We are seeing strange behavior after updating Splunk from 8.0.4.1 to 8.2.4. The major issue is with all queries that use the streamstats command; after observing this behavior, we updated the command to include the time difference as well, dividing over the time delta when computing the difference between the two events. Occasionally, graphs display regular statistics for a short period of time before switching to an abnormal view (due to dashboard auto refresh). If anyone encounters such a problem, please let me know since most of our dashboards are affected, and we attempted to generalize and adapt this to all of these dashboards in the hope that this will cure the problem.  
Good morning, We recently upgraded our Palo Alto Firewall from 5060 to 5260. We log using a syslog server. How do we point the Palo Alto Networks App for Splunk to the new Firewall? thx.
When I uploaded the ZIP file for the app 'Windows Event Code Security Analysis' (https://github.com/stressboi/splunk_wineventcode_secanalysis) to my Splunk Cloud instance, the App Vetting process found the following error: "undefined issues found. You must fix these issues before you can install your app. For details, see the report." Contents from the report link: "This XML file does not appear to have any style information associated with it. The document tree is shown below. <response> <messages> <msg type="ERROR">Not Found</msg> </messages> </response>" Does anybody have any ideas how to solve it? Thanks in advance for your help.
Hey, I am trying to use a subsearch with the loadjob command but it is failing: Can you please help? Many thanks, Patrick
I am looking for an Alert query for monitoring the windows process. Below is the scenario:
1. Lookup having fields called "host" and "Process".
2. windows index query where the process gets updated in the field called "Name", and we have the host field as well by default.
3. Query needs to pick the values of "host" and "Process" from the lookup and find the matching ones in the windows-based index query; events should be generated in the Splunk results.
Kindly assist.
Hello colleagues, we've implemented the ingest_time lookups but unfortunately the expected field from the configured csv-lookup does not show up in our searches. The following implementation steps were executed:
1. props.conf & transforms.conf prepared and stored under $SPLUNK_HOME/etc/system/local on all indexer nodes within the cluster.
2. index_lookup.csv prepared and stored under $SPLUNK_HOME/etc/system/lookups on all indexer nodes within the cluster.
3. Rolling restart of the nodes.
4. fields.conf prepared and deployed via SHD to our SHs.

props.conf:
[aws:cloudwatch]
TRANSFORMS-define_index = define_rds_index

transforms.conf:
[define_rds_index]
INGEST_EVAL = test_index=json_extract(lookup("index_lookup.csv", json_object("account_id", account_id), json_array(index_tag)),"index_tag")

index_lookup.csv:
account_id,index_tag
886089063862,index_platform-sandbox-dev

fields.conf:
[test_index]
INDEXED = True

Has anyone an idea if we missed a step or something is misconfigured? Thank you very much!
How to convert `_time` to the column and `host` as an index while using `mstats`?

| mstats avg(_value) prestats=true WHERE metric_name="cpu.*" AND index="*" AND (host="host01.example.com" OR host="host02.example.com" OR host="host03.example.com" OR host="host04.example.com" OR host="host05.example.com" OR host="host06.example.com") AND `sai_metrics_indexes` span=auto BY metric_name
| timechart avg(_value) as "Avg" span=30m by metric_name
| fillnull value=0
| foreach * [| eval "<<FIELD>>"=round('<<FIELD>>',2)]

The above results in the following: What is desired:

host                _time                cpu.idle  cpu.interrupt  cpu.nice  cpu.softirq  cpu.steal  cpu.system  cpu.user  cpu.wait
host01.example.com  2022-03-31 07:30:00  57.56     0.00           22.98     0.08         0.00       18.75       0.59      0.04
host01.example.com  2022-03-31 08:00:00  59.08     0.00           22.02     0.11         0.00       18.06       0.70      0.04
host01.example.com  2022-03-31 08:00:00  61.79     0.00           20.53     0.08         0.00       16.96       0.62      0.04

