I wonder if anyone else has experienced this and can advise? we upgraded from 9.0.3 to 9.1.1 also upgraded ES to 7.2.0 and CIM to 5.2.0 However when we go onto the CIM setup from the enterprise security menu now, the Tags Allow list is empty.  on the underlying datamodels.conf the tags_whitelist is still populated under the relevant data model stanzas but not displaying on the gui?    

Hi at all, I have to extract raw data from an Elastic Search infrastructure ingesting them in Splunk Enterprise 9.1.1. I saw that there are two apps in Splunkbase: "ElasticSPL Add-on for Splunk" and "Elasticsearch Data Integrator - Modular Input". The first seems to be not certified on Splunk Enterprise but only for Splunk Cloud. Does anyone used them? are they different, which one should be prefereable? Thank you for your advice. Ciao. Giuseppe

We have recently upgraded our Splunk Enterprise to the version 9.0.4. We observed that some of the behaviour in the system are different. For example, when we run a search with timechart/stats command and without mentioning the index field, the results are same but under the Events part, it shows empty events for the respective timestamp. Below is the sample query and respective results. host=abc sourcetype=xyz |timechart count This was not occurring earlier. Though we don't mention the index field, the results use to populate with the respective event logs. Not sure whether this is the expected behavior or it's a bug. Is this something which we can fix from the end user side? Please anyone help me on this. I would also like to know the limitations or restrictions which are introduced with this Splunk version.

Hello, I have below code for a dropdown menu and the problem is the moment i select any of the value from drop down dependent panels load without waiting for Submit button. How can this be fixed. Submit Button code: <fieldset submitButton="true" autoRun="false"> <input token="field1" type="time" searchWhenChanged="false"> <label>Time Picker</label> <default> <earliest>-15m</earliest> <latest>now</latest> </default> </input> Dropdown and Token <input type="dropdown" token="subsummary" depends="$loadsummary$" searchWhenChanged="false"> <label>Summary Selection</label> <choice value="FUNC">Function Summary</choice> <choice value="MQ">MQ Summary</choice> <change> <condition value="FUNC"> <set token="funcsummary">true</set> <unset token="funcsummaryMQ"></unset> </condition> <condition value="MQ"> <set token="funcsummaryMQ">true</set> <unset token="funcsummary"></unset> </condition> </change>   Sample Panel: <row depends="$funcsummaryMQ$"> <panel depends="$funcsummaryMQ$"> <title>ABC</title> <table> <search > <query>index="SAMPLE" </query> </search> <option name="count">100</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">false</option> <option name="wrap">true</option> </table> </panel> </row>

Hi, I have 2 saved searches that fetch data from datamodel (pivot table) and the result of these savedsearch is storing to a summary index. But 2 days before I found that my saved search query got partially deleted from UI , but it is present in the backend. Is there anyone can help to understand how it is happening. What is the rootcause for this

How to add below logs in Splunk , as while entering to SH were able to find the app(env_d),inside that there are "bin, default, metadata" splunk/en-US/app/env_d/search App: Env_d AppServers: ap8sd010 thru ap8sd019 Logs folders: /app/docker/en1/logs /app/docker/en2/logs /app/docker/en3/logs /app/docker/en4/logs /app/docker/en5/logs