All Posts

I'm passing a bucket path and getting this error now. Replaced some path values to hide internal names and the bucket name.

bash-4.2$ /opt/splunk/bin/splunk cmd "/opt/splunk/bin/python" "/opt/splunk/etc/peer-apps/archive_app/coldToFrozen.py" "/opt/splunk/var/lib/splunk/indexname/db/db_string"
Traceback (most recent call last):
  File "/opt/splunk/etc/peer-apps/archive_app/coldToFrozen.py", line 51, in <module>
    handleOldBucket(bucket, files)
NameError: name 'handleOldBucket' is not defined
Update: Privileged downloads must be requested via the support portal.
Hello @kamal.rath, since the Community did not jump in, you can reach out to AppD Support. How do I submit a Support ticket? An FAQ. If you decide to do that, can you please share any learnings from that as a reply to this thread?
Hello Friends, here is my snippet of inputs.conf to get you an idea; maybe there is a mistake on my end?? Again, thank you for your help.
------------------
This is my snip of inputs.conf

# cat inputs.conf
[perfmon://CPU]
counters = % C1 Time;% C2 Time;% Idle Time;% Processor Time;% User Time;% Privileged Time;% Reserved Time;% Interrupt Time
instances = *
interval = 30
mode = single
object = Processor
_meta = os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host
useEnglishOnly = true
sourcetype = PerfmonMetrics:CPU
disabled = 0
index=uat

[perfmon://Memory]
counters = Cache Bytes;% Committed Bytes In Use;Page Reads/sec;Pages Input/sec;Pages Output/sec;Committed Bytes;Available Bytes
interval = 30
mode = single
object = Memory
_meta = os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host
useEnglishOnly = true
sourcetype = PerfmonMetrics:Memory
disabled = 0
index=uat

[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 10
renderXml=true
sourcetype = WinEventLog:Application
index=uat

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 10
renderXml=true
blacklist1 = EventCode="(4662|566)" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="(4656|4670|4663|4703|4658|4688)" Message="Account Name:(\W+\w+$)"
blacklist3 = EventCode="4624" Message="An account was successfully logged on"
blacklist4 = EventCode="(4688|4689)" Message="%SplunkUniversalForwarder%"
blacklist5 = EventCode="6278" Message="Network Policy Server granted full access to a user because the host met the defined health policy."
#whitelist = 1101, 1104, 4616, 4657, 4697
sourcetype = WinEventLog:Security
index=uat

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 10
renderXml=true
sourcetype = WinEventLog:System
index=uat

[WinEventLog://Setup]
checkpointInterval = 10
current_only = 0
disabled = 0
start_from = oldest
renderXml=true
sourcetype = WinEventLog:Setup
index=uat

[monitor://$SPLUNK_HOME\var\log\splunk\*.log*]
sourcetype = uf
dissabled = 0
index = _internal
Hi @Blessy.Helen Mathew, since this got no reply from the community, you can try contacting AppD Support. How do I submit a Support ticket? An FAQ.
Hi @Hemnaath, here, you can find the latest version (7.0.0): https://docs.splunk.com/Documentation/AddOns/released/AWS/Releasenotes?_gl=1*x0j3gx*_ga*OTc5MjcyOTc3LjE2ODY5ODEzNDg.*_ga_GS7YF8S63Y*MTY5MzIzNjMxMi4xNjUuMS4xNjkzMjM4MTYwLjAuMC4w*_ga_5EPM2P39FV*MTY5MzIzNjI5MC4yODcuMS4xNjkzMjM4MTYxLjAuMC4w&_ga=2.237100681.821286860.1692543785-979272977.1686981348&_gac=1.57004760.1693210375.Cj0KCQjwi7GnBhDXARIsAFLvH4ll56r7e9by3rn-eGJ4TTl27Zaz5Z020GdxkWHFSFpu81Fzu6Nd8pwaAvpnEALw_wcB but there isn't any previous version. Anyway, it's a Splunk Supported App, so you can open a ticket to Splunk Support. Ciao. Giuseppe
Hi @aditsss, you have to put the checkmark in place of True, not the following double quotes:

index="abc*" sourcetype=600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval keyword=if(searchmatch("ReadFileImpl - ebnc event balanced successfully"),"✔","")
| eval phrase="ReadFileImpl - ebnc event balanced successfully"
| table phrase keyword

Probably it isn't correctly visualized in this page. Ciao. Giuseppe
Hi @karthikm, ok for the input phase, but you need an Add-On for the parsing phase, so you must have an Add-On; otherwise, you have to manually create all the parsing rules. Anyway, the approach is the one I described: you have to override the index value. In addition, I suggest analyzing the Splunk Add-On for Amazon Web Services (AWS) at https://splunkbase.splunk.com/app/1876 because maybe it could help you. Ciao. Giuseppe
Hi @Anu, if you don't have the NAME field, the main search will never have results. Anyway, good for you, see you next time! Ciao and happy splunking. Giuseppe. P.S.: Karma Points are appreciated by all the contributors.
Hi @yr, as @PickleRick says, you have only one sourcetype: WinEventLog (or XmlWinEventLog if you're ingesting them as XML). It was changed: before, you had wineventlog:Security. You can distinguish logs based on source. Ciao. Giuseppe
That worked! Thanks a lot.
Hi @sekhar463, let me understand: you have to perform a join to extract the status field from the second search using Node=hostname as the key, is that correct? If this is your requirement, appendcols isn't the solution. You could use "join", but I don't like it because there's the limit of 50,000 results in the second search and because it's very slow. You should correlate events using stats, something like this:

