Add-on: https://splunkbase.splunk.com/app/3662/ Known Affected: 4.8.1 Symptoms: You begin to predominantly see Hexadecimal events in your Cisco FireSIGHT Index/Sourcetype instead of real data, and you see large gaps between events (usually ~10 minutes, the time it takes for it to roll over a file). The 'Source' also ends with '.log.swp' instead of '.log'. Cause: $SPLUNK_HOME/etc/apps/TA-eStreamer/default/inputs.conf  [monitor://$SPLUNK_HOME/etc/apps/TA-eStreamer/bin/encore/data] disabled = 0 source = encore sourcetype = cisco:estreamer:data crcSalt = <SOURCE> The issue I believe is with the bolded line 'source = encore' because 'crcSalt = <SOURCE>' is also specified. Since all files have the same Source, all files have the same crcSalt which is why the actual '.log' is not collected. The '.swp' manages to get collected as Splunk checks the '.log' and since swp is a very short lived file Splunk accidentally collects a lot of garbage unrelated to the actual file contents (sorry Linux Admins for butchering the technical detail). Solution: Edit $SPLUNK_HOME/etc/apps/TA-eStreamer/default/inputs.conf and comment out the Source line, then restart Splunk services.   If someone knows of a way to override (via Local inputs.conf) source back with the filename (which changes frequently) so editing a Default inputs.conf is not necessary, please comment below. Those with the Cisco license allowing TAC Support on this add-on may want to raise this issue with them so they can fix it for new downloads and future versions -- I lack that particular license. Hope this helps someone (I did a search for encore and hex and didn't see any prior conversation on the topic).

I have a set up a single-node test instance of Splunk to try and ingest zScaler LSS (not NSS) logs via a TCP input. However, it is not ingesting any data, despite being able to see traffic via TCPDump on that port I have installed the latest zScaler Splunk App (v2.0.7) and the zScaler Technical Add-on (v3.1.2)     [root@ip-10-127-0-113 apps]# ls | grep scaler TA-Zscaler_CIM zscalersplunkapp     via the WebUI, I have set up a TCP input on port 10000, set the sourcetype, app and index options. I have checked to make sure that Splunk is listening on TCP/10000 and can see that it is     [root@ip-10-127-0-113 apps]# netstat -antp | grep 10000 tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 7992/splunkd tcp 0 0 10.127.0.113:10000 x.x.x.x:38392 SYN_RECV - tcp 0 0 10.127.0.113:10000 x.x.x.x:51586 SYN_RECV - tcp 0 0 10.127.0.113:10000 x.x.x.x:53844 SYN_RECV -     I can't see any errors in the _internal index (although I could be searching wrong). I'm using the below search:     index=_internal "err*"     The only errors I can see relate to the 'summarize' command. Any pointers would be really appreciated. Many thanks,  

Hi  Community, How to display the saved search report to make it to  open in statistic mode and allow for downloading of a .csv file .    Currently I  have to open the report in search to get the option to download the .csv .  I added "display.statistics.show = 1" option in the saved search    Thank you

Hello Splunkys  i Face some challanges right now. We run a Splunk Installation with about 50 Active Users with 10Different Roles. Now we have the need for allowing them to send them selfs alert Messages via EMAIL. First Problem:  According to to the Docs its not possible to send a email if your not a Admin and the SMTP server needs authentication.  Secound Problem, you can not set up per role or per user sender info only system wide via GUI.   I found out that you can supply username= and Password= parameters via SPL search but this do not apply to alerts. And the Creds then show up in plaintext in the logs.  I found that you can supply creds via alert_action.conf file per app. But then the creds would show up in the git_repo where we version our apps.    Some .conf files honor ENV variables but i did not find if alert_action.conf would do so? And then they would be still accessable by CLI.   Can it be so hard for Splunk to implement something so basic as per User email sending?   Has somebody accived something similar ?   

