All Posts

There is no option "Alert" when I try to "Save As" for the current search. There is also no "Access Controls" in "Settings". My final plan is to send alerts to Slack channels, but all the instructions I was able to find are for different versions of Splunk (Enterprise, etc.). Could someone point me in the right direction? Thank you!
Appreciate the quick response. THANK YOU!
If config.spa = {"spa2": true}; config.isZonePromise = true; doesn't help, try the setting below, as it might be conflicting with a library that uses Promise: config.noConflictPromiseMode = true
Hello @y0u7, yes, Splunk App for Salesforce seems to be deprecated, as it has not been updated by anyone for a long time. Regarding its replacement, I am afraid if we have any Splunk-supported problems.
@y0u7 Yes, you can use an archived app in Splunk, but it is no longer updated or officially supported by its developers. When you already have an app installed on your environment and that app is archived, this won't affect the already installed one, but there will be no support offered by the developer.
@y0u7 Please have a look at https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Add-on-For-Salesforce/m-p/657128
I've been testing both "Splunk App for Salesforce" and "Splunk Add-on for Salesforce" since last year. I just checked to ensure I'm on the most recent version and I see the App is archived. Has it been deprecated? Is there a replacement option? THANKS
Hi @gitingua, sorry if I wasn't clear: you have to choose one solution: TCP input in Splunk or rsyslog, not both of them! If you choose the first (and you did it!) you have syslogs in Splunk. If you want rsyslog, delete the other configuration and create a new one in /etc/rsyslog.d/. To configure rsyslog, you can follow the documentation at the above link. A sample of rsyslog configuration is:

# Write every received message to a per-host, per-day file owned by the splunk user
ruleset(name="your_ruleset") {
    action(type="omfile"
           file="/data/syslog/your_technology/%fromhost-ip%/%$YEAR%/%$MONTH%/%$DAY%/your_technology.log"
           fileOwner="splunk" fileGroup="splunk" dirOwner="splunk" dirGroup="splunk")
}
# The imtcp input below needs the imtcp module loaded (imudp is only for UDP listeners)
module(load="imtcp")
input(type="imtcp" port="765" ruleset="your_ruleset")

But read the documentation. Ciao. Giuseppe
@rksharma2808  Check this https://www.servicenow.com/community/developer-forum/unable-to-create-incidents-via-splunk-add-on-for-servicenow/m-p/2815690 
Hi @rksharma2808 Are you able to change the log level to DEBUG to see if this presents some different logs? Also, do you get an error when setting up the account in the ServiceNow app, or when an input runs? Do you have any logs created with a name like "splunk_ta_snow_main.log" with any useful information? Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped. Regards Will
See my answer to a similar question https://community.splunk.com/t5/Dashboards-Visualizations/Dashboard-CSS-Width-setup-doesn-t-work-anymore-with-9-x-version/m-p/712713/highlight/true#M58300
@rksharma2808 The 500 Internal Server Error from ServiceNow when trying to create a ticket usually indicates an issue on the ServiceNow side rather than Splunk. Ensure the endpoint is accessible from Splunk (e.g., test via curl or Postman). A 500 error can occur if the payload sent to ServiceNow is malformed or missing required fields. Cross-check the payload fields with ServiceNow's API documentation for ticket creation. If possible, log the payload being sent by Splunk and manually test it using Postman or curl to identify the exact issue. I would recommend you set up a call with the ServiceNow team and fix the issue.
Try something like this (depending on where your hidden/style panel is in the row):

<row id="MasterRow">
  <panel depends="$alwaysHideCSS$">
    <title>Single value</title>
    <html>
      <style>
        #MasterRow div:nth-child(2).dashboard-cell {width:15% !important;}
        #MasterRow div:nth-child(3).dashboard-cell {width:85% !important;}
      </style>
    </html>
  </panel>
  <panel id="Panel1">....</panel>
  <panel id="Panel2">....</panel>
</row>
Hello Kiran, thank you. We tried generating a new token:

log_level=ERROR pid=403773 tid=Thread-1 file=snow_ticket.py:_handle_response:572 | [invocation_id=d1d96adc92a7437e907573c9d8226bcb] Failed to create ticket. Return code is 500 (Internal Server Error).
@rksharma2808  As the error message suggests, try regenerating the access token. This can often resolve the issue if the token has expired. Ensure that the new access token has a sufficient expiry time. Sometimes, tokens are set to expire too quickly, causing frequent issues. If you are hitting API rate limits, ServiceNow might invalidate the token. Verify with your ServiceNow admin if rate limits are being enforced.
@gcusello Thanks
I have integrated Splunk with ServiceNow, and am getting the below error:

log_level=ERROR pid=531305 tid=MainThread file=snow_data_loader.py:_do_collect:538 | Failure potentially caused by expired access token. Regenerating access token
@gcusello  Sorry, I might have confused you. Let me try to illustrate this clearly. I have server.host — this is where the test_log.json log is being collected. There is also splunk.test.host — I configured a Data Input, opened port 765 TCP, assigned it the index test_index, and set the sourcetype to _json. The setup on the splunk.test.host side is complete, and all network access is in place. Now, on the server.host side: In /etc/rsyslog.d/, I created a file called send_splunk.conf. In this config file, I specify the address splunk.test.host, port 765, and the TCP protocol. However, I’m having trouble correctly configuring /etc/rsyslog.d/send_splunk.conf so that rsyslog reads the test_log.json file and sends each new line to Splunk as it appears in the file.
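A forwarding-side rsyslog configuration for the setup described above, added here as an example and not taken from the thread: imfile tails test_log.json on server.host and omfwd sends each new line over TCP to splunk.test.host:765, where the TCP input with sourcetype _json receives it. The file path /var/log/test_log.json, the tag and the queue file name are assumptions.

```conf
# /etc/rsyslog.d/send_splunk.conf (added example; path of the JSON file is assumed)

# Tail the JSON log; rsyslog remembers its read position in a state file
# kept in the global workDirectory set in rsyslog.conf.
module(load="imfile")
input(type="imfile"
      File="/var/log/test_log.json"
      Tag="test_log_json"
      ruleset="to_splunk")

# Send only the raw line, so the Splunk TCP input sees one clean JSON
# object per line instead of a syslog header wrapped around it.
template(name="RawLine" type="string" string="%msg%\n")

ruleset(name="to_splunk") {
    action(type="omfwd"
           target="splunk.test.host"
           port="765"
           protocol="tcp"
           template="RawLine"
           # Disk-assisted queue: lines are buffered locally while Splunk is
           # down or restarting, instead of being dropped.
           queue.type="LinkedList"
           queue.filename="splunk_fwd_q"
           action.resumeRetryCount="-1")
}
```

The queue and retry settings are what make this rsyslog path survive Splunk restarts, which is the advantage the earlier reply describes. Traffic on port 765 is plaintext TCP here; rsyslog's omfwd supports TLS (gtls stream driver) and Splunk can accept it with a [tcp-ssl://765] stanza in inputs.conf when the hosts are on an untrusted network.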
Hi @gitingua, there is a little confusion: do you want to ingest syslogs using rsyslog or TCP Input? They are two different ways to ingest syslogs: using rsyslog, you use rsyslog to ingest logs and write them in a text file that you have to read using a File input. Using TCP Input, you configure the input in Splunk without using rsyslog and you directly forward them to Splunk. The second solution is easier to implement but has the problem that it can run only when Splunk is up, e.g. during a restart you lose syslogs. For this reason the solution using rsyslog is preferable even if you have to configure: at first the rsyslog (for more info see https://www.rsyslog.com/doc/index.html ) and then the Splunk file input (for more info see https://docs.splunk.com/Documentation/Splunk/9.4.0/Data/Monitorfilesanddirectorieswithinputs.conf ). Lastly, having a JSON format, remember to add INDEXED_EXTRACTIONS = JSON to your props.conf; in this way you automatically extract all the fields. Ciao. Giuseppe
Hi @JIreland This will entirely depend on the sourcetypes that you are feeding in to Splunk. What is the source of your Audit data? There may be some pre-built dashboards for some of these in apps specific to the type of data you are bringing in. Otherwise it might be a case of working through the data to put together each of these. When you are putting together the dashboards, bear in mind that sometimes things within dashboards can be missed or overlooked if crowded, and that things like alerts may be more suitable for rare events that you need to know about. Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped. Regards Will