I downloaded and installed these apps from Splunkbase. https://splunkbase.splunk.com/app/4232 https://splunkbase.splunk.com/app/2642 As per the instructions, I added the sourcetype=linux_audit to the local "auditd_events" eventtype in TA and linux_audit to list of sourcetypes in TA-linux_auditd/lookups/auditd_sourcetypes.csv but the dashboard data is not showing up. My existing auditd events belong to the different sourcetype names and eventtype names.  For example,  I got the auditd events. index="linux_fw" sourcetype="syslog" eventtype="mycustom_audit_events" Therefore,  Do I need to add the sourcetype="syslog" to the local "auditd_events" eventtype in TA and add the syslog to list of sourcetypes in TA-linux_auditd/lookups/auditd_sourcetypes.csv ??

I updated etc/apps/custom_app/local/data/ui/nav/default.xml with a new sub-menu choice that should display saved searches based on the name pattern: <collection label="Menu Choice">     <saved source="unclassified" match="Pattern" /> </collection> where "Pattern" is some specific pattern which is in the name of 17 saved searches -- reports and alerts. The alerts are scheduled and reports are not. All the alerts and reports are shared in App, not Private. This newly added menu choice doesn't appear in the menu. The menu has many other working menu choices displaying dashboards or other saved searches. What could be the reason? I tried reloading the app and changing the ownership of one of the alerts and reports but it didn't help. I am logged in as admin. Thank you.

Hi, I am writing a query in Splunk dashboard and the query return in base search it has multiple joint query. still the page is loading very slow. need to improve performance of dashboard query. This my the query. index="Test" applicationName="sapi" timestamp log.map.correlationId level message ("Ondemand Started*" OR "Process star | rex field-message max_match=0 "\"Ondemand Started for. filename: (?<OnDemandFileName> [^\n]\w+\S+)" | rex field-message max_match=0 "Process started for (?<FileName>[^\n]+)" Ieval OnDemandFileName=rtrim(OnDemandFileName, "Job") Ieval "FileName/JobName"= coalesce (OnDemandFileName, FileName) | rename timestamp as Timestamp log.map.correlationId as CorrelationId level as Level message as Message eval JobType=case (like( 'Message', "%Ondemand Started%"), "OnDemand", like('Message", "Process started%"), "Scheduled", true (), "Unknown") eval Message=trim(Message, "\"") table Timestamp CorrelationId Level JobType "FileName/JobName" Message join CorrelationId type=left [search index="Test" applicationName="sapi" level=ERROR | rename log.map.correlationId as CorrelationId level as Level message as Messagel I dedup CorrelationId | table CorrelationId Level Message1] | table Timestamp CorrelationId Level JobType "FileName/JobName" Messagel I join CorrelationId type=left 20 [ search index="Test" applicationName="sapi" message="*file archived successfully *" | rex field-message max_match=0 "\"Concur file archived successfully for file name: (?<Archived FileName>[^\n]\w+\S+)" Ieval Archived FileName=rtrim(Archived FileName,"\"") I rename log.map.correlationId as CorrelationId | table CorrelationId ArchivedFileName] 1 table Timestamp CorrelationId Level JobType "FileName/JobName" ArchivedFileName Message1 join CorrelationId type=left [ search index="Test" applicationName="sapi" (log.map.processor Path=ExpenseExtractProcessingtoOraclex AND (" Import*" OR "APL Import*")) | rename timestamp as Timestamp1 log.map.correlationId as CorrelationId level as Level message as Message | eval Status-case (like('Message", "%GL Import flow%"), "SUCCESS", like('Message", "%APL Import flow%"), "SUCCESS", like('Level', "%Exception%"), "ERROR") | rename Message as Response | table Timestamp1 CorrelationId Status Response] Ieval Status=if (Level="ERROR", "ERROR", Status) Ieval StartTime=round(strptime(Timestamp, "%Y-%m-%dT%H:%M: %S.%QZ")) | eval EndTime=round(strptime (Timestamp1, "%Y-%m-%dT%H:%M: %S.%QZ")) Ieval Elapsed TimeInSecs-EndTime-StartTime | eval. "Total Elapsed Time"=strftime (Elapsed TimeInSecs, "%H:%M:%S") eval Response= coalesce (Response, Message1)|table Status CorrelationId ArchivedFileName] 1 table Timestamp CorrelationId Level JobType "FileName/JobName" ArchivedFileName |search Status=*|stats count by JobType

Hey there! I've set up Splunk Enterprise using AWS AMI. Now, I'm attempting to install the Splunk Essentials app, but I'm running into some issues. First, when I tried to upload the .tgz zip file, it got blocked. Then, I attempted to install it through the marketplace, but my correct username and password from splunk.com aren't working. I'm not sure how to fix this. Any help would be appreciated. Thanks!