All Topics


Hello, We had a case recently where, following some issues with the Apache certificate, the scheduled jobs got stuck in status "parsing", and after the Apache issues had been cleared, the job had already expired. As a consequence, no other jobs with the same could be triggered; they got skipped. How would I avoid this kind of situation in the future? Is there any way to delete all expired jobs which are not in status "done"? Would that be a solution? Kind Regards, Kamil
We have installed the following Splunk alert manager apps on our search head. During the installation we created a new index on the search head to store the fired alert data:
https://splunkbase.splunk.com/app/2665/
https://splunkbase.splunk.com/app/3365/
We are running all our saved searches/alerts from the search head, not from the indexers. Can you please tell me whether we need to create the index (alerts) on the indexers as well? We started receiving license warnings on the search head:
Mar 21, 2022, 12:00:00 AM (8 hours ago) This pool has exceeded its configured poolsize=1 bytes. A CLE warning has been recorded for all members server_namexxx auto_generated_pool_enterprise enterprise cle_pool_over_quota
Licensing warnings will be generated today. See License Manager for details.
3/21/2022, 8:03:41 AM License warning issued within past 24 hours: Mon Mar 21 00:00:00 2022 EDT. Refer to the License Usage Report view on license master '' to find out more.
3/21/2022, 8:03:41 AM Daily indexing volume limit exceeded. Per the Splunk Enterprise license policy in effect, search is disabled after 45 warnings over a 60-day window. Your Splunk deployment is subject to license enforcement. See License Manager for details.
During the integration of SailPoint I initially got the certificate error described below. https://community.splunk.com/t5/All-Apps-and-Add-ons/Certificate-error-with-SailPoint-Adaptive-Response-app/m-p/520271#M63493
After adding the CA-signed certificate in the aob_py3 directory I am getting the error below.
2022-03-21 23:07:22,432 ERROR pid=15767 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events.
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_TA_sailpoint/bin/splunk_ta_sailpoint/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events
    self.collect_events(ew)
  File "/opt/splunk/etc/apps/Splunk_TA_sailpoint/bin/sailpoint_identityiq_auditevents.py", line 72, in collect_events
    input_module.collect_events(self, ew)
  File "/opt/splunk/etc/apps/Splunk_TA_sailpoint/bin/input_module_sailpoint_identityiq_auditevents.py", line 143, in collect_events
    headers = build_header(helper, identityiq_url, client_id, client_secret)
  File "/opt/splunk/etc/apps/Splunk_TA_sailpoint/bin/input_module_sailpoint_identityiq_auditevents.py", line 109, in build_header
    return build_oauth2_header(helper, identityiq_url, client_id, client_secret)
  File "/opt/splunk/etc/apps/Splunk_TA_sailpoint/bin/input_module_sailpoint_identityiq_auditevents.py", line 94, in build_oauth2_header
    access_token = json.loads(token_body)['access_token']
  File "/opt/splunk/lib/python3.7/json/__init__.py", line 348, in loads
    return _default_decoder.decode(s)
  File "/opt/splunk/lib/python3.7/json/decoder.py", line 337, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/opt/splunk/lib/python3.7/json/decoder.py", line 355, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
Hi, Could you please help me: is it possible to create an alert in the Splunk trial version 8.2.5?
Hi, I need some help setting up a dashboard that will allow us to closely monitor the login activity of certain users and the IP addresses they use, to ensure we don't have any exploiters trying to access our systems. Another thing I would like to do, if possible, is to create a dashboard where we can input a username, and it will then show us the login data for that user over a certain period of time. Regards, Aidan Smith
I am a bit confused here about the controller data. In this configuration data, if I put the tiers and nodes as such in my C++ application's main function, which tier will relate to which node?
const char APP_NAME[] = "SampleC";
// arrays of string pointers: each entry is one tier / node name
const char* TIER_NAME[] = {"SampleCTier1", "SampleTier2"};
const char* NODE_NAME[] = {"SampleCNode1", "SampleNode2", "SampleNode3"};
const char CONTROLLER_HOST[] = "controller.somehost.com";
const int CONTROLLER_PORT = 8080;
const char CONTROLLER_ACCOUNT[] = "customer1";
const char CONTROLLER_ACCESS_KEY[] = "MyAccessKey";
const int CONTROLLER_USE_SSL = 0;
Hi experts, I would appreciate some design help with a query where I want to see all src_ip values querying for two different domains within an X-minute interval during a longer time period.
