I'm attempting to run a query and I've run into a really weird situation: if I run a query with "head 10 | fields *" I'm getting results, but if I use "stats" with any field it does not return results. For example, this query is returning results:

index=main sourcetype=o365:management:activity Field1=Value1 | head 10 | fields *

This is returning no results:

index=main sourcetype=o365:management:activity Field1=Value1 | stats count by _time

Somehow this does work and returns the result:

index=main sourcetype=o365:management:activity Field1=Value1 | head 10 | stats count by _time

I've looked into it and did not manage to find similar issues. Has anyone seen anything similar before?
In my ES App, I have a rule where I noted some discrepancy regarding the source country for the src ip 112.196.162.127. Using the 'iplocation' command in SPL it shows as Turkey. But in whoisdomaintools it shows as India (112.196.162.127 IP Address Whois | DomainTools.com). Any suggestion why this is the case?
When I run the script to install EUM (euem-64bit-linux-21.4.3.34447.sh), it showed this notification:

....
Setting the configuration properties...
Checking EUM MySQL version
Please wait as this operation may take some time...
Loading class `com.mysql.jdbc.Driver'. This is deprecated. The new driver class is `com.mysql.cj.jdbc.Driver'. The driver is automatically registered via the SPI and manual loading of the driver class is generally unnecessary.
Failed to create the EUM user account in the database.
Rolling back changes ...
Finishing installation ...

Please help me to fix this. Can we create the account manually?
Hello Splunk Community, I am writing a C# .NET Core API to install the Splunk app. I was able to install the app via a Postman call successfully. Now I am automating the same call via C#. The request headers generated by Postman and by the C# API for the install-app route match exactly; however, when I call this route (https://docs.splunk.com/Documentation/SplunkCloud/8.2.2201/Config/ManageApps#Install_an_app) via my API, I keep getting 403 Forbidden. I know the tokens I am passing are correct, and the ACL-Legal-Ack flag is set to Y. What else could be missing that is throwing this error?
Hello, I have events with a complex/inconsistent data structure. I need to extract 2 field values into 2 different fields. The regex I wrote is not working for all cases. My regex and sample events are given below. Any help will be appreciated. Thank you.

Regex I wrote (working only for the first and last events):
^\w*\|\w*\|\w*\|\w*\|\w*\|\w*\|\w*\|\w*\|\w*\|\w*\|\w*.\w*.\w*.\w*\|\w*\|(?P<CODE>\d*)\|\w*\|(?P<ERRORMSG>\w*)\|

Sample events:
4CODEREG|REGT|MEF|IFA|REMOVE||||1234567890|bUnXG_o0PbpgAY2Go6F6jWWh|105.103.110.91|SAAS_BFAF_AUDIT|00|00|||20220419074638|||||<TRANSACTIONDATA><StatusMessage>GTX Key 202210954371398 Removing file: /opt/mef/temp/Attachments/IN//K20220419074627.3410.37570.68836.46248.co1rprdljap1s0l</StatusMessage></TRANSACTIONDATA>
wse083affc-1|TESTCASE|GETTRANS|VIEW_TRANS|VIEWPDF||||670018015|aMTmD8BKoyxOkt7U6MuUIl-2|2600:1700:2ed0:f8ws0:7566:140b:f358:6d20|SAAS_BSAF_AUDIT|01||Exception thrown from TDS on pdf or||20220419091342|202012|30|1|0|1;VENF;
446ODEREG|REGT|MEF|IFA|REMOVE||||1234567890|bUnXG_o0PbpgAY2Go6F6jWWh|104.103.110.90|SAAS_BFAF_AUDIT|01|00|Error||20220419074638|||||<TRANSACTIONDATA><StatusMessage>GTX Key 202210954371398 Removing file: /opt/mef/temp/Attachments/IN//K20220419074627.3410.37570.68836.46248.co1rprdljap1s0l</StatusMessage></TRANSACTIONDATA>

NOTE: The first event doesn't have any values for ERRORMSG (the highlighted parts are the values).
We have a custom dashboard and whenever we load it I'm getting this error: "A custom Javascript error caused an issue loading your dashboard, like due to the dashboard version update. See the developer console for more details". We are running Splunk 8.2.5. Has something changed? This was working previously. Any idea how I can resolve this?
Hello, how are you? We are having trouble connecting the CISCO ACI Add-on for Splunk - Configuration Screen (https://splunkbase.splunk.com/app/1897/) with my APIC. It throws us the following error:

"Error: Could not login with provided credentials for APIC aci.blp.com.ar. Error: HTTPSConnectionPool(host='aci.XXXXXX.com', port=443): Max retries exceeded with url: /api/aaaLogin .json (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1106)'))). Message: None"

