All Posts


Thank you. Maybe I am not being clear enough. I apologize.

```
index=windowsevent sourcetype="Script:InstalledApps" NOT DisplayName="Carbon Black Cloud Sensor 64-bit"
| dedup host
| table host
```

When I ran this, it returned all the hosts I have in Splunk, and many of those hosts have the Carbon Black Cloud installed.
Hello @ITWhisperer & @bowesmana & @yuanliu,

Thanks. One more question: how can I put logic in place to find a missing number in this sequence of dynamically changing numbers? It has no logic except that it increases one by one. Is there any way to build logic for this increase-by-one number? I need to trigger an alert if it does not increase by one, which indicates a number was missed.

00000000000000875115,00000000000000875116,00000000000000875118

In this case 00000000000000875117 is missing.
The pattern may be:

Sequence Numbers:00000000000000872510,00000000000000872511,00000000000000872512,00000000000000872513,00000000000000872514

I need to extract only the numbers, without the commas, and display them in a table like:

00000000000000872510
00000000000000872511
00000000000000872512
00000000000000872513
00000000000000872514
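The extraction asked for here and the gap check asked for in the earlier post, worked through outside Splunk as an added example (not code from the thread). The sample events are constructed in the posted format, and the function names are made up for illustration.

```python
import re

# Constructed sample events in the "Sequence Numbers:" format from the posts.
SAMPLE_EVENTS = [
    "Sequence Numbers:00000000000000875115,00000000000000875116,00000000000000875118",
    "Sequence Numbers:00000000000000875119,00000000000000875120",
    "Sequence Numbers:00000000000000875123",
]

# Capture the comma-separated digit run that follows the label.
SEQ_LINE = re.compile(r"Sequence Numbers:\s*([0-9,\s]+)")


def extract_sequence_numbers(event):
    """Return the zero-padded sequence numbers of one event as strings."""
    match = SEQ_LINE.search(event)
    if not match:
        return []
    return [tok.strip() for tok in match.group(1).split(",") if tok.strip()]


def find_gaps(events):
    """Return the missing ranges as (first_missing, last_missing) pairs.

    Values are compared as integers, so event order, duplicates and leading
    zeros do not matter. Each gap is reported as a range instead of being
    enumerated, so a counter reset or a very large jump stays cheap to report.
    """
    seen = []
    for event in events:
        seen.extend(extract_sequence_numbers(event))
    if not seen:
        return []
    width = max(len(s) for s in seen)          # re-pad output like the input
    values = sorted({int(s) for s in seen})    # de-duplicate, then order
    gaps = []
    for prev, cur in zip(values, values[1:]):
        if cur - prev > 1:
            gaps.append((str(prev + 1).zfill(width), str(cur - 1).zfill(width)))
    return gaps


def should_alert(events):
    """True when at least one number is missing from the observed range."""
    return bool(find_gaps(events))


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        for number in extract_sequence_numbers(event):
            print(number)
    for first, last in find_gaps(SAMPLE_EVENTS):
        print("missing:", first if first == last else first + " to " + last)
```
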
Hello,

I tested by following the instructions. It only worked with the sample IP provided by Splunk, but it didn't work when I tried to compare IPv6 with IPv6 (see below). It looks like CIDR match only works if an IP is part of a subnet. In my environment, I tried to compare IPv6 (compressed) with IPv6 (expanded).

Thanks for your help.

IP from Splunk, expected = TRUE

```
| makeresults
| eval ip="2001:0db8:ffff:ffff:ffff:ffff:ffff:ff99"
| lookup ipv6test ip OUTPUT expected
```

| _time | expected | ip |
|---|---|---|
| 2023-09-07 09:08:54 | TRUE | 2001:0db8:ffff:ffff:ffff:ffff:ffff:ff99 |

IP from our test, expected = empty

```
| makeresults
| eval ip="2001:db8:3333:4444:5555:6666::2101"
| lookup ipv6test ip OUTPUT expected
```

| _time | expected | ip |
|---|---|---|
| 2023-09-07 09:10:54 | | 2001:db8:3333:4444:5555:6666::2101 |

CSV Table

| ip | expected |
|---|---|
| 2001:0db8:ffff:ffff:ffff:ffff:ffff:ff00/120 | true |
| 2001:db8:3333:4444:5555:6666::2101/64 | test mask |
| 2001:db8:3333:4444:5555:6666::2101 | test with mask |
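An offline check of the lookup rows above, added here as an example (not code from the thread, and independent of how Splunk's own lookup matching behaves). It uses Python's standard `ipaddress` module to put compressed and expanded IPv6 text into one canonical form and to show which rows each test address falls into under plain CIDR semantics; the function names are made up for illustration.

```python
import ipaddress

# Rows copied from the CSV table in the post above.
LOOKUP_ROWS = [
    ("2001:0db8:ffff:ffff:ffff:ffff:ffff:ff00/120", "true"),
    ("2001:db8:3333:4444:5555:6666::2101/64", "test mask"),
    ("2001:db8:3333:4444:5555:6666::2101", "test with mask"),
]


def canonical_network(cell):
    """Parse one lookup cell into an IPv6Network.

    strict=False clears host bits (the second row has bits set below its /64)
    and a bare address without a mask becomes a /128.
    """
    return ipaddress.ip_network(cell.strip(), strict=False)


def normalise_rows(rows):
    """Rewrite every row as (fully expanded CIDR, value)."""
    return [(canonical_network(cell).exploded, value) for cell, value in rows]


def same_address(a, b):
    """Compare two IPv6 strings by value, not by spelling."""
    return ipaddress.ip_address(a.strip()) == ipaddress.ip_address(b.strip())


def match(ip_text, rows):
    """Return the values of all rows containing ip_text, most specific first."""
    ip = ipaddress.ip_address(ip_text.strip())
    hits = []
    for cell, value in rows:
        net = canonical_network(cell)
        if ip in net:
            hits.append((net.prefixlen, value))
    hits.sort(reverse=True)
    return [value for _, value in hits]


if __name__ == "__main__":
    for cidr, value in normalise_rows(LOOKUP_ROWS):
        print(cidr, "->", value)
    for ip in ("2001:0db8:ffff:ffff:ffff:ffff:ffff:ff99",
               "2001:db8:3333:4444:5555:6666::2101"):
        print(ip, "matches", match(ip, LOOKUP_ROWS))
```

Writing the lookup file from `normalise_rows` gives every row the same text form with host bits cleared, which removes spelling differences as a variable when testing the lookup.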
Noting your input on the SH being not the best option for the input collector of HEC. Anyway, your tip was the correct one and allowed to filter the data. You made my day, thanks !
Hi @vijreddy30, check the sharing options: maybe you have different roles for some users. Did you check that the aliases aren't private? Ciao. Giuseppe
```python
import requests

url = "https://splunkbase.splunk.com/api/v1/app/"
limit = 1
out_path = r"C:\Users\denis.zarfin\PycharmProjects\pythonProject2\main.txt"

# Write the CSV header once.
with open(out_path, 'w') as f:
    f.write("name" + ", " + "uid" + ", " + "title" + ", " + '\n')

offset = -1
while True:
    offset += 1
    a = b = c = None  # reset so a failed request does not print stale values
    try:
        response = requests.get(url, params={"limit": limit, "offset": offset}, timeout=30)
        data = response.json()
        for i in data["results"]:
            # Build the release URL from the base each time, so a failed
            # request cannot leave a half-built URL behind for the next app.
            url2 = url + str(i["uid"]) + "/release/"
            data2 = requests.get(url2, timeout=30).json()[0:1]  # first release only
            for j in data2:
                a = str(j["name"])
                b = str(i["uid"])
                c = str(i["title"])
                with open(out_path, 'a') as f:
                    f.write(a + ", " + b + ", " + c + ", " + '\n')
    except (requests.RequestException, ValueError, KeyError, TypeError):
        # Skip offsets that fail to download or parse.
        pass
    print(offset, a, b, c)
    if offset > 2700:
        break
print("ok")
```

That one exports the results to CSV... but it's not that good. In the end I want to get 2 JSONs. I was able to do it "manually" with:

```python
import requests

for app_id in range(0, 1, 1):
    url = f'https://splunkbase.splunk.com/api/v1/app/?offset={app_id}&limit=1'
    data = requests.get(url, timeout=30).json()
    # "results" is a list of apps, so read "uid" from each entry.
    for app in data["results"]:
        print(f'Name: {app["uid"]}')
```
Ugh. Using SH as an input collector is... kinda unusual. And not a very beautiful architecture.

Anyway, remember that your events are parsed and processed _only_ on the first "heavy" (based on the Splunk Enterprise install package; not UF) component in the event's path (except ingest actions; those can happen on indexers even on parsed data). So if you're ingesting HEC on SH, you need those props/transforms on SH.

And in order to filter on the source field you need

MetaData:Source : The source associated with the event. The value must be prefixed by "source::"
Hi Team,

In props.conf I wrote a field alias. The field aliases are showing in Interesting fields in the Dev and QA environments. The same configuration was updated in the Prod environment, but Prod is not showing the field alias in Interesting fields.

Please help me.

Regards, Vijay K
I'm receiving the HEC directly on the search head and have the props/transforms set up on both the SH and the indexers. The sourcetype is "jenkins_log" and the log I want to avoid has "DBCompilation" in the source field. This is what I'm trying to achieve.

In props.conf:

```
[jenkins_log]
TRANSFORMS-override = ignore_jenkins_logs
```

In transforms.conf:

```
[ignore_jenkins_logs]
SOURCE_KEY = fields:source
REGEX = DBCompilation
DEST_KEY = queue
FORMAT = nullQueue
```
Hi @jip31 , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors
In my case, yes. Check your props.conf, and try with [httpevent]  and see if that helps. I had to do a mixture of both to get it to work.
The first question is - are your props/transforms on the same host as you're receiving data with your HEC input(s)? Or are you trying to receive HEC on HF and filter with props/transforms on indexers?
Traceback Part-2

```
08-02-2023 16:15:01.641 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: rv = PersistentServerConnectionApplicationServer._load_file(filename)
08-02-2023 16:15:01.641 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "/opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py", line 57, in _load_file
08-02-2023 16:15:01.641 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: m = imp.load_module(munged_name, filehandle, filename, data)
08-02-2023 16:15:01.641 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "/opt/splunk/lib/python3.7/imp.py", line 234, in load_module
08-02-2023 16:15:01.641 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: return load_source(name, filename, file)
08-02-2023 16:15:01.641 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "/opt/splunk/lib/python3.7/imp.py", line 171, in load_source
08-02-2023 16:15:01.641 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: module = _load(spec)
08-02-2023 16:15:01.641 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "<frozen importlib._bootstrap>", line 696, in _load
08-02-2023 16:15:01.641 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "<frozen importlib._bootstrap>", line 677, in _load_unlocked
08-02-2023 16:15:01.641 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "<frozen importlib._bootstrap_external>", line 728, in exec_module
08-02-2023 16:15:01.641 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
08-02-2023 16:15:01.641 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "/opt/splunk/etc/apps/CustomApp/bin/umbrella_dashboard_api_client.py", line 13, in <module>
08-02-2023 16:15:01.641 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: from logger import Logger
08-02-2023 16:15:01.641 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: ModuleNotFoundError: No module named 'logger'
08-02-2023 16:15:01.806 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py:2: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses
08-02-2023 16:15:01.806 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: import imp
08-02-2023 16:15:01.808 +0530 ERROR HttpListener [77650 TcpChannelThread] - Exception while processing request from 127.0.0.1:37198 for /en-US/splunkd/__raw/servicesNS/nobody/CustomApp/umbrella?type=dns&from=1690929026000&to=1690972226000&_=1690972792547: Error starting: No module named 'logger'
08-02-2023 16:15:02.059 +0530 WARN PersistentScript [77745 PersistentScriptIo] - Process {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: PID 78587 exited with code 1
08-02-2023 16:15:02.059 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: Traceback (most recent call last):
08-02-2023 16:15:02.059 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "/opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py", line 114, in <module>
08-02-2023 16:15:02.059 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: h.run()
08-02-2023 16:15:02.059 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "/opt/splunk/lib/python3.7/site-packages/splunk/persistconn/packet.py", line 191, in run
08-02-2023 16:15:02.059 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: self.handle_packet(in_packet)
08-02-2023 16:15:02.059 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "/opt/splunk/lib/python3.7/site-packages/splunk/persistconn/handle_loop.py", line 36, in handle_packet
08-02-2023 16:15:02.060 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: self._current_handler = self.load(in_packet.command, in_packet.command_arg, in_packet.allow_stream())
08-02-2023 16:15:02.060 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "/opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py", line 22, in load
08-02-2023 16:15:02.060 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: class_and_meths = self._get_class_and_methods(command[0], stream_allowed)
08-02-2023 16:15:02.060 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "/opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py", line 31, in _get_class_and_methods
08-02-2023 16:15:02.060 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: meths = self._cached_load_file(filename)
08-02-2023 16:15:02.060 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "/opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py", line 42, in _cached_load_file
08-02-2023 16:15:02.060 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: rv = PersistentServerConnectionApplicationServer._load_file(filename)
08-02-2023 16:15:02.060 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "/opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py", line 57, in _load_file
08-02-2023 16:15:02.060 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: m = imp.load_module(munged_name, filehandle, filename, data)
08-02-2023 16:15:02.060 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "/opt/splunk/lib/python3.7/imp.py", line 234, in load_module
08-02-2023 16:15:02.060 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: return load_source(name, filename, file)
08-02-2023 16:15:02.060 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "/opt/splunk/lib/python3.7/imp.py", line 171, in load_source
08-02-2023 16:15:02.060 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: module = _load(spec)
08-02-2023 16:15:02.060 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "<frozen importlib._bootstrap>", line 696, in _load
08-02-2023 16:15:02.060 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "<frozen importlib._bootstrap>", line 677, in _load_unlocked
08-02-2023 16:15:02.060 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "<frozen importlib._bootstrap_external>", line 728, in exec_module
08-02-2023 16:15:02.060 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
08-02-2023 16:15:02.060 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "/opt/splunk/etc/apps/CustomApp/bin/umbrella_dashboard_api_client.py", line 13, in <module>
08-02-2023 16:15:02.060 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: from logger import Logger
08-02-2023 16:15:02.060 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: ModuleNotFoundError: No module named 'logger'
```
Traceback Part-1

```
08-02-2023 16:15:01.256 +0530 ERROR HttpListener [77650 TcpChannelThread] - Exception while processing request from 127.0.0.1:43332 for /en-US/splunkd/__raw/servicesNS/nobody/CustomApp/umbrella?type=dns&from=1690929026000&to=1690972226000&_=1690972792543: Error starting: No module named 'logger'
08-02-2023 16:15:01.493 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py:2: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses
08-02-2023 16:15:01.493 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: import imp
08-02-2023 16:15:01.493 +0530 WARN PersistentScript [77745 PersistentScriptIo] - Process {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: PID 78576 exited with code 1
08-02-2023 16:15:01.493 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: Traceback (most recent call last):
08-02-2023 16:15:01.494 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "/opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py", line 114, in <module>
08-02-2023 16:15:01.494 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: h.run()
08-02-2023 16:15:01.494 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "/opt/splunk/lib/python3.7/site-packages/splunk/persistconn/packet.py", line 191, in run
08-02-2023 16:15:01.494 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: self.handle_packet(in_packet)
08-02-2023 16:15:01.494 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "/opt/splunk/lib/python3.7/site-packages/splunk/persistconn/handle_loop.py", line 36, in handle_packet
08-02-2023 16:15:01.494 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: self._current_handler = self.load(in_packet.command, in_packet.command_arg, in_packet.allow_stream())
08-02-2023 16:15:01.494 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "/opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py", line 22, in load
08-02-2023 16:15:01.494 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: class_and_meths = self._get_class_and_methods(command[0], stream_allowed)
08-02-2023 16:15:01.494 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "/opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py", line 31, in _get_class_and_methods
08-02-2023 16:15:01.494 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: meths = self._cached_load_file(filename)
08-02-2023 16:15:01.494 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "/opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py", line 42, in _cached_load_file
08-02-2023 16:15:01.494 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: rv = PersistentServerConnectionApplicationServer._load_file(filename)
08-02-2023 16:15:01.494 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "/opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py", line 57, in _load_file
08-02-2023 16:15:01.494 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: m = imp.load_module(munged_name, filehandle, filename, data)
08-02-2023 16:15:01.494 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "/opt/splunk/lib/python3.7/imp.py", line 234, in load_module
08-02-2023 16:15:01.494 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: return load_source(name, filename, file)
08-02-2023 16:15:01.494 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "/opt/splunk/lib/python3.7/imp.py", line 171, in load_source
08-02-2023 16:15:01.494 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: module = _load(spec)
08-02-2023 16:15:01.494 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "<frozen importlib._bootstrap>", line 696, in _load
08-02-2023 16:15:01.494 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "<frozen importlib._bootstrap>", line 677, in _load_unlocked
08-02-2023 16:15:01.494 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "<frozen importlib._bootstrap_external>", line 728, in exec_module
08-02-2023 16:15:01.494 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
08-02-2023 16:15:01.494 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "/opt/splunk/etc/apps/CustomApp/bin/umbrella_dashboard_api_client.py", line 13, in <module>
08-02-2023 16:15:01.494 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: from logger import Logger
08-02-2023 16:15:01.494 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: ModuleNotFoundError: No module named 'logger'
08-02-2023 16:15:01.494 +0530 ERROR HttpListener [77650 TcpChannelThread] - Exception while processing request from 127.0.0.1:37186 for /en-US/splunkd/__raw/servicesNS/nobody/CustomApp/umbrella?type=dns&from=1690929026000&to=1690972226000&_=1690972792546: Error starting: No module named 'logger'
08-02-2023 16:15:01.641 +0530 WARN PersistentScript [77745 PersistentScriptIo] - Process {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: PID 78582 exited with code 1
08-02-2023 16:15:01.641 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: Traceback (most recent call last):
08-02-2023 16:15:01.641 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "/opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py", line 114, in <module>
08-02-2023 16:15:01.641 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: h.run()
08-02-2023 16:15:01.641 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "/opt/splunk/lib/python3.7/site-packages/splunk/persistconn/packet.py", line 191, in run
08-02-2023 16:15:01.641 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: self.handle_packet(in_packet)
08-02-2023 16:15:01.641 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "/opt/splunk/lib/python3.7/site-packages/splunk/persistconn/handle_loop.py", line 36, in handle_packet
08-02-2023 16:15:01.641 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: self._current_handler = self.load(in_packet.command, in_packet.command_arg, in_packet.allow_stream())
08-02-2023 16:15:01.641 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "/opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py", line 22, in load
08-02-2023 16:15:01.641 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: class_and_meths = self._get_class_and_methods(command[0], stream_allowed)
08-02-2023 16:15:01.641 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "/opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py", line 31, in _get_class_and_methods
08-02-2023 16:15:01.641 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: meths = self._cached_load_file(filename)
08-02-2023 16:15:01.641 +0530 ERROR PersistentScript [77745 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "/opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py", line 42, in _cached_load_file
```
@VatsalJagani yes, we are getting a full traceback. It's from our 3rd party app.
The product_brand token already holds the chosen values. You can use the prefix, suffix, valuePrefix, valueSuffix and delimiter options to determine how the token is formatted. Simple XML Reference - Splunk Documentation
@danielbb - What do you mean by a couple of environments? You need to check in the environment/SearchHead which is generating this error for you. And there has to be automatic lookup. If you don't see it try to find it inside props.conf from the backend.  
Adding to @yuanliu 's remark - one more thing about the matching logic. Remember that "key!=value" condition is not the same as "NOT key=value" condition. The "key!=value" condition will match only events having the key called "key" which have values not matching "value". But the "NOT key=value" will do that but also match all events where the key called "key" is not present at all.
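The matching difference described above, modelled in Python over constructed events (an added example, not code from the thread). The field names follow the `Script:InstalledApps` search from the first post, the host names and the second application are made up, and multi-value fields are not modelled. It also goes one step past the post: because that source has one event per installed application, either filter still returns hosts that have the sensor, so the coverage question needs a per-host comparison.

```python
SENSOR = "Carbon Black Cloud Sensor 64-bit"

# Constructed events: one event per installed application per host.
EVENTS = [
    {"host": "ws01", "DisplayName": SENSOR},
    {"host": "ws01", "DisplayName": "7-Zip"},
    {"host": "ws02", "DisplayName": "7-Zip"},
    {"host": "ws03"},                      # event with no DisplayName field
    {"host": "ws04", "DisplayName": SENSOR},
]


def neq(events, key, value):
    """key!=value: the field must exist and hold a different value."""
    return [e for e in events if key in e and e[key] != value]


def not_eq(events, key, value):
    """NOT key=value: as above, plus events where the field is absent."""
    return [e for e in events if e.get(key) != value]


def hosts(events):
    """Distinct hosts in a result set, like `| dedup host | table host`."""
    return sorted({e["host"] for e in events})


def hosts_without(events, key, value):
    """Hosts for which no event at all carries key=value."""
    all_hosts = {e["host"] for e in events}
    hosts_with = {e["host"] for e in events if e.get(key) == value}
    return sorted(all_hosts - hosts_with)


if __name__ == "__main__":
    print("key!=value     :", hosts(neq(EVENTS, "DisplayName", SENSOR)))
    print("NOT key=value  :", hosts(not_eq(EVENTS, "DisplayName", SENSOR)))
    print("missing sensor :", hosts_without(EVENTS, "DisplayName", SENSOR))
```
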