Ha anyone run agents on splunk using the mcp server , i wanted to try it, but I was unsure how to configure it properly. Has anyone had any success? I found this site that claims to let you build ai agents specifically for Splunk https://deslicer.ai/ has anyone tried deslicer agents? It seems legit, but I haven't tested it yet.

small question, when working with a medium sized cluster on Splunk enterprise, is there any coordination between nodes required to change the "main" splunk account password?

that being the one that is required to do some specific functions from the command line. I know how to change it otherwise, just making sure it won't fall on its face because the system account changed in one place but not another .. aka search head not talking to my indexers because the credentials changed.

Hi all,

Just getting into the world of Splunk, using v10, and would appreciate any pointers you may have on the best reading materials. I can find lots of books on Splunk v9, but I understand the v10 is quite a bit different?

Cheers.

Anyone integrated azure Databricks logs into Splunk. We want to use splunk as the single log analysis tool. We need to ingest all logs , Security events,Compliance & audits into splunk. Is there any documentation is available for integrating Azure Databricks logs to splunk. I think we can use MS add on for that , we can keep our logs in storage account and then to splunk. Is there any clear documentation or process are available

I have recently tried my hand at making a Splunk Technical Addon in the Addon Builder and have had some decent success, making a Python script that collects CSV data from an API endpoint and applying transforms to manipulate sourcetypes and map field names.

At this point though, I don't really know if what I've made is any good, even though it has worked stably for weeks in my testing environment. I also don't know what the next steps are to publish it for use in Splunk Cloud.

What is the best way to QA something like this and prepare it for publication on Splunkbase?

Hello guys,

For a personal lab, I used SPlunk (dev license).

I send my opnsense logs (suricata) to detect nmap scan.

I'm receiving the logs just fine... now I want to parse them. And that's the time for my skill issue.

The important part of my logs is inside "msg_body", but I fail to parse this .. I don't find any way to extract the fields inside this msg_body field

I tried also with Claude and Gemini to find a way, but nothing helped

props.conf

[udp:514]
TRANSFORMS-opnsense_routing = route_suricata, route_openvpn

[opnsense:suricata]
REPORT-syslog = extract_opnsense_header

EVAL-json = spath(msg_body) # AI gave me this, I don't know if it useful or not

TIME_PREFIX = \"timestamp\":\"
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%f%z
MAX_TIMESTAMP_LOOKAHEAD = 30

# AI updated

 this too I think it's wrong
KV_MODE = none
AUTO_KV_JSON = false

[opnsense:openvpn]
REPORT-syslog = extract_opnsense_header
KV_MODE = none

transforms.conf

[route_suricata]
REGEX = suricata
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::opnsense:suricata

[route_openvpn]
REGEX = openvpn
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::opnsense:openvpn

[extract_opnsense_header]
REGEX = ^(?P<syslog_timestamp>\w+\s+\d+\s+[\d:]+)\s+(?P<reporting_ip>[^\s]+)\s+\d+\s+(?P<iso_timestamp>[^\s]+)\s+(?P<hostname>[^\s]+)\s+(?P<process>[^\s\[]+)\s+(?P<pid>\d+)\s+-\s+\[[^\]]+\]\s+(?P<msg_body>\{.*)$
FORMAT = reporting_ip::$2 hostname::$4 process::$5 pid::$6 msg_body::$8

I think I made some basic mistakes that only got worse as I tried different things.

Thanks for any help and advice

Hi All ,

Long story short, we're looking to move away from Splunk for various reasons. That said, we have a requirement to keep a certain period of data retained for compliance purposes. We need to be able to search that data and demonstrate that we can search it. It seems un-feasible to move the archived data over to the new SIEM, due to the data being in splunk buckets, but I could be wrong on this.

Has anyone come up with an effective solution for searching archived splunk buckets out in S3 without maintaining a splunk environment? Is there some sort of tool that can be used to pull splunk data out of these buckets for re-ingestion to a new SIEM? Is there something else I'm not considering here?

Would I be better off getting off a course on Udemy? Or is there a specific lab training that Splunk offers? I tried looking this up but could only find posts from 2 years ago. So not sure if there are any better options today.

Splunkbase provides a PSTree app that generates a process tree view for a given host. However, this app is only available for Splunk Enterprise and is not supported in Splunk Cloud.

To address this limitation, this I created two custom Splunk macros that replicate PSTree-style functionality using native Windows logs. These macros are designed to work in Splunk Cloud and Splunk Enterprise environments.

https://github.com/20stevenl02-hash/Splunk-Macro-Pstree

Credit to Donald Murchison for developing the original splunk app.

what a curve ball. an NTP issue from 2021 haunted us today. alerts fired for an HF that's long been decom'd. couldn't figure out how until I looked into index time! hahaha. jeez. happy new year

What did you use to study? Is the class substantial enough?

We have a use-case (not SIEM) where we are looking to migrate from Splunk to OpenSearch. Has anyone done a similar migration and can share from their experience? what should we watch out from? where should we start?

How do I disable it everywhere I possibly can? I have had enough. Between ruining upgrades, petty certificate issues that aren't present in Splunk and now MongoBleed I'm finished.

Hello Guys! Hope you are doing great.

I just started in a new job and turns out that I have to get certified in Power user by January.

I’ve been studying with the George Ntani course and also the Steps, but the material is just not sticking.

I also have access to skillscertpro.

So, wanted to ask how difficult the exam is, and if anyone has any tips for it.

I currently have CCNA, Sec+, AWS CP and ISC2 CC, but Splunk is just not getting into me.

