Getting this issue on a windows server. There's only an inputs.conf file with the following  [monitor://L:\Logs\ApplicationLogs*.log] sourcetype = xxx index = yy disabled = 0   1/12/2022 05:03.3 1000 ERROR WatchedFile [7088 tailreader0] -   Bug during applyPendingMetadata, header processor does not own the indexed extractions confs.         1/12/2022 05:03.3 1000 ERROR TailReader [7088 tailreader0] - Ignoring path="L:\Logs\ApplicationLogs20220112VServer.log" due to:   Bug during applyPendingMetadata, header processor does not own the indexed extractions confs.          

Hello Splunkers!  I am trying to find a way to set up a cron schedule on DB connect app?  I want to run the schedule every second week of Tuesday of the month.  So, the next schedule should be 02/08/2022, then 03/08/2022, then 04/05/2022 .... We tried super hard to make this work.  Below is what we tried:   I thought this would work then, it shows the next schedule will be on 1/18 not next month.    Any brilliant ideas our Splunkers have??   Thanks in advanced. 

Is there a way to make a call python script from a dashboard and display the received output data from the script into the dashboard. In reality I am not looking into diggesting this data into splunk but only display on demand when looking at the dashboard.  

I'm trying to have Splunk submit two separate events in one run .   def run(): logging.info("Running Test....") now = time.time() output = f""" <stream> <event> <time>{now}</time> <data>event_status="(0)Item0."</data> </event> <event> <time>{now}</time> <data>event_status="(1)Item1."</data> </event> </stream> """ print(output) sys.stdout.flush()     This runs and the XML is submitted but it only shows as a single event     1/12/22 9:47:54.000 PM <stream> <event> <time>1642024074.8583786</time> <data>event_status="(0)Item0."</data> </event> <event> <time>1642024074.8583786</time> <data>event_status="(1)Item1."</data> </event> </stream>     Is there any way to submit these two events so they show up as separate events?  I'm looking at polling multiple statistics for a multitenant application and would like to display each tenant separately.

I've been able to run a dashboard from the command line by  1. copy and pasting simple xml into a file 2. updating tokens with desired values 3. running the pdf render command from curl, e.g., curl  -sku guest:pwd "https://splunkhost:8089/services/pdfgen/render" --data-urlencode "input-dashboard-xml=$(cat sample-dashboard.xml)" -d namespace=search -d paper-size=a4-landscape > mydash.pdf Is there a way to use python/rest to do the same? I tried some of the endpoints and it creates the dashboard xml with extra scaffolding. Seems to be intended for adding and updating dashboards rather than running the dashboard itself.

Have a few Windows server that I need to enable file monitoring on to be sending logs to Splunk Ent. server. I could use your hands-on experience please, including any SPLs, do's & don't. I found this link but is too generic. https://docs.splunk.com/Documentation/Splunk/8.2.4/Data/MonitorfilesystemchangesonWindows Thanks a million in advance. Have a great week ahead.

Helloo, i am using the MLTK, i get this error Error in 'fit' command: (ImportError) DLL load failed while importing _arpack: The specified procedure could not be found. It will be great if the team can help me to solve this.  

Hi All, I am writing a playbook that  sends an automated email when a case is opened in phantom.   I know If you are doing a manual promotion (via GUI), then you would need to have a REST query get executed from a playbook hitting the container endpoint and looking for "container_type": "case".  Then you would just have a format block to populate the REST results and have a connected send email action via SMTP.  what are the steps to get a REST query get executed?   Brandy

I'm trying to get a new sourcetype (NetApp user-level audit logs, exported as XML) to work, and I think my fields.conf tokenizer is breaking things. But I'm not really sure how, or why, or what to do about it. The raw data is XML, but I'm not using KV_MODE=xml because that doesn't properly handle all the attributes. So, I've got a bunch of custom regular expressions, the true backbone of all enterprise software. Here's a single sample event (but you can probably disregard most of it, it's just here for completeness): <Event><System><Provider Name="NetApp-Security-Auditing" Guid="{guid-edited}"/><EventID>4656</EventID><EventName>Open Object</EventName><Version>101.3</Version><Source>CIFS</Source><Level>0</Level><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><Result>Audit Success</Result><TimeCreated SystemTime="2022-01-12T15:42:41.096809000Z"/><Correlation/><Channel>Security</Channel><Computer>server-name-edited</Computer><ComputerUUID>guid-edited</ComputerUUID><Security/></System><EventData><Data Name="SubjectIP" IPVersion="4">1.2.3.4</Data><Data Name="SubjectUnix" Uid="1234" Gid="1234" Local="false"></Data><Data Name="SubjectUserSid">S-1-5-21-3579272529-1234567890-2280984729-123456</Data><Data Name="SubjectUserIsLocal">false</Data><Data Name="SubjectDomainName">ACCOUNTS</Data><Data Name="SubjectUserName">davidsmith</Data><Data Name="ObjectServer">Security</Data><Data Name="ObjectType">Directory</Data><Data Name="HandleID">00000000000444;00;002a62a7;0d3d88a4</Data><Data Name="ObjectName">(Shares);/LogTestActivity/dsmith/wordpress-shared/plugins-shared</Data><Data Name="AccessList">%%4416 %%4423 </Data><Data Name="AccessMask">81</Data><Data Name="DesiredAccess">Read Data; List Directory; Read Attributes; </Data><Data Name="Attributes">Open a directory; </Data></EventData></Event> My custom app's props.conf has a couple dozen lines like this, for each element I want to be able to search on: EXTRACT-DesiredAccess = <Data Name="DesiredAccess">(?<DesiredAccess>.*?)<\/Data> EXTRACT-HandleID = <Data Name="HandleID">(?<HandleID>.*?)<\/Data> EXTRACT-InformationRequested = <Data Name="InformationRequested">(?<InformationRequested>.*?)<\/Data> This works as you'd expect, except for a couple of fields where they're composites. This is most noticeable in the DesiredAccess element, which in our example looks like: <Data Name="DesiredAccess">Read Data; List Directory; Read Attributes; </Data> Thus you get a single field with "Read Data; List Directory; Read Attributes; " and if you only need to look for, say, "List Directory," you have to get clever with your searches. So, I added a fields.conf file with this in it: [DesiredAccess] TOKENIZER = \s?(.*?); When I paste the 'raw' contents of that field, and that regex, into a tool like regex101.com, it works and returns the expected results. Similarly, it also works if I remove it from fields.conf, and put it in as a makemv command: index=nonprod_pe | makemv tokenizer="\s?(.*?);" DesiredAccess With the TOKENIZER element in fields.conf, the DesiredAccess attribute just doesn't populate, period. So I assume it's the problem. (Since this is in an app, the app's metadata does contain explicit "export = system" lines for both [props] and [fields]. And the app is on indexers and search heads. Probably doesn't need to be in both places, but hey I'm still learning...) So, what am I doing wrong with my fields.conf tokenizer, that's caused it to fail completely to identify any elements?

Hello, I am trying to integrate Automic Automation Intelligence tool  with Splunk. https://www.broadcom.com/products/software/automation/automic-automation-intelligence Basically this tool is reads Autosys database to download the job run history like success, failures etc. Want to integrate with splunk so that I can create a dashboard with the job run history. The job run history should be fetched real time. Is there any way to do that? Any API calls or any other way? Please suggest.