All Topics

We are evaluating Splunk for log analysis and monitoring of an AWS (China) environment, but we found that Splunk 8.0+ combined with Splunk Add-on for AWS 5.0+ cannot connect to the AWS (China) STS endpoints. The reason is that the STS endpoint addresses published on the AWS (China) website are wrong (AWS has officially confirmed the error and plans to correct it). The endpoint addresses given by AWS (China) are https://sts.cn-north-1.amazonaws.com and https://sts.cn-northwest-1.amazonaws.com. These are wrong; the correct addresses are https://sts.cn-north-1.amazonaws.com.cn and https://sts.cn-northwest-1.amazonaws.com.cn. AWS (China) is actively fixing this issue, and we hope that Splunk and the Splunk Add-on for AWS also fix the endpoint problem as soon as possible. Thank you! Contact email: chengsiyin@light2cloud.com
Hi, we need to use a preprocess script for the CrowdStrike app but can't get it working. We are interested in any information on how this works. Is there any way to get debug info from inside this script? Would you have a basic script to start with? Thanks in advance, David
So I am following the ui-tour Splunk documentation and other similar questions about ui-tour.conf, but I just can't get it to work. ui-tour.conf is located in /app/myapp/local; I tried /app/myapp/default and etc/system/local too, and none of it does the charm.

    [documentation-tour]
    type = image
    label = Welcome tour
    imageName1 = search1.png
    imageCaption1 = After adding data use the Search view to run searches, design data visualizations, save reports, and create dashboards. To know more about
    context = myapp

The picture is saved in img map (like it said in the documentation). So maybe I'm getting this wrong, but it should start when I run the dashboard "documentation" on myapp; when I run the dashboard "documentation", it doesn't run. So my question is: do I need to change something in the dashboards for it to run? I didn't get that feeling reading the documentation and other questions. Thank you in advance.
Hello Splunkers!! On an everyday basis one of my Splunk instances goes down and I am getting the error below. Please suggest a permanent fix and a workaround for this error.

    splunkd 7081 was not running. Stopping splunk helpers... Done. Stopped helpers. Removing stale pid file... done. splunkd is not running.
ERROR TcpInputProc - Message rejected. Received unexpected message of size=369295616 bytes from src=xxxx:xxxx in streaming mode. Maximum message size allowed=67108864. (::) Possible invalid source sending data to splunktcp port or valid source sending unsupported payload.
I configured the javaagent for the Spring Boot application with the exact steps in the Getting Started wizard; however, when I start the Spring Boot application, I am getting the error below. The agent is not getting started and the application is not getting detected by AppDynamics. Can you please help resolve this? Thanks.

