Hi! I've installed DB Connect for the first time today and can successfully get data from Oracle. While testing I've created a couple DB connect inputs with new sourcestypes (some name is required during creation) that I no longer need and that seem to be interfering with data processing - ex. new columns that I've added in SQL are not visible in new events after data fetch. I'd like to delete those source types but: * they do not show up in Settings > Source Types * they do show up in `| metadata type=sourcetypes index=myidx` but I don't know how to delete them using SPL How can I delete these leftover zombie source types and basically start over. Is deleting the whole index the only way?

Hello,  I have logs where there are multiple values for two fields. This data looks like this example below for each event. dest user builtinadmin computer1 user1 user2 true false         It comes from this raw data: <computer N=computer1 D=corp OS=Windows DC=false> <users> <user N='user1" builtinadmin="false" /> <user N="user2" builtinadmin="true" /> </users> </computer>   Is there a way to show the data like this instead where each user correctly correlates to the builinadmin value? dest user builtinadmin computer1 user1 true computer1 user2 false

Guys if you help me to extract fields from the raw events in props.conf in HF, I tried  EXTRACT command seems my regex is not ok or not sure what is the issue. I want to extract field and give name to them.  Regex I tried: ^(?:[^,\n]*,){7}(?<src_ip>[^,]+),(?<dst_ip>[^,]+)(?:[^:\n]*:){2}\d+,\d+,\d+,(?<src_port>\d+),(?<dst_port>\d+)(?:[^,\n]*,){5}(?<action>[^,]+)(?:[^,\n]*,){38} Also, ^(?:[^,\n]*,){7}src_ip=(?<src_ip>[^,]+),dst_ip=(?<dst_ip>[^,]+)(?:[^:\n]*:){2}\d+,\d+,\d+,src_port=(?<src_port>\d+),dst_port=(?<dst_port>\d+)(?:[^,\n]*,){5}action=(?<action>[^,]+)(?:[^,\n]*,){38} Sample log:  Mar 31 18:18:35 LUM-EVERE-PAFW-R8-17-T1 1,2022/03/31 18:18:35,015701001564,TRAFFIC,drop,2305,2022/03/31 18:18:35,10.81.13.68,34.240.162.53,0.0.0.0,0.0.0.0,prodedfl_access_1289,,,not-applicable,vsys4,prodedfl,prodcore,ae1.1512,,Syslog_Server,2022/03/31 18:18:35,0,1,60353,443,0,0,0x0,tcp,deny,66,66,0,1,2022/03/31 18:18:35,0,any,0,7022483376390954281,0x8000000000000000,10.0.0.0-10.255.255.255,Ireland,0,1,0,policy-deny,920,0,0,0,Production,LUM-EVERE-PAFW-R8-17-T1,from-policy,,,0,,0,,N/A,0,0,0,0,2d8c02f8-e86f-43cf-a459-01acdb26580a,0,0,,,,,,, Please help me to extract fields like src_ip, dst_ip, src_port, dst_port, action etc.

I've installed and configured the Cisco AMP for Endpoints Events Input app 2.0.2, and the API calls seem to work, but data isn't coming in, instead repetitively logging into $SPLUNK_HOME/var/log/splunk/amp4e_events_input.log the following messages: 2022-03-31 11:35:05,815 ERROR Amp4eEvents - Consumer Error that does not look like connection failure! See the traceback below. 2022-03-31 11:35:05,816 ERROR Amp4eEvents - Traceback (most recent call last):   File "/opt/splunk/etc/apps/amp4e_events_input/bin/util/stream_consumer.py", line 34, in run     self._connection = pika.BlockingConnection(pika.URLParameters(self._url))   File "/opt/splunk/etc/apps/amp4e_events_input/bin/pika/adapters/blocking_connection.py", line 377, in __init__     self._process_io_for_connection_setup()   File "/opt/splunk/etc/apps/amp4e_events_input/bin/pika/adapters/blocking_connection.py", line 417, in _process_io_for_connection_setup     self._open_error_result.is_ready)   File "/opt/splunk/etc/apps/amp4e_events_input/bin/pika/adapters/blocking_connection.py", line 469, in _flush_output     raise maybe_exception pika.exceptions.ProbableAuthenticationError: (403, 'ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.')  I don't know what broker logfile it's suggesting I reference, or how to fix this error since the authentication type is hard-coded in the app.  All the errors I'm finding when I search relate to RabbitMQ.

