to do Splunk search with the help of API I am getting 404 error while doing this call response = self.session.get(self.base_url + '/servicesNS/'+self.username+'/search/auth/login', data=payload)   can someone please tell me why this is happening?

Hello, I am trying to integrate Splunk and Resilient and faced with the following problem: in adaptive response I have mapped all required and interesting fields to be send to Resilient. After event is triggered - only raw data comes to SOAR. I have checked no errors on splunk side. On Resilient side there was error, but I have also fixed it - no luck com.co3.domain.exceptions.FieldsRequiredException: The following fields are required: 'cs_cloud_url','cs_sensor_id' com.ibm.resilient.common.domain.exceptions.Co3IllegalArgumentException: Incident name cannot be null/empty Do you have any ideas why only raw data comes from splunk?   Thank you

I have a dashboard that has 5 single value charts in 4 rows and all these rows display collective information about more than 1 process and now I'm using a drill down to a new dashboard to display detailed info about them. Is there a way we can add a button or split view kind of thing in the same dashboard when someone clicks on that button it should display that and should have hide or unhide functionality rather than using drilldown.Any help is highly appreciated.Thanks

Hi Community, I have a inputs.conf monitor that looks like this [monitor:///var/log/logfiles/.../app.log] index=englogs sourcetype=eng:custom The above monitor will cover these paths to the app.log files /var/log/logfiles/database/eng/comm/surface/app.log /var/log/logfiles/trunk/sec/comm/water/app.log /var/log/logfiles/other/fin/app.log And many, many more... I have a file that I want to sourcetype as access_combined (not eng:custom). /var/log/logfiles/scapes/web01/app.log This path falls within the scope of the above monitored stanza. What is the best way to accomplish this? Do I use a blacklist in the .../app.log eng:custom monitor and then create another monitor stanza for the web01/app.log access_combined that immediately follows this? Thank you

I am using python 3.9.5 splunk enterprise version 8+ splunk-python-sdk latest. My enterprise splunk supports TLS1.2 only, is it possible to use a specific TLS version with the splunk-python-sdk Can someone help with this?      

I am looking for best practices for determining when I have reached the limits of the number of data inputs that should be set up on a heavy forwarder. I have an existing heavy forwarder where I am running DB Connect to query ~20 different databases and frequencies. On this same heavy forwarder I have ~250 data inputs that query rest api's for various storage appliance data. I am experiencing splunk daemon stability issues when my Linux server is rebooted or the Splunk daemon is restarted. The CPU load will max out on the configuration and cause the Splunk daemon to be shut down. My heavy forwarder is a virtual server with 14 vcpu and 16GB memory. It is running on RHEL7 with the ulimits set as Splunk specified. Are there any documented configurations for heavy forwarders? Is there anything that might help besides trying to increase resources on this server such as configuration file settings?

If I had logs for the `_internal` index and logs for a `linux_os` index on a Heavy Forwarder, does the HF prioritize the `linux_os` index data prior to the `_internal` data on the host? Is there any precedence for data Splunk is monitoring?  Does Indexers have a precedence for what kind of data to index first?

Hello, I am looking for a solution to send Splunk alerts to Splunk mobile application. So far I was using the "Splunk Cloud Gateway" splunkbase on my Splunk lab (standalone Splunk VM) which was based on Splunk 8.0.x. Since I wanted to upgrade recently to Splunk 8.2.4, I needed to also move to the "embedded" Splunk Secure Gateway app. Since I did not needed the former indexed data, I decided to remove Splunk 8.0 and do a fresh install of 8.2.4 (no upgrade on Splunk side nor migration from Cloud Gateway to Secure Gateway). After "opt-in" for Secure Gateway, the gateway managed to stay "connected" for a duration of ~10 minutes (I can see "ping-pong" messages in Secure Gateway logs/_internal index). But it stopped suddenly to work (status in dashboard is now desperately showing  "not connected") ... Last "ping-pong" exchange is the following one: This was "today morning " at 0:20 AM (twenty past midnight, 10 minutes after gateway optin/config). On the errors side, the first one ever I can see is this one (7 min before 0:20 AM): Then this one when it stopped the "ping-pong" traffic (at 0:20 AM):  And then such ones:   I've checked all the logs of the gateway, enabled DEBUG traces, analyzed the python code, checked these errors, changed the "timeouts" for bigger values in the app conf file, looked at the "Troubleshooting sections" of the doc ... but I could not find yet why it suddenly stopped to work. To be complete, I am running on a lab VM (2 vCPU, 8GB of RAM) (which is under the prereq "specs", I know) and with SSL self-sign certificate generated by Splunk when I changed the server settings to use HTTPS. I am behind a Sophos UTM 9.7 which is protecting my home network and I've made a rule to disable filtering (like SSL scanning etc) for URLs that ends by *.spl.mobi  Would you have any directions or clues for fixing that connectivity issue? Thanks in advance   