    Java 9+ detected, booting with Java9Util enabled.
    Full Agent Registration Info Resolver using selfService [true]
    Full Agent Registration Info Resolver using selfService [true]
    Full Agent Registration Info Resolver using ephemeral node setting [false]
    Full Agent Registration Info Resolver using application name [Create User]
    Full Agent Registration Info Resolver using tier name [app-tier]
    Full Agent Registration Info Resolver using node name [laptop]
    Install Directory resolved to[C:\dev\code\spring-boot-rest-api-tutorial-master\appagent]
    getBootstrapResource not available on ClassLoader
    Class with name [com.ibm.lang.management.internal.ExtendedOperatingSystemMXBeanImpl] is not available in classpath, so will ignore export access.
java.lang.ClassNotFoundException: Unable to load class io.opentelemetry.sdk.resources.ResourceProvider at com.singularity.ee.agent.appagent.kernel.classloader.Post19AgentClassLoader.findClass(Post19AgentClassLoader.java:73) at com.singularity.ee.agent.appagent.kernel.classloader.AgentClassLoader.loadClassInternal(AgentClassLoader.java:422) at com.singularity.ee.agent.appagent.kernel.classloader.Post17AgentClassLoader.loadClassParentLast(Post17AgentClassLoader.java:69) at com.singularity.ee.agent.appagent.kernel.classloader.AgentClassLoader.loadClass(AgentClassLoader.java:320) at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522) at java.base/java.lang.Class.forName0(Native Method) at java.base/java.lang.Class.forName(Class.java:398) at com.singularity.ee.agent.appagent.AgentEntryPoint.createJava9Module(AgentEntryPoint.java:796) at com.singularity.ee.agent.appagent.AgentEntryPoint.premain(AgentEntryPoint.java:632) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:566) at java.instrument/sun.instrument.InstrumentationImpl.loadClassAndStartAgent(InstrumentationImpl.java:513) at java.instrument/sun.instrument.InstrumentationImpl.loadClassAndCallPremain(InstrumentationImpl.java:525) java.lang.reflect.InvocationTargetException at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:566) at com.singularity.ee.agent.appagent.AgentEntryPoint$1.run(AgentEntryPoint.java:649) Caused by: 
java.lang.IllegalAccessError: class org.apache.logging.log4j.core.LoggerContext (in module com.appdynamics.appagent) cannot access class java.beans.PropertyChangeEvent (in module java.desktop) because module com.appdynamics.appagent does not read module java.desktop at com.appdynamics.appagent/org.apache.logging.log4j.core.LoggerContext.updateLoggers(LoggerContext.java:657) at com.appdynamics.appagent/org.apache.logging.log4j.core.LoggerContext.updateLoggers(LoggerContext.java:644) at com.appdynamics.appagent/org.apache.logging.log4j.core.LoggerContext.setConfiguration(LoggerContext.java:550) at com.appdynamics.appagent/org.apache.logging.log4j.core.LoggerContext.reconfigure(LoggerContext.java:620) at com.appdynamics.appagent/org.apache.logging.log4j.core.LoggerContext.reconfigure(LoggerContext.java:637) at com.appdynamics.appagent/org.apache.logging.log4j.core.LoggerContext.start(LoggerContext.java:231) at com.appdynamics.appagent/org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:243) at com.appdynamics.appagent/org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:45) at com.appdynamics.appagent/org.apache.logging.log4j.LogManager.getContext(LogManager.java:174) at com.appdynamics.appagent/org.apache.logging.log4j.LogManager.getLogger(LogManager.java:648) at com.appdynamics.appagent/com.singularity.ee.agent.util.log4j.ADLoggerFactory.getLogger(ADLoggerFactory.java:61) at com.appdynamics.appagent/com.singularity.ee.agent.util.bounded.collections.BoundsEnforcer.<clinit>(BoundsEnforcer.java:53) at com.appdynamics.appagent/com.singularity.ee.agent.util.bounded.collections.BoundsEnforcer$Builder.build(BoundsEnforcer.java:388) at com.appdynamics.appagent/com.singularity.ee.agent.util.bounded.collections.BoundedConcurrentReferenceHashMap.<init>(BoundedConcurrentReferenceHashMap.java:73) at 
com.appdynamics.appagent/com.singularity.ee.agent.util.bounded.collections.BoundedConcurrentReferenceHashMapBuilder.build(BoundedConcurrentReferenceHashMapBuilder.java:114) at com.appdynamics.appagent/com.singularity.ee.agent.util.reflect.ReflectionUtility.<clinit>(ReflectionUtility.java:154) at com.appdynamics.appagent/com.singularity.ee.agent.appagent.kernel.JavaAgent.setLog4j2LoaderUtilDisabled(JavaAgent.java:332) at com.appdynamics.appagent/com.singularity.ee.agent.appagent.kernel.JavaAgent.setupLog4J2(JavaAgent.java:607) at com.appdynamics.appagent/com.singularity.ee.agent.appagent.kernel.JavaAgent.initialize(JavaAgent.java:359) at com.appdynamics.appagent/com.singularity.ee.agent.appagent.kernel.JavaAgent.initialize(JavaAgent.java:346) ... 5 more Process finished with exit code -1
We found that the searchable events for our wineventlog only go back about 4 months, but the searchable retention is set to 2 years 364 days (which is a total of 3 years). Splunk has said that the most likely scenario is that someone changed the retention period recently. We would like to find out who modified the searchable retention period. I have looked in the audit logs, but those also only go back about 5 months, and I have not found anything useful. I have also googled and have not found any solutions. Would appreciate any help. Thank you.
We recently upgraded Splunk from 7.2.x to 8.1.3. We also upgraded our existing Fortinet apps/add-ons as follows:

    Fortinet Fortigate Add-on for Splunk: from 1.6.0 to 1.6.3
    Fortinet FortiGate App for Splunk: from 1.4 to 1.6.0

