All Topics

Quick question. I don't understand how to use certificates for forwarders. We have 300+ UFs. There's no way they're all going to have their own unique certificate. How do I generate a CSR for the UFs' certificates? The certificates will need to be signed by a third party. If I have a certificate with the SANs of my indexers, could I use that certificate for my UFs too? Do I need to obtain a wildcard certificate for the UFs? Thanks
I have created tabs in a dashboard; the tabs are auto-running even when autorun=false. Any solution? Thanks & regards, lateef
Hello, First, I already read this post: https://community.splunk.com/t5/Dashboards-Visualizations/Background-color-in-navbar-is-gone-in-7-1-and-7-2/td-p/359770 and tried its solution. It works sometimes but not all the time. My guess is that the div isn't always there for some reason. I opened the developer console in Chrome, and it seems that the object's name is ".view---pages-enterprise---8-2-2-1---1zrJY". As you can see, the Splunk version is inside it. And it changes with dark mode: ".view---pages-dark---8-2-2-1---2d_9P". Do you also have this behavior, and how can I successfully change the background color of the navbar across Splunk upgrades? Thanks
Hello, I'm trying to run the following:

| makeresults count=1
| eval data = "{\"something\":\"something\",\"something\":\"something\",\"something\":\"something\"}"
| eval header = "{\"header-api-key\":\"something\"}"
| curl method=post uri="https://api.something/v2" headerfield=header data=data debug=t verifyssl=false
| table *

and I'm getting "{"status": "error", "result": "Invalid json format in the request". I also tried to add "{\"content-type\":\"application/json\"}" like:

| eval header = "{"{\"content-type\":\"application/json\"}",\"header-api-key\":\"something\"}"

but I get the same error. Note that I have the latest version of TA-webtools. Does anyone have any suggestions? Thanks in advance
Hi, I have "Too many open files", but I have a ulimit of 65536. I believe I have set my Splunk up correctly, but my search head has crashed twice now in 2 days. Is 65536 too small? Should I try and make it bigger?

bash$ cat /proc/32536/limits
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max file size             unlimited            unlimited            bytes
Max data size             unlimited            unlimited            bytes
Max stack size            8388608              unlimited            bytes
Max core file size        unlimited            unlimited            bytes
Max resident set          unlimited            unlimited            bytes
Max processes             790527               790527               processes
Max open files            65536                65536                files
Max locked memory         65536                65536                bytes
Max address space         unlimited            unlimited            bytes
Max file locks            unlimited            unlimited            locks
Max pending signals       1546577              1546577              signals
Max msgqueue size         819200               819200               bytes
Max nice priority         0                    0
Max realtime priority     0                    0
Max realtime timeout      unlimited            unlimited            us
hp737srv autoengine /hp737srv2/apps/splunk/

I am also getting the following messages from my 3 indexers (I have an indexer cluster)

When I run the following command, I can see Splunk 1 hour after startup taking 4554?

bash$ lsof -u autoengine | grep splunk | awk 'BEGIN { total = 0; } $4 ~ /^[0-9]/ { total += 1 } END { print total }'
4554

So at the moment I have opened a case with Splunk, but I might have to put in nightly restarts if it keeps happening. In the last few months, I have set up a heavy forwarder to send HEC data to the indexers. This data has been increasing, so I am not sure if this is the issue? Thanks in advance
My query is:

<dashboard version="1.1">
  <label>CCEcolour</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=*** source=service Name IN (*abc* *def* *ghi* *jkl* *mno*) host IN (xyz) earliest=-60m | dedup host Name | table Name Status State | sort Name | eval color=case(Status="Stopped","HIGH",Status="Running","LOW") | foreach Name Status State [ eval &lt;&lt;FIELD&gt;&gt;=mvappend('&lt;&lt;FIELD&gt;&gt;',color)] | fields - color</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <format type="color" field="Name">
          <colorPalette type="expression">case (match(value,"LOW"), "#DC4E41",match(value,"HIGH"),"#53A051")</colorPalette>
        </format>
        <format type="color" field="Status">
          <colorPalette type="expression">case (match(value,"LOW"), "#DC4E41",match(value,"HIGH"),"#53A051")</colorPalette>
        </format>
        <format type="color" field="State">
          <colorPalette type="expression">case (match(value,"LOW"), "#DC4E41",match(value,"HIGH"),"#53A051")</colorPalette>
        </format>
      </table>
    </panel>
  </row>
</dashboard>

For the result below, where "State" is "Stopped", the entire row should be in red, including the corresponding Status and Name.

Name Status State
abc  OK     Running
def  OK     Running
hij  OK     Stopped
klm  OK     Running
nop  OK     Running
Hi splunkers, I thought it would be easier, but now I need to ask you for help. I need to make a simple tart chart with the percent of an IP address and the percent of all others together as "Other". How can I group all values into a single value "Other" while leaving out just the value I want to analyze? Thanks!
I am currently working on an integration from a Python script, collecting a JSON object and parsing it to an event via the Splunk Add-on Builder; however, the object does not seem to appear within Splunk. From the Add-on Builder code, I have a loop that cycles round an array extracting objects to ingest as events:

for item in item_group:
    helper.log_warning(item)
    stat_time = int(time.time())
    event = helper.new_event(time=stat_time, source="Addon-Helper", index="testing", sourcetype="_json", data=json.dumps(item))
    ew.write_event(event)
    helper.log_warning(event)

When I pull the extract from the log I get:

2022-03-08 10:43:56,350 WARNING pid=59367 tid=MainThread file=base_modinput.py:log_warning:302 | {'field_1': 'value_string', 'field_2': 'value_string', 'field_3': 'value_float', 'field_4': 'value_string', 'field_5': ['value_IP'], 'field_6': 'value_string', 'field_7': value_time, 'field_8': 'value_string', 'field_9': 'value_string'}
2022-03-08 10:43:56,351 WARNING pid=59367 tid=MainThread file=base_modinput.py:log_warning:302 | <splunklib.modularinput.event.Event object at 0x7f9072656250>

However, there is nothing added to the "testing" index, nor on a wildcard search, nor on searching for ingestion errors. In addition, I have tried setting the data field to a string, which still creates the object, but Splunk does not seem to parse it:

event = helper.new_event(time=stat_time, source="Addon-Helper", index="testing", sourcetype="_json", data="Testing String")
ew.write_event(event)

This may simply be a case of staring too long at a problem and missing something basic, but any help would be great.
index=Network dest_ip=xx.xx.xx.xx action=allowed

Trying to list total allowed connections to a destination IP by day, regardless of source, to determine the volume of connections per day of the week and show which days are busiest, and also, if possible, to determine when during the day the number of connections peaks. Any help would be greatly appreciated.
How do I write a search that shows the current uptime of the server, and the date/time/user of the last reboot of the server?
I have an index which has information for available bytes on each host. I want to display free bytes in a table for all the hosts. I have a CSV file which has the hostname and the total bytes for each server. I am trying something like the below:

index="perfmon" ([| from inputlookup:"HostTotalBytes_Lookup" | table host]) earliest=-5m latest=now
| eval TotalBytes=[| from inputlookup:"HostTotalBytes_Lookup" | table totalBytes]
| eval MemoryUsedPct = round((TotalBytes - Available_Bytes) / TotalBytes * 100, 2)
| chart max(MemoryUsedPct) as "Used Memory", max(Available_Bytes) as "Available Bytes" by host

But it returns an error: Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr]). I understand that I am trying to store an entire table in one variable and trying to use it as separate bytes against each host. I am quite new to Splunk and don't really know what to use in this case. Any help would be highly appreciated. My CSV file looks like the following:

host,name,totalBytes
host1,host1_name,16000000000
host2,host2_name,16000000000
host3,host3_name,16000000000
host4,host4_name,16000000000
Hello All, We upgraded our test environment to Splunk 8.2, after which our JavaScript dashboards stopped working. The dashboards have been updated to include version="1.1" as suggested by the docs. The JavaScript which isn't working references jQuery as follows:

require([ "splunkjs/mvc", "splunkjs/mvc/utils", "splunkjs/mvc/tokenutils", "underscore", "jquery",......])

I am aware that 8.2 depends on jQuery 3.5 and I feel that this is causing the issue. But where in the code the updates need to be made is something I need assistance with. @jeffland Do assist if possible. Thanks.
Hi Team, I have a log message and I want to filter all log messages which contain the highlighted text below, and if the status value is other than 200 (status!=200), separate those messages.

{"timestamp":"2022-03-04T11:04:41.143Z","message":"ABCDEFG :::{\"status\":200,\"headers\":
{"timestamp":"2022-03-05T11:02:41.143Z","message":"ABCDEFG :::{\"status\":400,\"headers\":
{"timestamp":"2022-03-02T11:05:41.143Z","message":"ABCDEFG :::{\"status\":500,\"headers\":
Hello, Is it possible to add a banner to a dashboard in order to separate panels? Thanks
Hi All, I am using Splunk ES. We create short IDs for notables. How can we search the notables using the short ID as a filter in the Incident Review dashboard on Splunk ES?
Hello, We need field extractions in Splunk. What is the best and most reliable way to do field extraction in Splunk when the ingested data is in JSON format? Please let us know if there is any way to do the extractions during ingestion so that the fields get auto-extracted, and by searching index=sample sourcetype=json we could get them as fields under the interesting fields. Can this be done by editing the props.conf file? Please do provide some examples, which would be of great help. Thanks.
Hi All, In ES, or in Splunk in general, how do I return a field value in double quotes? We have the below setting for "Drill Down Name", which displays the Policy Name when an alert is triggered. I would like the Policy Name to be enclosed in double quotes when it displays in the alert, though. Any suggestions? Should I try this?

\"$policy_name$\"
Hi, we would like to correlate data between 2 indexes, but we can't seem to find the right query. Examples:

Index=Firewall Sourcetype=A Field=Bytes, SourceIP
Index=AD Sourcetype=B Field=SourceIP, Hostname

We would like to calculate the bytes in the Firewall index, and display the Hostname of the SourceIP by correlating with the AD index. Here is an example of our query which does not work well.

(index=Firewall OR index=AD) sourcetype=A OR sourcetype=B
| eval TotalBandwidth = round((Bytes)/1024/1204,2)
| stats sum(TotalBandwidth) as "Total Bandwidth", latest(Hostname) as Hostname by SourceIP
| sort 10 - "Total Bandwidth"

When we run the above query, we are able to display what we want, but some of the results contain an unwanted Hostname. We tried to filter the Hostname by using | where Hostname!=" ", but the result is messed up. Another query that we have generated is:

(index=Firewall sourcetype=A SourceIP=* Bytes=*) OR (index=AD sourcetype=B SourceIP=* Hostname=*)
| fields index SourceIP Bytes SourceIP Hostname
| eval SourceIPNew=coalesce(SourceIP, SourceIP)
| eval TotalBandwidth = round((Bytes)/1024/1204,2)
| stats sum(TotalBandwidth) as "Total Bandwidth", values(Hostname) as Hostname by SourceIPNew

This is also not working. Please advise us. Thank you.
I try to edit a lookup file through the Lookup File Editor, but the message below is shown: The file is too big to be edited (must be less than 10 MB). Is there any workaround other than reducing the lookup file size?