I need to filter different error values for a range of different instruments. To do this, I have created a macro and lookup that uses the host-field and the name of the measurement field to determine if the value should be removed or not. This part of the function works well, but in some cases, we also need to correct the measurements in different time periods due to calibrations etc. For those cases, I have created columns in the lookup named "case_<number>" which contains time_start, time_stop, value_to_remove, adjustment_value. An example would be host=extensometer_001 with a distance_mm-field where we need to correct the following measurements: - Remove -222 between unix time 1644546240 and 1644586240 - Adjust +30 for measurements between unix time 1641546240 and 1644566200 The case-columns in the lookup would then look like this: case_001=1644546240,1644586240,-222 case_002=1641546240,1644566200,,30 To be able to handle zero or more cases per host and field, I use foreach in the following way:   | foreach "case_*" [| makemv delim="," <<FIELD>> | eval distance_mm= if(_time > mvindex(<<FIELD>>,0) AND _time < mvindex(<<FIELD>>,1) AND like(distance_mm,mvindex(<<FIELD>>,2)), "NULL", distance_mm) | eval distance_mm= if(_time > mvindex(<<FIELD>>,0) AND _time < mvindex(<<FIELD>>,1) AND mvindex(<<FIELD>>,3)!="",distance_mm+tonumber(mvindex(<<FIELD>>,3)),distance_mm) ]   The problem is that when I looka at "All time" and graph distance_mm with timechart at the end of the search, I end up seeing empty buckets all the way back to the first event indexed in the index (even if the data in my search is not that old). If I remove the foreach section, the problem goes away. I cannot see what is happening that makes timechart show this period without data. The interesting thing is that if look at the data in "Statistics" view right before the timechart then it only shows the time period with data. It is only when the timechart command is run that the empty buckets appear.   Image of results with foreach: Image of results without foreach: Does anyone know what is going wrong here or how in the worst case to get around it? (I could use cont=false to make Splunk zoom into the area where there is data, but then I would not be able to choose "show gaps" where data is missing which is a requirement from the client.) Full search:   | tstats summariesonly=false allow_old_summaries=false avg("Extensometer.distance_mm") as distance_mm FROM datamodel=Extensometer WHERE sourcetype="EXT" BY host, sourcetype, _time span=60min | eval field="distance_mm" | lookup error-filtering.csv instrument as host field as field | foreach "case_*" [| makemv delim="," <<FIELD>> | eval distance_mm= if(_time > mvindex(<<FIELD>>,0) AND _time < mvindex(<<FIELD>>,1) AND like(distance_mm,mvindex(<<FIELD>>,2)), "NULL", distance_mm) | eval distance_mm= if(_time > mvindex(<<FIELD>>,0) AND _time < mvindex(<<FIELD>>,1) AND mvindex(<<FIELD>>,3)!="",distance_mm+tonumber(mvindex(<<FIELD>>,3)),distance_mm) ] | streamstats window=2 earliest(distance_mm) as earliest_distance_mm latest(distance_mm) as latest_distance_mm by host | eval change_distance_mm=(latest_distance_mm - earliest_distance_mm) | streamstats sum(change_distance_mm) as acc_change_distance_mm by host | timechart span=1w limit=0 eval(round(avg(acc_change_distance_mm),2)) as distance_mm by host