I have a rex built that when plugged into rex101 works fine, but when applied via a Splunk query, returns a blank result. Text: 2022/02/01 23:07:26.979 [ERROR] [nrfClient.Discovery.nrf] Message send failed, response [Type:ABC Http2_Status:404 CauseCode:"CONTEXT_NOT_FOUND" RetryExhausted:true MsgType:1434 ServiceName:nabc SelectedProfileName:"abc-profile" FailureProfile:"FHABC" GroupID:"ABC-*" ]   rex: Http2_Status:\d{3}\sCauseCode:\"(?<Error2>\w+)\"\s   rex101 result: CONTEXT_NOT_FOUND   But when plugged into Splunk, it comes back with a blank result.  

I have an automated script that creates a log file that marks the beginning and end of specific events during a web page process that I am wanting to monitor how long each process takes. I have put flags in the log file to notate the beginning of a process and the end of that process. OpenPage, Login, Search, Book, CustomerInfo, Seats, ClosePage. I can monitor that a certain process runs and the duration with the transaction command transaction startswith="LoginProcessStart" endswith="LoginProcessEnd" I don't know how to monitor several processes to add to the same table/chart. I have tried using multiple transaction commands, but I get an error stating the preceding search does not guarantee time-ordered events. Any ideas of how to approach this problem? Thank you for any ideas you may have.  

Hi  I have a year data and i want to create a search query to find the week tread. want to highlight week wise trend e.g. activity is high on 3rd week of every month or 1week on most of the months followed by 4th week. I am using is  ("index="index" source in ("source") | timechart span=1w count by activity"), which gives me data weekly for the months. Thanks

I'm working on an indexer to try to forward all data ingested with IT Essentials Work + Splunk Add-on for Unix & Linux to a remote indexer cluster. Until now, that indexer is receiving events into all itsi_* indexes, but, when I try to setup the forwarding option into that indexer, I cannot set the forwardedindex.n.whitelist and blacklist to forward only the itsi_* indexes to the IDX Cluster. I've try to overwrite all default whitelists and blacklists on local and reset whitelists with itsi_* indexes, but, this still forwarding all indexes, nor only itsi_* indexes. My outputs.conf file is like following: [tcpout] defaultGroup = default-autolb-group forwardedindex.0.whitelist = forwardedindex.1.blacklist = forwardedindex.2.whitelist = forwardedindex.0.whitelist = (itsi_grouped_alerts|itsi_im_meta|itsi_im_metrics|itsi_import_objects|itsi_notable_archive|itsi_notable_audit|itsi_summary|itsi_summary_metrics|itsi_tracked_alerts) indexAndForward = 1 [tcpout:default-autolb-group] disabled = false server = HFtoIDXCluster:9997 useACK = true If I use a "default" config option, overwriting the lists not resetting (not declaring the default 3 lists empty on the tcpout stanza) I have the same behaviour. This is the first time I try to set forwarding options from an indexer. I need to forward this data because it's used for administration of each Splunk instances, and it's required to get into a specific Splunk Enterprise cluster, but, all other indexes it's not required to be forwarded. Have I miss something to specify into config files? Best regards

When using input link, the default selected input appear like this: Then, when you select any of them, it gets like this: I would like to apply the css style of a selected input link button to the default when loading the dashboard. I can play with tokens to do this, I just cannot find the applied css. I know it might be found be inspecting the page somehow, but I cannot locate it. I have this run anywhere example: <form> <label>TEST</label> <row> <panel> <html> <style> #button button{ background-color: #F7F8FA !important; margin-right: 10px; } .dashboard-panel, .panel-body.html{ background: #F2F4F5 !important; } </style> <center> TEST </center> </html> </panel> </row> <row> <panel> <input id="button" type="link"> <label></label> <choice value="A">A</choice> <choice value="B">B</choice> <default>A</default> <change> <condition value="A"> <set token="show_pabel_a">true</set> <unset token="show_pabel_b"></unset> </condition> <condition value="B"> <unset token="show_pabel_a"></unset> <set token="show_pabel_b">true</set> </condition> </change> </input> <single depends="$show_pabel_a$"> <search> <progress> <condition match="'job.resultCount' &gt; 0"> <set token="show_panel_a">true</set> </condition> </progress> <query>| makeresults | eval test="A" | fields - _time</query> <earliest>0</earliest> <latest></latest> </search> <option name="drilldown">none</option> </single> <single depends="$show_pabel_b$"> <search> <progress> <condition match="'job.resultCount' &gt; 0"> <set token="show_panel_a">true</set> </condition> </progress> <query>| makeresults | eval test="B"</query> <earliest>0</earliest> <latest></latest> </search> <option name="drilldown">none</option> </single> </panel> </row> </form>  