When we attempt to view the App dashboards, however, they are now not displaying any data on any of the panels. Searching for the terms 'fortigate_traffic', 'fortigate_system', 'fortigate_auth' etc. also shows no results. If I go out into the Search & Reporting app and do a basic search on all data coming in from our Fortigate using either "sourcetype=fgt_log" or "index=fgt_logs", I can see that we are ingesting the data from our Fortigate OK; it's just not displaying in the app. Any suggestions appreciated.
Hello. Logs are being collected through fschange. Do you know the field descriptions for the fschange log? I am particularly curious about isdir, gid, and uid.
I am trying to create a playbook where the first step is to manually block an email address in the restricted users portal in Microsoft O365, and then automatically unblock it after 90 days. I have no idea where to start, especially when the first block is a manual step! Please help.
Based on the search results, show icons, like 1-5 stars:

    ❤❤❤ - for result 3
    ❤❤❤❤❤ - for result 5
I'm working to upload some data sets from the Splunk tutorial page in order to learn how to use Splunk, and am unable to get the datasets fully added; I am receiving the error message: Upload failed with WARN : supplied index 'Web' missing. I have downloaded the zip files from https://docs.splunk.com/Documentation/Splunk/8.2.3/SearchTutorial/Systemrequirements. The Add Data process seems to be working fine up until the review page, and when I try to Submit it, I receive the above error message. I am fairly new to learning Splunk and any assistance anyone can offer would be greatly appreciated.
Hello, on the HF of this add-on there is an Inputs configuration. On the Content Type drop-down, there is a choice of four different types for audit. Screenshot attached. Does anyone have the link to documentation on what the differences are between logging those audit selections?
Hello! I can't set up my SVG because it's not recognizing my query as valid. I validated my svg on validator.w3.org/check I think the issue is with my query, but it results in one column with the ids, and one column with a number SPL:     <blah blah blah initial search> | eval shield-one_to_ten=if(percent>0, 1, 0), shield-ten_to_twenty=if(percent>=0.1, 1, 0), shield-twenty_to_thirty=if(percent>=0.2, 1, 0), shield-thirty_to_forty=if(percent>=0.3, 1, 0), shield-forty_to_fifty=if(percent>=0.4, 1, 0), shield-fifty_to_sixty=if(percent>=0.5, 1, 0), shield-sixty_to_seventy=if(percent>=0.6, 1, 0), shield-seventy_to_eighty=if(percent>=0.7, 1, 0), shield-eighty_to_ninety=if(percent>=0.8, 1, 0), shield-ninety_to_hundo=if(percent>=0.9, 1, 0) | fields shield-one_to_ten, shield-ten_to_twenty, shield-twenty_to_thirty, shield-thirty_to_forty, shield-forty_to_fifty, shield-fifty_to_sixty, shield-sixty_to_seventy, shield-seventy_to_eighty, shield-eighty_to_ninety, shield-ninety_to_hundo | transpose column_name="id" | rename "row 1" AS "count"     which results in which matches the id names in my svg:     <svg id="shield" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 897 1114" shape-rendering="geometricPrecision" text-rendering="geometricPrecision"><defs><filter id="shield-ninety_to_hundo-filter" x="-400%" width="600%" y="-400%" height="600%"><feComponentTransfer id="shield-ninety_to_hundo-filter-opacity-0" result="result"><feFuncA id="shield-ninety_to_hundo-filter-opacity-0-A" type="table" tableValues="0 0.95"/></feComponentTransfer></filter><filter id="shield-eighty_to_ninety-filter" x="-400%" width="600%" y="-400%" height="600%"><feComponentTransfer id="shield-eighty_to_ninety-filter-opacity-0" result="result"><feFuncA id="shield-eighty_to_ninety-filter-opacity-0-A" type="table" tableValues="0 0.9"/></feComponentTransfer></filter><filter id="shield-seventy_to_eighty-filter" x="-400%" width="600%" y="-400%" 
