Hello Team, I wanted to understand if Splunk captures data/logs generated from Glue jobs. If yes, can you share what all metrics are captured? How do they get captured? Also, if the metrics captured for Athena and Aurora could also be explained, it will be helpful. Thanks!

Hi Helpers - Below is my usecase where I am stuck with my ES upgrade.  My Splunk version recently upgraded from 7.2.7 to 8.1.3 Post the Splunk upgrade, Splunk ES views were throwing pop-up messages “Timelines could not be loaded”. Splunk ES was on 4.5.2 which was working fine on Splunk 7.2.7. Since it looked incompatible, we planned to upgrade it to 6.2.0. Below is the process followed. It's on a SHC environment with 3 Search Heads   On ES Deployer, take backups of etc/shcluster/apps to etc/apps folders On ES Deployer, copied the apps (SA-*, DA-*, SplunkEnterpriseSecuritySuite) from etc/shcluster/apps to etc/apps folder Ran the upgrade command – (/opt/splunk/bin/splunk install app ./splunk-enterprise-security_620.spl -update 1) Ran the essinstall command as per the install documentation – (/opt/splunk/bin/splunk search '| essinstall --deployment_type shc_deployer' -auth admin:TelstraDR01 action=upgrade) – (Output attached) /opt/splunk/bin/splunk restart – (Multiple Invalid Stanzas and Output attached) Planning to replace all conf files from backup apps directories to the upgraded apps directories as we have noticed there is a change in the conf files. Not sure which ones to replace and the consequences – PENDING   Bit confused with the documentation. Upgrade documentation didn't have essinstall action=upgrade part. But read about it in some blog. Am I supposed to run it or not? When I followed the upgrade documentation, only SplunkEnterpriseSecuritySuite app folder got changed and the remaining SA-* and DA-* apps were unchanged. But SA-* and DA-* got changed when I ran essinstall command followed by splunk restart. All this is just on deployer. Haven't pushed any changes to search heads. Has anyone recently did ES upgrade and can share me clear steps to be followed? Raised a Splunk support case and they are advicing just to follow the upgrade doco which is fully not clear. Thanks & Regards, Naresh

Hi, I’m using the Event Timeline viz to create a timeline. The visualisation works when its a single panel in a dashboard. However, I need this timeline visualisation to work in a dashboard with a drilldown from other panels. The functionality of this timeline works as expected on this drilldown dashboard…….EXCEPT the time axis is not labelled. Same queey and options as the standalone dashboard,same data used,same panel settings…..but time axis is labelled in the standalone dashboard but not in the dashboard I actually need it to work,the drill down dashboard. What could be the reason for this?Are the bins needing to be a certain form for this viz perhaps?Any way to force this viz to show the time axis? Thanks, Patrick

In a log if there are two similar words with different value , how to retrieve value of second word using regex ? Example: "Display details of value =abc and value=def for id=1". how to display value "def" ?   index=* "Letters" |rex field=_raw max_match=0 "value=?(?<value2>[^\n]*)" |stats values(value2) as letter by id   Above query returns 1     "abc and value=def"  

I've seen this on some older posts, but I am currently battling this issue. For some hosts, restarting it makes the logs start flowing again without the above error message (Suggesting a delayed start is the answer). But on some of them, a restart does nothing, there is real security logs that Splunk is merely reporting above error message for. 

I am getting IPv6 with collapsed zero's and IPv4 quad (ie "fe80::192.168.10.100") for source and I want to parse out the IPv6 part of that field.  What do I need to add in my prop to parse that part out?  Thank you for any and all help.

Hello,  I would like to know if I can monitor IOT with Appdyamics and is so what agent should I use. thanks.  ^ Post edited by @Ryan.Paredez . Please have the title of the post be in a digestible question format. This helps others search and find content. 

I have the Splunk Add-on for Microsoft Cloud Services (https://splunkbase.splunk.com/app/3110/) installed on my heavy forwarder and ingesting audit data from an event hub input configured as a central repository for our tenant's audit data. This is working like a champ. I see tons of event hub data, it's all parsing as expected. I'd love to use some dashboards to avoid making my own. I saw that the Microsoft Azure App for Splunk contains dashboards (https://splunkbase.splunk.com/app/4882/) for data collected from both the Cloud Services add-on above as well as the standard Azure add-on. Seems like what I want. However, after deploying the app to my SHC none of the dashboards work. Digging further into it it appears that the sourcetype the App is looking for is totally different than the sourcetype that the MCS add-on generates. All the events in the index are sourcetype=mscs:azure:eventhub but the App is looking for sourcetype=azure:eventhub. The question is, is the App actually supposed to work with the MCS add-on and if so does anyone have advice on making that work? Or is there a different app that provides dashboards for the data ingested by the MCS add-on? It looks like I could change the sourcetype in the configuration of the App but that doesn't feel like something I should be changing when the description says it works with the add-on.

Hi guys searched through all topics and couldn`t find anything relevant to my issue. So hope some one would help me with my question. We use splunk cloud enterprise security. We have AWS environment mostly with Linux instances what I want to achieve is to search on splunk for any new files put in /tmp or /sbin and etc.  Was googling, searching in documentation all I can find is this document https://docs.splunk.com/Documentation/SplunkCloud/8.2.2202/Data/Monitorfilesanddirectories that says that I should use CLI. But this doesn't`t make seance we use splunk cloud there is no CLI right? And I think this article is about accessing and monitoring Splunk files right?  So yee in short how to search for any new files added in to instances.   Cheers.