If you have a dashboard that has a panel with a  search like the one below: | rest splunk_server=* /services/-/-/admin/......../appName/local | table name splunk_server title How can you make it so that it searches the other search heads? (a search like the one above returns values for the current search head and its peers - indexers)   

Hello all, we're configuring Splunk Enterprise security app within our environment, while testing alerts  the alert actions for sending email notifications are not working. Checked the internal error logs and observed the below. Any idea what is causing this error? ERROR:root:(501, b'Syntax error, parameters in command "mail FROM:<internal server> size=9571" unrecognized or missing' ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/search/bin/sendemail.py Thank you.

We are getting the Caused by: java.io.InterruptedIOException: timeout exception in the logs. from the server. However the server is not giving the response code to us.  I am looking for the standard practice for the timeout monitoring to be followed in Splunk to plot the graph for number of timeouts being received per second. Shall we add the error code like 408 in the exception at client side or we should plot the graph for on basis of text "timeout"  count with over the time.  Looking for the assistance and suggestions.

Hello community. I have an on-premises installation of Phantom, The database is running on the same server. When I go to Administration>System Health, all the tables are empty. There are no information about memory, load, disk and the status of the services is Unknown. Phantom is working properly so my guess is that there is an issue with the graphs. I have tried to restart the server but no result. This is what i see in System Health tab:   What could be the problem here? Thank you.

Hi, I am trying to configure PaloAlto logs via the Splunk Connect for Syslog. I followed the instructions here  https://splunk.github.io/splunk-connect-for-syslog/main/sources/PaloaltoNetworks/ I configured the syslog at PaloAlto according the instructions. I also c I can see the syslog connections arriving to the host from the firewall using the command tcpdump port 514. Add the following lines to splunk_metadata.csv   pan_config,index,test pan_correlation,index,test pan_globalprotect,index,test pan_hipmatch,index,test pan_log,index,test pan_system,index,test pan_threat,index,test pan_traffic,index,test pan_userid,index,test       And restart sc4s   systemctl restart sc4s   I checked the index test and it is empty. I enabled the debug by adding with the line in the env_file   SC4S_DEST_GLOBAL_ALTERNATES=d_hec_debug   and it seems like the index defined in the spplunk_metadata.csv is not taken, instead osnix is used.   curl -k -u "sc4s HEC debug:$SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN" "https://splunk.XX.XXX.XXu:8088/services/collector/event" -d '{"time":"1643726324.000","sourcetype":"nix:syslog","source":"program:","index":"osnix","host":"atlas-fw-01.XXX.XX.XX","fields":{"sc4s_vendor_product":"nix_syslog","sc4s_syslog_severity":"info","sc4s_syslog_format":"rfc5424_strict","sc4s_syslog_facility":"user","sc4s_proto":"UDP","sc4s_loghost":"xxxxxxxxxx","sc4s_fromhostip":"192.168.10.100","sc4s_destport":"514","sc4s_container":"xxxxxxxx"},"event":"2022-02-01T14:38:44.000+00:00 atlas-fw-01.xxx.xxx.xxx - - - - 1,2022/02/01 15:38:43,011901021137,TRAFFIC,end,2561,2022/02/01 15:38:43,192.168.20.63,157.240.27.54,154.14.118.254,157.240.27.54,Normal traffic,xxx\\yyy,,quic,vsys1,Internal,External,ae1,ae2.6,Splunk,2022/02/01 15:38:43,113676,1,56081,443,49985,443,0x400019,udp,allow,7358,2250,5108,19,2022/02/01 15:36:43,0,any,,7030011678692056750,0x0,192.168.0.0-192.168.255.255,Germany,,7,12,aged-out,0,0,0,0,,atlas-fw-01,from-policy,,,0,,0,,N/A,0,0,0,0,c8250554-4ccd-46e3-8498-e74cfe9cdd10,0,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2022-02-01T15:38:44.130+01:00,,,infrastructure,networking,browser-based,1,tunnel-other-application,,quic,no,no,0"}'    I already check and the HEC token is allowed to index test. Could someone tell me what is happening? thanks