Hi team I need to apply a different condition in one panel of my dashboard depending on a selected column in other panel I am trying to assign a token value in my first panel depending on the column I just select, and then use this token value in order to apply a specific condition in my second panel.   My first question is: What should be the token value that I have to set to my token in order to identify the clicked column? I mean, what token value I can select: $click.name$ $click.name2$   My second question is: How can I configure my query in the second panel in order to take in account the token value, and apply the specific condition based on the token value   Thanks in advance

Recently deployed this add-on, but it doesn't seem to bring back Traffic or URL logs like we did when using the TA-meraki & syslog. Are these not supported with the API-based mechanism, or is there something I'm missing - like a setting on the Meraki end to include these logs? Thanks, Gord T.

I've setup Kinesis Firehose to push to Splunk HEC which is ingesting fine, however, I would like to add the logstream field from Cloudwatch to Splunk.   The code used in the Lambda can be found here: https://github.com/ptdavies17/CloudwatchFH2HEC        sourcetype = os.environ['SPLUNK_SOURCETYPE'] return_message = '{"time": ' + str(log_event['timestamp']) + ',"host": "' + \ arn + '","source": "' + filterName + ':' + loggrp + '"' return_message = return_message + ',"sourcetype":"' + sourcetype + '"' return_message = return_message + ',"event": ' + \ json.dumps(log_event['message']) + '}\n' return return_message + '\n'         The code block above works and it returns the formatted message:       { "time": 1234567891011, "host": "arn", "source": "some_source", "sourcetype": "some_source_type", "event": "event_data" }        When I add the logstream to the code block as such:       sourcetype = os.environ['SPLUNK_SOURCETYPE'] return_message = '{"time": ' + str(log_event['timestamp']) + ',"host": "' + \ arn + '","source": "' + filterName + ':' + loggrp + '"' return_message = return_message + ',"logstream":"' + logstrm + '"' return_message = return_message + ',"sourcetype":"' + sourcetype + '"' return_message = return_message + ',"event": ' + \ json.dumps(log_event['message']) + '}\n' return return_message + '\n'       The changes get processed by the transformation Lambda correctly( it is a valid json and the logs in Cloudwatch confirm that):       { "time": 1234567891011, "host": "some_host", "source": "some_source", "logstream": "logstream_in_amazon", "sourcetype": "some_source_type", "event": "some_event_data" }       But the Kinesis Delivery Stream to Splunk errors out with:       The data is not formatted correctly. To see how to properly format data for Raw or Event HEC endpoints, see Splunk Event Data (http://dev.splunk.com/view/event-collector/SP-CAAAE6P#data). HecServerErrorResponseException{serverRespObject=HecErrorResponseValueObject{text=Invalid data format, code=6, invalidEventNumber=0}, httpBodyAndStatus=HttpBodyAndStatus{statusCode=400, body={"text":"Invalid data format","code":6,"invalid-event-number":0}...       Is there something I'm missing? I've tried tons of changes to the Lambda code, but all of them return this error. Maybe I cannot add a field from CW to Splunk this way? I am new to Splunk, so I might not be asking the right question or might be missing something, but any help would be much appreciated.

I would like to search from 600 seconds before to 600 seconds after the time specified in the time picker on the dashboard. Is there a good idea? The time picker is also used in another panel, so it is in response to the request that I didn't want to place multiple time pickers. === This SPL did not pass. === index = _internal earliest = $ field1.earliest $ --600 latest = $ field1.earliest $ + 600

Hi All, We are observing high number of parsing issues on sourcetype= symantec:email:cloud:atp. We haven't done any changes in Add-on. Please suggest how to resolve this issue. how to identify exact which events are facing this issue and how to resolve it. Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event. Defaulting to timestamp of previous event (Wed Jun 29 10:52:21 2022). Context: source=/opt/splunk/etc/apps/TA-symantec_email/bin/symantec_collect_atp.py|host=s|symantec:email:cloud:atp| 06-29-2022 10:53:30.862 +0000 WARN DateParserVerbose [27921 merging] - The TIME_FORMAT specified is matching timestamps (INVALID_TIME (1656499945449)) outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE. Context: source=/opt/splunk/etc/apps/TA-symantec_email/bin/symantec_collect_atp.py|host=|symantec:email:cloud:atp| Please find the props.config file setting for symantec:email:cloud:atp    

Hey guys , I need last 30 days stats for the use-cases that did not fire up on the ES console. Below is the query that i designed  `notable` | search NOT `suppression` | timechart usenull=f span=30d count by rule_name | where _time >= relative_time(now(),"-1mon") But not getting the desired results as they are only populating one specific date into it. Can someone please refine the above query as i need the trend analysis for the usecases ?  

I'm confused a bit. I use CIM datamodels. The "tag" field is both a filter for choosing events applicable to a particular datamodel and is an attribute within the datasets. My datamodel is accelerated. When I do a simple | from datamodel:Authentication.Failed_Authentication I get events with some fields selected (in fast mode) - I assume that those are fields correspoding to the dataset-defined fields. What's most important for me here is that the "tag" field is populated as with any normal search. But when I do  | tstats summariesonly=t dc(Authentication.tag) as tag where nodename=Authentication.Failed_Authentication by Authentication.app Authentication.src   I get zero count for dc(Authentication.tag). It would suggest that the tags are not indexed . All other fields that I tried (like src, dest, user and so on) seem to be indexed OK and I'm able to tstats for them but the tag field is not. Is it treated somehow differently? Or is it because tag is multivalued?

This is a tip, not a question.  When you have a large solution, you can see on the log data: what the UF name that data comes from, what Index server data are stored on.  What you do not see are what Heavy Forwarders data are passing trough.  Here is an app that do just that.  Adding an extra field does not use extra license, since only _raw length are calculated. Make an app that you sends to all HF servere: app name: set_name_gateway_hf props.conf (will apply to all data)     [source::...] TRANSFORMS_set_hf_server_name = set_hf_server_name     transforms.conf     [set_hf_server_name] INGEST_EVAL = splunk_hf_name := splunk_server     This will use the Splunk HF server name from etc/system/local/server.conf

I have a dump.json file that collects events in JSON format: {"key":"value","key":"value","key":"value","key":"value"....} I have no problem processing it however each line has 400 Keys and I only need 30 of them in splunk. How can I tell the Universal forwarder to only send those 30 fields to my Indexers? Ingesting all the 400 fields consumes a lot of resources and license.