Any ideas? Thanks in advance.
Has anyone here set up an alert in Splunk monitoring of Salesforce that runs a script on alert action that calls back into the org? I'm just now looking at the possibility of creating some "self healing" alerting for a recurring issue we have in SF prod (scheduled batch jobs falling out of queue) and saw the option to run a script in Splunk on alert. Salesforce has an executeAnonymous(string apexcode) method through the Tooling API exposed in both SOAP and REST. My thought was to have a class built in my SF Prod org that Splunk could just call into, which would handle the logic of finding what's fallen out of spool & kick off the script to put it back in the hopper.
My HF stopped forwarding events. So far:
1. The splunkd service is running.
2. No firewalls enabled.
3. Running this command is successful, which I think means I'm connecting to the indexers:
$ ./bin/splunk cmd openssl s_client -connect inputs1.<stack>.splunkcloud.com:9997
4. Tried restarting the service with no success.
5. The splunkd.log file on the HF is reporting a lot of ERROR TcpInputProc errors.

Help! Thank you. Any suggestions would be appreciated.
Hello all, I am having trouble with a search that is not returning results as it should. The search is below and I have attached an example of the lookup file. When I run a search just looking for an individual IP it does return events, but it is not working with the lookup file. Any help is appreciated.

index=wineventlog OR index=fortigate | lookup TORIP TORIP AS src_ip OUTPUT TORIP | search TORIP=*
If I need to increase the number of UBA nodes, is it necessary to change the license?
Hello, I am using Splunk_TA_nix and a server class to push that out to all nix boxes, but the server class is not granular enough to select between RHEL 7 and RHEL 8 boxes. In RHEL 8 I want to monitor the path /var/log/audit but NOT in RHEL 7. Is there an inputs.conf stanza to try and accomplish directory monitoring by OS version? Or how else would one go about this?
Already using a query with the below to get the total number:

| timechart span=1d count

What can I add to return/show a "0" if the query is null?
Do we have any Tarrask Malware detection queries for Splunk Enterprise? 
Hi all, I would like to use the SNMP modular input to collect SNMP data from ~100 network switches. Should the SNMP modular input be installed on a forwarder server? The polling interval is 10 mins. Is there any limit on the number of pollings supported? I think I may need to poll ~8000 OIDs in each 10-min polling interval. Is there any CPU/memory loading concern?
Hi, I have a multisite indexer cluster (3 sites, 2 indexers each, total 6 indexers). We have kept:

site_replication_factor = origin:2,total:5
site_search_factor = origin:2,total:4

We have this query: if we scale up the indexer cluster, add more indexers, and change the site_replication_factor & site_search_factor accordingly, then what will be the impact on the whole architecture? Is there anything we need to take care of before scaling up the architecture? Let me know.
Hi all, I am running a Windows heavy forwarder on Splunk Enterprise 8.1.7.2 and I listen on ports tcp 9514 and udp 514. The data comes in to the main index and I perform a transforms/props redirect to another index, and the logs go into my indexers and search heads (both search heads and indexers are Red Hat 7.9, Splunk Enterprise 8.2.0). However, in my heavy forwarders I send a copy off to another set of Splunk Red Hat 7.9 heavy forwarders, but it seems anything besides the default Splunk logs on tcp 9997 does not reach them. My config is as follows:

## inputs.conf
[tcp:9514]
disabled = false
connection_host=ip
index =main

[udp:9514]
disabled = false
connection_host=ip
index =main

[udp:514]
disabled = false
connection_host=ip
index =main

[tcp:514]
disabled = false
connection_host=ip
index =main

## transforms.conf
[index_redirect_to_pci]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = pci

### props.conf
[host::x.x.x.x]
TRANSFORMS-rt1 = host_rename_rt1,index_redirect_to_pci

How do I get the logs for 514 and 9514 to be forwarded to the second set of heavy forwarders? I have one Red Hat heavy forwarder that I installed syslog-ng on, changed Splunk to monitor that folder and removed the listen on port 514, and that's the only Splunk heavy forwarder that can send syslog data over to the second set of Splunk that is not receiving the logs from the transformed index.
Hi All, I'm trying to get my existing add-on updated with the latest Splunk Add-on Builder v4. We had developed the existing add-on with a previous version of Add-on Builder; we got information from the Splunk team to rebuild the add-on with the latest builder. It will be of great help if you can provide me links on how this can be done, or any advice. Thanks.
Can someone please suggest how to get the percentage increase of a threshold value and build a dashboard out of it that shows red if it has increased by 20%?
I need some assistance with the Splunk Cloud migration assessment tool. We plan to move to Splunk Cloud, but there are no results for 2 of the preflight check searches although there is data in the index the searches pull from. The searches are:

| tstats dc(host) AS hosts where `scma_source_internal_index` source=*license_usage.log TERM(Usage) earliest=-24h@h by index

and

| tstats dc(host) AS hosts where `scma_source_internal_index` sourcetype=splunkd earliest=-4h@h by index

I was reading through the troubleshooting guide and it mentioned that there is a bug where tstats doesn't work well with reading the internal indexes, so it states to reach out to Splunk Support (which I have done but no response yet). The current version of Splunk Enterprise is 8.2.2.1.