Hello, Everyone. I want to Install Universal Forwarder in RHEL5 32bit version. Is it available for installation provide any link and It should be compactable with the latest version of Splunk main. Any Idea for this thanks in advance.

Hi All, I was trying to find the unencrypted passwords in my logs by using one anchor pattern. After getting the password value by anchor pattern, I have to check whether it is encrypted or not. In my logs the encyption is done by using asterisk(*) symbol. So, It has been difficult for me to differentiate between user entered password and encrypted password as user password can also have the asterisk(*) symbol. There are no prior requirements for the passwords like atleast 1Uppercase, 1 lowercase etc.. The Password will have no min length. Passwords can be like: 1. 1234556687 2. RonnieAlex 3. Tyler@123 4. #%@cosmic123 5. A***B*V*****U**Y***(Encrypted password in my log)  Help me with the regex that matches all the above cases. Thx in advance

Hi, I am using a multiselect input with the following query: |inputlookup ABC | eval hjk=_key | lookup XYZ asset OUTPUT ass AS name, app AS application | stats values( application) However, when I add this onto the actual dashboard, no results are generated as expected on the actual input. What am I doing incorrectly? Thanks,

Hi, I am new to Splunk. I just started using it last month. For me the below  " | eval error=substr(msg, 0, 1000) |  table error app_name"    is not working  with my alert event. It doesn't work for large strings with 20k or more characters. The table cells show blank in this case. But values can be found in verbose mode but in fast mode. However it works when the msg is of ~1150 characters.

Hi All, We are facing a weird issue where we are unable to see any new incidents on PCI compliance >Incidents review. When we click the new incident it just returns no notable events found. No changes were made on ES or Splunk. Has anybody faced this kind of issue?

splunklib.binding.HTTPError: HTTP 500 Internal Server Error -- b'{"messages":[{"type":"ERROR","text":"Cannot call handler \'splunk_ta_aws_settings_proxy\' due to missing script \'aws_proxy_settings_rh.py\'."}]}' 2022-06-18 19:03:38,719 level=INFO pid=14431 tid=MainThread logger=splunksdc.collector pos=collector.py:run:270 | | message="Modular input exited." 2022-06-18 19:03:51,931 level=INFO pid=14435 tid=MainThread logger=splunksdc.collector pos=collector.py:run:267 | | message="Modular input started." 2022-06-18 19:03:51,940 level=ERROR pid=14435 tid=MainThread logger=splunk_ta_aws.modinputs.sqs_based_s3.handler pos=utils.py:wrapper:77 | datainput="SqsBasedS3Input" start_time=1655579031 | message="Data input was interrupted by an unhandled exception." Traceback (most recent call last): File "/opt/splunk/etc/slave-apps/Splunk_TA_aws/bin/splunksdc/utils.py", line 75, in wrapper return func(*args, **kwargs) File "/opt/splunk/etc/slave-apps/Splunk_TA_aws/bin/splunk_ta_aws/modinputs/sqs_based_s3/handler.py", line 857, in run proxy = ProxySettings.load(config) File "/opt/splunk/etc/slave-apps/Splunk_TA_aws/bin/splunk_ta_aws/common/proxy.py", line 40, in load virtual=True, File "/opt/splunk/etc/slave-apps/Splunk_TA_aws/bin/splunksdc/config.py", line 38, in load content = self._cached_load(path) File "/opt/splunk/etc/slave-apps/Splunk_TA_aws/bin/splunksdc/config.py", line 52, in _cached_load content = self._fresh_load(path) File "/opt/splunk/etc/slave-apps/Splunk_TA_aws/bin/splunksdc/config.py", line 64, in _fresh_load elements = self._get(path, query) File "/opt/splunk/etc/slave-apps/Splunk_TA_aws/bin/splunksdc/config.py", line 68, in _get response = self._service.get(path, **query) File "/opt/splunk/etc/slave-apps/Splunk_TA_aws/lib/splunklib/binding.py", line 288, in wrapper return request_fun(self, *args, **kwargs) File "/opt/splunk/etc/slave-apps/Splunk_TA_aws/lib/splunklib/binding.py", line 69, in new_f val = f(*args, **kwargs) File "/opt/splunk/etc/slave-apps/Splunk_TA_aws/lib/splunklib/binding.py", line 684, in get response = self.http.get(path, all_headers, **query) File "/opt/splunk/etc/slave-apps/Splunk_TA_aws/lib/splunklib/binding.py", line 1197, in get return self.request(url, { 'method': "GET", 'headers': headers }) File "/opt/splunk/etc/slave-apps/Splunk_TA_aws/lib/splunklib/binding.py", line 1260, in request raise HTTPError(response) splunklib.binding.HTTPError: HTTP 500 Internal Server Error -- b'{"messages":[{"type":"ERROR","text":"Cannot call handler \'splunk_ta_aws_settings_proxy\' due to missing script \'aws_proxy_settings_rh.py\'."}]}' 2022-06-18 19:03:51,942 level=INFO pid=14435 tid=MainThread logger=splunksdc.collector pos=collector.py:run:270 | | message="Modular input exited."   Earlier it was working fine, it's not working post i tried changing password.conf file, what should i do now? Reverting the password.conf is not working 

how do i setup my indexer with Splunk aws add on from config files, our indexers doesn't have web. UI.   The question is how do I update Secret Key and Access Key from the backend within the indexers /opt/splunk/etc/slave-app/Splunk_TA_aws/?  is there any file which i need to update?

I have two Searches and following are its result individually - index="myindex" <my search 1> | table App Size Count App  Size  Count App1 5GB   100 App2 100GB 10000 index=myindex" <my search 2> | table App Size Count App  Size Count App3 15GB 1500 Now I want to run a report that shows result of all Apps (1 to 3) together. So, I used append. index="myindex" <my search 1> | table App Size Count | append [search index=myindex" <my search 2> | table App Size Count] | addcoltotals But when I used it, I didn't get the complete result. "Size" column is showing different value. Something like this - App  Size  Count App1 5GB   100 App2 100GB 10000 App3 7GB   720 What should be used to get the complete resultset as we got for each search. Best way to merge two query resultsets.   Thanks!