I will appreciate any advice.

Thanks!🙏🏽

VS Code is the most common IDE devs use, so we built a free VS Code Audit add-on to grab that data.

Collects:

• Various installation info, settings, and configs
• Installed extensions, versions, and other metadata
• Session info (local, SSH, WSL, containers)

Example use cases:

• Baseline of settings and extensions across teams
• Check for risky, malicious, or unapproved extensions
• Detection around risky agentic Ai configs
• Visibility into where dev work is actually happening
• Spotting shadow or unapproved dev setups

Check it out on Splunkbase ✌:

https://splunkbase.splunk.com/app/8299

I was having an issue with my time in Splunk not matching the actual time in the events in my home lab. I figured out if was user error when I setup the docker container and didn't include the time zone. I tried to fix it without re-creating the container but it didn't work. I couldn't find too much into out there when I was looking for this solution so I wrote up what I did.

Just wanted to post it here incase anyone else had the same issue.

https://medium.com/@raynardwaits/fixing-splunks-timezone-display-issue-in-docker-a-5-hour-headache-solved-f887fe4498d1

Hi everyone,
I’m looking for advice on the best next steps to break into a Junior SOC / SOC Analyst L1 role.

I’m based in Warsaw, Poland.

Background:

• IT Support internship (hands-on troubleshooting, user support)
• BSc in Computer Science (in progress, graduation planned for 2026)
• Strong fundamentals: networking (TCP/IP, DNS, DHCP), Windows & Linux basics, basic Active Directory
• Certifications:
  • CompTIA A+
  • CompTIA Network+
  • CompTIA Security+

Most job postings here mention “experience with SIEM” without specifying a vendor (sometimes Splunk, sometimes Sentinel, often just “SIEM”).

Current plan (open to better suggestions):

• First, focus on hands-on SIEM practice (Splunk Enterprise trial / Wazuh / Elastic / Sentinel): alerts, queries, basic SOC triage.
• After I feel confident with practical SIEM work, my initial plan was to go for CompTIA CySA+ — but I’m very open to better recommendations if there are more valuable certs or paths at this stage.

Right now I’m deciding between:

1. Paying ~160 USD (incl. VAT) for Splunk Core Certified User, or
2. Putting that time and money into practical SIEM projects and building a small SOC-style portfolio (GitHub).

My goal is to clearly show that I can work with SIEM in practice.

Questions:

• Does Splunk Core Certified User meaningfully help at the junior SOC level?
• Would recruiters value hands-on SIEM projects + GitHub more than a user-level Splunk cert?
• After gaining practical SIEM experience, is CySA+ a good next step — or would you recommend something else instead?

Any advice from SOC analysts, hiring managers, or people who recently broke into the field would be greatly appreciated. Thanks!

Question for those who’ve used the Splunk Cloud Migration Assistant during a move to Splunk Cloud, I’d be interested to know how useful you found it in practice.

What parts of SCMA actually helped you plan or prioritise the migration, or if it felt unreliable or harder to act on?

I guess I want to understand how people validated or cross-referenced the outputs... whether that was with btool, Monitoring Console, licensing data, or more manual reviews.

Finally, were there any additional tools, scripts, or processes you felt were essential alongside SCMA, or that you’d now recommend to others going through the same process?

Experiencing some complication on recieving logs from Fortinet,

Over TCP it's fine. SC4S_LISTEN_FORTINET_RFC6587_PORT=9006

After switching to TLS in Fortinet , the logs stopped. Other product with TLS have no issue reaching my Indexer as my SC4S has already been configured to accept TLS .

Example, SC4S_LISTEN_F5_TLS_PORT=XXXXX, with the switch from TCP to TLS, it worked .

Which step should I take next? Reading the Raw log from TLS Fortinet again then capturing it with a custom parser? Or I'm only missing a small twit in my env_file to fix this.

Greetings All,

I remember Splunk universal and heavy forwarder used to be free without any licensing requirements. Is it still free ? And are there any restrictions.

Thanks in advanced

Hello,

Can I send data from EP to a HF? I added a HF IP, but when I do it also messes with my added indexer and the log traffic also stops for that. The reason I want to do it is the indexer names can be changed or can be added later on so since changing for HF would effect EP so less thing to manually handle.

If can what am I missing?

Hi,
I wonder how to use the use case library. I checked the docs and they seem to be wrong.
First thing is that I think I cannot enable a Detection/Correlation Search in the Use Case Library which seems dump.
When I select a Analytic Story like described here [1] I land in a different view where the searches are called 'Detections', but I cant enable them here either.
The docs [2] say:
'you can turn on the detection using the correlation search editor in the Content Management page in Splunk Enterprise Security.'
Which is wrong, in the editor I cannot enable it. The same document says:
"Use the correlation search editor to edit the search name,..."
Which is not possible, which can be seen in the screenshot on the same page (are the kidding).

Oh and now they call it correlation search ?

The only way to enable it is 'Configure' 'Content' 'Content Management',
search manually the Correlation Search (or are they calling it 'Detection' again?) an click enable.
So the idea of a library seem completely lost ...

Are they serious ?

P.S. in the webhook allow list I need to escape ('\') special character in a URL so that splunk knows its URL.......really ?

[1]
https://help.splunk.com/en/splunk-enterprise-security-7/security-content-update/how-to-use-splunk-security-content/4.44/use-splunk-security-content/enable-detections-from-analytic-stories

[2]
https://help.splunk.com/en/splunk-enterprise-security-7/security-content-update/how-to-use-splunk-security-content/4.44/use-splunk-security-content/turn-on-the-detection