We would like to use React to create a frontend for our Splunk app. We were able to integrate React and react-router to create and route to different pages successfully (i.e. myApp/eventPage); however, on page refresh Splunk is unable to maintain the current route and we get a 404 page.

page refresh at /myApp --> works
page refresh at /myApp/eventPage --> 404

This is also an issue if we would like users to be able to navigate to a specific page of our app from an external link. Do you have an example or documentation on how to maintain multiple pages in a Splunk app? Or is this a known limitation of using React with Splunk? Thanks in advance for your time and help!
Hi Team, I am facing an issue with a few of the servers for which the client had requested to on-board a new set of log data into Splunk. We had deployed the monitoring stanza and parsing stanza by updating an existing app, and the app was successfully deployed to the respective servers. But we are unable to see any data ingestion happening from the new monitoring stanza in Splunk. When troubleshooting, I could see this INFO message related to the monitoring stanza in the _internal logs. Apart from this INFO message, there are no other messages or events related to the source below in the _internal logs.

Monitoring stanza details:
[monitor:///usr/local/tet/t12/var/was/log/server.log]
sourcetype = usr:genericapp:server
index = test_index
disabled = 0
ignoreOlderThan = 14d

Parsing stanza:
[usr:genericapp:wfserver]
NO_BINARY_CHECK = true
LINE_BREAKER = ([\r\n]+)\d{4}\-\d{2}\-\d{2}\s\d{2}\:\d{2}\:\d{2}\.\d{3}
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD = 23
SHOULD_LINEMERGE = false

_internal logs:
1:40:04.292 PM 02-25-2022 13:40:04.292 +0000 INFO TailingProcessor - Parsing configuration stanza: monitor:///usr/local/tet/t12/var/was/log/server.log

Kindly guide me to fix this.
Hello, please, I will ask several questions, and thank you for taking it step by step, because I am a student and this is my first time using Splunk Enterprise. I want to monitor my Active Directory. I found the application "Splunk for Windows Infrastructure". I have successfully configured the add-on Splunk_TA_microsoft_ad on the portal. Of course these 2 add-ons exist in C:\Program Files\SplunkUniversalForwarder\etc\apps on my Active Directory server. For licensing reasons I only enabled [WinEventLog://Security] for the input of the Splunk_TA add-on:

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
Interval checkpoint = 5
whitelist = 4724,4725,4726,4624,4625,4720,4732,4722,4738,4742,4729,4715,4719
blacklist1 = EventCode="4662" Message="Object Type: (?! \s*group Policy Container)"
blacklist2 = EventCode="566" Message="Object Type: (?! \s*group PolicyContainer)"
renderXml = true

And I created the local folder into which I copied the inputs.conf and app.conf files after modification. But when I run the Splunk for Windows Infrastructure application I find no information: either the search is waiting for input or there are no results found. I don't know what configuration I missed. Of course, I carefully deactivated the firewall, and when I do raw searches with Search & Reporting I get the information, so the logs are sent from the server, but there is a problem at the application level. If not, do you have another proposal for AD monitoring? Thank you.
Hi, why are we receiving this kind of issue on "o365:cas:api" while the others listed below are working as expected?

o365:graph:api
o365:management:activity
o365:service:updateMessage

We didn't put a Cloud App Security Token in the tenant configuration, since we already have the client secret, Tenant ID, Client ID, Tenant Subdomain and Tenant Data Center. Is it needed for "o365:cas:api" to work?

ERROR:
2022-02-28 07:02:42,801 level=ERROR pid=23110 tid=MainThread logger=splunk_ta_o365.modinputs.cloud_app_security pos=utils.py:wrapper:72 | datainput=b'at_rbi_cloud_microsoft_cloud_application_security_files' start_time=1646031762 | message="Data input was interrupted by an unhandled exception."
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunksdc/utils.py", line 70, in wrapper
    return func(*args, **kwargs)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/cloud_app_security.py", line 184, in run
    return consumer.run()
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/cloud_app_security.py", line 47, in run
    for message in reports.get(self._session):
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/common/portal.py", line 639, in get
    raise O365PortalError(response)
splunk_ta_o365.common.portal.O365PortalError: 401:{"detail":"Invalid token"}
2022-02-28 07:02:42,801 level=ERROR pid=23110 tid=MainThread logger=splunk_ta_o365.common.portal pos=portal.py:__init__:50 | datainput=b'at_rbi_cloud_microsoft_cloud_application_security_files' start_time=1646031762 | message="failed to get error code" body=b'{"detail":"Invalid token"}'
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/common/portal.py", line 44, in __init__
    self._code = data['error']['code']
Hi all, I am trying to onboard AWS S3 bucket logs to Splunk Cloud using the ARN name. The question from my client is: how do we restrict access to the S3 bucket in their AWS account to Splunk Cloud only, so that no one else is able to access the S3 bucket using the ARN name?
Dear professional, I have a search like this:

index="hcg_oapi_prod" relatedPersons

and the search value is stored in the attached image. Then I want to add a filter to search for the logs that have "relatedPersons":[] only, like this:

2022-02-28 13:18:24.253 [c8058db8c5664bd1b3c49b749b607df8/c8058db8c57dcac5] - DEBUG OncePerRequestFilter - obtained request content: {"offerCode":"aaaa","application":{"applicantPerson":{"name":{"firstName":"aaa","middleName":"aaa","lastName":"aaa"},"gender":"MALE","birthDate":"1aaa","addresses":[],"phoneNumbers":[{"phoneType":"PRIMARY_MOBILE","number":"11111","verificationID":"ascve"}],"identificationDocuments":[{"type":"ID_CARD","number":"2222"}]},"additionalDocuments":[{"documentType":"PHOTO_PERSON","documentInfo":[],"photoTakingResult":"TECHNICAL_PROBLEM"},{"documentType":"MEDICAL_INS_CARD","documentInfo":[{"type":"INSURANCE_CARD_NUM"}]},{"documentType":"BANK_STATMENT_3","documentInfo":[{"type":"BANK_ACCOUNT_NUM"}]}],"employmentInfo":{"econimicalStatus":"OTHER","monthlyIncome":{"amount":8000000.0,"currency":"VND"},"monthlyPaymentLoan":{"amount":0.0,"currency":"USD"}},"relatedPersons":[]},"userStatistics":[{"key":"tongdun_appname","value":"HomeCredit_vn_and"},{"key":"tongdun_blackbox","value":"eyu"},{"key":"tongdun_source","value":"dqshand"},{"key":"tracksessionid","value":"0459588f-b583-4cf0-954c-8ecbbcc31a8e_16460289063825295"}]}

Please help me.
Hi all, I applied for a 14-day trial license for Splunk Cloud to develop a cloud app. I followed the link https://dev.splunk.com/enterprise/docs/releaseapps/manageprivatecloud to deploy a private app on the cloud platform. However, when I launch 'App Management' and click the 'Uploaded Apps' tab, the browser keeps 'loading' but does not display the desired page. I checked the browser's console; the response indicates '<msg type="WARN">DMC is disabled</msg>'. How can I fix this issue? Regards, Blake
Hi, the warning message below is showing in our search head cluster:

Search peer XXXBIXX has the following message: Received event for unconfigured/disabled/deleted index=A with source="B" host="host::C" sourcetype="D". So far received events from 2 missing index(es).

I have verified that index "A" does not exist on our indexers, and from the host no internal logs are received except license_usage.log. How do I figure out where the inputs are configured for this host host="host::C"?
I have the data format below, and I would like to fill down a specific field value based on Field1, i.e.:

Fill Field2 with character 'B' if Field1 is 'A'
Fill Field2 with character 'C' if Field1 is 'B'

Data:

Field1  Field2  Field3  Field4
A               fooA    barB
A               abc     def
A       B       ghi     jkl
B       C       fooB    barC
B               aaa     bbb
B               ccc     ddd

Change to the format below:

Field1  Field2  Field3  Field4
A       B       fooA    barB
A       B       abc     def
A       B       ghi     jkl
B       C       fooB    barC
B       C       aaa     bbb
B       C       ccc     ddd
Hello, thank you for taking the time to consider my question. I'm trying to visualize the health of several Windows and Linux systems using IT Essentials Work, and no matter what I do it seems like I just can't get the data to actually be read by IT Essentials Work (ITEW). For testing purposes, I have only started with Windows machines, since I figured those would be better documented and easier. I have installed the Splunk Add-on for Microsoft on both the indexer/search head as well as the client, and added the custom inputs.conf which is linked from the Splunk Security Essentials app on monitoring CPU/memory performance on remote Windows systems. I have installed IT Essentials Work on my indexer/search head, and it automatically created the "itsi_im_metrics" index, which should collect the data being reported by the foreign host and then allow ITEW to read it and visualize it, right? When I go into "indexes" on the indexer/search head, it shows that it has thousands of events within that index, and shows it was recently updated as of just a few minutes prior, so the flow is working. However, this index doesn't show any events when I search for it in both the normal Search & Reporting search bar and the ITEW search bar. It's obviously something stupid that I missed on my end, since I feel like it's missing one small configuration and then it will work fine, but the fact that there are no guides or videos on this practice and just some very generic documentation on ITSI/ITEW is very disappointing. Thank you in advance for considering and assisting me with this, and I look forward to your responses so I can resolve this issue. Any help that leads to the solution will of course be accepted and rewarded with karma for those who appreciate that. Thanks again.
Hello, thank you for taking the time to consider my question. I'm currently working on getting the InfoSec App (https://splunkbase.splunk.com/app/4240/) integrated via the Common Information Model with Active Directory logs that are obtained either through the Splunk Supporting Add-on for Active Directory or the Splunk Add-on for Microsoft Windows. There doesn't seem to be any really good documentation for this process for beginners, even though this is likely a very easy integration for Splunk admins, given how many use cases there are for it and the prevalence of AD in large organizations. My question is: how do people normally ingest data from AD through an inputs.conf (please link documentation of an example inputs.conf file that does this, if it exists; I can't find one), and what are some best practices for indexes that are supported for mapping AD auth data to CIM by default? I'm not trying to do anything special here; it just seems like this should have tutorials all over the place, and nobody has taken the time to really explain the process from start to finish, which is extremely frustrating for people trying to teach this to themselves without expensive Splunk OnDemand support having to walk you through it. Any help regarding this would be greatly appreciated. For context, I have already installed both Supporting Add-ons for MSFT and AD on the indexer/search head, and installed the Splunk TA for Windows on the actual AD host, where I'm assuming I need to use some sort of admon configuration to monitor Active Directory, but it's unclear what index I should be sending them to, and how that index should be configured on the search head.
Hello Splunkers, while trying to build a Splunk environment for the first time, I came across the above error message while trying to connect the 2 indexers to the SH. I also tried to run:

./splunk add search-server <ipaddress>:8089 -auth admin:password -remoteUsername admin -remotePassword password

yet I run into the same error message:

An error occurred: Error while sending public key to search peer: Connect Timeout
root@spunk-sh:/opt/splunk/bin#

Someone please help me set up the environment. Thank you.
Can someone please give me a Splunk query to split the events for multiple fields?

| rex field=_raw " :16R:FIN :35B:ISIN ABC1234567 :93B::AGGR//UNIT/488327,494 :93B::AVAI//UNIT/488326, :16S:FIN :16R:FIN :35B:ISIN CDE1234567 :93B::AGGR//FAMT/352000, :93B::AVAI//FAMT/352001, :16S:FIN "

I need a table as below. I've added max_match to my rex command, but when I input mvexpand for each rex individually they don't split.

ISIN        AGGR        AVAI
ABC1234567  488327,494  488326,
CDE1234567  352000,     352001,

Report:

| rex field=_raw max_match=0 "35B:ISIN(?<ISIN>.{10})"
| rex field=_raw max_match=0 "AGGR//(?<AGGR>.{1,20})"
| rex field=_raw max_match=0 "AVAI//(?<AVAI>.{1,20})"
| table ISIN AGGR AVAI
I am running a very big report which is at 95% after 36 hours, and I see that the result size is ~2 GB. The results should be sent by email. How can I find the results once the report is completed, since I think the mail will fail due to the size?
I have a table of applications like this. How can I display the table like in the image below?
Will a custom command created using Python reduce search performance? For example, if I try to write an alternate script for the |spath command, compared to spath, will the custom command reduce the search time or increase it?
How can I change the ID of a dashboard? The name and description I can edit, but how do I change the dashboard ID after it has been created?
I am trying to hide RED, GREEN and YELLOW, but the XML CSS is not working for me.

<form>
  <row>
    <panel>
      <html>
        <style>
          #tbl_Summary tbody td div.multivalue-subcell[data-mv-index="1"] {display: none;}
        </style>
      </html>
      <table id="tbl_Summary">
        <title>Summary</title>
        <search>
          <query>
            index=*xyz
            | eval calsuc=case(match('code',"1"), "SUCCESS", match('code',"2"), "WARNING", match('code',"1"), "FAILURE")
            | dedup requestId
            | eval APPLICATION=case(like('apn',"/PROFILE"),"PROFILE")
            | stats count as "Total Count" count(eval(calsuc="SUCCESS")) as "TotalSuccess" count(eval(calsuc="WARNING")) as "TotalWarning" count(eval(calsuc="FAILURE")) as "TotalFailure"
            | rename TotalSuccess as S, TotalWarning as W, TotalFailure as F
            | eval SuccessPerc=round((S/(S+W+F))*100,2)
            | eval sign=round(SuccessPerc, 0)
            | eval colorCd=if(sign>=95,"GREEN",if(95>sign AND sign>=80,"YELLOW", "RED"))
            | eval ApplicationName=APPLICATION."|".'colorCd'
          </query>
          <earliest>$sltd_tm.earliest$</earliest>
          <latest>$sltd_tm.latest$</latest>
        </search>
        <option name="count">20</option>
        <option name="drilldown">row</option>
        <format type="color">
          <colorPalette type="expression">
            case(match(value,"RED"), "#DC4E41", match(value,"YELLOW"), "#F88E34", match(value,"GREEN"), "#53A051")
          </colorPalette>
        </format>
      </table>
    </panel>
  </row>
</form>
With events, I can do

| search index=foo *bar*

This will match any event containing the string "bar" regardless of where it appears. But with |inputlookup, this will not work. I can work around it using foreach, but it looks rather labored.

| inputlookup mylookup | foreach * [| search <<FIELD>>=*bar*]

Is this the best way?
Hello team, I am new to using Splunk. I have a little problem. After installing my Splunk server, I started setting up my universal forwarder on the Kali Linux client, where I typed the commands below:

──(root㉿kali)-[/opt/splunkforwarder/bin]
└─# ./splunk add forward-server 192.168.0.24:9997
Splunk username: root
Password:
Login failed

I have an error message on the login/password. For your information:
- ping is OK between client and server
- I can connect to the web interface of the server from the client
- The port opening parameters on the server (9997/8089) are OK
- I don't think I have a login/password problem, since it's the same one I use on the server
- I changed the password to see if it's not a keyboard problem at the letter level, without success

Do you have an idea, please? Regards