Hi! I have a saved historical data of some metric, from even before the agent got installed, is there any way to load it into the controller? So I can see this metric even for the time that I didn't have an agent installed? I don't see any API for that...   Thanks! -Dimitri )

  Subject: Issue with Splunk server not starting after configuring TLS Description: I'm encountering an issue with my Splunk server after configuring TLS. Here's a summary of the steps I've taken: Placed the certificate files (cert.pem, cacert.pem, key.pem) in the directory: /opt/splunk/etc/auth/mycerts/. Modified the /opt/splunk/etc/system/local/server.conf file with the following configurations: ⁠[sslConfig] enableSplunkdSSL = true sslVersions = tls1.2,tls1.3 serverCert = /opt/splunk/etc/auth/mycerts/cert.pem sslRootCAPath = /opt/splunk/etc/auth/mycerts/cacert.pem sslKeysfile = /opt/splunk/etc/auth/mycerts/key.pem   After restarting the Splunk server using the command ./splunk restart, the following messages were displayed: ⁠Starting splunk server daemon (splunkd)... Done  Waiting for web server at http://127.0.0.1:8000 to be available.... WARNING: web interface does not seem to be available!   Additionally, when checking the status with ./splunk status, the result is: splunkd is not running. Could someone assist me in troubleshooting this issue? I'm unsure why the Splunk server is not starting properly after enabling TLS. Thank you for your help!          

Hello Team, as we delve into Splunk Attack Range 3.0, we're interested in understanding the MITRE ATT&CK tactics and techniques that can be simulated within this environment. If you have information on this, kindly share it with us. Thank you!

I have this query which is working as expected. There are two different body axs_event_txn_visa_req_parsedbody and axs_event_txn_visa_rsp_formatting and common between two is F62_2 (eventtype =axs_event_txn_visa_req_parsedbody "++EXT-ID[C0] FLD[Authentication Program..] FRMT[TLV] LL[1] LEN[2] DATA[01]") OR eventtype=axs_event_txn_visa_rsp_formatting | rex field=_raw "(?s)(.*?FLD\[Acquiring Institution.*?DATA\[(?<F19>[^\]]*).*)" | rex field=_raw "(?s)(.*?FLD\[Authentication Program.*?DATA\[(?<FCO>[^\]]*).*)" | rex field=_raw "(?s)(.*?FLD\[62-2 Transaction Ident.*?DATA\[(?<F62_2>[^\]]*).*)" | rex field=_raw "(?s)(.*?FLD\[Response Code.*?DATA\[(?<VRC>[^\]]*).*)" | stats values(txn_uid) as txn_uid, values(txn_timestamp) as txn_timestamp, values(F19) as F19, values(FCO) as FCO, values(VRC) as VRC by F62_2 | where F19!=036 AND FCO=01 now lets say i want to rewrite this query using appendcol/substring. something like this. TID from axs_event_txn_visa_req_parsedbody the resulted output should be passing to another query so i can corresponding log For example Table -1  Name Emp-id Jayesh 12345 Table Designation Emp-id Engineer 12345 use Emp-id from table-1 and get the destination from table-2, similarly TID is the common field between two index, i want to fetch VRC using TID from Table-1 index=au_axs_common_log source=*Visa* "++EXT-ID[C0] FLD[Authentication Program..] FRMT[TLV] LL[1] LEN[2] DATA[01]" | rex field=_raw "(?s)(.*?FLD\[62-2 Transaction Ident.*?DATA\[(?<TID>[^\]]*).*)" |appendcols search [ index=au_axs_common_log source=*Visa* "FORMATTING:" | rex field=_raw "(?s)(.*?FLD\[62-2 Transaction Ident.*?DATA\[(?<TID>[^\]]*).*)" |rex field=_raw "(?s)(.*?FLD\[Response Code.*?DATA\[(?<VRC>[^\]]*).*)" | stats values(VRC) as VRC by TID ]

Hello, I have a dashboard where the drop down list is working for me as i have splunk admin access where as the same drop down list is not populating for a user with splunk user level access. How do i need to troubleshoot this issue? Thanks

Hi, I am creating a Dashboard and using the Dashboard Studio template, and previously I developed a Splunk Visualization. How can I define a Splunk Visualization on Dashboard Studio? Because by default, I can only choose from the available Splunk Visualizations that Splunk has provided.