I am using the transaction command to check the start time and end time of a transaction. I have used:
| transaction TxnId startswith="NEW TXN" endswith="statusY" keeporphans=true | eval starttime=_time | eval endtime=_time+duration | eval starttime=strftime('starttime', "%Y-%m-%d %H:%M:%S.%3N") | eval endtime=strftime('endtime', "%Y-%m-%d %H:%M:%S.%3N") | table TxnId starttime endtime
I want to check whether all transactions have a start time and an end time, for the success rate. Now, even if the endswith="statusY" event is not there, it is still calculating an end time. What can I do to make sure there is no end time if the endswith="statusY" condition is not met? And if both the startswith and endswith conditions are met, the table should show status as success, or else blank.
We are considering calculating a specific field (list) during indexing. The calculation will be:
| eval list=if(match(dhost,"\.[\w]{2,3}\.[\w]{2}:?[\d]?"),"mozilla","iana")
1. What is the performance impact?
2. How should it be done?
Trying to set up an alert for two scenarios as mentioned below:
Scenario 1: to determine if the connection between Xyz and the abc service is healthy, check for the string "IEX API Call Successfully got agent schedules data". This message occurs in batches roughly every 5 minutes. A good threshold might be to alert if this message is not seen in >= 10 minutes.
Scenario 2: Another item to check would be the connection between the service and the xyz host. The string for that is "Schedule successfully posted to the provider API". The cadence for those messages is the same, so an absence of > 10 minutes may be a good place to start.
Below are the sample Splunk events. I would like to set up an alert so that if events with these keywords do not appear in the last 10 minutes, an e-mail alert is sent. Please help.
3/21/22 4:44:13.000 AM 2022-03-21 04:44:13 [pool-6-thread-2] INFO c.i.e.i.s.c.i.AgentResourceServiceImpl - IEX API Call Successfully got agent schedules data.
3/21/22 4:44:13.000 AM 2022-03-21 04:44:13 [pool-6-thread-2] INFO c.i.e.i.s.c.i.AgentResourceServiceImpl - IEX API Call Successfully got agent schedules data.
3/21/22 4:44:13.000 AM 2022-03-21 04:44:13 [pool-6-thread-2] INFO c.i.e.i.s.c.i.AgentResourceServiceImpl - IEX API Call Successfully got agent schedules data.
3/21/22 4:44:13.000 AM 2022-03-21 04:44:13 [pool-6-thread-2] INFO c.i.e.f.a.w.s.i.SchedulesServiceImpl - Schedule successfully posted to the provider Api.
Hi Guys, I am looking to search through a Splunk index for the presence of multiple conditions as below.
