All Topics

Hello, I am trying to write a regex to break a URL after the fourth slash (https://xxxx/yyyy/test). Could you help, please?
We are developing an Android app that uses AppDynamics 20.5.0 and Firebase Bill-of-Materials 26.8.0, which includes Firebase Performance. We recently received a report from a user who found that the background network data usage of our app was extremely high, on the order of gigabytes per month. Upon investigation, we found that the call to the https://col.eum-appdynamics.com endpoint would consume a lot of data as requests were repeatedly made to it on app startup. We went through our app release history and noticed that this behavior started around the time we added Firebase Bill-of-Materials, and after digging some more, found that the high data usage stopped when we disabled Firebase Performance. This behavior is present even when we update AppDynamics to its latest version (21.11.0) and Firebase Bill-of-Materials to its latest version (30.0.1). Is this a known issue, and if so, is there anything that can be done on the mobile app side's AppDynamics configuration to prevent the high data usage? In the short term, we've disabled Firebase Performance in the app, but obviously it's not an optimal solution.
Hi, I am sending OpenTelemetry log data to Splunk. I am sending 3 different types of logs to one index and to one sourcetype (for the moment). Is it possible to receive this data into Splunk and then create 3 different sourcetypes based on the event data, not the data?

splunk_hec/logs: # pushed to splunk
  token: "ac3fa6bf-f9df-4757-a5e5-9ee7bf23160d"
  endpoint: "https://dell425srv:9088/services/collector"
  source: "mx"
  sourcetype: "otel"
  index: "murex_logs"
  tls:
    insecure_skip_verify: true

In the below image we can see the event data is called log.type. There can be three of them. I need to make 3 sourcetypes from these 3. Normally I would use a transform, but I think I can only use that on the data, not the event data? Any help would be great. Thanks in advance, Robbie
Hi all, I'm trying to implement some Use Cases from the Security Essentials App, using AWS data. I found the following problem: I'd like to use a Use Case called "Multiple Account Deletion by an Administrator", but the App tells me that the accelerated "Change" Data Model is missing, even though it is present and accelerated. The strange thing is that the message doesn't say that there is no data, but that there is no accelerated Data Model. Where could I look for the problem? Thank you in advance. Ciao. Giuseppe
Hello Splunk Community, I am pretty new to Splunk and I have a use case where different subsets of logs are to be forwarded to different indexes from the same monitor location. For example, all logs matching a pattern (like a regex) should go to index1 and all other logs should go to the default index. I found this Splunk documentation, but it is forwarding logs from different monitor locations. I have the following in inputs.conf:

inputs.conf
[monitor:///<monitor-location>]
index = <my-index>
sourcetype = <type>

Can you please help?
Hi there, I want to filter out some records if they match multiple criteria, for example:

host   service  state
=====================
h1     s1       stopped
h1     s2       running
h2     s1       stopped
h3     s1       running
h4     s1       running
h4     s2       running
h4     s3       stopped

So I need to filter out only hosts that have multiple services and where the s1 service is stopped. The output should be like this:

host   service  state
=====================
h2     s1       stopped
h3     s1       running
h4     s1       running
h4     s2       running
h4     s3       stopped

Explanation: The first two records with h1 are gone, as it had multiple services and the one with s1 was stopped. Also, h2 is still in the output because it's running only one service, s1, so it shouldn't be filtered out even though it's stopped. Hope I could explain my problem. Huge thanks in advance.
Is there a way to have Excel data sync to Splunk? I am basically trying to have a dashboard to search from an Excel sheet.
Hey everyone... I know there has to be an easy way to do what I want, but I just can't figure out how. It should be straightforward, but apparently I can't figure it out. I have a dropdown and, depending on its value, I want to change my search criteria for dependent widgets. For example: I have a single value widget on my dashboard. The default search query for that widget is index='idx' source='src1'.... If someone picks the second element in the dropdown (label = "My Second Element", value = 'secondelement'), I want the search query to change to index='idx' source='src2'.... and for the dashboard to refresh. Similarly, when selecting the first element, I want it to go back to source = 'src1'. I don't have any sort of submit button and am puzzled by similar answers to other questions that include a wall of XML. It seems to me that this should be doable via an if statement in the query or by parameterizing the query before it's run. I'm obviously ignorant about large swaths of Splunk, so please explain it like I'm five.
Hi, please let me know if you can help me get this metric (Unique User Count). If yes, kindly let me know how to derive it. Best Regards, Mohan Krishna V

^Post edited by @Ryan.Paredez: post was split off into its own post and the title changed to reflect the question.
I am trying to create a dashboard for an allowlist. Basically the user should be able to fill in the required fields and select whether to add, remove, or reauthorize the user and update the lookup table. This is what I have so far:

<form version="1.1" theme="dark">
  <label>USB BAU Allowlist</label>
  <description>This is a dashboard that will allow you to add and remove users to a usb allowlist with a BAU activity.</description>
  <fieldset submitButton="true" autoRun="false">
    <input type="text" token="user_tok" searchWhenChanged="false">
      <label>User</label>
      <default></default>
    </input>
    <input type="text" token="email_tok" searchWhenChanged="false">
      <label>Email</label>
      <default></default>
    </input>
    <input type="text" token="description_tok" searchWhenChanged="false">
      <label>Description</label>
      <default></default>
    </input>
    <input type="dropdown" token="revisit_tok" searchWhenChanged="false">
      <label>Revisit</label>
      <choice value="select">Select</choice>
      <choice value="1 month">1 Month</choice>
      <choice value="2 month">2 Month</choice>
      <choice value="3 month">3 Month</choice>
      <choice value="4 month">4 Month</choice>
      <choice value="5 month">5 Month</choice>
      <choice value="6 month">6 Month</choice>
    </input>
    <input type="dropdown" token="dropdown_tok" searchWhenChanged="false">
      <label>Action</label>
      <choice value="add">Add</choice>
      <choice value="remove">Remove</choice>
      <choice value="reauthorize">Reauthorize</choice>
      <search>
        <query> </query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>blah Lookup Table</title>
      <table>
        <title>blah Lookup</title>
        <search>
          <query>| inputlookup blah.csv | append [ | makeresults | eval user="$user_tok$", email="$email_tok$", description="$description_tok$", revisit="$revisit_tok$", Action="$dropdown_tok$" | fields - _time ] | table user, email, description, revisit | outputlookup blah.csv</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
I'm using Database Connect v3.9.0. I'm trying to use it to connect to an Impala database, which is an external database, but I can't find the external database option to add it (as shown in the attached snapshot). Should I add another app or plugin to add the external database connection feature? Thanks,
Hello everyone, I am new to Splunk. I've had trouble when trying to get host values from the path. The directory I set is D:\14. splunk\SMT\. No matter what kind of extraction function I was using, regex or segment, it doesn't work. For example, the host name of the following file should be "PCXXXXX", but it still shows the default host name. However, I already set the host name with a regex on the path, but it doesn't work... I also tried Segment in path, and it's still the same... Please help...
Hi, can anyone help me with how I can change the field of my query to exclude those with PRODUCED labels?

Query:

index="hcg_ph_t2_bigdataservices_prod" sourcetype="be:streaming-services" earliest=-3h@h latest=@h
| search stream_type IN (Datascore_Compress, Datascore_Decompress, Eservices_Eload, Eservices_Ebills)
| eval service_details=stream_type." - ".kafka_datatype
| bucket span=90m _time
| stats sum(kafka_count) as count by _time service_details
| stats latest(count) as current_count earliest(count) as past_count by service_details

PRODUCED items, which are under kafka_datatype:

I have tried to add this to my query, but it still does not exclude those with PRODUCED:

| sort .kafka_datatype asc
| fields - "PRODUCED"

Please help. Thank you, Jake
Hi All, I've stumbled on a very frustrating problem. I've created a HEC token to use in Zendesk so that Zendesk can send webhooks to Splunk. When I try to test the connection I receive the following error: {"text":"Invalid authorization","code":3} I looked on the forum and found this: https://community.splunk.com/t5/Getting-Data-In/HTTP-Event-Collector-Why-am-I-getting-error-quot-Invalid/m-p/231409 I have tried to put the word Splunk in front of the token and can see in Chrome developer tools that it is being sent; however, I am not able to successfully connect. From another machine on the network, with curl and using the word Splunk, I am able to successfully post a message. Please note I do not believe this to be a firewall/port issue, as that problem was resolved for me to get to this stage. Any help would be appreciated. Thanks in advance
I want to convert the result from https://community.splunk.com/t5/Splunk-Search/Find-users-who-have-done-an-event-A-but-not-done-an-event-B/m-p/110560 into a monthly timechart. I have tried the following query, but it does not work:

index="x" (event="A" OR event="B")
| stats count(eval(event="A")) as ACount count(eval(event="B")) as Bcount by userId
| where ACount >= 1 AND BCount < 1
| timechart span=1mon count as result

Can anyone help me with this query?
Hello. Community, help please. I can't figure out the problem with the data transfer to Splunk. I have an index and data sources from servers. The problem is that some of the data is lost during transfers. There are files on the server that are updated with a new name after a certain time. For example, there are files N2-1.out01324 and N2-1.out01325; they are searchable and Splunk can see them. But then the files are updated with new names, for example N2-1.out01326 and N2-1.out01327, and these files are not available; Splunk can't see them. Then the list is updated and files N2-1.out01328-1329 are visible again.
I'm wondering about possibilities to set up separate ES instances for different teams. Due to some mergers and acquisitions, one of our customers is beginning to be in a position where a single ES covering the whole enterprise is not a good model. I already found that ES on its own does not support multitenancy and I would need a separate instance for each team/suborganization/whatever. But I don't think it's that easy. Of course we can set up a separate SH cluster for separate teams and install separate ES instances, but if they operated on the same indexer cluster they would share the notable index and all datamodels. If we wanted, we could define separate datamodels for them to use, but then we would have to edit all the security content that by default uses CIM, right? Any other possibilities? Split the notable index? (Multiple indexers holding their "own" version of this index.) Seems possible but very, very ugly and hard to maintain.
Hi. I'm having a nightmare getting this adaptive response TA working. Has anybody got it working? I'm getting the following error:

ta_forescout_response_init.py:45 - CRITICAL - Unexpected error while getting alert actions from CounterACT: HTTPSConnectionPool(host='forescout.mattlab.local', port=443): Max retries exceeded with url: /splunk/actions_info?auth=CounterACT%20A6885132-A0EE-4AED-A2A3-8C01AF148957 (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1106)')))

