All Posts


Hello Everyone, I'm trying to create a playbook that, based on the message provided by the prompt action, will update the container:open_time field. I already tried the following:

1. Use the container_update custom function, where I've set in the input_json box:
{"custom_fields": {"open_time": prompt_1:action_result.summary.responses.0}}

2. Created a new variable:
prompt_value = container.get("prompt_1:action_result.summary.responses.1", None)
input_json = {}
input_json = {"container:open_time": prompt_value}
parameters.append({ "inpu_json": json.dumps(input_json)})

But I'm receiving the following message: "Valid container entered but no valid container changes provided."

Perhaps someone has a different method to help me resolve this.
Hello Splunkers, checking if anyone has successfully integrated Beyond Trust RS SaaS with Splunk. Their official guide only talks about on-prem integration, where a Middleware connector needs to be installed, but for the Cloud Remote Support application how can this be achieved? Is there a custom TA for REST, or can a HEC be used here? Appreciate some assistance here. Thanks! Regards, Moh.
I wonder if there is any client to test the Splunk REST API, something like Postman. I can't seem to find the Splunk API collection.
I have a use case where defanged IoC attachments are downloaded from Outlook and uploaded into Splunk. We would like to check if there is any Postman API to upload IoCs for a user with: a. a Splunk Enterprise license only (lookup table); b. both Splunk Enterprise and Splunk Enterprise Security licenses.
May I know which part I should refer to for the following error? ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c1106)
The file ACF2DS_Data.csv comprises columns such as TIMESTAMP, DS_NAME, and JOBNAME. I need to perform a partial match of the LKUP_DSN column from the DSN_LKUP.csv file with the DS_NAME column in the ACF2DS_Data.csv file in order to retrieve the relevant events from ACF2DS_Data.csv.
Hi @Cheng2Ready , please, see this my old answer: https://community.splunk.com/t5/Splunk-Search/Bank-holiday-exclusion-from-search-query/m-p/491071 Ciao. Giuseppe
Hi @Dikshi, please could you check your splunkd.log for any errors relating to Mongo/KVStore and report back. Also, have you made any changes recently to either the Splunk version, permissions, certificates or operating system? Please let me know how you get on, and consider accepting this answer or adding karma to this answer if it has helped. Regards, Will
How to solve: my mongod.log file is empty
kvstore featurecompatibility shows "an error occurred during the last operation ('get parameter') domain 15 code 13053 no suitable server found serverselection Timeoutms expired [tls handshake failed error:000000lib(0):func(0):reason[0]". This above error is showing.
@msatish  have you tried this?   
This is not related to the Splunkbase app, but to the observability-synthetics module itself. Thanks for pointing it out; removed the associated app here!
@ganji What is the ERROR code?
@ganji  Check this https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-Failed-to-load-Inputs-Page/m-p/631993 
@ganji
1. Check splunkd.log:
index=_internal source=*splunkd.log VT4Splunk
OR
/opt/splunk/var/log/splunk/splunkd.log | grep -i "VT4Splunk"
2. Uninstall and reinstall the app
OrgID: <enter-orgid> Realm: <enter-realm> Instance Name: <instance-name> Request: Please securely open our Splunk Cloud Platform instance management port (8089) and add the IP addresses of the above realm to our allow list so that we can enable Log Observer Connect. ref: https://docs.splunk.com/observability/en/logs/scp.html#support-ticket

So here, when I'm trying to connect Log Observer with Splunk Cloud (I'm in the free trial), it's telling me to open the management port 8089 of the Splunk Cloud instance, and for this we have to raise a case with Splunk Support. Is this setup actually required?
@Fara7at08 The "Short ID" button might be missing due to changes in the interface or settings during the upgrade. According to the Upgrade Splunk Enterprise Security - Splunk Documentation, under "After upgrading to version 7.0.0": When you upgrade the Splunk Enterprise Security app to versions 7.0.0 or higher, the short IDs for notables that were created prior to the upgrade are not displayed on the Incident Review page. As a workaround, you can recreate all the short IDs that were available prior to the upgrade.
I'm building a front-end Node.js Docker image; it needs to install appd. My Node.js version is v22 linux/amd64, and the appd version is 24.12.0. But after the image is built, when I try to start the server, I get the error below:

Appdynamics agent cannot be initialized due to Error: /appdynamics/node_modules/appdynamics-libagent-napi/appd_libagent.node: cannot open shared object file: No such file or directory Error:/node_modules/appdynamics/node_modules/appdynamics-libagent-napi/appd_libagent.node: cannot open shared object file: No such file or directory at Module._extensions..node (node:internal/modules/cjs/loader:1717:18) at Module.load (node:internal/modules/cjs/loader:1317:32) at Module._load (node:internal/modules/cjs/loader:1127:12) at TracingChannel.traceSync (node:diagnostics_channel:315:14) at wrapModuleLoad (node:internal/modules/cjs/loader:217:24) at Module.require (node:internal/modules/cjs/loader:1339:12) at require (node:internal/modules/helpers:125:16) at Module._compile (node:internal/modules/cjs/loader:1546:14)

I checked and confirmed the appd_libagent.node is already under 
So it looks like I was able to solve this issue by mapping "${user:groups}" to the role attribute and creating Splunk SAML groups with the name of the Group ID from the IdP group.
There is no need to test.  Splunk will only parse an event as JSON if the *entire* event is nothing but pure well-formed JSON.  It can't parse part of the event or extract a field and parse that.  Of course, you can do those things yourself in a query, but Splunk won't do it automatically.