Hi _olivier_, yes, of course. When on your server, go to the Monitoring Console; there, under the Settings menu, select "General setup" and you can set the server roles. Kind regards.
Hello @Satyams14, if you plan to stream WAF logs to Event Hubs and wish to use a Splunk-supported add-on, you can also consider using the Splunk Add-on for Microsoft Cloud Services (#3110 - https://splunkbase.splunk.com/app/3110). It is a supported add-on and can fetch logs directly from the Event Hub. Thanks, Tejas. --- If the above solution helps, an upvote is appreciated!
Hi @_olivier_, don't attach a new question to an old one, even if it is on the same topic: open a new request, so you will be more likely to receive an answer. Ciao. Giuseppe
Hi @Satyams14, this app is created by Splunk (but it is not a Splunk-supported app), not by Microsoft. Having said that, I believe that it IS the "go-to" app for Azure feeds/onboarding. For a good overview of getting data in (GDI) for Azure, check out https://docs.splunk.com/Documentation/SVA/current/Architectures/AzureGDI (which lists this app). Did this answer help you? If so, please consider: adding karma to show it was useful; marking it as the solution if it resolved your issue; commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
Hi @Satyams14, as you can read at https://splunkbase.splunk.com/app/3757, this isn't an official app by Splunk or Microsoft: it was created by "Splunk Works"; it isn't supported, even if it has 64,900 downloads; and you can find it on GitHub. Ciao. Giuseppe
Hi @hendriks, this is an old post, but can you remember the actions to add the indexserver role? Thanks.
Hello, can someone confirm whether this is an official app by Microsoft or a third-party-created app? I want to integrate Azure WAF logs into my Splunk indexer. Thanks and regards, Satyam
Hi @tanjil, as you are a Splunk Cloud customer you are entitled to a "0-byte" license, which allows you to use non-indexing components without restriction (e.g. auth/KV store/forwarding/accessing previously indexed data, etc.). Check out https://splunk.my.site.com/customer/s/article/0-byte-license-for-Deployment-Server-or-Heavy-Forwarder for more information. Basically this is a perpetual 0-byte license, so you can perform your usual HF/DS work. Just open a case via https://www.splunk.com/support and they should issue it pretty quickly. Did this answer help you? If so, please consider: adding karma to show it was useful; marking it as the solution if it resolved your issue; commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
Well... if I'm removing the table, I see the entire event with the real structure, but I want to see only the testlogs.log part. How can I do it? Using | fields does not help.
1. OK. You're searching by full JSON paths, which probably means that you're using indexed extractions. This is generally Not Good (tm). 2. You're using the table command at the end. It creates a summary table which does not do any additional formatting. You might try | fields logs | fields - _raw _time | rename logs as _raw instead of the table command, and use an event list widget instead of a table, but I'm not sure it will look good.
"AdditionalData":{"time":"2025-06-19T11:52:37","testName":"CheckLiveRatesTest","testClass":"Automation.TestsFolder","fullName":"Automation.TestsFolder","repoUrl":"***","pipelineName":"***","buildId":"291","platform":"Backend","buildUrl":"https://github.com/","domain":"***","team":"***","env":"PreProd","status":"Failed","testDuration":"00:00:51.763","retry":1,"maxRetries":1,"isFinalResult":true,"errorMessage":" Verify live rates color\nAssert.That(market.VerifyLiveRatesColor(), is equal to 'true')\n Expected: True\n But was: False\n","stackTrace":" ***","triggeredManually":true,"hidden":false,"testLog":{"artifacts":{"Snapshot below: ":"http://www.dummyurl.com"},"logs":["[06/19/2025 11:51:45] Initializing BaseTestUI",["EndTime: 06/19/2025 11:51:47","Duration: 00:00:01.7646422","[06/19/2025 11:51:45] Driver configurations:\r\nIs local run: False\r\n
Please provide the raw event (not the formatted version), e.g. {"AdditionalData": { "buildId":291,
AdditionalData: { [-] buildId: 291 buildUrl: https://github.com domain: *** env: PreProd errorMessage: Verify live rates color Assert.That(market.VerifyLiveRatesColor(), is equal to 'true') Expected: True But was: False fullName: Automation.TestsFolder hidden: false isFinalResult: true maxRetries: 1 pipelineName: *** platform: Backend repoUrl: *** retry: 1 stackTrace: at *** status: Failed team: *** testCategories: [ [+] ] testClass: Automation.TestsFolder testDuration: 00:00:51.763 testLog: { [-] artifacts: { [+] } logs: [ [-] [06/19/2025 11:51:45] Initializing BaseTestUI [ [+] ] [06/19/2025 11:51:47] Initializing EtoroWorkFlows [ [+] ] So if I'm using the query in my post, I don't see the [+] inside logs: I see it flat as one event.
Please provide some anonymised sample events which demonstrate the issue you are facing. Ideally, place these in a code block (using the </> formatting option).
Thank you very much @PrewinThomas; with what you commented, along with @bowesmana, I was able to specify what I needed.
Applying this suggestion worked for me... I've tested it with more data, and so far there have been no inconsistencies. I really appreciate the input!
Hello, I have a table in Dashboard Studio and I want to show a part of the JSON field which contains sub-objects. When running this query: index="stg_observability_s" AdditionalData.testName=* sourcetype=SplunkQuality AdditionalData.domain="*" AdditionalData.pipelineName="*" AdditionalData.buildId="15757128291" AdditionalData.team="*" testCategories="*" AdditionalData.status="*" AdditionalData.isFinalResult="*" AdditionalData.fullName="***" | search AdditionalData.testLog.logs{}=* | spath path="AdditionalData.testLog.logs{}" output=logs | table logs the JSON looks flattened; I don't see the sub-objects inside. Is there a way to fix it? Thanks.
@tanjil, I recommend raising a Splunk Support ticket to request the 0 MB license file. Please ensure that the support case is submitted under your valid entitlement. Recently, one of our customers submitted a similar request, and Splunk provided the 0 MB license file for their heavy forwarder.
The first thing to do would be to call out to your local friendly Splunk Partner or any other sales channel you might have used before. If you are a current Cloud customer, you should be entitled to a 0-byte license. It's typically used for a forwarder, but might also be used for accessing previously indexed data.
Hi everyone, We already have a Splunk Cloud environment, and on-premises we have a Splunk deployment server. However, the on-prem deployment server currently has no license — it's only used to manage forwarders and isn’t indexing any data. We now have some legacy logs stored locally that we’d like to search through without ingesting new data. For this, we’re looking to get a Splunk 0 MB license (search-only) on the deployment server. Is there any way to request or generate a 0 MB license for this use case? Thanks in advance for your help!