The guide I've followed is here, specifically page 15: https://www.forescout.com/resources/app-and-add-on-for-splunk-how-to-guide-2-9-1/

********************************************************************************************
To enable HTTPS communication using Forescout eyeExtend for Splunk:
1. Operators must not use the default self-signed web-portal certificate; instead, they need to procure their own certificate. See Appendix System Certificate for Web Portal.
2. Once the certificates are installed on the CounterACT Appliance, the Forescout platform Public Key Certificate must be appended to the cacert.pem file at the following location: $SPLUNK_HOME/lib/python2.7/site-packages/requests/cacert.pem
****************************************************************************

I have created a server certificate for Forescout and copied the CA cert over to the requests directory below:

root@splunklinux:/opt/splunk/lib/python3.7/site-packages/requests# ls -al
total 228
drwxrwxrwx  3 10777 10777  4096 May 15 21:56 .
drwxrwxrwx 73 10777 10777  4096 May  2 12:56 ..
-rwxrwxrwx  1 10777 10777 21344 Feb  1 00:57 adapters.py
-rwxrwxrwx  1 10777 10777  6271 Feb  1 00:57 api.py
-rwxrwxrwx  1 10777 10777 10206 Feb  1 00:57 auth.py
-rw-r--r--  1 root  root   2110 May 15 19:26 cacert.pem
-rwxrwxrwx  1 10777 10777   453 Feb  1 00:57 certs.py
-rwxrwxrwx  1 10777 10777  1678 Feb  1 00:57 compat.py
-rwxrwxrwx  1 10777 10777 18430 Feb  1 00:57 cookies.py
-rwxrwxrwx  1 10777 10777  3185 Feb  1 00:57 exceptions.py
-rwxrwxrwx  1 10777 10777  3515 Feb  1 00:57 help.py
-rwxrwxrwx  1 10777 10777   757 Feb  1 00:57 hooks.py
-rwxrwxrwx  1 10777 10777  3921 Feb  1 00:57 __init__.py
-rwxrwxrwx  1 10777 10777  1096 Feb  1 00:57 _internal_utils.py
-rwxrwxrwx  1 10777 10777 34210 Feb  1 00:57 models.py
-rwxrwxrwx  1 10777 10777   542 Feb  1 00:57 packages.py
drwxrwxrwx  2 root  root   4096 May 15 21:59 __pycache__
-rwxrwxrwx  1 10777 10777 29332 May 15 21:56 sessions.py
-rwxrwxrwx  1 10777 10777  4129 Feb  1 00:57 status_codes.py
-rwxrwxrwx  1 10777 10777  2981 Feb  1 00:57 structures.py
-rwxrwxrwx  1 10777 10777 30049 Feb  1 00:57 utils.py
-rwxrwxrwx  1 10777 10777   436 Feb  1 00:57 __version__.py

There was no cacert.pem file in this location. What does it mean to append the public key to the cacert.pem file? I just copied the CA cert from my Forescout signing CA over to this location and called it cacert.pem, as it didn't exist.
Given below is a snippet of a Splunk event. My requirement is to find all the occurrences of "isOutstanding": true. The point to note here is that one event may or may not have multiple occurrences. I need to find the total count from multiple events over a period of time.

{
  \"school\": {
    \"schoolId\": \"1\",
    \"schoolName\": \"SchoolX\",
    \"schoolType\": \"private\",
    \"students\": [
      { \"id\": \"1\", \"isOutstanding\": true, },
      { \"id\": \"2\", \"isOutstanding\": false, },
      { \"id\": \"3\", \"isOutstanding\": false, }
    ]
  }
}

The Splunk query below:

index=myIndex "isOutstanding":true

gives the count of events having "isOutstanding": true. But it doesn't consider the count of multiple occurrences in one event. How can I get the count of all the occurrences in an event? TIA
I need to update many params in many saved searches via POST API from Node.js. I can create alerts, but cannot update all the params (including the SPL search) via POST to this endpoint: https://${HOST}:8089/servicesNS/${USERNAME}/${APP}/saved/searches/${ALERTNAME} The error message is: cannot create .. savedsearch by the name already exists. Is there an endpoint to update (POST/PUT) all the params (as in the GUI)? I was able to update only some params using the Splunk JavaScript/Python3 SDK, but it doesn't support many of the advanced params and is very slow compared to the POST API, and some of the param names are different? Some examples (with all the params supported by the SDK (JS/Python3) and the API) would be helpful.