I know this is available at an application level, but is there a way to do it at a tier level so other tiers in the application are not affected? Or is there a cunning workaround where we could disable it for all and then have a health rule so it still fires for the other tiers? Thanks! Jeremy.

Hello everyone,  We are using the Ta_nix add-on to get some logs from the Linux servers. But we notice that at the Monitor console when we run the Health Check we get this Alert That index comes from that specific app and looks like is generation a lot of sourcetypes. I checked the documentation and I cannot see it as a know issue.  So I would like to know if this is an expected behavior or if there is any way we can fix this.  Splunk Enterprise: 8.2.2 - over x86_64 x86_64 GNU/Linux Splunk_TA_nix : 8.3.1   Thank you in advance

The basic issue I faced was a dashboard with prominent single-value visualisation what was to display a count of exceptions.  The users wanted 0 exceptions to be "good" color and a range of colors after that. To demonstrate, here is a simple test dashboard making use fo the excellent features of single-value viz.   <form> <label>test single value viz</label> <fieldset submitButton="false"> <input type="text" token="limit"> <label>limit</label> <default>2</default> <initialValue>2</initialValue> </input> </fieldset> <row> <panel> <single> <search> <query>| gentimes start=1/25/2022 end=1/26/2022 increment=1h | eval count=random()%$limit$ | eval _time=starttime | table _time count | timechart span=6h sum(count) as count</query> <earliest>-1h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="colorBy">value</option> <option name="colorMode">block</option> <option name="drilldown">none</option> <option name="numberPrecision">0</option> <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option> <option name="rangeValues">[0,30,70,100]</option> <option name="showSparkline">1</option> <option name="showTrendIndicator">1</option> <option name="trellis.enabled">0</option> <option name="trellis.scales.shared">1</option> <option name="trellis.size">medium</option> <option name="trendColorInterpretation">standard</option> <option name="trendDisplayMode">absolute</option> <option name="unitPosition">after</option> <option name="useColors">1</option> <option name="useThousandSeparators">1</option> </single> </panel> </row> </form>   Default limit of 2 will result in a viz showing a lovely blue background and some values and trendline depending on the random data generated. limit 20 will produce most likely an orange background limit 200 a red background All this is expected and in accordance with the default viz that was produced by using the "Save As Dashboard Panel" option from the base window. A limit of 1 - which results in all data values of 0 gives the green background.  This is still expected. Where I struggle is the limit of 0 (or less) which will give no data as number % 0 is undefined.  The data for such a search has no values in the count column.    So what to do?  The single value viz has decided that null values are nearer max value than min value which makes sense if you use dafault colors because max value is colored red.  But if in your situation your low values are more abberent and you consider null values are abberations you'd want to have the nulls colored like your min value.  Also strange though si the value on the chart shows 0, even if all the values in the data set are null.  Suddenly null became 0 and not undefined, and thus 0 is treated as higher than max instead of lower than min.  I find this to be a mistake - either it's treated as 0 so color it as 0 and show it as 0 or it's treated as null so colour it as null and show it as null (or undefinied or something other than 0) The only workaround I could find (without looking at css chnages) is a bit ugly and may not suit all situations. I cludge the upper limit to some value "higher than I could ever reach" (famous last words) and stick the colour I want to display for no data there.   <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41","0x53a051"]</option> <option name="rangeValues">[0,30,70,100,100000000]</option>   In the real world situation I had, zero values was considered good, and no data at all is also good so the quick fix of the viz as above was enough to allow users to visualise the date. A better solution is to change the base search to something that always returned a 0  rather than null or add a line after the timechart to force nulls to an acceptable value.   I like the latter as it's far more clear what's going on.   | eval count=coalesce(count ,0)   When no data at all is returned by base search (as happened in my real world case) it can be handled the normal way with hidden panel to display when no data returned.  Side note on this: I usually have a panel that displays when there is no data for the base search but there is some data in the index/sourcetype and a different panel when there is no data at all.  This is because on rare occasions you may have a problem with a forwarder or any number of other reasons resulting in events taking longer than expected to appear in an index.  Letting user know this is the case rather than assuming "all's good" is better in my view. In real world data it's ugly to manipulate source into vizualisation just to make it look right.  Sometimes we have to, but here I think the single-value vizualisation needs an option to let the user decide how to display missing or null values.  

I'm using Splunk Enterprise 8.2.4 and I would like to start getting my Windows Forwarder Estate (8.2.4) to send it's perform. Initially I thought this would be easy but I was wrong. I though that out of the box that Splunk would allow me collect Windows perfmon data straight to a metrics index.  I think from reading the guide here that the pattern is as follows: Configure the forwarder inputs stanza as normal i.e. as you would to collect say the CPU metrics to an events index Point it at a metrics index tagged with a custom sourcetype Transform/parse the event to metrics format at the indexer when received based on sourcetype Is this understanding correct and of so does anyone have a bundle of Transforms ready to go (perhaps a TA or app that does this like Splunk Add-on for Microsoft Windows | Splunkbase )?

