Hi,   I am trying to get an App Key from your Controller: I tried the step 3 in the wizard: by selecting Install the iOS Agent and selected the option Auto-generate a new Mobile App Group    After loading it generates the code snippet in the controller but it doesn't have an app key in the code snippet.   FYI I am using the sample app for running and exploring the AppD. To use the sample app I need to have an app key to keep it in appdelegate but here in the controller by generating it's getting empty. Is there any process or steps involved to generate?   ADEumAgentConfiguration *config = [[ADEumAgentConfiguration alloc] initWithAppKey:@" "];   ^ Post edited by @Ryan.Paredez for formatting and searchability    

Good morning! I updated my index cluster/shc to 8.2.6 yesterday, and everything went fairly well, except for the "Health of Splunk Deployment" screen (Top RIght of screen, the (!) next to my username. On different instances, it is either completely broken:   Or working (ish)   In either case, I cannot scroll down to see the rest of it. I have restarted the instances, changed browsers, etc. It was definitely working before.

I have 2 sourcetype WinHostMon and wineventlog with Splunk add-on for Microsoft windows. After doing Asset and Identity configuration in Splunk ES. the lookup file is fine and I can see the results with the search command: | inputlookup test_assets2.csv and Asset Lookup information is also displayed in ES > Security Domains > Identity > Asset Center dashboard. But there is a problem that the enrichment fields for data like dest_asset, dest_asset_id, ... only appear in the WinHostMon sourcetype. Can someone help me pls? Thank you very much!

Hi Teams, I am newbie to splunk, I have log message like this: 10/04/2022 10:12:31.000   START RequestId: 46618528-6242-4eee-97b2-270e875bac1e Version: 165 END RequestId: 46618528-6242-4eee-97b2-270e875bac1e REPORT RequestId: 46618528-6242-4eee-97b2-270e875bac1e Duration: 68.98 ms Billed Duration: 69 ms Memory Size: 256 MB Max Memory Used: 170 MB START RequestId: 9a8f3f1e-aa03-40d9-a064-bb10a47a92eb Version: 163 END RequestId: 9a8f3f1e-aa03-40d9-a064-bb10a47a92eb REPORT RequestId: 9a8f3f1e-aa03-40d9-a064-bb10a47a92eb Duration: 3.76 ms Billed Duration: 4 ms Memory Size: 256 MB Max Memory Used: 184 MB   I want to get MaxMemory Used value as percentage (Max Memory Used/Memory Size) in each message and create time chart to show this value. Can anyone help me in this!

timechart [stats count | eval range="$timeRange$" | eval search=case(range=="-6h", "span=30m ", range=="-1d", "span=1h ", range=="-3d", "span=2h ", range=="-7d", "span=4h ")] can't work after upgrade splunk from 8.0.6 to 8.2.5.

Hi I know this is probably an easy one but I'm new and need some help. I have the following Field Called "Account Name" Account Name                                   Alan Test Account                              Debbie Production Account          John Dev Account                             Ed Test Account                                  I would like to create a new field called Environment that matches Test, Production ,Dev Account Name                                  Environment Alan Test Account                             Test Debbie Production Account         Production John Dev Account                            Dev Ed Test Account                                 Test

Hello, We're running into an issue with a UF sending data to a new metrics index under an app deployed by our deployment server. None of the perfmon inputs are sending data into our new index, and we're not seeing any errors. We also have the Splunk TA Windows Base app deployed to these same servers, and if we test adjusting the inputs.conf stanzas in the TA app to send perfmon metrics to our new index, it works fine. Below are the input stanzas from both apps: Custom app: ## Process [perfmon://Process] counters = % Processor Time; % User Time- Private disabled = 0 instances = * interval = 60 mode = single object = Process useEnglishOnly=true index = custom_metrics TA Windows Base originally: ## Process [perfmon://Process] counters = % Processor Time; % User Time; % Privileged Time; Virtual Bytes Peak; Virtual Bytes; Page Faults/sec; Working Set Peak; Working Set; Page File Bytes Peak; Page File Bytes; Private Bytes; Thread Count; Priority Base; Elapsed Time; ID Process; Creating Process ID; Pool Paged Bytes; Pool Nonpaged Bytes; Handle Count; IO Read Operations/sec; IO Write Operations/sec; IO Data Operations/sec; IO Other Operations/sec; IO Read Bytes/sec; IO Write Bytes/sec; IO Data Bytes/sec; IO Other Bytes/sec; Working Set - Private disabled = 0 instances = * interval = 10 mode = single object = Process useEnglishOnly=true index = ava_cs_metrics   TA Windows Base changed to point to our new index (which writes to the index fine) : ## Process [perfmon://Process] counters = % Processor Time; % User Time; % Privileged Time; Virtual Bytes Peak; Virtual Bytes; Page Faults/sec; Working Set Peak; Working Set; Page File Bytes Peak; Page File Bytes; Private Bytes; Thread Count; Priority Base; Elapsed Time; ID Process; Creating Process ID; Pool Paged Bytes; Pool Nonpaged Bytes; Handle Count; IO Read Operations/sec; IO Write Operations/sec; IO Data Operations/sec; IO Other Operations/sec; IO Read Bytes/sec; IO Write Bytes/sec; IO Data Bytes/sec; IO Other Bytes/sec; Working Set - Private disabled = 0 instances = * interval = 10 mode = single object = Process useEnglishOnly=true index = custom_metrics  

