Hi all,   I have two jobs in different applications, both jobs get results in splunk search BUT on of the jobs always show the field resultCount=0. | rest /services/search/jobs/xx__xx_c3BsdW5rLWRhc2hib2FyZC1hcHAtMg__getter_1695998843.535512 splunk_server=local | fields resultCount   Do I need to do something in my app in order to see the resultCount field? The jobs are generated by javascript, very similar script between apps, just change the search. I'm running version 9.0.6, in last version 8.2.8 I always see the resultCount    

Hello I'm trying to count events by field called "UserAgent" If im searching for the events without any calculated field im getting results from different UserAgents But once im using eval, I don't get the expected results For example: I've tried this eval and im getting only "android" also im searching for "ios" only with    "ContextData.UserAgent"=*ios*   as part of my query    | eval UserAgent = if("ContextData.UserAgent"="*ios*","ios","android")    what im doing wrong ?

Hello All! Trying to set up CAC Based Auth for SPLUNK 9.1.1 on Windows Server 2022 for the first time. I have successfully setup LDAP and am able to sign into Splunk using an AD username/password without any issues. When I add in the requiredClientCert, enableCertBasedAuth and certBasedUserAuthMethod stanzas, and attempt to access the Splunk GUI, all users are immediately greeted with an 'Unauthorized' message. I've been fighting this for about a week now, and Splunk support hasn't been able to help me pin this down yet. Any assistance would be greatly appreciated. I've ensured TLS 1.2 registry keys exist in SCHANNEL to Enable TLS 1.2. Corresponding logs from splunkd.log for the logon attempt are:   09-29-2023 09:02:43.191 -0400 INFO AuthenticationProviderLDAP [12404 TcpChannelThread] - Could not find user=" \x84\x07\xd8\xb6\x05" with strategy="123_LDAP" 09-29-2023 09:02:43.192 -0400 ERROR HTTPAuthManager [12404 TcpChannelThread] - SSO failed - User does not exist: \x84\x07\xd8\xb6\x05 09-29-2023 09:02:43.192 -0400 ERROR UiAuth [12404 TcpChannelThread] - user= \x84\x07\xd8\xb6\x05 action=login status=failure reason=sso-failed useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36" clientip=<ip> 09-29-2023 09:03:10.247 -0400 ERROR UiAuth [12404 TcpChannelThread] - SAN OtherName not found for configured OIDs in client certificate 09-29-2023 09:03:10.247 -0400 ERROR UiAuth [12404 TcpChannelThread] - CertBasedUserAuth: error fetching username from client certificate   authentication.conf:   [splunk_auth] minPasswordLength = 8 minPasswordUppercase = 0 minPasswordLowercase = 0 minPasswordSpecial = 0 minPasswordDigit = 0 [authentication] authSettings = 123_LDAP authType = LDAP [123_LDAP] SSLEnabled = 1 anonymous_referrals = 0 bindDN = CN=<Account>,OU=Service Accounts,OU=<Command Accounts>,DC=<Command>,DC=NAVY,DC=MIL bindDNpassword = <removed> charset = utf8 emailAttribute = mail enableRangeRetrieval = 0 groupBaseDN = OU=SPLUNK Groups,OU=Groups,DC=<command>,DC=NAVY,DC=MIL groupMappingAttribute = dn groupMemberAttribute = member groupNameAttribute = cn host = DC.<Command>.NAVY.MIL nestedGroups = 1 network_timeout = 20 pagelimit = -1 port = 636 realNameAttribute = displayName sizelimit = 1000 timelimit = 15 userBaseDN = OU=Users,OU=<Command Accounts>,DC=<Command>,DC=NAVY,DC=MIL userNameAttribute = userprincipalname [roleMap_LDAP] admin = SPLUNK AUDITOR can_delete = SPLUNK AUDITOR network = SPLUNK NETWORK user = SPLUNK AUDITOR;SPLUNK USERS   web.conf   [settings] enableSplunkWebSSL = true privKeyPath = $SPLUNK_HOME\etc\auth\dodCerts\splunk2_key.pem serverCert = $SPLUNK_HOME\etc\auth\dodCerts\splunk2_server.pem sslPassword = <removed> requireClientCert = true sslRootCAPath = $SPLUNK_HOME\etc\auth\dodCerts\DoDRootCA3.pem enableCertBasedUserAuth=true SSOMode=permissive trustedIP = 127.0.0.1 certBasedUserAuthMethod=PIV   server.conf   [sslConfig] enableSplunkdSSL = true sslRootCAPath = $SPLUNK_HOME\etc\auth\dodCerts\DoDRootCA3.pem serverCert = $SPLUNK_HOME\etc\auth\dodCerts\splunk2_server.pem sslPassword = <removed> cliVerifyServerName = true sslVersions = tls1.2 sslVerifyServerCert = true [general] serverName = SPKVSPLUNK2 pass4SymmKey = <removed> trustedIP = 127.0.0.1            

Hi,  We upgraded the Splunk DB Connect app to version 3.14.1, and the drivers as well ojdbc11.jar v.21.11 (Innovation Release)along  with orai18n.jar. While trying to add new input we noticed that for some connections we got the error "cannot get schemas". However we are able to add inputs and connections are working. The versions of databases are oracle 19.19 and 12.1.0.2. We downgraded the version of the driver to ojdbc11.jar v.19.20 (Long Term Release) along with respective orai18n.jar but still we "cannot get schemas". All the permissions to the user are given.  In the _internal index we encounter this error message: „Unable to get schemas metadata java.sql.SQLException: Non supported character set (add orai18n.jar in your classpath): EE8ISO8859P2”  but the orai18n.jar is already there. Any kind of help or idea would be appreciated. Thank you in advance !

Hi there, I want to send email who have 4625 over 20 login fail count. I have search there is no problem about search but i couldn't figure out to send emails to specific users who have 4625 login fail events. I know trigger action like send mail but i couldn't figure out how to send specific users. I don't want to send email to a group, i need send email to specific users who have 4625 events.   Any help would be appreciated!