I recently upgraded the eStreamer add-on from version 3.0.0 to 5.1.0 on our Splunk Heavy Forwarder. Since there were no specific upgrade steps for going from the old version to the latest, I installed the add-on over the existing one.

However, after installing the new add-on, we stopped receiving logs from the IPS and got the error below when I ran the following command:

/opt/splunk/etc/apps/TA-eStreamer/bin/splencore.sh test

Error:

Traceback (most recent call last):
  File "./estreamer/preflight.py", line 34, in <module>
    import estreamer.crossprocesslogging
  File "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/__init__.py", line 28, in <module>
    from estreamer.connection import Connection
  File "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/connection.py", line 23, in <module>
    import ssl
  File "/opt/splunk/lib/python3.7/ssl.py", line 98, in <module>
    import _ssl # if we can't import it, let the error propagate
ImportError: /opt/splunk/lib/python3.7/lib-dynload/_ssl.cpython-37m-x86_64-linux-gnu.so: undefined symbol: SSL_CTX_get0_param
Here is what is on Splunkbase (maybe others, too):

Umbrella Add-on for Splunk Enterprise: https://apps.splunk.com/app/3629/ (also on GitHub)
Cisco Umbrella Add-On for Splunk: https://splunkbase.splunk.com/app/3926/
Cisco Umbrella Investigate Add-on: https://splunkbase.splunk.com/app/3324/ (https://developer.cisco.com/docs/cloud-security/#!umbrella-investigate-add-on-for-splunk/set-up-credentials)
Cisco Cloud Security Umbrella Add-on for Splunk: https://splunkbase.splunk.com/app/5557/

There is clearly a great deal of duplication and I am VERY confused about what is what and which to use. There are at least 2 things to be done:
1: Data Input: Pull in security events.
2: Ad-Hoc Lookup: Enrich Splunk events with threat detail.

I am hoping for 2 kinds of help:
1: A suggestion on which apps to use.
2: Step-by-step details on how to set each up.
Hi there, how do I show only the US on the choropleth map for the dashboard? That is, the dashboard panel should have two views: one US view and one world view. I know we can zoom out and in, but you'd have to do that each time you load the dashboard for the US-related view. Appreciate the help.
Hi, I am trying to build a multi-input textbox dashboard based on a KV store lookup. My query is like this:

| inputlookup <some-host-detail-kvlookup> | search $computer_name$ OR $computer_number$ OR $computer_id$ | fields computerName computerNumber ComputerId ...

Each token has a prefix, i.e. <fieldName>= (which is the column header field in the lookup). Each token also has an initial value of null, thus the query runs like this:

| search computerName=null OR computerNumber=null OR ComputerId=null
| search computerName=FOO OR computerNumber=null OR ComputerId=null

As you can see, setting the <fieldName> to null allows the search to run without breaking, but after a user enters FOO for the computerName value, they need to reset the blank search inputs back to null. Otherwise, if a blank is passed like

| search computerName= OR computerNumber=null OR ComputerId=null

the search breaks.

Any suggestions on how to ignore the empty inputs, or a way to reset the initial values to null again, are greatly appreciated. Or if anyone has a suggestion to do this another way, I would very much like to hear it. Thank you.
Hi guys, I'm a Splunk beginner and I'm having some trouble making a specific query. I have a health check log, and I want to know how many times the user restarts my app. The first health check log is when the user logs in for the first time, and the next ones are the times that the user restarts my app.

This is my current query:

index=myIndex Title=Healthcheck | stats count by Data.Ip

With the result of this query I have the total times the user opened my app, but I want to remove just 1 from the count of each user.

