All Topics


Hi, hope everyone is safe and doing great! I have a project to do with column header merging. Are we able to achieve the below format in Splunk? If so, can someone please provide some suggestions. Please find the attachment for your reference. Thank you.
Hi,

There are more than 1000 UF Windows and Linux systems installed. It is a distributed environment with around 100 systems at each location, one indexer deployed, and each indexer connected to a search head. Our next step is to verify that all the hosts have been configured properly and are reporting to the indexer. In cases where a host does not have the source or sourcetype, we need to update the list to match host and not match host against the below lookup table. Could someone please suggest the SPL.

source  sourcetype
WinEventLog:Security  WinEventLog
WinEventLog:Application  WinEventLog
WinEventLog:System  WinEventLog
/var/log/haproxy/haproxy.log  haproxy
/var/log/audit/audit.log  audit
/var/log/maillog  postfix_syslog
/var/log/messages  linux_messages_syslog
/var/log/cron  cron

Thanks
Manickam
Hello,

I am still trying to figure out the framework of how things work (please note I am not an admin).

There is a dashboard which has some radio buttons which trigger specific searches, and the results are displayed in the dashboard. I want to trigger these searches ad hoc in the Search webpage. So I need to:
- Get a search alias/link/id for each of the searches in the dashboard
- Use these aliases to trigger the same search manually

I would prefer to use a REST API command directly in my PowerBI, is that possible? If not, I would still prefer to use a REST API command in the Search webpage.

Unfortunately, the following does not work for me:
| rest /services/data/ui/views/

But this works:
| rest splunk_server=local servicesNS/-/-/data/ui/views/

Can you help me with the right code please?

Thanks!
Hello, I am new to Splunk and I would like to create an app for my dashboards that would be visible on all Search Heads. Can anyone help?
I'm wondering how to properly onboard a file containing:
- A header with a file list
- A separator (a horizontal line consisting of a sequence of dash characters)
- Events, one per line, in a tab-delimited format (at least that's what I know for now; it's still to be confirmed)

In general, the file format is supposed to have a constant set of fields, so your typical delimited extraction should work, but I have two issues:
1) The separator: I suppose the only way to get rid of it would be to match it on a regex and redirect it to the null queue. Not pretty but doable.
2) The date: should FIELD_NAMES and TIMESTAMP_FIELDS work even without INDEXED_EXTRACTIONS?

I'm also wondering how to tackle daylight saving for timestamps without TZ info. I can set, for example, TZ=CET for a given sourcetype, but if the source applies daylight saving and reports events in CET or CEST depending on the time of year, my events will be an hour off for half a year, right?
Hi All, I'm trying to monitor Cisco UCCE v12.6 with AppDynamics. There is documentation, but it lacks guidance. I already enabled performance monitoring on Cloud Connect, but the application doesn't show up in the controller. Do you guys have any idea, or the same problem? Here is the documentation: https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/icm_enterprise/icm_enterprise_12_6_1/configuration/guide/ucce_b_serviceability-guide-for-cisco-unified_12_6/ucce_b_serviceability-guide-for-cisco-unified_12_6_chapter_010000.html

Regards, Ruli
I have a single sourcetype where I need to differentiate the same sourcetype into 3 different categories based on the OS field. I tried using append, but since it takes a lot of memory by calling the same sourcetype 3 different times, I need a different approach instead of append.

My code:

index=A sourcetype=Server
| fillnull value=""
| eval OS=case(like(Operating_System,"%Windows%"),"Windows",like(Operating_System,"%Linux%"),"Linux",like(Operating_System,"%Missing%"),"Others",like(Operating_System,"%Solaris%"),"Solaris",like(Operating_System,"%AIX%"),"AIX",1=1,"Others")
| eval Environment=case(like(Environment,"%Prod%"),"Prod",like(Environment,"%Production%"),"Prod",1=1,Environment)
| search OS="Linux" OR OS="Solaris" AND Environment="PSE" OR Environment="Prod" AND Eligibility="Upper" AND Status="Installed"
| eval group="Unix Server"
| append [| search index=A sourcetype=Server
    | fillnull value=""
    | eval OS=case(like(Operating_System,"%Windows%"),"Windows",like(Operating_System,"%Linux%"),"Linux",like(Operating_System,"%Missing%"),"Others",like(Operating_System,"%Solaris%"),"Solaris",like(Operating_System,"%AIX%"),"AIX",1=1,"Others")
    | eval Environment=case(like(Environment,"%Prod%"),"Prod",like(Environment,"%Production%"),"Prod",1=1,Environment)
    | search OS="Windows" AND Environment="PSE" OR Environment="Prod" AND Eligibility="Upper" AND Hardware_Status="Installed"
    | eval group="Windows "]
| stats count by group

Can this be merged into one single query without using append? This will help me avoid running the same sourcetype 2 times.
Hi @gcusello,

Could you please help me to monitor HAProxy logs of a server in Splunk? What should be the steps that need to be carried out? Also, the user is saying that "The HAProxy container is set up with rsyslog, using the omfwd module to forward traffic to the relevant IP address that has been set up in the config."

