I'm new to Splunk. I've got a Search that works fine in the Search screen and correctly generates a bar chart. index="production" source="s3://hydrow-android-logs-input-queue-prod/console/*" logWorkoutEndDebugStats releaseStage="production" | rename workoutEndInfo.videoRestartStats.videoStopped as videoStops | stats count by buildNumber, videoStops | eventstats sum(count) as itemTotal by buildNumber | eval percentage=round((count / itemTotal) * 100 , 1 ) | search videoStops = true | chart values(percentage) over buildNumber by videoStops   Error when rendering as chart on a dashboard:     When I Save it to a dashboard or create a new chart on the dashboard and enter the search as the datasource, I get the error below.  if I change the visualization from a chart to a table, then the table renders fine.  There's no indication of why the visualization works fine on the Search page, but not the dashboard.   Any suggestions on how to debug this would be very welcome!    

Hi  Could someone help to let me know how to display fields stating "file is missing" in Splunk DB query output when no output is expected Currently the below query returns- | dbxquery query=" select * from ............................ ;" connection="to_connect" > No results found Expected output- file missing   file missing    file missing (if possible ...different texts in different columns, not sure if eval/fillnull command can be used here)

I was looking at installing https://splunkbase.splunk.com/app/3075/ in Splunkcloud. The documentation here -> https://training.threatconnect.com/learn/article/threatconnect-application-for-splunk-user-guide-kb-... does not specify if it needs to be installed on IDM or can be installed on SH. I went ahead and installed on my ES SH and configured the app, but now the logs are coming into lastchanceindex. Has anyone installed this in splunkcloud and got this working?

Hi In my app there are 2 payment processor, netconnect(backup) and sourcejet(primary), where is netconnect is the backup processor. I have created a report query which pulls the refund data from the logs given below log: <myapp.com.sys.BillingLogger.logResponse(?:?):stage=final; type=payment; service=PaymentCollect; processor=netconnect; method=refund; itemType=F; status=failed; latency=602; payMode=Card; CardType=visa; bookingId=91113274385; error='Decline - Generic Error. No other information provided'> The query used is as below: stage=final type=payment processor=netconnect method=refund status=failed bookingId=* paymentMode=* | stats count by bookingId Output: bookingId Count 91113274385 1 91111234567 1 91114567890 1   Now the issue here is in certain scenario system makes a retry using the backup net connect processor. This happens when the first call for refund to sourcejet failed due to a system error. Netconnect log: <myapp.com.sys.BillingLogger.logResponse(?:?):stage=final; type=payment; service=PaymentCollect; processor=sourcejet; method=refund; itemType=F; status=failed; latency=602; payMode=Card; CardType=visa; bookingId=91113274385; error='Decline - Generic Error. No other information provided'> Sourcejet log: <myapp.com.sys.BillingLogger.logResponse(?:?):stage=final; type=payment; service=PaymentCollect; processor=sourcejet; method=refund; itemType=F; status=failed; latency=602; payMode=Card; CardType=visa; bookingId=91113274385; error='Decline - Generic Error. No other information provided'> If there is a way to eliminate the sourcejet failures using net connect for backup

Anyone have a good method for doing substring matches where field1 is my searched field and field2 is my substring I want to search for? Attempted to use the following logic without any luck and running low on ideas.   | eval comparison = if(like(field1, %field2%), "1", "0")   field1 is a URL and field2 is a base domain, but field2 is input from a lookup, so it's variable but would look something like:   field1="http://www.yahoo.com/mail/inbox" field2="yahoo" OR field1="linkedin.com/company/google/profile" field2="google"   I'm low on ideas after spending my time in docs and forums all day.

I have a simple Maven configuration where I know the following is on the classpath (I can verify it at runtime before Spring Boot starts up in my application class): com.splunk.logging:splunk-library-javalogging:1.6.2 The Maven dependency looks like: <dependency> <groupId>com.splunk.logging</groupId> <artifactId>splunk-library-javalogging</artifactId> <version>1.6.2</version> </dependency>   I made sure that Spring Boot is loaded this way: <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> <version>${version.spring.boot}</version> <exclusions> <exclusion> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-logging</artifactId> </exclusion> </exclusions> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-log4j2</artifactId> <version>2.5.4</version> </dependency>      I created an appender this way: <?xml version="1.0" encoding="UTF-8"?> <Configuration status="info" name="LoggingTesting" packages=""> <Appenders> <SplunkHttp name="SPLUNK_APPENDER_1" url="http://SPLUNK_IP:8088/services/collector/event" token="MY_TOKEN" source="SampleJavaAppender1" messageFormat="text" batch_size_bytes="0" batch_size_count="5" batch_interval="0" connect_timeout="5000" disableCertificateValidation="true"> <PatternLayout pattern="%m"/> </SplunkHttp>   When I launch my application, I get this error: main ERROR Error processing element SplunkHttp ([Appenders: null]): CLASS_NOT_FOUND main ERROR Unable to locate appender "SPLUNK_APPENDER_1" for logger config "root" This was all based on the sample Log4J2 configuration . What am I missing in my configuration?

