mycerts\splunk-web.pem sslPassword = startwebserver = true As a result I can not connect to 127.0.0.1:8000 "This page isn't working right now" and when i restart splunk I get the message "web interface does not seem to be available", plus it takes like 50 min for Splunk to restart. I suspect the fact that I am not including a CA or .csr file, but I am not sure since it's not indicated in the documentation, plus I tried adding the private key and the .csr file but still had the same error. Can you help me to know what I am doing wrong please? any help would be appreciated 🙂 have a great day! ... View more

Hello there, I have been trying to use splunk check-integrity  to check the integrity of some indexes. I have the error: Integrity check error for bucket with path=..\Splunk\var\lib\splunk\defaultdb\db\b_1668784284_1668613842_9, Reason=Journal has no hashes. I do know that the events indexed before adding  enableDataIntegrityControl=true to indexes.conf are not treated, but I thought the buckets created after the use of enableDataIntegrityControl=true would have a hash. bur it is not the case. Am I missing somthing?    Thank you. ... View more

Hello everyone! I am working on test environment where I only have one Splunk instance. I edited on the journal.zst file in one of my buckets (I have a buckup) just to test the data integrity, so now it's corrupted. my question is, is there a way to not lose all the events in this bucket ? I tried fsck and rebuild but the bucket is still corrupted with data integrity check being unsuccessful which is normal. I'm not sure if it's possible in the real world to face such an issue, but m curious to know what would the best strategy be. any help would be appreciated 🙂  ... View more

Hello there, The deal is that I have 2 forwarders that have exactly the same logs (I'm using 2 forwarders not to have a SPOF) and I want to find a solution to not have duplicated logs. I thought of using a load balancer but I just want to know first if there is some config on Splunk that allows to do that please. Best regards,  Abir ... View more

Hello there,  For context, I got some remote logs from different sources on my universal forwarder, and I'm trying to index logs from the same source with the same index, but the thing is, I don't know how to that 😕 I tried to follow this Create custom indexes - Splunk Documentation, but even trying to index everything that comes from my universal forwarder using this [tcp://<ip_addr_forwarder] index=<name_of_index] can someone help please ? Best regards, ... View more

Hello there, I am working on VMware, I have two linux machines that I'm using as universal forwarders (ubuntu desktop and a linux server that are configured in the exact same way as forwarders). I have another linux machine that I'm using as an indexer. The thing is that one of my forwarders (linux server) is forwarding correctly to the indexer, and i can see all the information i need in the index main. BUT the second forwarder logs are nowhere to be found. Although I can see the 2nd universal forwarder when I type index=_internal in the search bar but this index doesn't show any logs. Can someone help me please so I can see the logs of the second forwarders logs? Have a great day everyone! Abir ... View more

Hello there, I am new to Splunk. I had configured my universal forwarder in order to send data to the indexer. The universal forwarder is a Linux server and running the command netstat -an | grep 9997 I can see that tcp packages are being sent to the indexer, but the status is 'TIME_WAIT'. While my indexer is a windows 10 desktop, I have added permission to accept tcp and ICMP packages, but still, I can't find the data I want on the splunk instance installed on the indexer (or any other data concerning the forwarder).  My question is then, what can I do in order to receive the packages on the indexer please? PS: I have another indexer which is a Linux desktop, and it works just fine, I can find the forwarder data. PS': Here is the link for the tutorial I've been following in order to configure the splunk instences I'm using Using the Universal Forwarder to gather data | Splunk Operational Intelligence Cookbook (packtpub.com) Any help would be appreciated ! Regards, ... View more