index="ind_name" return object | bin _time span=1d | where log like "%'feature1': {'result': '-9999%" | stats count as cnt_feature1_NOT_NULL by _time
| appendcols [search index="ind_name" return object | bin _time span=1d | where log like "%'feature1': {'result': '%" | stats count as cnt_feature1_NOT_NOT_NULL by _time]
| appendcols [search index="ind_name" return object | bin _time span=1d | where log like "%'feature2': {'result': '-9999%" | stats count as cnt_feature2_NULL by _time]
| appendcols [search index="ind_name" return object | bin _time span=1d | where log like "%'feature2': {'result': '%" | stats count as cnt_feature2_NOT_NOT_NULL by _time]
I have to search for multiple expressions (20 of them) and count them; is there a better way to search than appendcols? Thank you
Hi Everyone, I have a base search at hand which is set up as an alert with a threshold value for it to trigger. I want to exclude this alert from running on the last day of every month, as the expected threshold values are higher, and set up a new cloned alert in its place that runs on just the last day of the month. Is there any way in which we can do this? I tried thinking about a CRON schedule, but managing 30/31 days doesn't seem to be possible with it, and February (28/29) gets excluded completely. Thanks in advance for any kind of help
Hi all, I am not sure if this is possible. Is there any method that can be used to pass the value of one column as a token to another column? Actually I want to use that passed value to calculate some data which should be displayed in the second column. Not sure if this is possible.
Hi there, One of my colleagues has created a dashboard for audit, to know who logged into Splunk and how many times each user logged into Splunk over the last 7 days. One of the users left the organization in January and we deleted the account with the admin login. Now we are seeing his name in the dashboard, and alerts were triggering on his name as well. We have checked the user list again and his name was not there, but we are still seeing his name in the alerts and dashboard. Can anyone help me with it?
Hi, I am a beginner in Splunk and would like to ask if anyone can help me with creating a search or alert that would trigger if a certain condition 2 is not seen. Example: the first condition is if src_ip has event 1234 and event 2345 that are allowed in WAF; then the second condition is to check if the same src_ip does not have event 3456 in IPS.
Is there any Enterprise Security (ES) alternative of the use case 'New Cloud API Call Per Peer Group'?   
I'm looking for help in extracting the "allowedSourceAddressPrefix" field/value from a JSON. This field is an escaped JSON string inside a nested JSON. Following is the JSON tree:
- properties (extracted by Splunk)
- /subscription/..../.../ (dynamic field)
- ports (escaped JSON)
- allowedSourceAddressPrefix (nested JSON)
The allowedSourceAddressPrefix takes the value of a single IP address, multiple IP addresses, or *. I have tried various rex patterns but failed to extract the required field; any help is appreciated. Following is the JSON that has the required field:
properties: {
  "User": "johndoe@contoso.com",
  "/subscriptions/3483b2ca-02cf-4ff6-92af-99326c8fac7f/resourceGroups/apple-dev/providers/Microsoft.Compute/virtualMachines/gjappledev": "{\"id\":\"/subscriptions/3483b2ca-02cf-4ff6-92af-99326c8fac7f/resourceGroups/apple-dev/providers/Microsoft.Compute/virtualMachines/gjappledev\",\"ports\":[{\"number\":3389,\"allowedSourceAddressPrefix\":\"*\",\"endTimeUtc\":\"2022-03-21T1:50:39.1599446Z\"}]}",
  "Justification": null
}
TIA
I met an issue after upgrading Splunk App Enterprise to 8.2.5. I have a custom dashboard which loads splunkJS stack libs via require([...]). It was working fine before 8.2.5. Recently we upgraded Splunk to 8.2.5 and the dashboard broke due to an undefined 'require'. Even when I add require.js manually, it loads those libs one by one but returns 404. In 8.2.4 I noticed it was loading visualizationloader.js. Did any recent change in the Splunk app cause this issue? Thanks in advance
Hi, I have a need to periodically pull a specific health rule to identify whether a violation has occurred. This needs to be done through a Java program in order to trigger some other events in our applications. I understand that AppDynamics offers several health-rule-related APIs, specified here: https://docs.appdynamics.com/21.3/en/extend-appdynamics/appdynamics-apis/alert-and-respond-api/health-rule-api However, I cannot find one that reports whether a health rule is being violated at a given time. My question is: is there such an API exposed by AppDynamics to listen for such an event by periodically pulling this information, preferably via an HTTP request?
Hi, I'm really new to Splunk and having a problem where I need to make a dashboard from txt health sheet files; could anyone help me? It reads the data like that