Regards,
Rahul
How to make the words colourful? What needs to be added at the source?

<option name="drilldown">none</option>
Hi, I am sure this question must have been asked multiple times, and in fact I've come across multiple posts, but I am still unanswered. So I am a Splunk developer/analyst who is looking to integrate my Splunk Enterprise with OpsGenie to send alert notifications, but when I look at the integration here https://support.atlassian.com/opsgenie/docs/integrate-opsgenie-with-splunk/ it says to install an app from Splunkbase, and when I go to that app https://splunkbase.splunk.com/app/3759/ it says "This app is NOT supported by Splunk. Please read about what that means for you here." What does this mean? As an admin we can see the app when we browse in Splunk. Does it mean that if we install it, it won't break or could break other things? Let me know if anyone has done this integration on their on-prem Splunk Enterprise architecture. Any input is appreciated.
Hello Splunk Community,

I have a merged event which shows if a service is running or down. Here is an example of the event in Splunk:

*******************************************************************************
All services are running
1092827|default|service1is running
37238191|default|service2 is running
16272373|default|service3 is running
*******************************************************************************

How can I split the merged events so I can extract the service name, status (running/down) & host?

16272373|default|service3 is running
Host     |       | ServiceName is Status
Greetings, I was told by my instructor to use your product for an assignment; however, I am not getting the results that are shown. It seems as if Splunk is not reading the data from my files. I was able to add the data, but when I perform the search, it returns zero results. Attached is a screenshot of what it should look like. How do I accurately import my files?

Here is a screenshot of what my results are showing. Please help.

Thanks,
Melissa
I have two searches, one to train an ML model and a second to apply the model. I would like to run them in sequence: for each day, the train-ML search should run first, and after that the apply-ML search should run. In the current Splunk backfill script, it backfills the train-ML search for the whole time period selected for backfill, and only then starts the backfill for the apply-ML search. Is there any way to solve the issue?
I have a Splunk search:

index=cloud EventName: "Error Occurred" XChangeToSalesForce | rename message as "Message" _time as Time | table Time,Message

When I run it in Splunk search, I get the below response:

1637759064  Multiple Terms found for the same agency. Agency code:

But when the email is sent, I get nothing in the Message field:

Time        Message
1637759064
Hello, I am trying to execute the following query but keep getting:

Error in 'eval' command: The expression is malformed. Expected AND.

. . .
| streamstats current=f last(_time) as last_time by host
| eval gap = last_time - _time
| where gap > 50
| convert ctime(last_time) as last_time
| eval refresh_seconds = (avg(last_time) / 1000) as refresh_minutes

What am I doing wrong?
I am using a chart command to get a list of IPs and servers with an error. I am attempting to only get the top 10 results. For some reason, when I do the top for ip I do not get results, but if I do it for server I get results.

index=foo result=error | chart count by server, ip | top limit=10 ip
First time installer of Qualys-TA. After completing all the setup in the UI, I ran the command (as mentioned on page 26 of the docs: https://www.qualys.com/docs/qualys-ta-for-splunk.pdf):

cd $SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform
$SPLUNK_HOME/bin/splunk cmd python ./bin/run.py -k -s -u <qualys username> -p <qualys password>

This throws an error in the log ($SPLUNK_HOME/var/log/splunk/ta_QualysCloudPlatform.log) as follows:

qualysModule.splunkpopulator.basepopulator.BasePopulatorException: could not load API response. Reason: 'Event' object has no attribute 'write_event'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualysModule/qualys_log_populator.py", line 240, in _run
    qlogger.error(e.message)
AttributeError: 'BasePopulatorException' object has no attribute 'message'

When I added more debug info to the various Python scripts, I saw that the error pointed to "NoneType" for self.EVENT_WRITER.

The above log contained more info as below:

TA-QualysCloudPlatform: 2021-11-24 15:09:52 PID=564017 [MainThread] INFO: Python interpreter version = 3
TA-QualysCloudPlatform: 2021-11-24 15:09:52 PID=564017 [MainThread] INFO: Qualys TA version=1.8.11
TA-QualysCloudPlatform: 2021-11-24 15:09:52 PID=564017 [MainThread] INFO: Running for policy_posture_info. Host name to be used: $decideOnStartup. Index configured: main. Run duration: 9 * * * *. Default start date: 1999-01-01T00:00:00Z.
TA-QualysCloudPlatform: 2021-11-24 15:09:52 PID=564017 [MainThread] INFO: TA-QualysCloudPlatform using username trann3ls73 and its associated password.
TA-QualysCloudPlatform: 2021-11-24 15:09:52 PID=564017 [MainThread] INFO: API URL changed to https://qualysguard.qg3.apps.qualys.com for policy_posture_info data input
TA-QualysCloudPlatform: 2021-11-24 15:09:52 PID=564017 [MainThread] INFO: Another instance of policy_posture_info is already running with PID 508724. I am exiting.

