We are running the latest update for Splunk Enterprise Security, which includes the new "Cloud Security" option., In Cloud Security, I can see some data when using the "Microsoft 365 Security Option". However, no data is shown for the following options: Security Groups IAM Activity Network ACLs Access Analyzer Is there some configuration that I have missed? Thanks. Steve Rogers

Hello,   I need to build a search where I can subtract a token from the previous value in a row. Example I know how to get the first count (800) which is simply calculated through a query I already have. I do not know how to get the token to subtract from the value of the cell right above. Does anyone who how to write this into Splunk query logic that can compute these values? _time Count Notes 05:00 800 Saved token = 100 05:05 700 800-100 05:10 600 700-100

Looking for the new location to check for Splunk patches, it used to be here - https://www.splunk.com/en_us/product-security/announcements-archive.html We are required to check for any new patches monthly and the location has moved.

 I have created a lookup table with filename and cutofftime within which we have to receive the file. I have to compare Cutofftime to check if its falling within 30 mins of current time and retrieve that particular file name from lookup  and search for it. Please help me with query

I have changed the certificate on server.conf to take my created cert for port 8089. This is the same cert that I have been using for port 8000. I change server.conf according to documentation, reboot and verify the certificate. Port 8089 is pointing to the new cert. However, when trying to sign in to port 8000, I get the following error. Login failed due to incorrectly configured Multifactor authentication. Contact Splunk support for resolving this issue   PLease advise, we are using DUO.  This is what my sslConfig portion looks like in my server.conf [sslConfig] sslPassword = ****************************************************************************** privKeyPath = C:\Program Files\Splunk\etc\auth\mycerts\*****************.key serverCert = C:\Program Files\Splunk\etc\auth\mycerts\*****************.pem sslRootCAPath = C:\Program Files\Splunk\etc\auth\mycerts\************.pem requireClientCert = False

Hello, I'm attempting to set the panel back ground color to transparent witin a couple Choropleth panels in Dashboard Studio. However, nothing seems to work... I have attempted to set the background using the following: "transparent": true,  "backgroundColor": "rgba(0, 0, 0, 0)", "backgroundColor": "transparent", I can successfully change the color to white or other colors. but not transparent.  Thanks in advance!

Hello all, I am facing issue in collecting data from two of the hosts.e are using rsyslog to injest data. Logs are getting updated in the logdump of the HF but im not able to see the logs in splunk. We can see logs from other hosts , but having issues with two particular hosts with high log volume. I dont see any error/warning related to queueing. While checking the status of rsyslog service, we can see the below errors. invalid or yet-unknown config file command 'TCPServerAddress' - have you forgotten to load a module? [v8.24.0-57.el7_9 try http://www.rsyslog.com/e/3003 ] Could not create tcp listener, ignoring port 515 bind-address (null). [v8.24.0-57.el7_9 try http://www.rsyslog.com/e/2077 ] module 'imtcp.so' already in this config, cannot be added [v8.24.0-57.el7_9 try http://www.rsyslog.com/e/2221 ] Any suggestions/feedback is welcomes. Thanks

Hello All , What is the best way to collect and monitor system health and performance metrics from various security devices and endpoint devices. Log collection will be SNMP based or API Please recommend any Add-on or App if available for infrastructure health monitoring.  Is Splunk ITSI recommended for this requirement   TIA

We recently updated our Splunk App to use the latest SDK, and since then, we've been running into this issue where our custom configuration page (where users enter an API key for our service) fails to load with the below error.  The error seems to indicate that the issue is with the field having no value at the initial install (which has always been the default state).  Any suggestions on how we can address this?   {"messages":[{"type":"ERROR","text":"Unexpected error \"<class 'splunktaucclib.rest_handler.error.RestError'>\" from python handler: \"REST Error [500]: Internal Server Error -- Traceback (most recent call last):\n File \"/opt/splunk/etc/apps/SA-GreyNoise/bin/SA_GreyNoise/splunktaucclib/rest_handler/handler.py\", line 124, in wrapper\n for name, data, acl in meth(self, *args, **kwargs):\n File \"/opt/splunk/etc/apps/SA-GreyNoise/bin/SA_GreyNoise/splunktaucclib/rest_handler/handler.py\", line 303, in _format_response\n masked = self.rest_credentials.decrypt_for_get(name, data)\n File \"/opt/splunk/etc/apps/SA-GreyNoise/bin/SA_GreyNoise/splunktaucclib/rest_handler/credentials.py\", line 203, in decrypt_for_get\n data[field_name] = clear_password[field_name]\nTypeError: 'NoneType' object is not subscriptable\n\". See splunkd.log/python.log for more details."}]}  

Hi, I need to create a chart to show top categories per time. At the moment, the timechart I am getting is placing the time axis on the y-axis and the categories on the x-axis. In addition, there are over 50 possible categories and the user should be seeing the top 20 categories with the respective count for each time period. So I would imagine 20 line of the graph, no? Here is what I currently have:   Can you please help? Many thanks, Patrick

I am trying to create a report that will show month over month reporting for web service average response time as a percentage against a threshold sourcetype="web_logs" `web_resp_index` * | bucket _time span=month | stats count as total_count count(eval(resp_time>=500)) as fail_count count(eval(resp_time<500)) as success_count count(eval(resp_time=="")) as null_count by source _time | eval success_percent=round((resp_count/total_count)*100,2) | eval _time=strftime(_time, "%b") | Fields - total_count fail_count success_count null_count I now have : source _time success_percent www1 Jan 94.6 www1 Feb 93.2 www1 Mar 94.3 www2 Jan 98.5 www2 Feb 92.4 www2 Mar 84   I am looking to transpose and group so that I have 1 row per source and monthly columns Source Jan Feb Mar www1 94.6 93.2 94.3 www2 98.5 92.4 84