Hi All, I want to pull AD logs to Splunk Cloud. I see some source about Splunk Add-on for Microsoft Windows 6.0.0 and above which pulls the AD logs and another Add-on also does the same thing. I am confused. Can you point me in the right direction?    Thanks In Advance.  

I am looking for a way to move AK and HI on the dashboard to be viewed with the continental US. I did find the following documentation: https://docs.splunk.com/Documentation/DashApp/0.9.0/DashApp/mapsChorConfig#:~:text=One%20exception%20is%20the%20placement,increase%20the%20%22y%22%20value.   However when I convert the JSON to XML it states that 'LogicalBounds' is invalid. Is there a way to use this? I do not want to zoom in and out on my splunk dashboard to view data.

I have version 1.76 of the TA-user-agents app installed on my search head for use with searching against web access logs; to prepare for this, I created a field extraction called "http_user_agent" to extract a string similar to this: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Safari/605.1.15 When I run the following search over a 15 minute timeframe in Fast Mode...   index=foo source=*access* sourcetype=bar | lookup user_agents http_user_agent | search ua_family="Safari" ua_os_family="Mac OS X" | eval browserOS = ua_family . ":" . ua_os_family | timechart count by browserOS limit=0   ...I find that it takes what seems to be a VERY long time to complete (446 seconds to search through 418,000 events). If I just run the base search without the "lookup", "search", "eval" and "timechart", it takes 3.3 seconds to execute against the same number of events. Is this expected behavior for the TA, or is my search not optimized correctly? 

Hello, I am trying to perform an offline container install of SC4S and keep getting the following error when trying to enable sc4s.service [/usr/lib/systemd/system/sc4s.service:30] Trailing garbage, ignoring. [/usr/lib/systemd/system/sc4s.service:31] Unknown lvalue '-e "SC4S_CONTAINER_HOST' in section 'Service' [/usr/lib/systemd/system/sc4s.service:32] Missing '='. [/usr/lib/systemd/system/sc4s.service:30] Trailing garbage, ignoring. [/usr/lib/systemd/system/sc4s.service:31] Unknown lvalue '-e "SC4S_CONTAINER_HOST' in section 'Service' [/usr/lib/systemd/system/sc4s.service:32] Missing '='. This is the template I am using with modifications suggested in the offline installation guide: [Unit] Description=SC4S Container Wants=NetworkManager.service network-online.target docker.service After=NetworkManager.service network-online.target docker.service Requires=docker.service [Install] WantedBy=multi-user.target [Service] Environment="SC4S_IMAGE=sc4slocal:latest" # Required mount point for syslog-ng persist data (including disk buffer) Environment="SC4S_PERSIST_MOUNT=splunk-sc4s-var:/var/lib/syslog-ng" # Optional mount point for local overrides and configurations; see notes in docs Environment="SC4S_LOCAL_MOUNT=/opt/sc4s/local:/etc/syslog-ng/conf.d/local:z" # Optional mount point for local disk archive (EWMM output) files Environment="SC4S_ARCHIVE_MOUNT=/opt/sc4s/archive:/var/lib/syslog-ng/archive:z" # Map location of TLS custom TLS Environment="SC4S_TLS_MOUNT=/opt/sc4s/tls:/etc/syslog-ng/tls:z" TimeoutStartSec=0 ExecStartPre=/usr/bin/bash -c "/usr/bin/systemctl set-environment SC4SHOST=$(hostname -s)" ExecStart=/usr/bin/docker run \ -e "SC4S_CONTAINER_HOST=${SC4SHOST}" \ -v "$SC4S_PERSIST_MOUNT" \ -v "$SC4S_LOCAL_MOUNT" \ -v "$SC4S_ARCHIVE_MOUNT" \ -v "$SC4S_TLS_MOUNT" \ --env-file=/opt/sc4s/env_file \ --network host \ --name SC4S \ --rm $SC4S_IMAGE Restart=on-abnormal Any advice on what might be wrong with the service file?