height="600%"><feComponentTransfer id="shield-seventy_to_eighty-filter-opacity-0" result="result"><feFuncA id="shield-seventy_to_eighty-filter-opacity-0-A" type="table" tableValues="0 0.85"/></feComponentTransfer></filter><filter id="shield-sixty_to_seventy-filter" x="-400%" width="600%" y="-400%" height="600%"><feComponentTransfer id="shield-sixty_to_seventy-filter-opacity-0" result="result"><feFuncA id="shield-sixty_to_seventy-filter-opacity-0-A" type="table" tableValues="0 0.8"/></feComponentTransfer></filter><filter id="shield-fifty_to_sixty-filter" x="-400%" width="600%" y="-400%" height="600%"><feComponentTransfer id="shield-fifty_to_sixty-filter-opacity-0" result="result"><feFuncA id="shield-fifty_to_sixty-filter-opacity-0-A" type="table" tableValues="0 0.75"/></feComponentTransfer></filter><filter id="shield-fourty_to_fifty-filter" x="-400%" width="600%" y="-400%" height="600%"><feComponentTransfer id="shield-fourty_to_fifty-filter-opacity-0" result="result"><feFuncA id="shield-fourty_to_fifty-filter-opacity-0-A" type="table" tableValues="0 0.7"/></feComponentTransfer></filter><filter id="shield-thirty_to_fourty-filter" x="-400%" width="600%" y="-400%" height="600%"><feComponentTransfer id="shield-thirty_to_fourty-filter-opacity-0" result="result"><feFuncA id="shield-thirty_to_fourty-filter-opacity-0-A" type="table" tableValues="0 0.65"/></feComponentTransfer></filter><filter id="shield-twenty_to_thirty-filter" x="-400%" width="600%" y="-400%" height="600%"><feComponentTransfer id="shield-twenty_to_thirty-filter-opacity-0" result="result"><feFuncA id="shield-twenty_to_thirty-filter-opacity-0-A" type="table" tableValues="0 0.6"/></feComponentTransfer></filter><filter id="shield-ten_to_twenty-filter" x="-400%" width="600%" y="-400%" height="600%"><feComponentTransfer id="shield-ten_to_twenty-filter-opacity-0" result="result"><feFuncA id="shield-ten_to_twenty-filter-opacity-0-A" type="table" tableValues="0 0.55"/></feComponentTransfer></filter><filter 
id="shield-one_to_ten-filter" x="-400%" width="600%" y="-400%" height="600%"><feComponentTransfer id="shield-one_to_ten-filter-opacity-0" result="result"><feFuncA id="shield-one_to_ten-filter-opacity-0-A" type="table" tableValues="0 0.5"/></feComponentTransfer></filter></defs><path id="shield-ninety_to_hundo" d="M403.15385,39.86098C403.15385,39.86098,402.48718,40.46214,401.15385,41.66444C399.82052,42.26559,391.15385,46.17308,375.15385,53.38691C360.48718,60.60074,351.82052,64.50823,349.15385,65.10938C347.15385,66.31168,339.82052,69.61802,327.15385,75.02839C313.82052,80.43876,296.82052,87.35201,276.15385,95.76814C255.48718,103.58312,233.15385,111.3981,209.15385,119.21308C192.48063,124.22464,175.16391,128.94608,157.20368,133.37738L652.89442,133.37738C650.08098,132.60354,647.16746,131.7896,644.15385,130.93554C620.82052,124.32286,605.82052,120.1148,599.15385,118.31134C591.82052,116.50788,579.82052,112.29981,563.15385,105.68714C545.82052,99.07447,528.48718,92.16122,511.15385,84.94739C493.15385,77.73356,474.48718,69.91858,455.15385,61.50245C435.15385,53.08632,422.48718,47.37537,417.15385,44.36961L409.15385,39.86097L403.15385,39.86097L403.15385,39.86098Z" transform="matrix(1.163815 0 0 1 -22.90216 23.13903)" filter="url(#shield-ninety_to_hundo-filter)" fill="rgb(0,141,199)" fill-rule="evenodd" stroke="none" stroke-width="1"/><path id="shield-eighty_to_ninety" 
