Hello Team, I am trying to create TCP and UDP ports from Splunk cloud REST api's, but i am getting below permission error. Please suggest me what permissions i need to change. <msg type="ERROR">You (user=*****) do not have permission to perform this operation (requires capability: edit_tcp).</msg> How can i give edit_tcp role to my account. Thanks, venkata.

My published addon was build using addon builder 3.0.1. I updated the addon app by exporting it from Addon builder version 4.1.0 recently. I am facing issue when we install the addon in fresh system. When I open the input page it gives 500 error and shows page like one attached with this message. Following are the exception from the splunkd.log:   ------------------------------------------------------- 06-26-2022 13:36:02.878 +0000 ERROR AdminManagerExternal - Stack trace from python handler:\nTraceback (most recent call last):\n File "/opt/splunk/etc/apps/<APP_NAME>/bin/<APP_NAME>/aob_py3/splunktaucclib/rest_handler/handler.py", line 124, in wrapper\n for name, data, acl in meth(self, *args, **kwargs):\n File "/opt/splunk/etc/apps/<APP_NAME>/bin/<APP_NAME>/aob_py3/splunktaucclib/rest_handler/handler.py", line 179, in all\n **query\n File "/opt/splunk/etc/apps/<APP_NAME>/bin/<APP_NAME>/aob_py3/splunklib/binding.py", line 290, in wrapper\n return request_fun(self, *args, **kwargs)\n File "/opt/splunk/etc/apps/<APP_NAME>/bin/<APP_NAME>/aob_py3/splunklib/binding.py", line 71, in new_f\n val = f(*args, **kwargs)\n File "/opt/splunk/etc/apps/<APP_NAME>/bin/<APP_NAME>/aob_py3/splunklib/binding.py", line 686, in get\n response = self.http.get(path, all_headers, **query)\n File "/opt/splunk/etc/apps/<APP_NAME>/bin/<APP_NAME>/aob_py3/splunklib/binding.py", line 1199, in get\n return self.request(url, { 'method': "GET", 'headers': headers })\n File "/opt/splunk/etc/apps/<APP_NAME>/bin/<APP_NAME>/aob_py3/splunklib/binding.py", line 1262, in request\n raise HTTPError(response)\nsplunklib.binding.HTTPError: HTTP 404 Not Found -- b'{"messages":[{"type":"ERROR","text":"Not Found"}]}'\n\nDuring handling of the above exception, another exception occurred:\n\nTraceback (most recent call last):\n File "/opt/splunk/lib/python3.7/site-packages/splunk/admin.py", line 113, in init_persistent\n hand.execute(info)\n File "/opt/splunk/lib/python3.7/site-packages/splunk/admin.py", line 636, in execute\n if self.requestedAction == ACTION_LIST: self.handleList(confInfo)\n File "/opt/splunk/etc/apps/<APP_NAME>/bin/<APP_NAME>/aob_py3/splunk_aoblib/rest_migration.py", line 39, in handleList\n AdminExternalHandler.handleList(self, confInfo)\n File "/opt/splunk/etc/apps/<APP_NAME>/bin/<APP_NAME>/aob_py3/splunktaucclib/rest_handler/admin_external.py", line 63, in wrapper\n for entity in result:\n File "/opt/splunk/etc/apps/<APP_NAME>/bin/<APP_NAME>/aob_py3/splunktaucclib/rest_handler/handler.py", line 129, in wrapper\n raise RestError(exc.status, str(exc))\nsplunktaucclib.rest_handler.error.RestError: REST Error [404]: Not Found -- HTTP 404 Not Found -- b'{"messages":[{"type":"ERROR","text":"Not Found"}]}'\n 06-26-2022 13:36:02.878 +0000 ERROR AdminManagerExternal - Unexpected error "<class 'splunktaucclib.rest_handler.error.RestError'>" from python handler: "REST Error [404]: Not Found -- HTTP 404 Not Found -- b'{"messages":[{"type":"ERROR","text":"Not Found"}]}'". See splunkd.log for more details. -------------------------------------------------------     This behavior is not reproducing in case we upgrade the addon from previous version. Please help me resolve this.  

Hi @guilmxm , I have installed and configured NMON monitoring app in my distributed Splunk environment all features are working and responding perfectly. But this Inventory summery was not showing list of Linux hosts. I have gone through the doc as well but not getting what needs to be done for this. Can anyone please let me know what needs to be done from my end.. Thanks in advance!      

Hi, Thanks in advance Below events is in splunk .We have two repos in git 1. AAA 2.BBB.When ever the repos will replicate and both repos should be same file. But in my case after replicate both repos files are missing so i should compare the files and whare are the files is missing and send an alert as difference in repos. INTERESTING FIELDS: CODE.Modified_files{} TOOLKIT.Modified_files{}   Expected output after comparing: CODE.Modified_files{} "a/D:\\\\splunk_code_replication\\\\AAA_CODE/.git/logs/refs/heads/master", "a/D:\\\\splunk_code_replication\\\\AAA_CODE/.git/version.json" TOOLKIT.Modified_files{} "a/D:\\\\splunk_code_replication\\\\AAA_TOOLKIT/.git/logs/refs/heads/master" These files are only present in AAA repo but not in BBB. So we need compare both AAA and BBB missing files. As per the event and show the difference.         { "CODE": { "modified_files": [ "a/D:\\\\splunk_code_replication\\\\AAA_CODE/.git/HEAD", "a/D:\\\\splunk_code_replication\\\\AAA_CODE/.git/config", "a/D:\\\\splunk_code_replication\\\\BBB_CODE/.git/HEAD", "a/D:\\\\splunk_code_replication\\\\BBB_CODE/.git/config", "a/D:\\\\splunk_code_replication\\\\AAA_CODE/.git/logs/refs/heads/master", "a/D:\\\\splunk_code_replication\\\\AAA_CODE/.git/version.json" ] } } { "TOOlKIT": { "modified_files": [ "a/D:\\\\splunk_code_replication\\\\AAA_TOOLKIT/.git/HEAD", "a/D:\\\\splunk_code_replication\\\\AAA_TOOLKIT/.git/config", "a/D:\\\\splunk_code_replication\\\\BBB_TOOLKIT/.git/HEAD", "a/D:\\\\splunk_code_replication\\\\BBB_TOOLKIT/.git/config", "a/D:\\\\splunk_code_replication\\\\AAA_TOOLKIT/.git/logs/refs/heads/master", ] } }          

