Hello, I am using dashboard studio on Splunk Cloud - 8.2.2203.2 where I have a base search and 2 chained searches that reference the base search. The base search is using the Global Time Range (global_time) as a time range input when searching. The chain searches should also inherent the same value that the base search is getting from global_time as shown below.   "Time Range Currently using Global Time Range input $global_time.earliest$ - $global_time.latest$"   However, when I am changing the time input, the panel that is using one of the chain search does not load automatically and would only work if I refresh the entire page. In addition, when I click on the magnifying glass (Open in search) for the panel, it takes me to a search page but does not return any results because of the error "Invalid earliest_time". I then manually select "Last 24 hours" for the time range in the search query drop down button and that resolve the error and returned results. This tells me that the search query itself is good but there may have been issue with the time range value not being passed from the base search to the chain search. If my panel is referencing a base search directly, the time range value works perfectly, the dashboard re-search when I change the time, and have no error when I click "Open in Search".   I also noted that in the URL after I click "Open in Search" for the panel that is using a chain search, it had this in the URL: "earliest=%24global_time.earliest%24&latest=%24global_time.latest%24". This tells me that the value that global_time was holding did not get pass onto the chain search. I confirmed this by manually selecting the "Last 24 hours" for the time range in the search query drop down button and noted this in the URL: "earliest=-24h%40h&latest=now", something along this line should have been in the URL when I click "Open in Search" instead of variable name.    Can someone please help to see if this is a bug or is there something special that needs to be configured for a chain search to inherent value from a time range token?   Thank you

I would like to have a report emailed to me a few minutes after an alert goes off.  While the alert can include the results, it is based on something specific and will not have all the information I need.  Let's say the alert is set up to catch too many host communication  errors to a specific endpoint.  Errors>100.  Currently I either go to the alert and alter it to make a time chart to see any trends, or go to a specific dashboard that shows communication errors with other endpoints, network status, response times, etc.  When the problem goes away I take all the Splunk graphs and make an incident report.   I would like to have a report with graphs and other info based on the dashboard emailed to me at the time of the alert and 10 minutes after.   Sometimes I can get to my email, but not to Splunk.   This would also help with the incident report and make them more uniform.  Is this possible?  I have not worked with reports much.  Can a report be triggered by a separate search?  I could not find that answer online so I believe it can't.  I could write a query that looks at the last time an alert went off and have that trigger the associated report if possible.  I would like some type of PDF that I can just attach to the incident report.  More importantly I would like to have much more detail emailed to me after an alert.  I'm not even sure what an emailed report looks like.  I could google that, but If I can't trigger it there is no need for the report.  Although in reading about reports I want to use them more with dashboards.  Thanks         

I have 3 filters for servers like this: (the tokens from these filters are used in the query) Server1 : Bridge_API, Bridge_UAT, Bridge_UAT_API Server2:  PG_API, PG_UAT, PG_UAT_API Server 3:  PA_API, PA_UAT, PA_UAT_API When I select a server type from any of the dropdown for e.g. if I select Bridge_API from Server1 dropdown, the other filters should switch to *_API and query the data. (if I select a server from the Server 2, the corresponding suffix server should be updated) Similarly for Bridge_UAT others should switch to PG_UAT and PA_UAT. How can I achieve this?

Hello, I've recently upgrade from Splunk 7.0 to Splunk 9.0. One of the things that ended up breaking is the Splunk Add-on for Tenable (5.1.4). I knew it was going to stop working due to compatibility issues and that's fine since we really needed to upgrade Splunk. Is there any other way for our Splunk environment to receive Nessus data? We currently have Nessus Professional Version 10 and it does not seem to work with the Tenable Add-on for Splunk.  Thanks, Grant

MS Teams Alert Action add on is just sending first row from the output of Alert in MS teams. I have multiple rows in the output and want entire table to be sent to teams as an Alert. Please suggest how to configure that.  Thanks in advance for your responses. 

For example below is my raw data in sample.log file. This is a |AWS| test log testing.  The source of this file is opt/sample.log but I want to change my source from source= /opt/sample.log to source=AWS which will be extracted from raw data  while indexing in splunk. props.conf [log] TRANSFORMS-sourcechange=replacedefaultsource   Transforms.conf [replacedefaultsource] WRITE_META = true SOURCE_KEY = _raw REGEX = \|(.*)\| DEST_KEY = MetaData:Source FORMAT= source::$1 Thank you in advance please help me.    

Does anyone have any experience using the IP Quality Score add-on in Splunk? I've been given very little information on how to actually run searches in the add-on and so far im not getting any results. For instance I'm trying to use the IP Detection commands on our web traffic logs but I'm not getting any results. I just keep getting an error saying:   Exception at "/opt/splunk/etc/apps/TA-ipqualityscore/bin/ipdetection.py", line 127 : There are no events with ip field.    

I installed the Splunk App for SOAR Export app on Splunk, and I can see two alert options in manage alerts, namely 'Run Playbook in SOAR' and 'Send to SOAR'. However, when I go to add an alert action, these two are missing from there.  These options were available when I first installed the app, and then they were gone from the alert.