PLEASE HELP! This has been driving me mad for days! Every time an event is added, its re-reading the text file from the start and re-indexing events. I am getting hundreds of duplicate events and have tried a variety of combos in the inputs.conf, but still cant solve it! I am monitoring a series of text files. Each day a new .txt file is created and events are written into this text continuously throughout the day, until the beginning of the next, where again a new file is created. the files are named as follows. Statistics_20211104_034330_840.txt The contents of the file is as follows QPS statistics: SW-Version:3.64 [UTC+00:00] time,id,valid,invalid,mode,......[ETC ETC ETC] 2021-11-04T03:43:19+00:00,248559,1,0,A,....[ETC ETC ETC] 2021-11-04T03:43:19+00:00,248560,1,0,A,....[ETC ETC ETC] This is what I currently have in the inputs.conf [monitor://\\Lgwnasapp002\bsr$\] disabled = false index = idx_security_scanner sourcetype = QPSdata whitelist = .+Statistics_\d{8}_\d{6}_\d{1,5}\.txt crcSalt = <SOURCE> Any ideas?

HI - From one button. I am looking to launch a URL (working) and reset a token "comment_token" to * with javascript (not working).. any help would be wonderful, please.   <form theme="dark" script="someJsCode.js"> <input type="text" token="comment_token" searchWhenChanged="true"> <label>Comment</label> <default>*</default> <initialValue>*</initialValue> </input> <html> <style>.btn-primary { margin: 5px 10px 5px 0; }</style> <a href="http://$mte_machine$:4444/executeScript/envMonitoring@@qcst_processingScriptsChecks.sh/-updateComment/$runid_token$/$script_token$/$npid_token$/%22$comment_token$%22" id="buttonId" target="_blank" class="btn btn-primary" style="height:25px;width:250px;">Submit</a> </html>     Java script require([ 'jquery', 'splunkjs/mvc', 'splunkjs/mvc/simplexml/ready!' ], function ($, mvc) { var tokens = mvc.Components.get("default"); $('#buttonId').on("click", function (e){ tokens.set("form.comment_token", "*"); }); });   I think its this line - tokens.set("form.comment_token", "*"); but i cant be sure   

Can you please help, how to construct stats  metrics for the below docker logs. ThreadID=124;ThreadIDHex=0000007c;ThreadName=[XNIO-2 task-32];Node=XXXXXX;TransID=;ConsumerSenderID=NA;URI=/getBaselinedcategorylist;ServiceName=findXXXX;TranasactionStartTime=;TransactionEndTime=2021-11-05 05:34:34.366;TotalResponseTime=;TransactionStatus=SUCCESS;Method=GET;StatusCode=200;ErrorMsg=;CaptureLocation=MicroserviceResponse; ThreadID=124;ThreadIDHex=0000007c;ThreadName=[XNIO-2 task-32];Node=XXXXXX;TransID=;ConsumerSenderID=NA;URI=/getBaselinedcategorylist;ServiceName=findXXXX;TranasactionStartTime=2021-11-05 05:34:34.264;TransactionEndTime=;TotalResponseTime=;TransactionStatus=;Method=GET;StatusCode=;ErrorMsg=;CaptureLocation=MicroserviceRequest; status should give transactioncount , transactionstatus, average, 90thP URI Method.

Hi all, Maybe a dummy question, do I need to setup Universal Forwarder on Splunk server to monitor and index data? (so it's like the server is forwarding data to itself) I tested setup an app in etc/apps/ with below config but it doesn't work. inputs.conf   [batch:///opt/splunk/temp/test_forward/*] move_policy = sinkhole disabled = 0 index = test sourcetype = test crcSalt = test _TCP_ROUTING = test   outputs.conf   [indexAndForward] index = false [tcpout] indexAndForward = false maxQueueSize = 200MB [tcpout:test] server = <server IP>:9997   Thanks

Reviewing some docs to use Splunk Cloud (trial version) with a Java App with log4j2 I need to configure a Http Event Collector to get a Token (I did this part). But in the log4j2.xml file I need to set the token and the URL, where or how can I get the URL? Thanks

Hi team, I have such event in splunk that log the employee number in each online meeting. I want to  find and sats the employee number distribution and percentage% I have below query that the bin span is continuous number 100. <baseQuery> |bin empNumber span=100 |stats count by empNumber |eventstats sum(count) as total |eval ratio%=round(empNumber/total*100,2) |fields - total,empNumber |sort - ratio%   But now the stats requirement is changed. Because 90% online meeting has employee number less than 100, so I want to set such not continuous bins in one query 1) for online meeting that  employee number less than 100, I want to set the bin value to 10 2)for online meeting that employee number greater than 100, I want to set the bin value to 100 And I don't want to query two times, stats by binvalue=100 first, then stats binvalue=10 again. I want to make it happen in one query. Questions: how to change  my existing query to meet the query requirement.