Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
I'm creating an Ansible playbook for installing the UF in our org, and I discovered that I can use user_seed.conf for the initial --accept-license call, but now I want something similar when running a subsequent

./splunk install app <path to SPL file> -auth <username:passwd>

Can I use the hashed password value here, or maybe call the user_seed.conf file again? Thanks!
I am trying to route metric type events to a null queue to avoid indexing them, but they are still coming through. Any ideas if there is a special way to do this?

props.conf:
[azr_proda_metrics]
TRANSFORMS-set = kubenullmetrics

transforms.conf:
[kubenullmetrics]
REGEX = metric_name=kube.cluster.cpu.request| metric_name=kube.cluster.memory.request
DEST_KEY = queue
FORMAT = nullQueue
Previously, I added a user in the controller and the role was automatically assigned as "tenant role". I tried to add another one, but this time the "tenant role" is not automatically assigned. Can I add multiple users with the tenant role?
Hi guys, I have a query running in this job ID on Databricks:

And every time I try to transport these 5 rows from Databricks into Splunk, running in job 18363943, it only returns 1 row.

SPL to transport data from Databricks:

| databricksjob job_id="18363943"
| eval event_name = "Fraude - risco na selfie", severity="High", source = "DataBricks", jira_update_comment = " "
| table-result event_name, severity, consumer_id, biometric_origin, score, source, jira_update_comment

Results with only one row:

Could you guys help me with this, or show me where I'm making mistakes writing the code? I need a script that returns these 5 rows. Thanks in advance.
Hi, I was wondering if anyone is auto-blocking malicious IPs using the 'Alert Action' or any other method. We have Cisco FMC and are thinking of using the REST API to block the IPs. I would appreciate it if anyone who has achieved this could share how you are doing it. Thanks!
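Before wiring any alert directly into a firewall API, the piece worth getting right is the decision step between "the alert fired" and "the address is blocked". The following is an added example (not code from this thread, not Splunk's and not Cisco's) of that guard-rail logic as it would sit inside a Splunk custom alert action script. Splunk invokes such a script with --execute and passes the alert payload as JSON on stdin; the code relies only on the `configuration` and `result` keys of that payload, and the `results` list, the `src_ip` field name, the allowlisted resolver addresses and the sample addresses are all constructed assumptions. The actual FMC REST call is supplied by the caller as the `submit` callable, so the policy can be tested without a firewall.

```python
"""Guard-rails for an auto-block alert action.

Added example, not code from the original thread. It models the decision
step a Splunk custom alert action would run before calling a firewall API
(here Cisco FMC, whose REST calls are left to the injected `submit`
callable). Splunk passes the alert payload as JSON on stdin when the
script is invoked with --execute; only the keys used below are relied on,
and the `results` list, the field name `src_ip` and the allowlist values
are assumptions for this example.
"""
import ipaddress
import json
import sys
from typing import Callable, Iterable

# Assumed: addresses that must never be auto-blocked (resolvers the estate
# depends on, own public space, the SIEM itself). Tune for your environment.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("9.9.9.9/32", "1.1.1.1/32")]


def classify(raw: str, allowlist=ALLOWLIST):
    """Return (ok, reason) for a candidate address."""
    try:
        ip = ipaddress.ip_address(raw.strip())
    except ValueError:
        return False, "not an IP address"
    if not ip.is_global:  # RFC1918, loopback, link-local, multicast, reserved
        return False, "non-global address"
    if any(ip in net for net in allowlist):
        return False, "allowlisted"
    return True, "ok"


def plan_blocks(results: Iterable[dict], field: str = "src_ip", max_blocks: int = 5):
    """Turn alert results into a deduplicated, capped list of addresses to block.

    Returns (to_block, skipped) where skipped maps value -> reason.
    """
    to_block, skipped, seen = [], {}, set()
    for row in results:
        raw = str(row.get(field, ""))
        if raw in seen:
            continue
        seen.add(raw)
        ok, reason = classify(raw)
        if not ok:
            skipped[raw] = reason
        elif len(to_block) >= max_blocks:
            skipped[raw] = "over max_blocks cap"  # blast-radius limit per firing
        else:
            to_block.append(raw)
    return to_block, skipped


def run(payload: dict, submit: Callable[[str], None]):
    """Apply the policy to one alert payload and call submit() once per block."""
    cfg = payload.get("configuration", {})
    field = cfg.get("ip_field", "src_ip")
    cap = int(cfg.get("max_blocks", 5))
    # Splunk delivers the triggering row in `result`; a `results` list is an
    # assumption here so the same code can take rows read from results_file.
    rows = payload.get("results") or [payload.get("result", {})]
    to_block, skipped = plan_blocks(rows, field, cap)
    for ip in to_block:
        submit(ip)
    return to_block, skipped


# Constructed sample payload; the public addresses are arbitrary.
SAMPLE_PAYLOAD = {
    "search_name": "Threat intel - outbound to known C2",
    "sid": "scheduler__admin__search__RMD5_at_1700000000_123",
    "configuration": {"ip_field": "src_ip", "max_blocks": "2"},
    "results": [
        {"src_ip": "91.92.93.94"},
        {"src_ip": "91.92.93.94"},   # duplicate row
        {"src_ip": "10.20.30.40"},   # internal, must never be blocked
        {"src_ip": "9.9.9.9"},       # allowlisted resolver
        {"src_ip": "37.0.0.11"},
        {"src_ip": "37.0.0.12"},     # over the per-alert cap
        {"src_ip": "not-an-ip"},
    ],
}

if __name__ == "__main__":
    payload = json.load(sys.stdin) if "--execute" in sys.argv else SAMPLE_PAYLOAD
    blocked, skipped = run(payload, lambda ip: print("would block", ip))
    print(json.dumps({"blocked": blocked, "skipped": skipped}, indent=2))
```

Run stand-alone it prints the decision for the constructed payload; under Splunk it reads the real payload from stdin. The `submit` callable is where the FMC session and object update go; keeping it separate means the allowlist, private-range and cap checks can be unit-tested, and a bad threat feed cannot take out internal ranges or more than `max_blocks` addresses per firing.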
Hello there, can someone explain to me why there is a second "average" when I hover over one slice of the pie chart? The first "average" is my calculation; the second, with the % ("average%"), came out of nowhere and I don't know why they have different results. Can I get rid of it? In case you need my search:

index=blabla | stats count by category | eventstats sum(count) as total | eval average=round((count/total)*100,2) | sort 10 - average | fields category average

Thanks.
We have several servers successfully forwarding event logs to our on-prem Splunk server. No one can remember the credentials used when installing the forwarder. What is the best way to handle this problem without breaking forwarding on the other servers? Thanks
Hi all, I am using an app called Murex. I am Admin on the environment, but I can't see the Sharing (permissions) column on this app. On all other apps I can see the permissions, but not on this one. Any ideas, anyone? For example, in another app with the same user:
In the above image I couldn't access the date input. It's actually a client server, and as a user I couldn't access it. Please let me know how to enable the input field so that the user can access it. Thank you, veeru
Hello, this is regarding https://splunkbase.splunk.com/app/4283/#/details. Can someone please advise how to configure the auto cache update? Where in ES should I enable "Cache auto update" and whatever has been mentioned in the steps below?
My data is like this (for illustration purposes only):

LocalIp        aip
10.10.10.1     192.168.1.1
10.10.10.2     172.58.100.41
10.10.12.3     8.8.8.8
192.168.3.1    8.8.8.8

I am trying to search for any hits where LocalIP contains the aip address. In this example there is one hit. This is what I have, but I'm stuck on trying "contains":

| eval result=if(like(LocalIP, "%".aip."%"),"Match","")
Hello all, I'm new to Splunk and installed the free Enterprise version to start learning and expand my skill set. I am able to install Splunk locally and monitor files on the computer it is installed on. However, I now want to try to monitor a remote computer. I set up a test VM and was going to install the Universal Forwarder when it asked me for my Receiving Indexer. Obviously I cannot input 127.0.0.1 for the IP, so I tried changing the IP where the Splunk server is running. Per the Splunk documentation, I changed the mgmtHostPort line in web.conf from 127.0.0.1:8089 to 10.xx.xx.xx:8089. I also added SPLUNK_BINDIP=10.xx.xx.xx to the splunk-launch.conf file. After doing this, I tried to restart Splunk and it timed out, with an entry in the log: "Could not bind to ip 10.xx.xx.xx port 8089". OK, so I reverted all my changes to their default configuration, and now when I try to log into Splunk I get "500 Internal Server Error". Everything is as it was when it was first installed and I could log in, and I've also tried restarting the Splunk service on my PC 3-4 times. This is a Windows installation, by the way. Any ideas? This happened last week and the only thing I could do to fix it was uninstall and reinstall Splunk. Is that the only fix for when Splunk acts up? Thanks!
Hello, I would like to change the bare host name to a host name with a domain name. According to all the articles, I have changed the following configuration files using CLI and manual methods:

./splunk set servername nazwahosta.domena.koncowka
./splunk set default-hostname

and added to $SPLUNK_HOME/etc/system/local/deploymentclient.conf:

[deployment-client]
clientName = host.domain.name

Afterwards the instance name and client name changed to the version with the domain name, but the host name didn't. I am using a deployment server and found that someone had a similar problem (but with no solution): Event from add-on Splunk app Windows source withou... - Splunk Community. I bet that the problem lies somewhere in the Splunk_TA_windows app props or conf file, but I can't find where exactly. Does anybody know where the problem is? Have a nice day!
KPI        GLOBAL         LOCAL
random1    random_data    random_data
random2    random_data    random_data
random3    random_data    random_data

I have a dashboard like the above and I want to design a conditional drilldown where: when someone clicks on any value (random_data) in the GLOBAL column, they must be redirected to a different page in a new tab; when they click on any value (random_data) in the LOCAL column, they must be redirected to a different page in a new tab. Is there any way to achieve this?
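Simple XML supports per-column drilldown through `<condition field="...">` blocks inside a table's `<drilldown>`, and `<link target="_blank">` opens the target in a new tab. The following is an added example dashboard fragment (not the poster's dashboard): the search `index=kpi_summary`, the two target dashboards `global_detail` and `local_detail` and their `form.*` inputs are assumed names, and `$row.KPI$` / `$click.value2$` are the standard tokens for the clicked row's KPI value and the clicked cell's value.

```xml
<dashboard>
  <label>KPI overview (added example, assumed names)</label>
  <row>
    <panel>
      <table>
        <search>
          <!-- Assumed source of the KPI/GLOBAL/LOCAL table -->
          <query>index=kpi_summary | table KPI GLOBAL LOCAL</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <drilldown>
          <!-- A click in the GLOBAL column: open the global detail page in a new tab.
               $row.KPI$ is the KPI of the clicked row, $click.value2$ the clicked cell.
               The & between query parameters must be written as &amp; in XML. -->
          <condition field="GLOBAL">
            <link target="_blank">/app/search/global_detail?form.kpi=$row.KPI$&amp;form.value=$click.value2$</link>
          </condition>
          <!-- A click in the LOCAL column: open the local detail page in a new tab. -->
          <condition field="LOCAL">
            <link target="_blank">/app/search/local_detail?form.kpi=$row.KPI$&amp;form.value=$click.value2$</link>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>
```

Clicks on the KPI column match no condition and therefore do nothing; add a third `<condition field="KPI">` if that column should also link somewhere. Values passed into the target URL via tokens are URL-encoded by the dashboard framework, but the target dashboard should still treat `form.value` as untrusted input in its own searches.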
Hi team, do we have IntelliSense editor support in the Phantom playbook editor in the browser, or can we integrate an existing Phantom instance into VS Code to develop playbook Python code with intelligent suggestions, and test/execute it in the Phantom debugger or the VS Code debugger?
While most warnings and errors show up in the Job dropdown (1), some are also displayed in an area right below the search bar (2). Looking at the HTML, this placeholder is named search-searchflashmessages. What's the name for this area (to discuss it with Support)? Is it possible to configure which messages to show/not show here? Looking at the documentation, this area is not detailed: https://docs.splunk.com/Documentation/Splunk/8.2.4/Search/WhatsinSplunkSearch
Hi, I must add an HTML link in my dashboard which is an HTTP URL. But in this URL there is the character &, so when I want to add it, Splunk says "invalid character entity". How can I avoid this, please?
Hi all, I have a sourcetype in which we have some events with a keyword like asdf. In some events it comes in between, and in some events at the end. I need to forward all these logs to another sourcetype with props and transforms.

transforms.conf:
[generic_sourcetype_routing_asdf]
REGEX =
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::asdf_logs

props.conf:
[current_sourcetype]
TRANSFORMS-sourcetype_routing = generic_sourcetype_routing_asdf

In the REGEX part I would like to know if only keeping asdf or *asdf * would work. I can't put the regex for the complete log format since there are multiple formats. So I need to inform Splunk that any event with asdf anywhere in it should be forwarded to the new one. Please suggest. Thanks, Maria Arokiaraj
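A transforms.conf REGEX is a PCRE pattern searched anywhere in _raw (unanchored, case-sensitive unless the pattern says otherwise); it is not a glob, so a pattern starting with `*` is a syntax error rather than "match anything". The following is an added example (not code from this post, and not Splunk itself) that dry-runs candidate patterns against constructed sample events with those same matching semantics, so the routing behaviour of a pattern can be checked before the stanzas go to the indexers. The stanza name and event lines are made up.

```python
"""Dry-run transforms.conf-style sourcetype routing over sample events.

Added example, not code from the original post and not Splunk's own code.
It mimics the matching semantics of a transforms.conf REGEX (an unanchored,
case-sensitive PCRE search unless the pattern says otherwise) so candidate
patterns can be checked against sample _raw lines before the config goes
to the indexers. The stanza and the event lines are constructed.
"""
import re

# Constructed _raw lines: keyword in the middle, at the end, in a different
# case, embedded in a longer token, and absent.
EVENTS = [
    "2024-05-01T10:00:01Z host=web1 msg=asdf request completed",
    "2024-05-01T10:00:02Z host=web2 status=500 asdf",
    "2024-05-01T10:00:03Z host=web3 msg=ASDF upper case",
    "2024-05-01T10:00:04Z host=web4 token=asdfgh12",
    "2024-05-01T10:00:05Z host=web5 nothing to see",
]


def regex_error(pattern):
    """Return the compile error for a pattern, or None if it is valid."""
    try:
        re.compile(pattern)
    except re.error as exc:
        return str(exc)
    return None


def route(raw, current_sourcetype, rules):
    """Apply rules in order; the first REGEX that matches anywhere rewrites the sourcetype.

    `rules` is a list of dicts shaped like transforms.conf stanzas with
    REGEX, DEST_KEY and FORMAT keys.
    """
    for stanza in rules:
        if stanza["DEST_KEY"] != "MetaData:Sourcetype":
            continue
        if re.search(stanza["REGEX"], raw):  # unanchored search, like Splunk
            return stanza["FORMAT"].split("sourcetype::", 1)[1]
    return current_sourcetype


def dry_run(pattern, events=EVENTS, current="current_sourcetype"):
    """Route every sample event with one candidate REGEX; returns the sourcetypes."""
    rules = [{"REGEX": pattern, "DEST_KEY": "MetaData:Sourcetype",
              "FORMAT": "sourcetype::asdf_logs"}]
    return [route(raw, current, rules) for raw in events]


if __name__ == "__main__":
    for pattern in ("asdf", r"(?i)asdf", r"\basdf\b", "*asdf *"):
        err = regex_error(pattern)
        if err:
            print(f"{pattern!r}: invalid regex ({err})")
            continue
        print(f"{pattern!r}: {dry_run(pattern)}")
```

The plain `asdf` pattern routes the first, second and fourth events (it also matches inside `asdfgh12`); `(?i)asdf` additionally catches the upper-case variant; `\basdf\b` restricts the match to the keyword as a whole token. Two caveats: index-time TRANSFORMS run in the parsing pipeline, so these stanzas belong on the indexers or heavy forwarders rather than on a universal forwarder, and Python's `re` is not PCRE, so keep test patterns to constructs both engines share, as the ones above are.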
I have this weird issue where the exact same search, run for the exact same period, returns a different number of events each time it is run, rendering all attempts at accurate reporting useless. It doesn't matter what type of search it is; for instance, whether it has some statistics or is just a plain search, the same searches return different results. We've checked all the usual stuff: event sampling is turned off, indexing time is OK and it's not lagging, so no skewing of the results can come from this. Searches are run directly against indexes, no data models are involved, and the search logs for the searches are identical for the runs compared to each other. What we discovered for sure is that this issue affects only indexes that are stored in S3 storage. Locally kept indexes are fine and do not have this issue. The S3 storage was tested: it is configured correctly, there are no network disruptions, there are no errors in the logs concerning it, there's nothing that could hint at a problem. Yet the problem remains. Any idea what may be causing this? Attaching a screenshot just for visualization, and here's the search for which it was made:

index="qualys" sourcetype="qualys:hostDetection" PATCHABLE="YES" NETBIOS="*"
Hello there, I want to make a top 10 of applications based on the top 10 of categories. Here is an example:

Category    Nb of alerts / category    Application    Nb of alerts (by app for this category)
Cat1        8000                       App1           1000
            8000                       App2           100
            8000                       App3           10
Cat2        5000                       App1           10000
            5000                       App2           688
Cat3        300                        App4           4560

So I know how to get the top 10 categories, but from that I don't know how to get the top 10 applications for each category found previously. Here is what I've done so far (note that the 2nd column in my example doesn't exist in my query; it's just to make the example clearer):

index=my_index action=block [search index=my_index action=block | top category | table category]
| stats count by category, app
| stats values(app) AS apps, values(count) AS total by category

It gives me the 10 categories, but they are sorted in alphabetical order instead of by number of block actions, and I have more than 10 applications in the second column, not sorted. Does anyone have a solution for that? It'd be lovely. Thanks in advance.