Intro The client upgraded their Oracle DB from v12.1.0.2 to v19.15.0.0.0. The client DBAs were experiencing issues with load and caching on their DB and found queries run by the service account the AppD Agent runs, to be a culprit, so they asked for the AppD DB Agent to be upgraded. Initial action Upgraded the prod, on-prem Windows DB agent from v21.2.0.2285 to v22.6.0.2803(latest available at the time). Issue 2 of the Oracle DBs stopped reporting the DB Load metrics consistently. The DB agent logs have no Error or Warning logs related to these 2 DB Collectors that can be troubleshot.  There are several other Oracle DBs on the same version, the same controller, and agents that are not experiencing the issue.  All other DB metrics are reporting in.  Further testing Tested in pre-prod by having the pre-prod DB agent (same new version as prod) and pre-prod controller(SaaS, v22.5.0-662) monitor the 2 problematic prod Oracle DBs. The same issue is present. No Load metrics. (points to an agent version issue) Monitored pre-prod equivalent Oracle DB (Same oracle version, different DB), but it does not experience the issue. (Issue isolated to specific DBs) Tested by monitoring the problematic DBs with a completely different DB agent that matches the older version that was updated away from and the issue is not present. Shows again that it's related to the new agent version.  Conclusion  The client could not carry on with missing Load metrics for DBs in question so the agent was rolled back to the older version that did not have this issue. AppD support has 2 theories on this and is still asking for more queries to be run against the prod DBs as they experience the issue, but this only happening to the prod DBs and we cannot recreate it in pre-prod, so it's not a quick thing to do. (Breaking the prod DB monitoring just to wait for the issue and then run queries) Theory 1: DB agent is not able to query the DB Theory 2: DB agent is not able to send all metrics to SaaS Controller The screenshot below shows the Load metrics not reported consistently for a busy prod Oracle DB.  Shows Load metrics not reporting in I am hoping someone else might have come across this issue as well and has a possible solution, or more evidence pointing to a possible DB agent version bug.  *Second time I created this post because my first one just went missing after I submitted it.

Hi   i have a curious problem. (btw. not my first Powershell input )  I am trying to Input some Active Directory Data into Splunk right now. Below a bit changed output of my Script:        [ { "SpecialUsers_S": false, "SpecialUsers_X": false, "SpecialUsers_U": false, "SpecialUsers_A": false, "SpecialUsers_TBM": false, "SpecialUsers_T": false, "HR_Canceled_Users": false, "HR_Inactive_Users": false, "HR_Temporary-Inactive_Users": false, "FehlerStatus": "0", "PasswordNeverExpires_State": "null", "OU_State": "null", "Account_State": "null", "Manager_State": "null", "Account_Expiration_Date": "null", "EmployeeNumberError": "null", "DescriptionError": "null", "ManagersViaGroup": "null", "Wrong_Name": "null", "Wrong_EMail": "null", "Manager_Description": "null", "Multiple_SpecialGroups": "null", "Multiple_HR_Groups": "null", "SamAccountName": "SamAccount01", "Enabled": true, "EmployeeNumber": "11112", "SN": "Surname01", "Description": "0200000000", "Department": "Department01", "Company": "The Firm", "emailaddress": "Email01@domain.com", "DistinguishedName": "The Distinguished Name 01", "hkDS-EntryDate": "09.09.1991 02:00:00", "LastLogonDate": "18.07.2022 07:22:38", "PasswordLastSet": "02.06.2022 09:22:36" }, { "SpecialUsers_S": false, "SpecialUsers_X": false, "SpecialUsers_U": false, "SpecialUsers_A": false, "SpecialUsers_TBM": false, "SpecialUsers_T": false, "HR_Canceled_Users": false, "HR_Inactive_Users": false, "HR_Temporary-Inactive_Users": false, "FehlerStatus": "0", "PasswordNeverExpires_State": "null", "OU_State": "null", "Account_State": "null", "Manager_State": "null", "Account_Expiration_Date": "null", "EmployeeNumberError": "null", "DescriptionError": "null", "ManagersViaGroup": "null", "Wrong_Name": "null", "Wrong_EMail": "null", "Manager_Description": "null", "Multiple_SpecialGroups": "null", "Multiple_HR_Groups": "null", "SamAccountName": "SamAccount02", "Enabled": true, "EmployeeNumber": "11113", "SN": "Surname02", "Description": "000000000", "Department": "Department02", "Company": "The Firm", "emailaddress": "email02@Domain.com", "DistinguishedName": "The Distinguished Name 01", "hkDS-EntryDate": "10.10.2002 02:00:00", "LastLogonDate": "18.07.2022 08:07:31", "PasswordLastSet": "26.05.2022 17:27:42" } ]        Exported into File and testet with Validators all is fine.  But what i see in Splunk is:        "SpecialUsers_S": false, "SpecialUsers_X": false, "SpecialUsers_U": false, "SpecialUsers_A": false, "SpecialUsers_TBM": false, "SpecialUsers_T": false, "HR_Canceled_Users": false, "HR_Inactive_Users": false, "HR_Temporary-Inactive_Users": false, "FehlerStatus": "0", "PasswordNeverExpires_State": "null", "OU_State": "null", "Account_State": "null", "Manager_State": "null", "Account_Expiration_Date": "null", "EmployeeNumberError": "null", "DescriptionError": "null", "ManagersViaGroup": "null", "Wrong_Name": "null", "Wrong_EMail": "null", "Manager_Description": "null", "Multiple_SpecialGroups": "null", "Multiple_HR_Groups": "null", "SamAccountName": "SamAccount01", "Enabled": true, "EmployeeNumber": "null", "SN": "", "Description": "null", "Department": "null", "Company": "", "emailaddress": null, "DistinguishedName": "The Distinguished Name", "hkDS-EntryDate": "null", "LastLogonDate": "null", "PasswordLastSet": "null" }         As u can see i am missing a lot of information, and i cant figure out why... Some like SamAccountName and DistinguishedName is working but other variables like Company, Department or Description are missing...  Skript is rather long but if needed i can post Parts of it how i do stuff   the inputs.conf for this is:        [powershell://Get_AD_Report] script = . "$SplunkHome\etc\system\bin\Powershell\GetADReport.ps1" schedule=15 * * * * sourcetype=_json index=hk_office365         Maybe someone as some kind of clue whats happening there for me?  Would really help am on this for much to long already and tried so many different ways now...