d="M740,115.16155C728.66667,113.35809,711.33333,109.15002,688,102.53735L210.76683,102.53735C199.75935,105.3544,188.50374,108.05959,177,110.6529C150.33333,116.66442,127,121.47364,107,125.08055C87.66667,127.48516,65.66667,130.79149,41,134.99956L3,141.31166L2,141.31166L1,142.21339L1,186.39808L2.16394,206.86445L896.60263,206.86445C896.86754,202.10046,897,199.4864,897,199.02228C897,197.81997,897,187.60038,897,186.39808L898,186.39808L898,141.31166L897,141.31166L895,139.5082L894,139.5082C893.33333,139.5082,882,137.70474,860,134.09783C838,131.69322,815.33333,128.38689,792,124.17882C768.66667,119.97076,751.33333,116.965,740,115.16154L740,115.16155Z" transform="matrix(1 0 0 1 -1 55.97906)" filter="url(#shield-eighty_to_ninety-filter)" fill="rgb(0,141,199)" fill-rule="evenodd" stroke="none" stroke-width="1"/><path id="shield-seventy_to_eighty" d="M897.09355,204.42209L0.09355,204.42209L0.09355,207.14939L2.09355,242.31679C2.93397,257.09451,4.17169,276.76838,5.80671,301.3384L7.78706,301.3384C7.71233,300.24738,7.63819,299.16361,7.56464,298.08709L889.62247,298.08709C889.55561,299.17789,889.48893,300.26166,889.42245,301.3384L891.36427,301.3384C894.51712,248.56297,896.09355,221.3747,896.09355,219.77356C896.09355,218.57125,896.09355,208.35166,896.09355,207.14936L897.09355,207.14936L897.09355,204.42209Z" transform="matrix(1 0 0 1 -0.09355 60.5097)" filter="url(#shield-seventy_to_eighty-filter)" fill="rgb(0,141,199)" fill-rule="evenodd" stroke="none" stroke-width="1"/><path id="shield-sixty_to_seventy" d="M9,317.40839C8.49895,310.17944,8.0205,303.22893,7.56464,296.55687L889.62247,296.55687C886.21876,352.08469,883.30811,389.38367,880.89052,408.45379L880.63628,408.45379C880.63628,408.45379,880.63628,408.45379,880.63628,408.45379L16.36373,408.45379C16.36373,408.45379,16.36373,408.45379,16.36373,408.45379L15.90733,408.45379C14.55985,394.75357,12.2574,364.40511,9,317.40839Z" transform="matrix(1 0 0 1 -0.093555 64.29416)" filter="url(#shield-sixty_to_seventy-filter)" fill="rgb(0,141,199)" 
fill-rule="evenodd" stroke="none" stroke-width="1"/><path id="shield-fifty_to_sixty" d="M891.40641,402.6281C891.59233,401.45453,891.78149,400.16115,891.9739,398.74795L27.70135,398.74795C30.24546,411.9551,32.48048,423.76865,34.4064,434.18859C36.4064,445.00933,41.4064,464.2462,49.4064,491.8992C49.77931,493.44602,50.15222,494.97779,50.52513,496.49451L869.58145,496.49451C873.07533,483.84591,876.35031,471.4934,879.40639,459.43696C884.73972,438.39664,888.73972,419.46034,891.40639,402.62808L891.40641,402.6281Z" transform="matrix(1 0 0 1 -11.337625 76)" filter="url(#shield-fifty_to_sixty-filter)" fill="rgb(0,141,199)" fill-rule="evenodd" stroke="none" stroke-width="1"/><path id="shield-fourty_to_fifty" d="M860.58347,529.85845C853.9168,552.70223,846.25014,574.34371,837.58347,594.78289C837.03482,596.03875,836.48751,597.28738,835.94153,598.52878L81.97014,598.52878C77.13218,587.2482,72.66996,576.08056,68.58347,565.02586C61.9168,546.99129,55.25014,524.14751,48.58347,496.49451L870.02181,496.49451C867.04009,507.39347,863.89398,518.51478,860.58347,529.85845Z" transform="matrix(1 0 0 1 -10.80264 78)" filter="url(#shield-fourty_to_fifty-filter)" fill="rgb(0,141,199)" fill-rule="evenodd" stroke="none" stroke-width="1"/><path id="shield-thirty_to_fourty" d="M812.71154,648.80715C804.71154,664.43711,796.71154,678.86476,788.71154,692.09011C786.55816,695.81182,784.54969,699.22865,782.68612,702.34058L135.38342,702.34058C127.43105,689.5131,120.54042,678.2813,114.71153,668.64517C108.04486,655.41982,100.3782,639.18871,91.71153,619.95184C88.36976,612.76613,85.17668,605.6251,82.13227,598.52876L836.03467,598.52876C827.96867,616.86601,820.1943,633.62547,812.71154,648.80715Z" transform="matrix(1 0 0 1 -10.58347 80.00002)" filter="url(#shield-thirty_to_fourty-filter)" fill="rgb(0,141,199)" fill-rule="evenodd" stroke="none" stroke-width="1"/><path id="shield-twenty_to_thirty" 
