I use the add-on builder to create custom apps for interacting with the AWS API through Splunk, but I've found that some of the more recent boto3 features are missing from the version embedded within Splunk. Does anyone know how to update Splunk's embedded boto3 version?

How can I configure a different user and password other than admin to make rest end point calls to my Universal Forwader.  Current Functionality:    curl -k -u admin:changeme "https://<host>:<port>/services/receivers/simple?index=abc&source=test&sourcetype=test" -d "splunk rest test"   What I want:   curl -k -u mu_user:mypwd "https://<host>:<port>/services/receivers/simple?index=abc&source=test&sourcetype=test" -d "splunk rest test"     I tried putting this new user in authentication.conf with binddnuser and binddnpassword but it is throwing Unauthorized error.

Dear community, I am using this community since years, so far I've found everything I needed. Now I am stuck!!! I am trying the following: I want to list all the index'es fields so when I build a query, to know immediately if a specific source has that field. Second part is easy. Once I have the list I know what I need to do. So, basically, I need something like this: Fields index1 index2 index3 indexn field1 1 1 0 1 field2 0 0 1 1 fieldn 1 1 1 1   where 0 is when the field doesn't exist, 1 there is at least one value in the specific field. My search looks like: index IN ( index 1 index2 indexn ) | stats count(*) as * by index | transpose column_name=Field header_field=index |outputlookup whateverfile.csv The problem with this search is that it takes ages, I don't need a full count. I just need to count the first value it gets and stop and then move on. In this way I will have a count of 0 if the field doesn't exist, 1 if exists. Any ideas?    

Hi Team, I am trying to take the backup of lookups using search head console and for the same I have tried two ways. a) Using below Rest Command | rest /servicesNS/-/-/properties/lookups Issue :- Since we have only limited permissions, hence the links of lookups are not working. b) | inputlookup abcd.csv | append [inputlookup wxyz.csv] Issue:- I could see the output of both the .csv files but unable to identify the content from where abcd.csv or  wxyz.csv is starting. Can anyone please suggest the best possible way to do it from splunk gui since we have only power user access.

Is it possible to ingest data related specifically from Microsoft Defender Safe Links?  We have tried both Microsoft 365 Defender Add-on for Splunk and the Splunk Add-on for Microsoft Security without success.  Appears that both of these collect data from Incidents and alerts. Any help appreciated.  

Is there a way to create a report using metadata or any other data to list all the fields that are available by index and sourcetype.  Example  Just need to get a index, sourcetype and all available fields under them listed out as report. 

I am trying to build an Splunk addon via there API. I have 1800 input entries that are set poll every 24 hours. the problem I'm seeing is that I get at http 429 error from the API destination. Is there a way to tell Splunk to only run a single API at a time to not overload the destination server?

After upgrading the Splunk Add-on for Microsoft Office 365 to version 3.0.0 it is required that we disable ServiceHealth.Read.All in Office 365 Management APIs, and enable ServiceHealth.Read.All in Microsoft Graph as per the app doc. After following the instruction and assigning the delegated type to ServiceHealth.Read.All under the Microsoft Graph , I'm getting the below error in the logs: level=ERROR pid=23448 tid=MainThread logger=splunk_ta_o365.modinputs.graph_api.GraphApiConsumer pos=GraphApiConsumer.py:run:74 | datainput=b'ServiceUpdateMessages' start_time=1651772811 | message="Error retrieving Graph API Messages." exception='NoneType' object is not iterable The inputs under Office 365 Management APIs are working fine, which indicates that the configuration data like client id and secret are correct. Can someone please let me know what might be causing this issue?

I have a field extraction I've created that replaces a couple of previous extractions I deleted.  However I have a couple of reports that still reference the deleted extractions when I view the available fields in the events.   I've tried re-creating the report and still get the same behavior.  I will also mention if I change the evtid in the query below to another possible value, I get available fields I expect to see.  Any ideas what might be going on?  The extracted field is vmax_message.  vmax_host is also an extracted field and works just fine.         index=vmax_syslog sourcetype=vmax:syslog fmt=evt vmax_host=*san* evtid=5200 sev="warning" | eval Time = strftime(_time, "%Y-%m-%d %H:%M:%S") | chart values(symid) AS symid values(vmax_message) AS message values(sev) AS severity values(Time) as Time by vmax_host