On doing ps ax | grep splunk, I could see many instances running as below:

root@splunktest:/opt/splunk/etc/apps/TA-QualysCloudPlatform/tmp# ps ax | grep splunk
12657 ? Sl 15:28 splunkd -p 8090 start
12658 ? Ss 0:00 [splunkd pid=12657] splunkd -p 8090 start [process-runner]
508681 ? S 0:00 /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py
508724 ? S 0:00 /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py
508734 ? S 0:00 /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py
508908 ? S 0:21 /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py
555183 ? S 0:00 /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py
555192 ? S 0:00 /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py
555219 ? S 0:00 /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py
565505 ? Sl 0:15 splunkd -p 8089 restart
565506 ? Ss 0:00 [splunkd pid=565505] splunkd -p 8089 restart [process-runner]

Finally, after killing those PIDs, I could get rid of the error. This really needs to be fixed, or proper troubleshooting must be documented, as it caused me headaches for 2 whole days! Thanks!
Hello, I just configured a new Custom Threat Intelligence feed in Splunk Enterprise Security and I'm getting a strange error in the audit view:

2021-11-24 10:31:04,387+0000 ERROR pid=78967 tid=MainThread file=base_modinput.py:execute:820 | Execution failed: 'ThreatlistModularInput' object has no attribute 'file_path'
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/SA-Utils/lib/SolnCommon/modinput/base_modinput.py", line 811, in execute
    log_exception_and_continue=True
  File "/opt/splunk/etc/apps/SA-Utils/lib/SolnCommon/modinput/base_modinput.py", line 388, in do_run
    self.run(stanza)
  File "/opt/splunk/etc/apps/SA-ThreatIntelligence/bin/threatlist.py", line 679, in run
    self.execute_workloads(stanza, args, last_run)
  File "/opt/splunk/etc/apps/SA-ThreatIntelligence/bin/threatlist.py", line 587, in execute_workloads
    'file_path': self.file_path,
AttributeError: 'ThreatlistModularInput' object has no attribute 'file_path'

The URL of the feed is: https://api.maltiverse.com/collection/uYxZknEB8jmkCY9eQoUJ/download?filetype=splunk-ipv4&token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjIyNjg0OTQ3NTEsImlhdCI6MTYzNzc3NDc1MSwic3ViIjo5MDMwfQ.mpM7tahLJEtUoM7fhwYzoHvQSOIuMTQVtCyGAEBDj3g

As you can notice, it is a CSV where column 1 is the description and the second is the IP address, so I filled in the form in the Threat Intelligence module in Splunk ES with the following format:

Field  Value
File parser  auto
Delimiting regular expression  ,
Extracting regular expression
Fields  description:$1,ip:$2
Ignoring regular expression  (^#|^\s*$)
Skip header lines  1
Intelligence file encoding  UTF8
Sinkhole  Yes

Can anybody help me out? Thanks in advance
Good afternoon everyone! I'm hoping someone can assist in shedding some light on the following issue. I'm getting the following error: "Error in 'eval' command: The expression is malformed. Expected )." and I'm uncertain why it isn't functioning. Perhaps there's something I'm missing or I've attempted this eval incorrectly. Any assistance would be greatly appreciated! I've provided the end part of my overall query; the objective here is to determine if there's an increase in the SCORE by 5% each day over a 3 day period, and if there is on any of the days, then flag it.

| eval SCORE=(Asales + Bsales / ITEM_COUNT)
| stats dc(ITEM) as ITEM_COUNT values(ITEM) as ITEM sum(SALES) as TotalSales sum(SCORE) as SCORE by _time TITLE
| where ITEM_COUNT > 1
| eval 0DATE=if(_time >= relative_time(now(), "-1d@-d"),SCORE,0)
| eval 1DATE=if(_time >= relative_time(now(), "-2d@-1d"),SCORE,0)
| eval 2DATE=if(_time >= relative_time(now(), "-3d@-2d"),SCORE,0)
| eval 1TREND=if(1DATE > 0DATE*1.05,1,0)
| eval 2TREND=if(2DATE > 0DATE*1.05,1,0)
| eval BREAK=if((2DATE+3DATE) > 0,"TRUE","FALSE")
| table *

Everything works up to | where ITEM_COUNT > 1 and I'm getting results as anticipated, but the eval itself is failing. I've also attempted to add each of these evals via an appendpipe, but to no avail. Thanks in advance!
Hi, I created a dashboard using JavaScript tabs and would like to have the panels, when clicked, send users to the corresponding tab where they can see more details related to that panel. For example, if I were to click panel A, it sends me to tab A and loads all the panels associated with panel A. Is this something that is possible, since the tabs use JavaScript? Here is also a link to the tabs tutorial I followed, if it helps: https://www.splunk.com/en_us/blog/tips-and-tricks/making-a-dashboard-with-tabs-and-searches-that-run-when-clicked.html

Thanks