d="M821.22193,863.28898C824.62574,858.68501,829.47778,851.03392,835.77806,840.33568L183.20086,840.33568C186.95596,846.40586,190.96299,852.85465,195.22194,859.68206C207.22194,878.31778,213.55527,887.63564,214.22194,887.63564C214.88861,887.63564,215.88861,889.13852,217.22194,892.14428C218.55527,894.54889,221.55527,898.75696,226.22194,904.76848C230.22194,910.78,232.88861,914.38692,234.22194,915.58922C236.22194,916.79152,241.88861,924.00535,251.22194,937.2307C253.46683,939.88757,255.62314,942.43793,257.69086,944.88179L761.20792,944.88179C764.18562,941.02488,767.52363,936.67105,771.22194,931.82033C787.22194,911.9823,798.55527,896.9535,805.22194,886.73391C813.22194,875.91317,818.55527,868.09819,821.22194,863.28897L821.22193,863.28898Z" transform="matrix(1 0 0 1 -60.98946 -55.99508)" filter="url(#shield-twenty_to_thirty-filter)" fill="rgb(0,141,199)" fill-rule="evenodd" stroke="none" stroke-width="1"/><path id="shield-ten_to_twenty" d="M683,923.50572C679.66667,927.11263,677.66667,928.91609,677,928.91609C676.33333,928.91609,674.66667,930.41897,672,933.42473C669.33333,935.82934,667,937.93337,665,939.73683C662.33333,942.14144,661,943.64432,661,944.24547C660.33333,944.84662,656,949.05469,648,956.86967C640,964.68465,634.66667,969.79444,632,972.19905C630,974.60366,628,976.40712,626,977.60942C624,978.81172,622,980.61518,620,983.01979C617.33333,985.4244,615.33333,986.92728,614,987.52843C612,988.12958,611,988.73073,611,989.33189C610.48468,989.79657,608.5752,991.33881,605.27156,993.95861L289.99178,993.95861C272.2308,979.01828,257.56688,965.75358,246,954.16449C234,942.14145,224,932.52301,216,925.30918C210.40494,918.75039,203.40118,910.49791,194.9887,900.55172L701.33535,900.55172C691.72932,913.02202,685.61753,920.67336,683,923.50572Z" transform="matrix(1 0 0 1 0.337975 -9.66501)" filter="url(#shield-ten_to_twenty-filter)" fill="rgb(0,141,199)" fill-rule="evenodd" stroke="none" stroke-width="1"/><path id="shield-one_to_ten" 
d="M602,1002.44724C596.66667,1006.65531,584.33333,1016.57432,565,1032.20427C545.66667,1046.63192,526,1059.85727,506,1071.88032C485.33333,1083.90336,470,1091.71834,460,1095.32526C450.66667,1098.93217,442.66667,1098.93217,436,1095.32526C428.66667,1092.92065,416,1086.30798,398,1075.48724C379.33333,1065.8688,366.66667,1058.65498,360,1053.84576C352.66667,1049.03654,349,1046.33136,349,1045.7302C348.33333,1045.12905,345,1042.42386,339,1037.61464C332.33333,1032.80542,327.66667,1029.49908,325,1027.69563C322.33333,1025.89217,311.33333,1017.17547,292,1001.54551C291.32616,1000.98129,290.65667,1000.41942,289.99151,999.85991L605.27184,999.85991C604.30151,1000.62939,603.21089,1001.49183,602,1002.44724Z" transform="matrix(1 0 0 1 0.868325 -13.56631)" filter="url(#shield-one_to_ten-filter)" fill="rgb(0,141,199)" fill-rule="evenodd" stroke="none" stroke-width="1"/><g id="shield-g1"/></svg>     Is it my query or the svg file that needs help? Thanks
Hi all. I'm trying to create a table from AWS WAF logs. There is a section of the log that is called ruleGroupList{} and it is a list containing multiple dictionaries. Sometimes there is a field called "excludedRules" that is null. When it is not null, it is a list containing a dictionary with a field called ruleId.

