Hello, we've installed splunk and after the license expired on december 18th or so. Now we have converted the license into a free license. But the search still doesn't work, everytime i try to search something "*" or in my other index i get: ----snip--- Error in 'litsearch' command: Your Splunk license expired or you have exceeded your license limit too many times. Renew your Splunk license by visiting www.splunk.com/store or calling 866.GET.SPLUNK. ----snip--- Only Searching in "index=_internal" works. Looking in settings->licensing: -----snip---- Free license group Change license group This server is configured to use licenses from the Free license group Add license Usage report Alerts Licensing alerts notify you of excessive indexing warnings and licensing misconfigurations. Learn more Current 1 pool warning reported by 1 indexer Correct by midnight to avoid warning Learn more 1 pool violation reported by 1 indexer Correct by midnight to avoid warning Learn more Permanent 18 pool quota overage warnings reported by 1 indexer 13 hours ago Local server information Indexer name ######### License expiration 19 Jan 2038, 04:14:07 Licensed daily volume 500 MB Volume used today 0 MB (0.007% of quota) Warning count 18 Debug information All license details All indexer details -----snip---- We are evaluating splunk and have only a couple kB per day, to the data amount is not the problem. Do you have an advices? with best Regards Peter  

Hello, I have a specific question concerning translations with i18n. So what I want to do is translate an i18n-token  in a HTML-environenment which contains "normal" Splunk token and resolve them. For example the i18n token "i18n_coil_machine2_vor_x_tagen2": "$tok_coil_machine_2$ vor $tok_latest_stack_time_2$ Tagen". When I insert the token in a dashboard title it works and it resolves the inner token. But when I use it in a HTML it does not: Results in title: "XXX vor YYY Tagen" Results in HTML: $tok_coil_machine_2$ vor $tok_latest_stack_time_2$ Tagen Here is a minimal working example : <dashboard script="translation.js"> <init> <set token="tok_coil_machine_2">XXX</set> <set token="tok_latest_stack_time_2">YYY</set> </init> <label>TEST</label> <row> <panel> <title>i18n_coil_machine2_vor_x_tagen2</title> <html>Only Token: $tok_coil_machine_2$ und $tok_latest_stack_time_2$</html> <html> IN HTML: <span i18ntag="">i18n_coil_machine2_vor_x_tagen2</span></html> </panel> </row> </dashboard> Is there a solution for this? I would be very thankful for any help.

Hi, I tried to configure CloudTrail SQS Based S3 and I got the following message: "Warning: This message does not have a valid SNS Signature None None doesn't match required format '^https://sns\\.[-a-z0-9]+\\.amazonaws\\.com(?:\\.cn)?/'" Sometimes I also get: "Failed to delete message" I have no clue where to look in order to solve this issue. I will appreciate any help!

Stage(Field name) Capa Capa_india north_Capa checkcapaend NET net_east southNETregion showmeNET us_net   From the field Stage, if the value contains capa 0r Capa I need to color the bar chart as Blue. Otherwise need to show the bar chart color as Orange.   Thanks in advance.

hi,  I tried to Install google Cloud Platform Add-On, the pubsub input. When I tried to set the input parameters, i got the error "Error response received from server: External handler failed with code '1' and output: '[Errno 104] Connection reset by peer '".   someone can tell me what can it be, and how to solve it?

Hi. I have a dashboard with 80 panels. Panels are numeric value( type:Single Value). I would like to bulid one panel which count panels which are not 0.  In below example i would like build one panel which will show 1 because one panel is over then 0 and it's red.

We have a process that writes log lines to a log file. Every 15 min the entire log file is overwritten. If there are new lines, those are added. Old lines are retained.   We want the Heavy Forwarder to send to Splunk only the new lines, even though the entire file has got overwritten. Is that possible?

Greetings Splunkers, I have recently started having triggered alerts from a couple of correlation searches that when attempting to fix or troubleshoot the specific rule, the query would actually fail for errors relating to the query itself (example: unescaped slashes, lookups that do not exist etc.) How do those Notables even trigger if the query itself fails? How do I audit changes done to a correlation search to make sure no changes were done to the rule? Thanks, Regards,

When i convert following timestamp to human readable format i am getting "12/31/9999 23:59:59" instead of '01/04/22 06:03:47' "timestamp": 1641294227243 I'm using strftime(timestamp,"%m/%d/%Y %H:%M:%S") function for the conversion. Could you please help me to find out the right conversion method? Thanks in advance! 

I use a lookup to define alert/SLO specifications. I use the lookups as input filters to my alert searches where I can. The lookup column name is sli_dimensions_alert: (there are other columns in the lookup): sli_dimensions_alert="env,service_name,type,class" The sli_dimensions_alert field specification can have multiple comma separated values. For example: sli_dimensions_alert="env,service_name,type,class" My goal is to create an alert_name based on that CSV value list. Example raw data: env="PRD" service_name="EXGMGR" type="ERROR" class="TIMEOUT" I want to create a macro, calculated field or automatic lookup to transform sli_dimensions_alert="env,service_name,type,class" into alert_name="PRD-EXGMGR-ERROR-TIMEOUT". I've tried a variety of combinations with split, mvjoin, mvmap, but haven't found a way to make it work.

I want to divide different multi-values based on IP. Current results: IP date event risk 1.1.1.1 2022-01-01 2022-01-02 apache struts ipv4 fragment high row   my search: mysearch | mvexpand date | mvexpand event | mvexpand risk | table ip date event risk reuslt: IP date event risk 1.1.1.1 2022-01-01 apache struts high 1.1.1.1 2022-01-01 apache struts row 1.1.1.1 2022-01-01 ipv4 fragment high 1.1.1.1 2022-01-01   ipv4 fragment row 1.1.1.1 2022-01-02 apache struts high 1.1.1.1 2022-01-02 apache struts row 1.1.1.1 2022-01-02 ipv4 fragment high 1.1.1.1 2022-01-02 ipv4 fragment row   I want IP date event risk 1.1.1.1 2022-01-01 apache struts high 1.1.1.1 2022-01-02 ipv4 fragment row please help me...

After updating the Splunk Add-On for AWS to 5.2.1 we are no longer receiving Cloudtrail data through a proxy server.  The message from the _internal index is "message="Warning: This message does not have a valid SNS Signature <urlopen error [Errno 110] Connection timed out>".  If I bypass the proxy and allow outbound connections from the Splunk server on port 443 (with the proxy enabled in both the addon and server.conf) it is able to retrieve the data.  We are running Splunk Enterprise 8.2.3.2 on a single instance.

I have created an IP choropleth map that correctly shows colors and numbers. I then save it as a dashboard. When no data is loaded on the dashboard yet I am able to hover mouse over each country and the tooltip shows the Country name + 0 IPs correctly. After any data has begun to load, the mouse tooltip shows the country + # IPs for the 1st country that the mouse hovers over, even if I hover the mouse over other countries. Is this a bug? Am I doing something wrong? Splunk version: 8.2.3 on Linux.   Thanks in Advance! 

Hello, We 've got some problem with the service status part of the Splunk Add-on for Microsoft Office 365, since monday evening. The TA failed to get data and report the following message: "splunk_ta_o365.common.portal.O365PortalError: 403:Please use MSGraph to access this resource https://docs.microsoft.com/en-us/graph/api /resources/service-communications-api-overview?view=graph-rest-1.0&preserve-view=true" . I've seen a link on microsoft doc "https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-service-communications-api-reference" which says that the "Office 365 Service Communications API" will be retired and is replace by MS Graph API Do you know if an updated TA would be post soon ? Thanks