On my replication bundle I have a whole list of unwanted files that exists from a particular App "XYZ" which are as shown below      apps/XYZ/bin/suds/mx/typer.pyc apps/XYZ/bin/suds/mx/encoded.py apps/XYZ/bin/suds/mx/__init__.pyc apps/XYZ/bin/suds/mx/literal.py apps/XYZ/bin/suds/mx/__init__.py apps/XYZ/bin/suds/options.py apps/XYZ/bin/suds/sudsobject.py     Now, how can i apply replicationblacklist to anything that is under the APP "XYZ" ?    distsearch.conf   [replicationBlacklist] ....  

All,  I've noticed by default that Splunk Forwarder gives itself /bin/bash  in /etc/passwd.  e.g. splunk:x:1001:1001:Splunk Server:/opt/splunkforwarder:/bin/bash I changed it to the below and restarted: splunk:x:1001:1001:Splunk Server:/opt/splunkforwarder:/sbin/nologin Best I can tell there was no impact. Scripted inputs are working as it the monitor stanza's.  Is there any reason I should leave Splunk user with a Shell?    thanks!

Simple setup, two different sites with a single clustered Indexer in each, a local Heavy Forwarder that is also the deployment server for the UF's, and a SH in each site. I've deployed the TA_docker_simple app in both sites, installed on both HF's and the intended docker servers at each site.  Works great in one site but I get no data indexed in the other.  All UF's send in the data from the .sh scripts that the app contains (I can see event counts in their metrics.log) but on the problem site HF, I'm seeing messages like this: 06-27-2022 21:00:50.057 +0000 WARN DateParserVerbose - Accepted time (Fri Apr 1 18:31:29 2022) is suspiciously far away from the previous event's time (Fri Apr 1 19:46:38 2022), but still accepted because it was extracted by the same pattern. Context: source=docker_simple_ps|host=XXXXXX|docker:ps|6581 host = XXXXXXX source = /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd splunk_server = XXXXXXXX Which looks like it's trying to use a string date that is in the script output but isn't the timestamp (it's the container creation timestamp). The actual timestamp is an epoch integer at the beginning of each event.  Even if it were getting imported with the invalid timestamps I would see the data with a realtime search but I see nothing coming in.  I'm not sure how to resolve this.  Both sites are using the same copy of the app on the HF (minus the inputs.conf) and on the UFs.    It works perfectly in one site but not the other.  I've used btool to verify the props and transforms on the HF's are exactly the same.  It's probably something obvious but I can't figure this one out.

Hello everyone,   We found that the VM has more RAM allocated currently we have 12GB of RAM for each Search Head, but that can be increase to 48GB of RAM. I have been reading and increase the capacity of the Search Heads can affect the indexer nodes: An increase in search tier capacity corresponds to increased search load on the indexing tier, requiring scaling of the indexer nodes. Scaling either tier can be done vertically by increasing per-instance hardware resources, or horizontally by increasing the total node count. And that make sense, currently the environment has more searches than indexers and I think increase the capacity of the SH can overwhelm the  indexers. Current environment: 3 SH (cluster) and 2 Indexers(cluster). I would appreciate any recommendation to do this as good as possible and be able to use the memory allocated.   Kind Regards.

Hello Splunkers,  I've an issue with my event time configuration. It has incorrect timestamp. Below are my props settings..it doesn't seem to be working. Please Advise TIME_FORMAT = %Y-%m-%d %H:%M:%S TIME_PREFIX = ^ TZ = UTC-4 MAX_TIMESTAMP_LOOKAHEAD = 20    Sample log format Time                                                                      Event 6/27/21 8:30:56.000 PM                #Software: banana Internet Information Services 19.0                                                                    #Version: 10.0                                                                    #Date: 2021-06-27 20:32:46                                                                    #Fields: Sacramento is the capital of California 6/27/21 8:30:56.000 PM                 #Software: pineapple Internet Information Services 39.0                                                                     #Version: 12.0                                                                     #Date: 2021-06-27 20:32:46                                                                     #Fields: Austin is the capital of Texas    

Hello, When I plot a chart between two columns, I am not able to see all the values on the x-axis instead only the name of the column is visible. I have around 180 values in the x-axis column. How do I solve the problem. 

I have rows in the form: ID Field1 Field2 Field3   And I would like to create a histogram that shows the values of all three fields. I can make one for Field1 by doing stats count by Field1 span=1000 but I can't seem to figure out how I would get the other values into the same table. Do I need to do multiple searches and join them? How would I go about doing that?