Hi, we have a severe performance issue with dbxlookup in DB Connect App 3.8 for a MySQL DB. dbxlookups in a Splunk Query take several minutes to return results.  The strange thing is, that it only happens when using dbxlookup. Using dbxquery is blazing fast (1.4 seconds to return 100K results) and also when configuring the lookup in the DB Connect app (where you run the actual SQL query that is to be used for the lookup) it is extremely fast. Example of using dbxlookup in a search:   | makeresults | eval page_id=510376245 | dbxlookup connection="myDB" query="SELECT C.CONTENTID as content_id,C.TITLE as page_title, S.SPACEKEY as space_key,S.SPACENAME as space_name FROM CONTENT AS C LEFT JOIN SPACES AS S ON (C.SPACEID=S.SPACEID) ORDER BY C.CONTENTID DESC" "content_id" AS "page_id"   The search job inspector shows the long time the dbxlookup took. The search log does not yield any helpful information:   03-31-2022 16:27:11.988 INFO SearchParser [110743 StatusEnforcerThread] - PARSING: table _time, page_id 03-31-2022 16:27:11.988 INFO SearchParser [110743 StatusEnforcerThread] - PARSING: head 20 03-31-2022 16:27:11.988 INFO SearchParser [110743 StatusEnforcerThread] - PARSING: dbxlookup lookup="scwiki_db" 03-31-2022 16:27:11.988 INFO ChunkedExternProcessor [110743 StatusEnforcerThread] - Running process: /opt/splunk/jdk1.8.0_111/bin/java -Dlogback.configurationFile\=../config/command_logback.xml -DDBX_COMMAND_LOG_LEVEL\=DEBUG -cp ../jars/dbxquery.jar com.splunk.dbx.command.DbxLookupCommand 03-31-2022 16:27:12.585 INFO DispatchExecutor [110743 StatusEnforcerThread] - BEGIN OPEN: Processor=dbxlookup 03-31-2022 16:27:12.605 INFO DispatchExecutor [110743 StatusEnforcerThread] - END OPEN: Processor=dbxlookup 03-31-2022 16:27:12.605 INFO ChunkedExternProcessor [110743 StatusEnforcerThread] - Skipping custom search command since we are in preview mode: dbxlookup 03-31-2022 16:27:12.620 INFO PreviewExecutor [110743 StatusEnforcerThread] - Finished preview generation in 0.663433841 seconds. 03-31-2022 16:27:13.143 INFO DispatchExecutor [110818 phase_1] - END OPEN: Processor=table 03-31-2022 16:27:13.143 INFO DispatchExecutor [110818 phase_1] - BEGIN OPEN: Processor=dbxlookup 03-31-2022 16:27:13.364 INFO DispatchExecutor [110818 phase_1] - END OPEN: Processor=dbxlookup 03-31-2022 16:27:14.627 INFO ReducePhaseExecutor [110743 StatusEnforcerThread] - ReducePhaseExecutor=1 action=PREVIEW -> here the delay happens 03-31-2022 16:29:44.577 INFO PreviewExecutor [110743 StatusEnforcerThread] - Stopping preview triggers since search almost finished 03-31-2022 16:29:44.580 INFO DownloadRemoteDataTransaction [110818 phase_1] - Downloading logs from all remote event providers 03-31-2022 16:29:44.849 INFO ReducePhaseExecutor [110818 phase_1] - Downloading all remote search.log files took 0.270 seconds 03-31-2022 16:29:44.850 INFO DownloadRemoteDataTransaction [110818 phase_1] - Downloading logs from all remote event providers     So it must have something to do with the way dbxlookup works. Could be an java issue or an mysql driver issue, a combination of both or something completely different :-). We are using the latest DB Connect MySQL Add-On. I am grateful for any hints or tipps on how to troubleshoot this furter. Or an actual solution :-).

