Hello, I am currently using Splunk version 9.1.0.2, which includes several newly reported CVEs. Therefore, I need to upgrade it to the latest version. In the following link, it is mentioned that "Splunk recommends that customers use version 9.2.0.1 instead of version 9.2.0." Release Notes However, in the download link (Splunk Enterprise Download Page), the latest version available is 9.2.0. Could you please inform us when Splunk Enterprise 9.2.0.1 will be released? ... View more

Hello, I'm encountering an issue with Splunk Forwarder on a Windows Server OS. When it runs under the "SplunkForwarder" user, it fails to send Sysmon logs. Surprisingly, the forwarding works correctly when the forwarder is configured to run as the "SYSTEM" user. While this resolves the immediate problem, I'm hesitant to continue using the "SYSTEM" user due to its extensive access to system resources. I'm seeking a better solution that allows the Splunk Forwarder to send Sysmon logs without compromising security. Any guidance on this matter would be greatly appreciated. Thank you. ... View more

Hello, I noticed that in versions upper 9.1, the user and group were changed to "splunkfwd" I have updated the universal forwarder to the newer version (9.1), but the user and group did not change to "splunkfwd." Subsequently, we encountered several problems related to permissions, such as the Universal Forwarder lacking permission to read auditd logs. Therefore, it is necessary to modify the "log_group" parameter in the auditd.conf file. Should I manually change it, or is there an alternative solution to resolve all permission problems? ... View more

Hi, I have installed Splunk Universal Forwarder on several Windows servers, and they send their Windows logs to the indexers. All Windows logs are saved in the 'windows-index.' However, sometimes, some of the Universal Forwarders are disconnected, and I have no logs from them in a period of time. How can I find which Universal Forwarders are disconnected? I must mention that the number of UFs is more than 400. ... View more

Hi, we have the following error in one of the splunk instances: Error in 'litsearch' command: Your Splunk license expired or you have exceeded your license limit too many times. Renew your Splunk license by visiting www.splunk.com/store or calling 866.GET.SPLUNK. and the following warning exist in the licensing section for the " auto_generated_pool_download-trial " pool: This pool has exceeded its configured poolsize=524288000 bytes. A warning has been recorded for all members whereas the mentioned splunk is not trial version, It's an Enterprise version.   ... View more

Hi, I have deployed a search head cluster with 3 members and one deployer. based on splunk document, is recommends that run a third-party hardware or software load balancer in front of the clustered search heads. does splunk recommend any special load balancer that is most compatible ... View more

Hi, we have deployed a search head cluster with two search head and one deployer. when we run : /opt/splunk/bin/splunk apply shcluster-bundle -target  https://sh1.example.com:8089 we get the following message: Error when issuing rolling restart on the master: Internal Server Error{"messages":[{"type":"ERROR","text":"Rolling restart cannot be initiated without service_ready_flag = 1, check status through \"splunk show shcluster-status\". Reason :Waiting for 3 peers to register. (Number registered so far: 2)"}]} and when we run the following command: splunk show shcluster-status the initialized_flag equal 0.   Captain: dynamic_captain : 1 elected_captain : Wed Nov 8 13:05:58 2023 id : 84F622C1-C493-4A7C-B12B-D7EDBBCCD3A8 initialized_flag : 0 kvstore_maintenance_status : disabled label : sh2 mgmt_uri : https://sh2.example.com:8089 min_peers_joined_flag : 0 rolling_restart_flag : 0 service_ready_flag : 0 Members: sh2 label : sh2 mgmt_uri : https://sh2.example.com:8089 mgmt_uri_alias : https://sh2.example.com:8089 status : Up sh1-server label : sh1-server last_conf_replication : Pending mgmt_uri : https://sh1.example.com:8089 mgmt_uri_alias : https://sh1.example.com:8089 status : Up ... View more

Hi, Is it possible to add a deployer  server to existing search head cluster? Existing search heads are fresh and we have no problem about loss any configuration. By the way the mentioned search head cluster is connected to a multisite indexer cluster and each search head's site attribute set to "site0". ... View more

Hello, we have a data center with several type of equipment such as servers, switches, routers, EDR, some IOT Sensors, virtualization and etc. Based on EPS, we need about 10 indexer based on splunk recommendation. Now I want to  separate indexer to 4 cluster. one for servers, one for network device, one for services and last one for security such as Firewall and EDR.  each cluster has several indexer and each forwarder send data to the related cluster. data only replicate in the origin cluster not other clusters But I need each search head could search between 4 cluster. for example search for login failure in the all cluster (servers, network device and etc) could I have several cluster with one cluster master?   Best Regards ... View more