I am currently monitoring AD account data using InfoSec. However, the number of accounts under the "Compliance" tab and the "Health" tab that are being monitored is not the correct number. Even the numbers presented don't agree with each other.  My data on AD appears to be CIM compliant as the CIM_Authentication section under "Health" is green. Only pulling from the "main" index from source types WinEventLog and ActiveDirectory.  My data sources appear correct.   Any ideas why InfoSec would not display the proper amount of accounts in AD? Am I looking at this wrong?

Hi Experts, The documentation indicates that Splunk Cloud supports encrypted assertions with SAML SSO: https://docs.splunk.com/Documentation/SplunkCloud/8.2.2202/Security/HowSAMLSSOworks  "Configure automatic decryption of SAML assertions from an IdP" However, the instructions for obtaining the Splunk instance's encryption certificate appear to be for Splunk Enterprise installs, not for Splunk Cloud. For example, "On your Splunk platform instance, change to the $SPLUNK_HOME/etc/auth directory." A little help?

While editing the Notable, we have options called "Edit selected".  Can anyone help me with how to put the limit(number of Notable to be edited) at one time? eg: If I want to update 20 Notable with the same work note. I will check mark 20 Notable and update the Work note. However, I just want to put a Max limit of 10 Notable to be updated /edited in a single time. 

When I try to start the splunkd service, it gives me the following crash log.   [build 51d9cac7b837] 2022-05-16 14:43:39 Received fatal signal 6 (Aborted). Cause: Signal sent by PID 2084 running under UID 26001. Crashing thread: TcpChannelThread

I need to extract the below field, Required a Regex for the same 1)trc values I need to get regex for "Asva.nsearoon@peypafe.com" 2) tsd values I need to get regex for "flipkart.com" 3)SIP values I need to get regex for "198.161.151.190" Below the sample logs. {"etype":"User","eid":"prvs=343333211os.com","ut":"Regular","tsd":"\"flipkart.com\" <Flipkart@youraccount-alerts.com>","sip":"198.161.151.190","srt":"1","trc":"Asva.nsearoon@peypafe.com"," Thanks,  

Hi at all, this is probably a stupid question but I have few experience on Splunk Cloud. I uploaded a custom app on Splunk Cloud and the validation upload procedure asked to me to move all images and JSs from $SPLUNK_HOME/etc/apps/my_app/appserver/static to $SPLUNK_HOME/etc/apps/my_app/appserver After this update I was able to upload my custom App, but now all the images aren't visible and JSs non executed because the path is chaged from /static/app/my_app/appserver/my_image.png to what? Thank you in advance. Ciao. Giuseppe

below is the data which has multiple features for a single item. I want to write a regex which could search all occurrences of feature (not just first occurance) and then count the feature . I have written below search string but count value is not consistent. can someone plz take a look and advice. Many thanks in advance. |makeresults | eval _raw="[{\"\"feature\"\": \"\"INTDATA\"\"}, {\"\"feature\"\": \"\"INTDATA2\"\"}, {\"\"feature\"\": \"\"MGDAT0\"\"}, {\"\"feature\"\": \"\"MGPR2TI\"\"}, {\"\"feature\"\": \"\"MSTORE\"\"}, {\"\"feature\"\": \"\"PNINCLWAP\"\"}, {\"\"feature\"\": \"\"PRMCAFIND\"\"}, {\"\"feature\"\": \"\"3WY\"\"}, {\"\"feature\"\": \"\"CFC\"\"}, {\"\"feature\"\": \"\"CFU\"\"}, {\"\"feature\"\": \"\"CLIP\"\"}, {\"\"feature\"\": \"\"CLIR\"\"}, {\"\"feature\"\": \"\"CLW\"\"}, {\"\"feature\"\": \"\"DATA\"\"}, {\"\"feature\"\": \"\"CAMTAC\"\"}, {\"\"feature\"\": \"\"HOLD\"\"}, {\"\"feature\"\": \"\"INROAM\"\"}, {\"\"feature\"\": \"\"ISP\"\"}, {\"\"feature\"\": \"\"MSTORE\"\"}, {\"\"feature\"\": \"\"NWROAM\"\"}, {\"\"feature\"\": \"\"PERMGL\"\"}, {\"\"feature\"\": \"\"SMSO\"\"}, {\"\"feature\"\": \"\"VM\"\"}, {\"\"feature\"\": \"\"GFLEX\"\"}]" |rex max_match=0 "\"\"feature\"\": \"\"(?<feature>.*?)\"\"}" |stats count(feature) by feature

Dear Splunkers, We are upgrading our UFs in our environment, and I noticed that the number of clients is increasing due to the upgrading process. Right now, I'm seeing the same clients with the same information except the GUIDs (Client Name) are different while the old one had not phoned home for a while, is this considered a problem? and how long will it be there until the  Forwarder Manager drops it? thanks, 

Just making sure that I didn't miss something. There is no way to set RF and SF based on which site the originates from? I mean - let's say that I have two sites and I don't want the data to be replicated between sites in any way. The customer understand that there is no site-level data resiliency and in case of a site outage faces unavailability of all the buckets stored at that site and is OK with that. I know that I could simply do - for example - origin:2, total:2 but that means that I have to have the same settings in both sites but if I wanted to have different settings at each site? Of course I could do separate clusters at each site but that also means more fuss with managing configurations - deploying apps and so on. Anything I missed?