Hi, We have implemented SAML with ADFS. Now, we want to block a set of users from logging into AppDynamics. Since it's SSO, any user in the domain is able to log in, as there has to be at least one default role mapped, and AppDynamics has no option to show users that they are not authorized to log in (when using SSO). For now, we have created a role with no permissions and mapped it to the Default SAML group. How can we block a particular set of users in the domain from logging into AppDynamics while continuing to use SSO for the intended users? Regards, Mohit
Hi All - I am working with a very simple database that stores lists of key=value pairs with a potential expiration date and provides a REST API that outputs this data in JSON. I've played with spath for a few hours now and am completely stumped. Note: the JSON retrieved is not from a search or from another data input. It's from a custom curl command that creates its own results and displays them. I do not believe modifying the kv_mode on this app I'm working on would have any effect. Here is an example of the data I'm working with. Each entry in the object is an IP address, with a value and an optional expiration along with it.

{
  "ip_addresses": {
    "10.0.0.1": { "value": "some v4 ip", "expire": 1749267900 },
    "2001:53f1:3:2ee:2252:12e3:228a:112a": { "value": "some v6 ip" }
  }
}

I need to be able to display this information in a table like:

Key                                   Value        Expiration
10.0.0.1                              some v4 ip   1749267900
2001:53f1:3:2ee:2252:12e3:228a:112a   some v6 ip

Any help on this would be greatly appreciated. Thank you!
I love the simplicity of SMFS. Why was it discontinued? Security Essentials isn't really suited for the same purpose.
As part of a TA that I am building, I have a requirement to change a few of the values in /apps/my_app/local/inputs.conf during code run time. Scenario: my code will retrieve an oauth2_access_token and oauth2_refresh_token every hour and these need to be updated in inputs.conf. Any insight on how to achieve this? As far as I have checked, no helper functions exist for the same. An alternative would be to keep another file somewhere inside the TA's directory to hold the latest values for these tokens. But is there a way we could get the actual app directory path from the script? Using os.get_cwd is giving me the path "/". Is this only during testing, and will it change accordingly during the actual run?
Hi, I'm a newbie in developing Splunk add-ons. My add-on has a setup view (with a setup page). I am using Splunkjs and following the Splunk add-on sample app on GitHub (Splunk JavaScript SDK). I configured a scripted input (calling a Python script) and set an interval to schedule the script to run automatically. But I want to run the Python script for the first time right after completing the add-on setup. How can I do that? Or can I create a button on the setup page to manually run the script input? Thanks for the help.
I am trying to produce a table that can display 5xx status code counts per host over a timeframe (this will eventually be month, but for the purpose of this example will be by day). I downloaded the tutorial data with Apache logs and can see the data spans 8 days:

source="access.log" host="www*" sourcetype="access_combined_wcookie" status=500 | timechart span=1d count by host

I want to take this and analyze web server log files at work and increase the span to 1 month. Is there a way for me to pivot/transform this data to get a breakdown that would provide the following table?

Daily 500 status code dashboard
host   02-25-22  02-26-22  02-27-22  etc  03-03-22
www1   13        39        35        etc  28
www2   24        31        45        etc  35
www3   18        51        34        etc  36

As stated above, I would like this by MONTH: Jan, Feb, Mar, etc., so teams can glance at this table and see which hosts are improving/degrading or meeting SLOs, etc. I do not want to create a bar chart, but rather keep the above format.
Well, I am new to Splunk Enterprise. I have seen videos on how to send email via the alert system. I have done the mail server setting using "smtp.gmail.com:578" along with username and password. I changed the Google account setting "less secure apps" to on, but I am still getting this issue:

+0530 ERROR sendemail:540 - SMTP AUTH extension not supported by server. while sending mail to: ********@Anonymous.com
Hello, I have installed the forwarder on a Linux system and am able to see logs in searches, but when I open a detailed log the field & value is missing for the relevant part of the raw log. All the useful details are missing in fields: IP address, status code, bytes, user agent name, method used, etc. are missing. Can anyone guide me here on how to see those relevant things inside events?
Good morning, Over the last couple of weeks, we've seen that our configured inputs in the Add-on for Salesforce Streaming API will occasionally stop with no notice. I have reviewed the logs in /opt/splunk/var/log/splunk/ta_sfdc_streaming_api_sfdc_streaming_api_events.log and it seems like maybe there is a JSON decode error, but the PID doesn't match the one I see as connecting to that SFDC environment. If I disable and re-enable it, it comes back online. Anyone else see this issue?
I need the fields extracted as two fields: 1) Detail message = before the comma (I need the full description); 2) Count = after the comma (I need the digit count). The raw log starts from below:

DETAIL MESSAGE, COUNT
Index 0 out of bounds for length 0, 61
No Recipienet found in MDM based on the input parameters, 120
No record found with this document Id, 86
No Records Found with given search Criteria in DB, 52
query did not return a unique result: 2; nested exception is javax.persistence.NonUniqueResultException: query did not return a unique result: 2, 106
You do not currently manage any user roles in PERLSS there is no task data to display at this time, 96
<title> Clam Scan Results </title>
<event>
<search> ref="anti-virus scan results"> </search>
<option name="list.drilldown" >none</option>

error in 'search' command: unable to parse the search: Comparator '<' is missing a term on the left hand side?
Hi Team, I want to calculate the % based on two different tables where I am using addcoltotals to calculate the grand total.

table 1:
A   B   C
v1  v2  v3
v4  v5  v6
T1  T2  T3  ---> grand total

table 2:
A   B   C
x1  x2  x3
x4  x5  x6
T4  T5  T6  ---> grand total

I want to calculate: F1 = T1/T4, F2 = T2/T5, F3 = T3/T6. Could you please help me to find the solution? Can I store the values of T in a token and use the eval command to calculate the results? Looking forward to the help.
https://apps.splunk.com/app/4770 ServiceNow Security Operations Event Ingestion Add-on for Splunk ES and https://apps.splunk.com/app/3921 ServiceNow Security Operations Add-on: both support on-demand incident creation in ServiceNow, so what is the actual difference here? Anyone have any idea? The Event Ingestion add-on requires a licensed add-on from ServiceNow, that I know. Is that the only difference, or something else also?
Hello, is it possible to put a realtime panel and a dynamic panel in one dashboard? If so, please give me some input on how to implement this.
Hi Team, has anyone integrated the below application with Splunk? If yes, please suggest how. Chromeleon - Chromatography Data System (CDS) software - Built with both the lab and IT in mind, this software delivers superior compliance tools, networking capabilities, instrument control, automation, and much more! Robotics DBC
Hi team, I am new to Splunk, please help me here. We have integrated one AlgoSec application with Splunk via the syslog method and are collecting audit logs, meaning successful/unsuccessful logins to the AlgoSec application. In the logs we are getting only the AlgoSec application IP but not the source IP (which is actually trying to log in). We have checked in AD logs based on username and target IP (AlgoSec IP) as well, but are not able to see any information on the source IP. LDAP configuration is done on the AlgoSec application. So my question is, which method is useful to get the actual source IP?
1. Could I get the source IP in LDAP audit logs via Event Viewer? If yes, then how can I forward these logs to Splunk from Event Viewer? Windows Event Viewer > Applications and Services Logs > Directory Service https://www.manageengine.com/products/active-directory-audit/how-to/images/how-to-audit-ldap-queries-active-directory-2.png
2. Splunk Supporting Add-on for Active Directory (SA-LDAPSearch) - this add-on is useful to get LDAP audit logs to find out the source IP: https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.3/User/AbouttheSplunkSupportingAdd-onforActiveDirectory
Hello All, I wonder if you could share whether there is a Splunk decoder for the "Splunk add-on for AWS" that can work well with Control Tower. Currently Control Tower sends both CloudTrail and AWS Config to the same SNS topic, to which we've added an SQS queue subscribed to it. Because the queue now has both CloudTrail and Config, choosing the "config" decoder generates errors such as the below, because most of the messages are CloudTrail.

records = document['configurationItems']
KeyError: 'configurationItems'

Thank you very much, Marco
I need to stop ingesting from 1 of 4 of my firewalls. The path of our architecture is firewalls >>> syslog >>>> deployment server >> indexer cluster >>>> search head. I have tried commenting them out under deployment apps (inputs.conf) in the deployment server, but I am still seeing ingestion from that firewall. Any help is appreciated!
stats count(eval(searchmatch(Bala))) as A count(eval(searchmatch(kasa))) as B count(eval(searchmatch(reddy))) as C

A  B  C
1  2  3

Now I want the total of these row values as a single table:

Total
6
Trying to convince my boss to switch to Splunk, but the biggest issue is ESM's ease of use. Everything is pretty much plug and play on ESM, whereas Splunk takes a lot of work to get the same results. Here are a couple of examples:
1. ESM: he can go in and easily create a watchlist with all the server IPs and add that to an alert to tell it not to alert if these IPs are in the src or dest.
1. Splunk: I have to create a lookup, then create a lookup definition, then create the macro, and if I want to add an IP to the file I have to go into the CLI and add the new IP.
2. ESM has an alert page where you can look at all the alerts that have popped and check a box when you have decided that you have done enough investigation on that alert, which allows other analysts to know that alert has already been investigated.
2. I have not seen anything like this in Splunk without spending more money.
3. ESM really has no easy way to query on the fly, so Splunk does win this one.
4. He wants a solution that a new analyst can sit down with minimal training and use. I don't like the idea of button pushers, but we don't have months or years to train a new analyst (or the money).
If I could resolve issues 1 and 2 so anyone could do that stuff without having to be a programmer and do it all in the GUI, I think I could convince him. Licensing cost is not an issue; both are already licensed. Any ideas?