Splunk doesn't have a built-in feature to do that because Bad Things happen even on holidays. You can either modify the alert SPL to not trigger on certain days or disable them on those days.  The Holidays app (https://splunkbase.splunk.com/app/4853) may help with that.
@Roy_9 - This query (index="_internal" log_level=ERROR "test.csv") has nothing to do with the lookup. It seems you have an automatic lookup (props.conf), which is having a similar permission issue; that's what is causing it.
Use cases do not need to be mapped from SSE to ES.  If there is an equivalent search in ES, then use that (after modifying it as necessary for your environment); otherwise, copy the SSE search into a new Correlation Search and modify it as necessary.
Hi @VatsalJagani, I am getting the results when I run it inside the same app now; however, when I run the search index="_internal" log_level=ERROR "test.csv" I am still seeing the error: The lookup table 'test.csv' requires a .csv or KV store lookup definition. Thanks
I have an alert but I want to suppress it during holidays. How can I do that?
Hello everyone, I am trying to enable some basic detections that I found in the Splunk Security Essentials app. We do have ES; however, we are still in the process of getting all of our data CIM compliant. Do alerts from the Splunk Security Essentials app need to be mapped to ES using the "add mapping" option? Or do these basic alerts have an equivalent in the ES content management use cases tab?
Correct, my environment is currently utilizing services. I do see the entity_title and serviceid within the index, so that's a good thing at least. The only correlation search we have enabled right now only utilizes entity_title apparently (I did not set these up) as its Entity Lookup field. I also reviewed our notable event aggregation policies and noticed that the only ones enabled reference the serviceid, but not entity_title. We're currently having alerts/episodes generated by the Splunk App for Infrastructure (for normalization) and a different aggregator. Neither shows the Impacted Entities. I'm guessing something isn't configured properly in either of them to have that data show, OR my entities are messed up.
Thank you for that heads up. This morning I discovered our ES was lacking the right cert in sslConfig so the splunk-generated cert expired and resulted in https://splunk.my.site.com/customer/s/article/Expired-SSL-certificate-KV-Store-will-not-start-exit-code-14-and-fatal-assertion-28652 The same fix (adding a serverCert to system/local/server.conf for a PEM containing the Server Cert + Encrypted Private Key) also fixed the KV Store on the HF where DB Connect was installed. Looks like I'll be verifying sslConfig everywhere in case of other stealthy dependencies on KV Store.
The apps/add-ons sometimes make our lives difficult by doing things like this. Please check the internal logs for that ServiceNow app/add-on; it may give you some hints. If you find the issue, you can update this post so that in future other users can use your learnings. Karma/upvotes are appreciated by all. Thanks.
Dear @phanTom, we already evaluated that way. Customizing the Graph app (which app exactly?) is a way we considered already, but we do not like it. Customizing the app means not being subject to updates of the app itself or, equivalently, it means that we must customize every new version of the app. This is something that we do not prefer. For what concerns the use of the HTTP app, consider that: it supports OAuth; OAuth is the authentication/authorization method accepted also by Azure/Graph (https://learn.microsoft.com/en-us/graph/auth-v2-service?tabs=http). We can then translate the problem into: why does the HTTP app not work with OAuth if it says that it is supported? What seems to be missing in the app is the possibility to specify a payload for the POST request that retrieves the authentication token. In the following screenshot (taken from the URL reported above), you can observe a sample payload and a sample answer: For this reason, the question "why does the HTTP app not work with OAuth if it says that it is supported?" becomes "how do we specify the payload for the OAuth POST request in the HTTP app?" or, equivalently, "why is there no possibility to specify a payload for the OAuth POST request?" Thank you in advance!
Hello, thank you for the reply! I tried it but I'm getting an error stating: Error in "search processor": Mismatched quotes and/or parentheses.
I just tried for 4 to 5 alerts; it did not trigger yesterday. But when I tried again today, I am getting auto cuts now. Not sure what happened.
Thanks Rick.
| eval account=if(account=="verified","verified","unverified") | stats count by account
Although there is data for both "verified" and "unverified", I am getting results only for "unverified" (whatever is in the ELSE). Any reason you can think of for this behavior?
@drew19 I think with the complexity of Graph I would avoid using the HTTP app. Instead I would advise updating the Graph app itself, as all the authentication etc. is already built into the app. You can use the IDE to Clone & Update the app to your needs, and this would be a lot more future-proof. https://docs.splunk.com/Documentation/SOARonprem/6.1.1/DevelopApps/Overview
Hi all, absolute Splunk n00b here, so very sorry to resurrect an old thread, but did anyone figure this one out? Currently asking myself the same question as @skender27. I have enabled the logging in SSMS and can actually see the events from the SA login. My inputs.conf looks as follows:
[WinEventLog://Application]
disabled = false
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
renderXml = true
index = "my index"
The problem is I see none of the corresponding event IDs for the SA user logins in Splunk (18453, 18454, 18456). Any ideas or tips would be much appreciated. Cheers, Oli
Hi, while using Splunk SOAR we have several Apps for several integrations with Azure/Graph. Examples of such apps are: Microsoft 365 Defender, MS Graph for SharePoint, etc. However, most of such apps have limited functionalities (i.e. they do not have an action for all the possible APIs that can be used). Hence, in order to use other APIs (not available through the standard Apps) we thought to configure the HTTP app with Graph (where we already have an app registration and several permissions, done via Azure). However, when we configure the client_id and the secret_id along with the other parameters, we receive the following answer from the app: This is the asset configuration: Does anyone know what's wrong with my configuration? Did anyone manage to make it work? Thank you in advance!
Hi @STancredi! Are you using services in ITSI? In that case you should already have the entity_title and serviceid in the itsi_summary index. Just do not remove them in your correlation search. /Seb
My DS doesn't have an explicit stanza to push the SplunkUniversalForwarder app. I know that the file the other app the DS pushed did not exist on all hosts the app got pushed to. Is it possible Splunk automatically decided to create a stanza in one of its input.conf files because it kept finding out that the file did not exist? We now have this file being logged on all hosts, so now I have to manually change the input.conf file. I also thought that my other non-default apps took precedence over the default SplunkUniversalForwarder app, but when I ran btool, it told me the file I was looking for was obtaining its configuration from \etc\apps\SplunkUniversalForwarder\local\input.conf instead of anywhere else. What's truly strange is that this behavior is only happening on some hosts and not others.
Where did you learn this?  AFAIK, Splunk Enterprise and Splunk Cloud on all platforms supports null queue.
You are not a new user so what you were told should not apply to you. Questions about specific licenses should be directed to your Splunk account team.