Can anyone please help me to create the regex expression for the below log.  > {\\n \\\"process\\\": \\\"get_input\\\",\\n \\\"totalProcessed\\\": \\\"0\\\",\\n \\\"SuccessfullyProcessed\\\": \\\"0\\\",\\n \\\"FailedToProcess\\\": \\\"0\\\",\\n \\\"FileName\\\": \\\"\\\"\\n} I created the regex for this as below, but for the 'FileName' I am getting '\n'.   > | rex field=_raw "process\W+(?<process>[\w\s]+)" | rex field=_raw "totalProcessed\W+(?<totalProcessed>[\w\s]+)"| rex field=_raw "SuccessfullyProcessed\W+(?<SuccessfullyProcessed>[\w\s]+)" | rex field=_raw "FileName\W+(?<FileName>[\w\s]+)" | rex field=_raw "FailedToProcess\W+(?<FailedToProcess>[\w\s]+)" It seems some modification/rebuild the regex is needed.  Please help me on this.    Thanks in advance.

Hi to all, is wanted or is a bug that dashboard made with dashboard studio are not visible in the navigation menu? This is the cose inside default.xml:   <collection label="DStudio"> <collection label="HFWD"> <view source="unclassified" name="hfwd_data_collection" /> </collection> </collection>   Instead to see my dashboard made with dashboard studio i see all other dashboards. Thanks for help

Hello,  We are using Splunk Cloud and frequently we get updates of our instance, it's fine so we are always up-to-date. The issue is that we have no warning before it happens and the update sometimes has some impacts that we only discover later. Questions: -How to know when an update will happen? -How can we get an history of updates of our instances. This search gives me the last restart of the instance and the version, but it doesn't necessary mean that the update was done at that time. | rest /services/server/info | eval LastStartupTime=strftime(startup_time, "%Y/%m/%d %H:%M:%S") | table LastStartupTime , version   Thanks for your help

Need help hardening Splunk with the following brothers / sisters Thank u in advance. Where do I enable Indexer Acknowledgement. To ensure delivery of data from FWs to Indexers. When enabled the FW will send any data not acknowledged as received by the Indexer. Where do I enable Event & data block signing? To meet regulatory requirement. How do I ensure if Audit events & archives are cryptographically signed. To help detect any modifications or tampering of underlying data. I appreciate your help in advance    

When I create a role and assign it to a user in Splunk Enterprise, I have successfully tested that the user can only see events/data from the indexes specifically selected for that role.   However, when logged in as that user, in Splunk Enterprise Security, when accessing the "Security Posture" dashboard, for example, it appears the role restrictions given in Splunk Enterprise do not carry over to enterprise security.  On the Security Posture dashboard, the user I want to limit access of data to can see everything.  This is because there are no restrictions in place on the "es_notable_events" source in ES, for example.  I would like to put a restriction in place so the logged in user can only see notable events from the indexes the user is restricted to in Splunk Enterprise, hence the only data the user can see in the specifically selected indexes, and nothing more. A restricted user and a Splunk admin has the same visibility to all data on the Security Posture dashboard (and all other applicable dashboards and displays as well). Is there a way to limit visibility in Enterprise Security (notable events and such) to only data from the indexes the restricted user has access to in Splunk Enterprise?   It seems that the role restrictions put in place in Splunk Enterprise do not carry over easily to Enterprise Security.  I can create a bunch of customized dashboards and reports with queries filtering on hostname and/or IP range only, but this is a lot of work for something where an option may just need to be set, or an extra parameter added to the role somewhere.   Maybe Splunk can make this more easy to manage in a future release of Enterprise Security?

Please show mw how & where do I find the SSL encryption "enabled or not" for If SSL encryption communication enabled between Splunk Search heads, Indexers, FWS If SSL encryption enabled from browser to Splunk Web (on SHs) If SSL enabled between FWs to Indexers   I really appreciate your help in advance. Thanks