I have configured Oauth in a custom account in the splunk salesforce Add-On app.  After configuring the account and saving the configuration it reaches out to salesforce.  I login to salesforce and its states grant access.  Once I click submit it comes back with an error   "Error occurred while trying to authenticate. Please try Again" in the app.  I am not sure what the issue is or if this is a need to configure something on the salesforce side. 

We are utilizing the Log Event Trigger Action for an alert and we'd essentially like to duplicate the event that's found into another index. There is some renaming that happens in the alert, so pulling the_raw wouldn't include the renamed fields correct? If _raw is the way to go, what is the token for this? $result._raw$?

I have snmp_ta running 1.8.0 for a few years and have many snmp polls, both with and with out mibs. I am doing a walk, probably the first time.  I get successes but then I get a bunch of these: ERROR Exception resolving MIBs for table: 'MibTable' object has no attribute 'getIndicesFromInstId' stanza:snmp and then I get two of these ERROR Exception resolving MIBs for table: list modified during sort stanza:snmp and no more polling of this config. There are several IPs in this config.  All works well for a 2-4 polling cycles, then it stops. I can do snmpwalk -v 2c -c $PUBLIC -m $MIB and I get good results. I did recently install a new MIB for this device.  The old mib has the same issue and the other configs works fine regardless. I am thinking it is related to snmpwalk, but I am having little success in solutions. -- Frank  

Is there a way to detect subsearch limits being exceeded in scheduled searches I notice that you can get this info from REST: | rest splunk_server=local /servicesNS/$user$/$app$/search/jobs/$search_id$ | where isnotnull('messages.error') | fields id savedsearch_name, app, user, executed_at, search, messages.* And you can kinda join this to the _audit query: index=_audit action=search (has_error_warn=true OR fully_completed_search=false OR info="bad_request") | eval savedsearch_name = if(savedsearch_name="", "Ad-hoc", savedsearch_name) | eval search_id = trim(search_id, "'") | eval search = mvindex(search, 0) | map search="| rest splunk_server=local /servicesNS/$user$/$app$/search/jobs/$search_id$ | where isnotnull('messages.error') | fields id savedsearch_name, app, user, executed_at, search, messages.*" But it doesn't really work - I get lots of rest failures reported and the output is bad. You also need to run it when the search artifacts are present. Although my plan was to run this frequently and push the result to a summary index. Has anyone had better success with this? One thought would be to ingest the data that is returned by the rest call (I presume var/run/dispatch). Or might debug level logging help?