Current result:
Data.IP        count
4.21.28.39     5
21.224.60.37   3

Expected result:
Data.IP        count
4.21.28.39     4
21.224.60.37   2
I'm in a situation where, by sourcetype, I already have a nested JSON array broken into 2 fields: DeviceProperties{}.Name and DeviceProperties{}.Value. There are 16 elements in each array. I'm trying to simply create a field whose name is the value of the second element in DeviceProperties{}.Name and whose value is the value of the second element in DeviceProperties{}.Value. In this scenario I think I can get away with just creating a field with just DeviceProperties{1}.Value, but I haven't been successful in doing that. I've tried using the json_extract function, but I think I am getting the syntax wrong, and I haven't found any examples yet that are trying to do this exact scenario where the JSON array was already created as a multivalue field.
I tried looking around to see if anyone else has encountered the same issue as me and I couldn't find anything. On Splunk Cloud when I attempt to install an app from the "Browse More Apps" page it pops up the login for half a second then refreshes the page to a specific keyword search. I have tried in two different browsers and have experienced the same behavior. I am not sure what to do as I need to install apps and can't. Any help is appreciated.
Hello, I've a requirement for the "Time2" time picker to be updated automatically based on the selection of the "Time1" time picker. The "Time2" time picker should be = Time1 - 1 day. For example, if I choose Today in Time1 then Time2 should be automatically populated as "Last 1 day". If I choose Yesterday in Time1 then Time2 should be automatically populated as "Last 2 days" (starting from 12:00 AM the day before yesterday till the end of yesterday). @bowesmana
Hi, I need to extract only the name values (the first word value, e.g. james) from the Name field below. I tried

rex field=Name mode=sed "s/\W+\s\w.*//g"

but it is not working.

Name
james buildingA
jack buildingB firstfloor

Can you please help me with this.
Hello, I'm trying to pull the final value for a product name. In a single event, we make multiple calls to an API for the product name, and the product may change with each API call. I'm trying to build out a table for the final product name (the field doesn't change), but can't figure out what command to use. Here's what I have so far.

index=conversation crm_accounts_phone__product_name=* | rename crm_accounts_phone__product_name as product | stats latest(product) | table product

Appreciate any help!
According to this article, Basic Authentication Deprecation, MS is moving to modern authentication in October of 2022. As of now, the only authentication method allowed in the app is basic. I see here https://splunkbase.splunk.com/app/3720/ that they will update the app. Does anyone know an ETA for that? What I'm driving at is, I'd like to see the ability to switch between auth methods before basic auth gets deprecated by MS.
Invalid earliest_time error on PDF. XML tags in the source:

<earliest>-4h@h</earliest>
<latest>now</latest>
I was trying to figure out how this would work but was having a little trouble. I was thinking that using similar logic to what was shown here would work, however I wanted to clarify whether this would be the right track: Solved: Adding tooltip to panel on a hover - Splunk Community
I'm working with a Splunk install that someone else had set up. There are a few customizations that have disabled HTTPS access over 8089. I'm trying to run the Upgrade Readiness App before upgrading Splunk (from version 8.0.1), but would like to run the scan over HTTP without having to revert all the custom settings in Splunk. Is there a way to change the Upgrade Readiness App to scan over HTTP instead? Thank you, Jason
Hi! I have a dashboard with search input fields that allow running a search, and the results are displayed in a table. I want to create a custom button to act on the data from the search. I don't want to repeat the search using tokens and searchmanager. Is it possible to load the full results from the table in JavaScript, in the case of a multi-page table like this? I know it's possible to download a .csv file using the SID from the search, but I want to know if there is another way to do it. I can extract the data from the table page that's currently rendered on the dashboard. Thank you in advance.
We are getting the small hot buckets warning for this index, but the timestamps look fine just with a few hours offset. Not quite sure where to go from here.
Hey guys, I hope you're doing well. I didn't receive the SMS verification code or SMS alerts on the Splunk On-Call product. My team across the world (US, Brazil, Ecuador) is receiving SMSs, but I (from Paraguay) am not receiving the SMS. The phone zone code for Paraguay is +595 and a complete phone number should be +595 XXX XXXXXX. I tried with two different phone numbers. Do you have any suggestions? Thanks,
Hi. Does anyone know how to use a background, or highlight a specific area in the chart between two values? For example, below is a chart, and then I'd have two overlay values, and I'd like to highlight the area between those values in green, where field A is 15,000,000 and field B is 20,000,000. Thank you in advance!
Hello, whenever a user logs in to Splunk with some role, I want to hide the Splunk App bar from that specific user/role, without using hidesplunkbar=true. How can I achieve it? Thanks a lot.
Hi, how can we get the number of users per minute in the User Experience section of AppDynamics? ^ Post edited by @Ryan.Paredez to add a title that has a question. Please try your best to ask a question in the title. This helps others search and find existing content.