Hi Splunkers!!, We have recently configured SSO in Splunk using Keycloak, and it's working fine — users are able to log in through the Keycloak identity provider. Now, we have a new requirement where some users should be able to bypass SSO and use the traditional Splunk login (username/password) instead. Current Setup: Splunk SSO is configured via Keycloak (SAML). All users are redirected to Keycloak for authentication. We now want to allow dual login options: Primary: SSO via Keycloak (default for most users). Secondary: Traditional login for selected users (e.g., admins, service accounts). Objective: Allow both SSO and non-SSO (Splunk local authentication) login methods to coexist. Below is our setting for SSO. [authentication] authSettings = saml authType = SAML [roleMap_SAML] commissioning_engineer = integration hlc_support_engineer = integration [saml] caCertFile = D:\Splunk\etc\auth\cacert.pem clientCert = D:\Splunk\etc\auth\server.pem entityId = splunk fqdn = https://splunk.kigen-iht-001.cnaw.k8s.kigen.com idpCertExpirationCheckInterval = 86400s idpCertExpirationWarningDays = 90 idpCertPath = idpCert.pem idpSLOUrl = https://keycloak.walamb-iht-001.cnap.k8s.kigen.com/auth/realms/production/protocol/saml idpSSOUrl = https://keycloak.walamb-iht-001.cnap.k8s.kigen.com/auth/realms/production/protocol/saml inboundDigestMethod = SHA1;SHA256;SHA384;SHA512 inboundSignatureAlgorithm = RSA-SHA1;RSA-SHA256;RSA-SHA384;RSA-SHA512 issuerId = https://keycloak.walamb-iht-001.cnap.k8s.kigen.com/auth/realms/production lockRoleToFullDN = true redirectPort = 443 replicateCertificates = true scimEnabled = false signAuthnRequest = true signatureAlgorithm = RSA-SHA1 signedAssertion = true sloBinding = HTTP-POST sslPassword = $7$CCkQUt0tA8sZJMmU+8kigen0zdv/mxXjJsLRbmuBkEnMfhQ== ssoBinding = HTTP-POST [userToRoleMap_SAML] kg-user = commiss_engineer;hlc_support_engineer:::: ... View more

Hello Splunkers!! Issue Description We are experiencing a significant delay in data ingestion (>10 hours) for one index in Project B within our Splunk environment. Interestingly, Project A, which operates with a nearly identical configuration, does not exhibit this issue, and data ingestion occurs as expected. Steps Taken to Diagnose the Issue To identify the root cause of the delayed ingestion in Project B, the following checks were performed: Timezone Consistency: Verified that the timezone settings on the database server (source of the data) and the Splunk server are identical, ruling out timestamp misalignment. Props Configuration: Confirmed that the props.conf settings align with the event patterns, ensuring proper event parsing and processing. System Performance: Monitored CPU performance on the Splunk server and found no resource bottlenecks or excessive load. Note : Configuration Comparison: Conducted a thorough comparison of configurations between Project A and Project B, including inputs, outputs, and indexing settings, and found no apparent differences. Observations The issue is isolated to Project B, despite both projects sharing similar configurations and infrastructure. Project A processes data without delays, indicating that the Splunk environment and database connectivity are generally functional. Screenshot 1 : Screenshot 2 : Event sample : TIMESTAMP="2025-04-17T21:17:05.868000Z",SOURCE="TransportControllerManager_x.onStatusChangedTransferRequest",IDEVENT="1312670",EVENTTYPEKEY="TRFREQ_CANCELLED",INSTANCEID="210002100",OBJECTTYPE="TRANSFERREQUEST",OPERATOR="1",OPERATORID="1",TASKID="10030391534",TSULABEL="309360376000158328" props.conf [wmc_events] CHARSET=AUTO KV_MODE=AUTO SHOULD_LINEMERGE=false description= WMC events received from the Oracle database, formatted as key-value pairs pulldown_type=true TIME_PREFIX = ^TIMESTAMP= TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6NZ TZ = UTC NO_BINARY_CHECK = true TRUNCATE = 10000000 #MAX_EVENTS = 100000 ANNOTATE_PUNCT = false     ... View more

Dear Splunkers!! I am facing an issue with Splunk file monitoring configuration. When I define the complete absolute path in the inputs.conf file, Splunk successfully monitors the files. Below are two examples of working stanza configurations: Working Configurations: [monitor://E:\var\log\Bapto\BaptoEventsLog\SZC\0000000002783979-2025-03-27T07-39-33-128Z-SZC.VIT.BaptoEvents.50301.csv] [monitor://E:\var\log\Bapto\BaptoEventsLog\SZC\0000000002783446-2025-03-27T05-09-20-566Z-SZC.VIT.BaptoEvents.50296.csv] However, since more than 200 files are generated, specifying absolute paths for each file is not feasible. To automate this, I attempted to use a wildcard pattern in the stanza, as shown below: Non-Working Configuration: [monitor://E:\var\log\Bapto\BaptoEventsLog\SZC\*.csv] Unfortunately, this approach does not ingest any files into Splunk. I would appreciate your guidance on resolving this issue. Looking forward to your insights. ... View more