i have added this file in monitoring to ingest data but data is not getting ingesting  log file path is /tmp/mountcheck.txt [monitor:///tmp/mount.txt] disabled = 0 index = Test_index sourcetype =Test_sourcetype initCrcLen = 1024 crcSalt = "unique_salt_value"  

i have below stanza to ingest json data file and added in deployment server as below an in HF added props.conf file  initially  i have uploaded using splunk UI but getting events in one line [monitor:///var/log/Netapp_testobject.json] disabled = false index = Test_index sourcetype = Test_sourcetype [Test_sourcetype] DATETIME_CONFIG=CURRENT SHOULD_LINEMERGE=false LINE_BREAKER=([{}\,\s]+) NO_BINARY_CHECK=true CHARSET=UTF-8 EVENT_BREAKER=([{}\,\s]+) INDEXED_EXTRACTIONS=json KV_MODE=json TRUNCATE=0 json data looks like below: [ { "Name": "test name", "Description": "", "DNSHostname": "test name", "OperatingSystem": "NetApp Release 9.1", "WhenCreated": "2/13/2018 08:24:22 AM", "distinguishedName": "CN=test name,OU=NAS,OU=AVZ Special Purpose,DC=corp,DC=amvescap,DC=net" }, { "Name": "test name", "Description": "London DR smb FSX vserver", "DNSHostname": "test name", "OperatingSystem": "NetApp Release 9.13.0P4", "WhenCreated": "11/14/2023 08:43:36 AM", "distinguishedName": "CN=test name,OU=NAS,OU=AVZ Special Purpose,DC=corp,DC=amvescap,DC=net" } ]

Hi, We have created an application using splunk add on builder(https://apps.splunk.com/app/2962/). Created a python script for the alert action. while validating the application created(add-on) we are getting two errors rest of the test cases are passed.  Sharing the errors below- First Error: {"validation_id": "v_1703053121_88", "ta_name": "TA-testaddon", "rule_name": "Validate app certification", "category": "app_cert_validation", "ext_data": {"is_visible": true}, "message_id": "7004", "description": "Check that no files have *nix write permissions for all users (xx2, xx6, xx7). Splunk recommends 644 for all app files outside of the bin/ directory, 644 for scripts within the bin/ directory that are invoked using an interpreter (e.g. python my_script.py or sh my_script.sh), and 755 for scripts within the bin/ directory that are invoked directly (e.g. ./my_script.sh or ./my_script). Since appinspect 1.6.1, check that no files have nt write permissions for all users..", "sub_category": "Source code and binaries standards", "solution": "There are multiple errors for this check. Please check \"messages\" for details.", "messages": "[{\"result\": \"warning\", \"message\": \"Suppressed 813 failure messages\", \"message_filename\": null, \"message_line\": null}, {\"result\": \"failure\", \"message\": \"A posix world-writable file was found. File: bin/ta_testaddon/aob_py3/splunktalib/splunk_cluster.py\", \"message_filename\": null, \"message_line\": null}]", "severity": "Fatal", "status": "Fail", "validation_time": 1703053540}   Second Error: {"validation_id": "v_1703053679_83", "ta_name": "TA-testaddon", "rule_name": "Validate app certification", "category": "app_cert_validation", "ext_data": {"is_visible": true}, "message_id": "7002", "description": "Check that the dashboards in your app have a valid version attribute.", "sub_category": "jQuery vulnerabilities", "solution": "Change the version attribute in the root node of your Simple XML dashboard default/data/ui/views/home.xml to `<version=1.1>`. Earlier dashboard versions introduce security vulnerabilities into your apps and are not permitted in Splunk Cloud File: default/data/ui/views/home.xml", "severity": "Fatal", "status": "Fail", "validation_time": 1703053994} Kindly help in resolving this

Hello, is there a way to see the full URL of a particular slow Transaction Snapshot? I believe that some of the slow search requests in our system could be caused by a specific user input that is a part of the dynamic URL. But in the Transaction Snapshot dashboard (or in the Transaction Snapshot overview), I only see the aggregated short URL without a user input. Full URL example: https://host/Search/userInput Transaction Snapshot dashboard: Individual transaction overview: Also, I don't think I have access to the Analytics dashboard.

Hi, I have two clustered indexers which are now constantly generating crash logs in /splunk/var/log/splunk every few minutes and is unable to figure out the cause from the crash log or the error in splunkd.log. Would anyone here be able to shed some light on this? Splunkd Error: WARN SearchProcessRunner [19356 PreforkedSearchesManager-0] - preforked process=0/38 status=killed, signum=6, signame="Aborted", coredump=1, uptime_sec=37.282768, stime_sec=19.850199, max_rss_kb=472688, vm_minor=902282, vm_major=37, fs_r_count=608, fs_w_count=50856, sched_vol=3413, sched_invol=10923 Contents of one of the crash.log: [build b6436b649711] 2023-11-02 11:39:40 Received fatal signal 6 (Aborted) on PID 23624. Cause: Signal sent by PID 23624 running under UID 1001. Crashing thread: BucketSummaryActorThread Registers: RIP: [0x00007F0D7E2DA387] gsignal + 55 (libc.so.6 + 0x36387) RDI: [0x0000000000005C48] RSI: [0x00000000000059CC] RBP: [0x0000000000000BE7] RSP: [0x00007F0CF85F2268] RAX: [0x0000000000000000] RBX: [0x0000562A9ADF7598] RCX: [0xFFFFFFFFFFFFFFFF] RDX: [0x0000000000000006] R8: [0x00007F0CF85FF700] R9: [0x00007F0D7E2F12CD] R10: [0x0000000000000008] R11: [0x0000000000000206] R12: [0x0000562A9AC0E070] R13: [0x0000562A9AF9CFB0] R14: [0x00007F0CF85F2420] R15: [0x00007F0CF806F260] EFL: [0x0000000000000206] TRAPNO: [0x0000000000000000] ERR: [0x0000000000000000] CSGSFS: [0x0000000000000033] OLDMASK: [0x0000000000000000] Regards, Zijian

I'm sorry it's hard to read because I don't understand English and I'm using a translation app. Currently, I am not able to "Premise follow-up" reports in Splunk. Subsequent processing is started with a margin of time for the completion time of the prerequisite process. However, with this method, there is a risk that subsequent processing will start before the premise process is completed. You have a lot of reports to process, and you don't want to extend the schedule interval. Does anyone know a solution to this challenge?