Hello all, In our company I need to create a daily email notification for  Remote logn Disabled account Event Log Stopped or Cleared Search Account Lockout  Please suggest which windows event correspond to above alerts. From my reading I think 4624, 4725, 1102, 4740 are the windows event IDs that I need to monitor but not sure. Thank you

I have a field whose value ranges from 0 to 20. I want to plot the graph to find the range of values being hit for the field every day. I tried using timechart but instead of it giving me ranges per day it starts building out graphs per value, like value 1 occurred on day1 ,day 2, day 4. I need it to tell me what all values occurred on a particular day rather than what days have those values.   index=a $search string$ | eval bytes=bytes/1000000 | timechart count by bytes   Hope I could explain what I am trying here..

Hello Splunk community. I have a query that is running currently as shown below:   index=myIndex* api.metaData.pid="my_plugin_id" | rename api.p as apiName | chart count BY apiName "api.metaData.status" | multikv forceheader=1 | table apiName success error NULL | eval line=printf("%-85s% 10s% 10s% 7s",apiName, success, error, NULL) | stats list(line) as line | eval headers=printf("%-85s% 10s% 10s% 7s","API Name","Success","Error", "NULL") | eval line=mvappend(headers,line) | fields - headers   Which displays a table with "API Name","Success","Error", "NULL" counts. This works as expected. Now i want to add a new column in the table which displays the latency value (tp95 and tp99) for each apiName . The time taken by each api is in the field api.metadata.tt. How can i achieve this ? I am new to splunk and I am literally stuck at this point. Could someone please help me. Thank you Info: Just to let you guys know, my query has these additional logic to format things because of related question here

Splunk forwarder is running in the host and sending the audit logs to Splunk instances through HEC. Now i want to send debug logs to another instance through another HEC end point. Is that possible to configure to HEC end points in Splunk forwarder?

Hi I am trying to onboard the streaming events from Salesforce into my Splunk and trying to use the 'Splunk Add-on for Salesforce Streaming API' for same. I have an http proxy at instance level to allow the connect to the internet facing Salesforce Sandbox Instance. After setting up the required connection and inputs, the data is not getting onboarded. And I am getting following ERROR messages at ta_sfdc_streaming_api_sfdc_streaming_api_events.log My Splunk Version : 8.1.5 How to solve this?' ################## ERROR pid=434886 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events. Traceback (most recent call last): File "/opt/splunk/etc/apps/TA-sfdc-streaming-api/bin/../lib/modinput_wrapper/base_modinput.py", line 128, in stream_events self.collect_events(ew) File "/opt/splunk/current/etc/apps/TA-sfdc-streaming-api/bin/sfdc_streaming_api_events.py", line 66, in collect_events input_module.collect_events(self, ew) File "/opt/splunk/etc/apps/TA-sfdc-streaming-api/bin/input_module_sfdc_streaming_api_events.py", line 26, in collect_events loop.run_until_complete(task) File "/opt/splunk/current/lib/python3.7/asyncio/base_events.py", line 587, in run_until_complete return future.result() File "/opt/splunk/etc/apps/TA-sfdc-streaming-api/bin/input_module_sfdc_streaming_api_events.py", line 61, in connect_sfdc async with sf_streaming_client as client: File "/opt/splunk/etc/apps/TA-sfdc-streaming-api/bin/../lib/aiosfstream/exceptions.py", line 143, in async_wrapper return await func(*args, **kwargs) File "/opt/splunk/etc/apps/TA-sfdc-streaming-api/bin/../lib/aiosfstream/client.py", line 246, in __aenter__ return cast("Client", await super().__aenter__()) File "/opt/splunk/etc/apps/TA-sfdc-streaming-api/bin/../lib/aiocometd/client.py", line 432, in __aenter__ await self.open() File "/opt/splunk/etc/apps/TA-sfdc-streaming-api/bin/../lib/aiosfstream/exceptions.py", line 143, in async_wrapper return await func(*args, **kwargs) File "/opt/splunk/etc/apps/TA-sfdc-streaming-api/bin/../lib/aiosfstream/client.py", line 143, in open await authenticator.authenticate() File "/opt/splunk/etc/apps/TA-sfdc-streaming-api/bin/../lib/aiosfstream/auth.py", line 100, in authenticate status_code, response_data = await self._authenticate() File "/opt/splunk/etc/apps/TA-sfdc-streaming-api/bin/../lib/aiosfstream/auth.py", line 187, in _authenticate response = await session.post(self._token_url, data=data) File "/opt/splunk/etc/apps/TA-sfdc-streaming-api/bin/../lib/aiohttp/client.py", line 619, in _request break File "/opt/splunk/etc/apps/TA-sfdc-streaming-api/bin/../lib/aiohttp/helpers.py", line 656, in __exit__ raise asyncio.TimeoutError from None concurrent.futures._base.TimeoutError