I have  this 'Email' Data Model in ES. The model is populated by macro and tags(2 eventypes populated by saved searches) (`cim_Email_indexes`) tag=IS_Email  The two eventtypes have IS_Email tag associated to them . Now,  A new source needs to be fed into the dataModel. The fields of the new source  are cim compatible but are not fed into the dataModel. And I checked the corresponding eventType and there were some tags associated to it but IS_Email tag wasn't there. So, To add the data from this new EventType into the datamodel, if I just add IS_Email tag into it(the eventtype), is it sufficient ? Or anything else is required ? If this is sufficient, then after adding the Tag, do I need to rebuild the Email DataModel  ?

Hello everyone, Thanks for reading, my english is not good at all. I have this: A B C D E F G 1 1 0 4 1 0 0 1 2 0 2 2 0 9 0 0 0 1 3 0 8 0 1 0 0 4 0 9 0 0 0 9 5 0 0 0 0 0 8 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0   So, i need sum all value of each column I would like to have this: Column sum A 2 B 4 C 0 D 24 E 15 F 1 G 26

I have released an app for Splunk Enterprise. As Splunk Enterprise is kind of on-premise product and runs on customers' local host, I use file log to collect debug logs with reference to https://dev.splunk.com/enterprise/docs/developapps/addsupport/logging/loggingsplunkextensions. I can read the local file and index the logs in 'search' result. Now I need to migrate the app on Splunk Cloud. How can I collect the debug log for apps on cloud. Does the link still work on Cloud? If not, is there other guides for this?

My dilemma. index=prod_s3  sourcetype=My_Sourcetype earliest=-30m (host=2016) OR (host=2018) OR (host=2015) OR (host=2017) |stats count as value by host The above query will return a count for each host that is ingesting, however If one of the above hosts is not ingesting, I wish to alert on that host, displaying the host name as output with a message. Any help is appreciate.  

Hi, We have 3 search heads in a SHC, I am planning to deploy "Splunk_SA_CIM" in my SHC from Deployer. Question 1- Once the "Splunk_SA_CIM" is deployed in SHC members, and then for example i edit the "cim_Network_Traffic_indexes" macro from Search Head GUI (Search heads are behind LB) and add the firewall index in it and then accelerate the "Network Traffic" DM from GUI, Will this accelerate this DM in all 3 Search Head members and Macro too will be updated in all 3 SH members ? Question 2 - or should i make above changes in "Splunk_SA_CIM" app under "local" folder in macros.conf and datamodels.conf in deployer and push to SHC ? Question 3 - What is the correct way to manage/update datamodels config in "Splunk_SA_CIM" app like adding indexes/enabling acceleration/adding removing fields in a Search head cluster which will have Enterprise Security app installed as well in near future?

We are working on automating the installation and configuration of Splunk DB Connect.  For the purposes of this question we are using DB Connect version 3.6.0 My question is how does the identity.dat file get generated.  We know it gets generated on a fresh DB Connect install the first time an identity is created manually.  Our issue is the DB Connect API endpoint for creating identities returns a 200 OK when creating an identity for the first time - but it does not get created and no identity.dat file is generated. If after a fresh install of DB Connect we manually though the UI add an identity - the identity.dat file is successfully generated.  We are then able to hit the endpoint to create identities and it creates them correctly. The endpoint that we are hitting is:   /servicesNS/nobody/splunk_app_db_connect/db_connect/dbxproxy/identities   The payload that we are uploading to the endpoint is formatted as such:   def output(self): data = {} data["name"] = self.db_identity_name data["username"] = self.db_username data["password"] = self.db_password data["disabled"] = self.disabled data["domain_name"] = self.domain_name data["use_win_auth"] = self.use_win_auth return data  

Hi The <Selection> in the bottom code is not working correctly and I can't figure out why. I am looking to select the time when I click on a bar on the graph. To give me the time of the bar, however, it is always giving me the start time of the graph and not the zoomed-in time of the bar.   <panel depends="$host_token$"> <chart> <title>Sig Events Error Count by MX Component</title> <search> <query>| mstats max("mx.process.errors") prestats=true WHERE "index"="metrics_test" AND mx.env=$host_token$ AND log.type=sig-event span=60s BY "log.type" pid replica.name service.name | search "psrsvd_nx_mx.process.errors" &gt; 0 | rename "service.name" as service_name | rename "replica.name" as replica_name | eval Process_Name=((service_name . " # ") . replica_name) | timechart max("mx.process.errors") AS Error_Log_Nb by Process_Name limit=10000 | eval Error_Log_Nb=substr(Error_Log_Nb, 1, len(Error_Log_Nb)-7)</query> <earliest>$time_token.earliest$</earliest> <latest>$time_token.latest$</latest> <sampleRatio>1</sampleRatio> </search> <option name="charting.chart">column</option> <option name="charting.legend.placement">bottom</option> <option name="refresh.display">progressbar</option> <selection> <set token="time_token_selection.earliest">$start$</set> <!--set token="time_token_selection.latest">$end$</set--> <eval token="time_token_selection.latest">$time_token_selection.earliest$+5</eval> </selection> </chart> </panel>   IN the below we can see i am click on the bar However, the time in the tokens is the start and end, not the time on the bar that i have clicked on. Regards Robert