Hi, we are running a distributed Splunk environment and do monitor the messages which appearing when there are issues within the ecosystem.  We did read about how to customize messages and official Splunk docs for messages.conf but weren't able to receive good answers to that. Maybe one of you does have more experience with that https://docs.splunk.com/Documentation/Splunk/8.2.5/Admin/Customizeuserexperience https://docs.splunk.com/Documentation/Splunk/8.2.5/Admin/Messagesconf Can someone help to explain those parameters and the behavior? target = [auto|ui|log|ui,log|none] * Sets the message display target. * "auto" means the message display target is automatically determined by context. * "ui" messages are displayed in Splunk Web and can be passed on from search peers to search heads in a distributed search environment. * "log" messages are displayed only in the log files for the instance under the BulletinBoard component, with log levels that respect their message severity. For example, messages with severity "info" are displayed as INFO log entries. * "ui,log" combines the functions of the "ui" and "log" options. * "none" completely hides the message. (Please consider using "log" and reducing severity instead. Using "none" might impact diagnosability.) * Default: auto I try to find a way to control if messages are getting distributed to another instance like Monitoring Console or if they should only appear on the system where the issue  happend. Is that possible? Where do I find those event if I select "log" as parameter? do they appear only in splunkd.log? Thanks    

My company is using Splunk to store data for our apps, and we would like to use Tableau to build visualizations. I have installed the driver for Splunk, but I'm not clear on the required credentials, which are server, port, username, and password. I have access to our company's Splunk Enterprise, but It's automatically logged in once I connect to my company's VPN, which means I do not know my username or password. I also have difficulty finding the server and port. I tried "splunk.xxx(my company's name).com" as the server, 8089 as the port, and my corporate credentials as username and password; however, it didn't work. Can someone help me with this problem? Thanks a lot.

Hi all, as in the previous posts I and II I'd like to anonymize names of cities and to keep the length of a string. The nature of logs is quite complex. I'm sharing the part in question: 2022-03-31 15:23:11,210 INFO ...  - ... 381 lines omitted ... F_AUSWEISENDE=12.02.2022  F_AUSWEISNUMMER=A2A2A2AAA F_BEHOERDE=Berlin F_BV_FREITEXTANTRAG= --------------- What I'd like to get is: 2022-03-31 15:23:11,210 INFO ...  - ... 381 lines omitted ... F_AUSWEISENDE=12.02.2022  F_AUSWEISNUMMER=A2A2A2AAA F_BEHOERDE=XXXXXX F_BV_FREITEXTANTRAG= --------------- Sometimes, unfortunately, the names are more complex and include processing errors: F_BEHOERDE=Stadt Rastatt B\xFCrgerb\xFCro then I'd like to get: F_BEHOERDE=XXXXX XXXXXXX XXXXXXXXXXXXXXXX I've managed to create the regex which anonymizes city names but doesn't keep the length of them. If the dynamic version is not possible. Probably I will need to stick with this: s/F_BEHOERDE=.*/F_BEHOERDE=XXXXX/g  I'll be grateful for any hints

Hi, Is it possible to use Python (or other languages) to get logs that originated from specific hosts? For example, search for a list of hosts and return the logs that were ingested during a specific date range. Thanks !   

The Splunk api trying to get data from the remote client api server, but it's showing SSL untrusted error. We want splunk to check or use the CA certificate copied into system and it should trust it, we need system path where we can copy the CA certificate file which will automatically use by splunk whenever it call to that remote api server.

Background In our company,  Splunk is owned by devops. I don't have the access to develop Splunk(like Splunk Dev). I can only use it and can't do or argue anything about Splunk settings! Many commands like 'eventstats' cannot be run due to space limit. For all that, we want to mine some useful data in log files(we cannot get the log files directly but can only get by Splunk, by the way). We want to find the potential bugs before the customers encountered them. Problems I tried to get the raw log events files by running the command which is simple but can get all events, after it finished, I clicked the "download" button. But some files are too big to download(10GB mostly)! So I want to find a way to run Splunk spider program to get the raw events. But I know this field of Splunk poorly. Have you tried this, or if you can think out another automated or half-automated solution ? Thanks!