    ruleGroupList: [
      {
        excludedRules: null
        nonTerminatingMatchingRules: [ ]
        ruleGroupId: AWS#AWSManagedRulesBotControlRuleSet
        terminatingRule: null
      }
      {
        excludedRules: [
          {
            exclusionType: EXCLUDED_AS_COUNT
            ruleId: SizeRestrictions_BODY
          }
        ]
        nonTerminatingMatchingRules: [ ]
        ruleGroupId: AWS#AWSManagedRulesCommonRuleSet
        terminatingRule: null
      }

In this case, I want to list the ruleGroupList{}.ruleGroupId and the ruleGroupList{}.excludedRules{}.ruleId in a table, when ruleGroupList{}.excludedRules is not NULL. If it is NULL, then I don't want to display the values for that dictionary. There are 7 dictionaries in this ruleGroupList{} (as long as I don't change my WAF settings in AWS). This is my search:

    <search>
    | spath input=ruleGroupList{} path=excludedRules
    | rename ruleGroupList{}.ruleGroupId as ruleGroup, ruleGroupList{}.excludedRules{}.ruleId as ruleGroupId, ruleGroupList{}.excludedRules as testNullExcludedRules
    | eval x=case(!isnull(testNullExcludedRules),mvzip(ruleGroup,ruleGroupId),isnull(testNullExcludedRules),x)
    | mvexpand x
    | eval x = split(x,",")
    | eval ruleGroupId=case(!isnull(testNullExcludedRules),mvindex(x,1))
    | eval ruleGroup=case(!isnull(testNullExcludedRules),mvindex(x,0))
    | table _time,ruleGroup,ruleGroupId

This gives me the ruleGroupId correctly, but it always lists the first instance of the ruleGroup. I can't figure out how to ignore the ruleGroup when its corresponding excludedRules is NULL. Thanks for any help! Kevin
Hi all, I'm trying to integrate Akamai logs with Splunk through the SIEM integrator, but I'm having problems. I've already installed Java (JRE) and the JDK too, but it still has errors, as shown in splunkd.log. I'm using the add-on: https://splunkbase.splunk.com/app/4310/ Has anyone in the community already been through this, or does anyone have an idea of what it could be?

    Splunk Enterprise Version: 8.2.2
    Akamai-siem-splunk-connector: 1.4.9
    java version "1.8.0_311"
    Java(TM) SE Runtime Environment (build 1.8.0_311-b11)
    Java HotSpot(TM) 64-Bit Server VM (build 25.311-b11, mixed mode)

splunkd.log:

    10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" Message : Connection refused (Connection refused), Exception : java.lang.RuntimeException: Connection refused (Connection refused)
    10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.splunk.HttpService.send(HttpService.java:462)
    10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.splunk.Service.send(Service.java:1295)
    10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.akamai.siem.Main.getValuesFromKVStore(Main.java:802)
    10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.akamai.siem.Main.streamEvents(Main.java:449)
    10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.splunk.modularinput.Script.run(Script.java:74)
    10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.splunk.modularinput.Script.run(Script.java:48)
    10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.akamai.siem.Main.main(Main.java:116)
    10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" Caused by: java.net.ConnectException: Connection refused (Connection refused)

Thank you very much. James \°/
Hello, I'm a bit new to Splunk, so I'm still learning. I have created two fields, an opscounter and a deopcounter. The opscounter keeps count of how many times the field's value (in this case, the value is a username) is promoted to admin. If a user is promoted to admin, their count goes up on the opscounter; however, if they are demoted, the deopscounter goes up as well. As you can see in the opscounter image below, user1 was made an admin, and in the opscounter the count is 1, but in the deopscounter you can see that user1 has a count of one, meaning they were demoted. If they are promoted again, their opscounter value will go to two. If a new user is added, they will automatically be added to the field, the same as if they are demoted, but they will have the same value in both fields. I would like to create a dashboard that displays a list of current admins. Knowing that, is there a way to put every value that is in these fields in an if statement? My thought process is: if user1 from opscounter is greater than user1 from deopcounter, display that user. I would like to figure out a way to make this work. If not, I'm open to suggestions on how to get the same results in a dashboard but through a different method. Any help is appreciated!
Hello everyone, I've seen a number of older posts about automating dashboard exporting with Splunk's API. However, those methods don't seem to apply to the new Dashboard Studio. Does anyone know how exporting can be automated for Dashboard Studio dashboards? Thanks in advance.
My index shows the latest event section "in an hour", I have never seen that before. What exactly does that mean?
I am getting the error "SSL certificate verification failed. Please add a valid SSL Certificate or Change VERIFY_SSL flag to False" when attempting to add a new account in the configuration for the Cybervision add-on. I am interested in setting verify_ssl to false, but am having a difficult time finding the location to change this. Does anyone know the path/file in which I can make this change?