Any help will be much appreciated.
Hi, I need to extract a string from a field in a lookup. I need to extract the text between <query> and <query>, and the field name is "eai:data". Any help would be appreciated.
Hello guys, how/where should we set up the Dynatrace app / add-on on a cluster? App + add-on on the SHC? On production we have a HF available, however not in the test environment. https://splunkbase.splunk.com/app/4040/ https://splunkbase.splunk.com/app/3969/ Thanks for your help!
Hi, I need to upgrade the UF forwarder from version 6.5.1 to version 8.0; is it possible to do it immediately, or must I install some other version before installing 8.0? The UF forwarders are Linux, Windows and Solaris. Thanks to all.
After upgrading to 8.2.5 we suffer from another issue with visualisation, showing dramatically wrong data... Built this morning at 11:30. The dashboard/panel shows after some time (here ca. 30m) a completely different avg visual but, more concerning, completely wrong data for the 'count_pm' metric: Please see my attached XML code; what do I miss here?
Hi All, We have our custom app and while performing the cloud vetting process on that app, we are getting the errors mentioned below. We have already updated jQuery in all our XML (version="1.1"). The error doesn't show the name of the file, but we suspect it might be caused by one of the visualization JS files not related to XML. What best can be done to resolve these errors? Thanks.

check_for_vulnerable_javascript_library_usage
3rd party CORS request may execute
parseHTML() executes scripts in event handlers
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution
Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
3rd party CORS request may execute
parseHTML() executes scripts in event handlers
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution
Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
XSS in the `of` option of the `.position()` util
XSS Vulnerability on text options of jQuery UI datepicker
XSS in the `altField` option of the Datepicker widget
Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
Hi all, I am using a Heavy Forwarder for a few API-related integration methods of various data sources. I have to consider an integration with HEC now for a new source. Is it possible to use a Heavy Forwarder and add a HEC input to it? Or should HEC be on a separate machine? Best, O.
Hi everyone, I am trying to develop some apps in Splunk with React and JS. I want to access a Splunk lookup and get data from the lookup, but I do not see any function in the SDK to help collect the lookup file. https://docs.splunk.com/Documentation/JavaScriptSDK So how can I get the lookup file? I think I can make a new search "| inputlookup" and get the search result.
Hello, We don't get data from service status and service messages since January with version 2.1 of the Add-on for Microsoft Office 365. Do you know if this error is fixed in the new version (3.0)? Thanks
Hello, I have to find all the alert and dashboard queries by sourcetype. I saw this query, but it does not contain the query inside the dashboard/alert:

| union
    [| rest splunk_server="local" "/servicesNS/-/-/data/ui/views" | search "eai:data"="*index=*" | eval Type="Dashboards" | table Type title eai:acl.app author eai:acl.perms.read eai:acl.perms.write]
    [| rest splunk_server="local" "/servicesNS/-/-/admin/macros" | search definition="*index=*" | eval Type="Macros" | table Type title eai:acl.app author eai:acl.perms.read eai:acl.perms.write]
    [| rest splunk_server="local" "/servicesNS/-/-/saved/searches" | search search="*index=*" | eval Type="Saved Searches/Alerts/Reports" | table Type title eai:acl.app author eai:acl.perms.read eai:acl.perms.write]

Maybe there is another way to achieve my goal? Thanks
Hi All, I'm trying to extract the card details in my logs. Just confused about how to extract two or more card details, or their respective fields, using the rex command. Example:
Visa card numbers regex is ^4[0-9]{12}(?:[0-9]{3})?$
JCB card numbers regex is ^(?:2131|1800|35\d{3})\d{11}$
I just want to extract the Visa and JCB fields to check my card details. Is there a way to create named group fields for the above cards using the rex command in a single search? Help me with the query, guys. Thanks in advance.
Hi, I want to make a report or a CSV file from a search result. However, the search result is more than 7 million events. So now I have a few queries: I am trying to save the search; however, whenever I try to open that search to show people how many and what type of events were found, it does not show. How can I make a report or CSV file for more than 7 million events? Please advise. Thanks & regards, Osama Faheem
Hi Experts, I have an issue with the search string. I have a URL text like below and I need to filter that out using regex. I am not able to create a regex that would give the count if the URL string has two question mark symbols, not consecutive though.
/shop/us/aabc-abc-aaa?filtered=true&rows=240&start=0&facet=ads_f42001_ntk_cs:(%22aaa-Babbab%22)&cmp=DIS:SPR22:HCo:M:US:PSP:TT:X:X:X:JEANS:X:JEAN:X:JanWk4AABBBs15s
Thanks