All Topics

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Hi All! After upgrading to 8.1.10, data is not coming from a REST source anymore. How am I able to check what the input configs were prior to the change? What could also cause this issue?
Hello, I have a user who wants to send logs via HEC to Splunk Cloud via an HF. I created a token on the HF and shared the token, index and HF endpoint. When the user sends a test event with cURL, it is successful and I can see the event, but when the user tries to send via Logstash, we are seeing a Java cert error. My question is whether the user can output to regular HTTP and not use SSL? Error message: message=>"xxxx path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target" Looking for suggestions. Thanks.
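The SunCertPathBuilderException above means the Logstash JVM has no trust path to the certificate presented by the HF's HEC listener (a Splunk HF serves a Splunk self-signed certificate on port 8088 unless you configure your own). The fix is to give Logstash the CA chain, not to drop TLS: sending over plain HTTP would expose the HEC token and every event in cleartext on the wire. The following Logstash pipeline fragment is an added example, not code from the original post; the hostname, port, certificate path, index name and the HEC_TOKEN environment variable are assumptions.

```conf
# Added example (not from the original post): Logstash http output to a Splunk HF HEC endpoint.
# Assumptions: the HF listens on 8088, the token is supplied via the HEC_TOKEN environment
# variable, and the CA (or the self-signed cert itself) that signed the HF's HEC certificate has
# been exported in PEM form to /etc/logstash/certs/hf-ca.pem. Hostname and index are placeholders.
output {
  http {
    url         => "https://hf.example.com:8088/services/collector/event"
    http_method => "post"
    format      => "json"
    headers     => { "Authorization" => "Splunk ${HEC_TOKEN}" }
    # Trust the HF's certificate chain instead of disabling TLS or switching to plain HTTP.
    cacert      => "/etc/logstash/certs/hf-ca.pem"
    mapping     => {
      "event"      => "%{message}"
      "sourcetype" => "_json"
      "index"      => "my_index"
    }
  }
}
```

If the HF is still serving the default Splunk certificate, the longer-term fix is to install a certificate issued by your own CA on the HEC listener (the `serverCert` setting in the `[http]` stanza of inputs.conf on the HF) so that every client, not just Logstash, can validate it without a per-client trust override.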
Greetings Community Experts, I have a group of devices that each should report state to a portal every 10 seconds. If a device fails to report for 6 periods (one minute), I am categorizing the device as disconnected. The time period is a workday of 6:30 AM - 6:30 PM (12 hours / 720 minutes). I am trying to use the search results to generate a percentage of connected devices. The calculation fails in the last step. Requesting your assistance to develop a working search. Here is the search I am using. Thanks in advance!

index=test earliest=-2d@d+6h+30m latest=-1d@d-5h-30m
| bucket span=1m _time
| stats count by _time, SerialNumber
| eval state=if(count>=1, "Con", "Dcon")
| stats count by SerialNumber, state
| eval status=case(count=720, "Connected", count<720, "Disconnected")
| stats count by status
| eval Percent=round((Connected-Disconnected)/Connected*100, 2)."%"
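The last `eval` in the search above cannot work because `stats count by status` produces one row per status with the fields `status` and `count`; there are no fields named `Connected` or `Disconnected` to subtract. The search below is an added example, not the original poster's search, that keeps the same 720-minute rule (a device counts as connected only if it reported in every minute of the window) and pivots the two statuses onto one row with `count(eval(...))` so the percentage can be computed. The index name `test` and the field `SerialNumber` come from the post; the time window is rewritten as yesterday 06:30 to 18:30, which is an assumption about what the original modifiers intended.

```spl
index=test earliest=-1d@d+6h+30m latest=-1d@d+18h+30m
| bucket span=1m _time
| stats count by _time, SerialNumber
| stats count as minutes_seen by SerialNumber
| eval status=if(minutes_seen>=720, "Connected", "Disconnected")
| stats count(eval(status="Connected")) as Connected,
        count(eval(status="Disconnected")) as Disconnected
| eval Total=Connected+Disconnected
| eval Percent=round(Connected/Total*100, 2)."%"
| table Connected, Disconnected, Total, Percent
```

Two caveats: a device that never reported during the window produces no events at all and so is missing from the denominator, which inflates the percentage; the device population should come from an inventory lookup (not shown here) rather than from what happened to be indexed. And this rule marks a device disconnected after any single silent minute, which is stricter than "six consecutive missed 10-second periods"; a gap-based rule would need `streamstats` over the per-device report times rather than a count of minutes.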
Hello, I have a single deployment server on-prem running Splunk Enterprise version 8.0.5, and I am planning to upgrade it to v9. Can someone help me with the upgrade steps? Thanks
Hello, is it possible to delete user-created sourcetypes on Splunk Cloud? I checked under All configurations and the Sourcetypes options but didn't find anything. Does anyone have an idea? I guess we need to open a case with Splunk Support for deletion? Thanks
I have two columns per event I am trying to use. We'll call these col1 and UnknownRandomColumnName (urcn for short). The key of urcn changes from event to event, but the value of col1 will always be the key of urcn. How can I use the value of col1 as a key for the data I'd like to output from urcn in a search? Example data for my events may look like:

| col   | urcn1 | urcn2 |
|-------|-------|-------|
| urcn1 | Value |       |
| urcn2 |       | Value |
How can I extract a list of users?
I am trying to add data into Splunk in JSON format. All the events have the same format. Let's say we have a format like this: [ field1 : value1 field2 : value2 ] Is it possible for me to update value1 to some value3, given field1? I am looking to first achieve this from the website and, if this is possible, I am looking for REST APIs to achieve the same.
I followed the setup instructions, but it seems I am missing something. I have made sure I have all the required apps installed, but for some reason I am getting two sections that are showing red. I would think that since most sources are "CIM compliant data", the two red sections should be as well. Are there any issues or additional information I may be missing? I did accelerate all required sources listed as well.
I have the Cisco Cloud Security app installed. The add-on is configured with a data input, and I have confirmed data is synced and contained within the configured index. When setting up the Cisco Cloud Security App, under Umbrella Settings on the Application Settings page, I cannot select an index from any of the dropdown boxes.
When using RapidDiag I either get bumped to a "Something went wrong! Click here to return to Splunk homepage. TypeError: Cannot read properties of undefined (reading 'proxy_to')" error after trying to run a report, or it runs a report and, when I navigate to the Task Manager tab and click to go to the next page, I get the same error. Can someone please point me in the right direction to resolve this? This is a single-server install of Splunk Enterprise running v9.0.0.
Hello! I am looking for a way to override the built-in Trigger Condition for Notable Response Actions, "For each result". I'd like Notable Response Actions to only be triggered "Once" so results/events are more consolidated and work with my other tools more efficiently. See the screenshot image. It notes that "Notable response actions and risk response actions are always triggered for each result" despite the Trigger being set to "Once". Is there any way to override this so Notable Response Actions are triggered once as configured? Thanks for your help! (This setting is found under Configure -> Content -> Content Management after selecting a specific security alert to edit.)
Hello folks, I'm trying to write a drill-down search for a correlation search in Enterprise Security, and I'm having trouble extracting/accessing a field in my event. Each event has a collection of conditional access policies stored in an array, with each value in the array being a collection of key-value pairs. With syntax highlighting, it looks like this (with some policies not expanded): Here's what it looks like in the raw text:

"appliedConditionalAccessPolicies": [{"id": "xxx", "displayName": "xxx", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "notEnabled"}, {"id": "xxx", "displayName": "xxx", "enforcedGrantControls": ["Mfa"], "enforcedSessionControls": ["CloudAppSecurity"], "result": "notApplied"}, {"id": "xxx", "displayName": "xxx", "enforcedGrantControls": ["RequireApprovedApp"], "enforcedSessionControls": [], "result": "notApplied"}, ...]

We've extracted the fields:
appliedConditionalAccessPolicies{}.displayName
appliedConditionalAccessPolicies{}.enforcedGrantControls
appliedConditionalAccessPolicies{}.enforcedSessionControls
appliedConditionalAccessPolicies{}.id
appliedConditionalAccessPolicies{}.result

However, because we have 13 different policies in the appliedConditionalAccessPolicies array, every event contains every possible value of each of these fields. We don't have a way to associate values from the same index of the array together. Many of these policies are tests, which I don't care about. I really only care about two of them, and I would like to find a way to access at least the displayName and result of only those two policies. It would also be nice to access the enforcedGrantControls and enforcedSessionControls of the policies, but those are less critical to my search. Is there a way I can index into this array in my search to pull two specific displayName and result values out and use them, for example with a stats command? Thanks in advance for your help!
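The auto-extracted `appliedConditionalAccessPolicies{}.*` fields lose the per-element grouping because each becomes an independent multivalue field. One way to keep displayName, result and the control lists of the same array element together is to pull the array out with `spath` as one multivalue field of JSON objects, `mvexpand` it to one row per policy, and only then extract the sub-fields from each object. The search below is an added example, not the original poster's search; the index, sourcetype and the two policy display names are placeholders for whatever the real sign-in data uses.

```spl
index=azure_signin sourcetype="azure:aad:signin"
| spath path=appliedConditionalAccessPolicies{} output=policy
| mvexpand policy
| spath input=policy path=displayName output=policy_name
| spath input=policy path=result output=policy_result
| spath input=policy path=enforcedGrantControls{} output=grant_controls
| spath input=policy path=enforcedSessionControls{} output=session_controls
| search policy_name IN ("Require MFA for admins", "Block legacy authentication")
| eval grant_controls=coalesce(mvjoin(grant_controls, ","), "none"),
       session_controls=coalesce(mvjoin(session_controls, ","), "none")
| stats count by policy_name, policy_result, grant_controls, session_controls
```

Because `mvexpand` copies every other field of the event onto each of the 13 expanded rows, filter on the two policy names immediately after the sub-field extraction (as above) and keep the base search as narrow as possible; `mvexpand` is subject to a memory limit and will truncate results silently on very wide events. For a drill-down you would typically replace the final `stats` with a `table` that also carries `_time` and the user field from the sign-in event.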
I have the results of vulnerability scans for Quarter 1, Quarter 2 and Quarter 3 and the remediation scan results for each quarter; all are added to Splunk by uploading CSV files. After adding them I got these: host="SPL-SH-DC" sourcetype="****" source="*****.CSV" and the fields IP_Address, Plugin_Name, Severity, Protocol, Port, Exploit, Synopsis, Description, Solution, See_Also, CVSS_V2_Base_Score, CVE, Plugin. I want a report with these three statuses, "New Active Vulnerabilities", "Fixed" and "Active Vulnerabilities", based on joining on these 7 fields: IP_Address, Plugin, Plugin_Name, Severity, Protocol, Port, Exploit. I will appreciate your contribution. Ritheka kan
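Classifying findings as new, fixed or still active between two scans does not need a `join`: pull both CSV uploads in one search, tag each row with which scan it came from, group on the seven identifying fields with `stats`, and look at which scans each finding appeared in. The search below is an added example, not the original poster's search; the index name, sourcetype and the `source` patterns used to tell the two uploads apart are assumptions, since the post shows them masked.

```spl
index=vuln sourcetype="nessus:csv" (source="*Q1*.CSV" OR source="*Q2*.CSV")
| eval scan=if(like(source, "%Q1%"), "previous", "current")
| stats values(scan) as seen_in
        by IP_Address, Plugin, Plugin_Name, Severity, Protocol, Port, Exploit
| eval status=case(
    mvcount(seen_in)=2,  "Active Vulnerabilities",
    seen_in="current",   "New Active Vulnerabilities",
    seen_in="previous",  "Fixed")
| stats count by status
```

Replace the last line with `| table status, IP_Address, Plugin, Plugin_Name, Severity, Port` to list the individual findings instead of the totals, and swap the `source` patterns for the Q2/Q3 or scan/remediation-scan pairs to produce the other comparisons. Be aware that "Fixed" here only means the finding was absent from the later scan; a host that was offline or excluded from the later scan will show the same way, so the host list of each scan should be checked before the report is treated as remediation evidence.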
Hi, I have JSON data for GitHub repos in the format below:

{
  data: {
    clone_count: 0
    clone_uniques: 0
    view_count: 7
    view_uniques: 4
  }
  date: 2022-06-28
  repository: projectA
}

This data will be pushed every day for 2 repos. Now I want to create a dashboard which has the month on the x-axis and shows sum(clone_count) and sum(view_count) for both repos monthly, as shown below. My query currently looks like this:

index=test source="data"
| where repository in ("binary","manifest")
| eval data_date = split(date,"-")
| eval data_year=mvindex(data_date,0)
| eval data_month=mvindex(data_date,1)
| eval current_year=strftime(now(),"%Y")
| eval current_month=strftime(now(),"%m")
| spath output=clonecount path=data.clone_count
| spath output=viewcount path=data.view_count
| stats sum(clonecount) as Totalclonecount, sum(viewcount) AS Totalviewcount by repository, data_month
After upgrading to Splunk 9.0 on a single instance, we occasionally get KV Store errors. CLI status shows:

This member:
backupRestoreStatus : Ready
disabled : 0
featureCompatibilityVersion : An error occurred during the last operation ('getParameter', domain: '15', code: '13053'): No suitable servers found: `serverSelectionTimeoutMS` expired: [connection closed calling ismaster on '127.0.0.1:8191']
guid : E8254C08-B854-426C-B66D-7072D625D0F6
port : 8191
standalone : 1
status : failed
storageEngine : mmapv1

I've looked on Splunk.com and googled but haven't found anything on single instances beyond reinstalling 9.0, which I've done twice.
When scanning an endpoint in SOAR, how do you get a credential scan? I can start a scan via a SOAR playbook, but it's not a credential scan.
Hi, Security alert: Splunk Universal Forwarder. Is this a customer-installable upgrade (to version 9), or do I need to get my Splunk Partner to install it for me? Is there a procedure document anywhere? Many thanks
The mongod command line has a clear-text password argument like "--sslPEMKeyPassword=password". How do I avoid the clear-text password when splunkd.exe starts the service? Thanks