(index=_internal sourcetype=splunkd source="/opt/splunk/var/log/splunk/metrics.log" group=tcpin_connections os=Windows) OR (index=ivz_em_solarwinds source="solwarwinds_query://Test_unmanaged_Nodes_Data")
| eval hostname=coalesce(hostname,Node)
| stats latest(_time) AS _time values(status) AS status BY hostname
| eval age=(now()-_time)
| eval LastActiveTime=strftime(_time,"%y/%m/%d %H:%M:%S")
| eval Status=if(age< 3600,"Running","DOWN")
| rename age AS Age
| eval Age=tostring(Age,"duration")
| lookup 0010_Solarwinds_Nodes_Export Caption as hostname OUTPUT Application_Primary_Support_Group AS CMDB2_Application_Primary_Support_Group, Application_Primary AS CMDB2_Application_Primary, Support_Group AS CMDB2_Support_Group, NodeID AS SW2_NodeID, Enriched_SW AS Enriched_SW2, Environment AS CMDB2_Environment
| eval Assign_To_Support_Group=if(Assign_To_Support_Group_Tag="CMDB_Support_Group", CMDB2_Support_Group, CMDB2_Application_Primary_Support_Group)
| table _time, hostname, sourceIp, Status, LastActiveTime, Age, SW2_NodeID, Assign_To_Support_Group, CMDB2_Support_Group, CMDB2_Environment
| where Status="DOWN" AND NOT isnull(SW2_NodeID) AND CMDB2_Environment="Production"
| sort 0 hostname

Please see the approach; if some field is missing, add it to the stats command. Ciao. Giuseppe
Events from EventLog are ingested with the WinEventLog (or XmlWinEventLog if you're ingesting them as XML) sourcetype. There should be no other sourcetypes. The events are distinguishable by source (not sourcetype).
I solved it using the "first" function.
Hi @Dayalss, I confirm what @richgalloway said: there isn't any tool or Add-On to directly ingest Excel files; the only way is passing through a CSV conversion performed outside of Splunk before ingestion. You can do this with a script (e.g. in Python) like the ones described in these pages: https://www.google.com/search?q=script+to+convert+an+excel+file+in+csv&rlz=1C1VDKB_itIT1048IT1048&oq=script+to+convert+an+excel+file+in+csv&gs_lcrp=EgZjaHJvbWUyBggAEEUYOTIHCAEQABiiBDIHCAIQABiiBDIHCAMQABiiBNIBCTE1ODA3ajFqN6gCALACAA&sourceid=chrome&ie=UTF-8 Ciao. Giuseppe
I've just come here to post the same issue and verified on a fresh install that this is not just an issue with our instance. I have been doing some experimentation, and the issue lies in the iframe that the SVG is placed into. There is a CSS attribute called "color-scheme" that has two values: light and dark. Having either of those set forces the background colour of the iframe to be either white or dark mode. The SVG itself isn't broken; the transparency is just showing the underlying background colour. I removed that attribute in the CSS editor and all is well now. I would have no idea how to override that for now though.
I have tried with the appendcols command but I am not getting the column from the subsearch:

index=_internal sourcetype=splunkd source="/opt/splunk/var/log/splunk/metrics.log" group=tcpin_connections os=Windows
| dedup hostname
| eval age=(now()-_time)
| eval LastActiveTime=strftime(_time,"%y/%m/%d %H:%M:%S")
| eval Status=if(age< 3600,"Running","DOWN")
| rename age AS Age
| eval Age=tostring(Age,"duration")
| lookup 0010_Solarwinds_Nodes_Export Caption as hostname OUTPUT Application_Primary_Support_Group AS CMDB2_Application_Primary_Support_Group, Application_Primary AS CMDB2_Application_Primary, Support_Group AS CMDB2_Support_Group NodeID AS SW2_NodeID Enriched_SW AS Enriched_SW2 Environment AS CMDB2_Environment
| eval Assign_To_Support_Group=if(Assign_To_Support_Group_Tag="CMDB_Support_Group", CMDB2_Support_Group, CMDB2_Application_Primary_Support_Group)
| table _time, hostname, Status, sourceIp, LastActiveTime, Age, SW2_NodeID, Assign_To_Support_Group, CMDB2_Support_Group, CMDB2_Environment
| appendcols [search index=ivz_em_solarwinds source=solwarwinds_query://Solarwinds_PROD_unmanaged_Nodes_Data | table Node Account Status From Until | dedup Node]
Thank you, I will give that a shot.
I only get sourcetype wineventlog, but when I add Security or Application or System, then it does not find anything. I have disabled=0 in all inputs.conf stanzas. Thank you for your help.
Is there a way to view license usage from the Splunk search head? I'm on Splunk 9.0.3. I've attempted to forward license_usage.log to the Splunk indexer and directly to the Splunk search head from the manager node. The file seems to forward; however, the contents are replaced with a message stating the information is only viewable from the manager node. Another possibility is that license_usage.log is generated by default on both the indexer and the search head, so it only looks as though the log is being forwarded. Due to the way our Splunk deployment is distributed, I need to have the web interface disabled on the manager node, so simply logging into the manager node web interface is not an option. To reiterate the question above, is there a way to view licensing information (either through search or the monitoring console) from the Splunk search head?