I'm having trouble working out how to authenticate to the Splunk Cloud ACS API using a local account. The doco suggests you can do this: https://docs.splunk.com/Documentation/SplunkCloud/8.2.2106/Admin/ConfigureIPAllowList I can hit the API successfully with a SAML token, but I need to be able to use a local account to authenticate right now. Can anyone shed some light on how you're meant to auth with a local account? I've tried using the session token provided by the auth/login endpoint, and also Basic auth (user/pass), but neither work.

Hi I've upload a file with chinese name，the content(which is also in chinese character)can display and query normally，but source name in chinese characters display with messy code in web browser. i've changed browsers and changed the CHARSET in prof.conf, both didn't fix it. Dose anyone know how to solve the issue,thks a lot.        

Hello, unfortunately I am having to attempt to do a restore of copies of old db_* and rb_* structures that were basically rsync'd over time to some cold storage. I am noticing that things like ".bucketManifest" don't exist. I am trying to restore it to  a net new indexer cluster with the index configured in indexes.conf. I am happy to do this on a standalone indexer if that's the right way to do this, assuming that this is even possible.   To be clear, i have all of the directories that are prefixed with rb_* and db_*, but nothing else. *EDIT* I actually only have db_*/rawdata/journal.gz and rb_*/rawdata/journal.gz Thanks

Hi, We have a custom search that should alert when a critical host, that we have defined in the search, is missing. The issue we're having is that we haven't been alerted on some of the hosts not having logs because the last time they had any logs was an age ago. When I change earliest=-1d to earliest=-1y the hosts I want appear but the search takes a longer time.  Is there a way to make it so for every host value specified, a stats line is created where I can fillnull the fields as appropriate? Here is the search: | tstats prestats=true count where index="*", (host="host01" OR host="host02" OR host="host_01" OR host="host_02") earliest=-1d latest=now by index, host, _time span=1h | eval period=if(_time>relative_time(now(),"-1d"),"current","last") | chart count over host by period | eval missing=if(last>0 AND (isnull(current) OR current=0), 1, 0) | where missing=1 | sort - current, missing | rename current as still_logging, last as old_logs, missing as is_missing

All, I wanted to take the list of index hosts List that currently being index by splunk and then compare that list to a static List. And then showing what item in the static List is not being index. How would I approach this? 

Hello, My company has a sidebar that is consistent throughout all our other internal applications, and we were trying to get that same sidebar on our Splunk instance as well. We wanted to add a custom sidebar, with links to other pages from there (sort of looks like the bootstrap 5 sidebar https://getbootstrap.com/docs/5.0/examples/sidebars/), within all the apps (home/search/etc). Is there anyway this can be done? When I looked elsewhere for tips on styling the UI, most of them were for styling the dashboards themselves. Is there also a way to include a custom javascript file within that UI as well? I am new to splunk, so maybe I am not looking in the right areas.

Hello, Roxio Secure Burn stores a history of its burn logs to C:\ProgramData\Roxio Log Files I have a report set up in SPLUNK to monitor that location on all computers that have Roxio installed.  source= "c:\\ProgramData\\Roxio Log Files\\*"  Most of the systems show up fine. However several system have files saved in that location on the local system that do not show in the SPLUNK report.  Those systems are visible for other reports, such as failed logons, reboots, etc. But nothing shows up for the report above. The permissions for that location are the same as systems that DO show up in Roxio.  I have adjusted the time to include the past 6 months, year, and all time. Nothing shows in the SPLUNK results, however I can see logs in the actual directory on the system itself.  Any ideas?  

I have a lookup table with CVE listed which I dont want to be in our report so we have made the lookup table and adding it to the search  | table Severity, "EC2 Instance ID", "EC2 Instance Name", "Rules Package", Rule, CreatedAt, Links, title, description, recommendation, numericSeverity | lookup ignore_cve.csv But I am getting an error that " Error in 'lookup' command: Must specify one or more lookup fields." So Do I have add something else after ignore_cve.csv   Kindly help.@lookup

Hi, I am having difficulty in extracting key=value pairs from one of the auto extracted field. The problem is that, this field may contain just a text value but also could contain multiple key=value pairs in it, so whenever there are multiple key=value pairs in the event then I am not getting the desired results. Following are some of  my _raw events  - 2021-08-10T11:35:00.505 ip=10.1.10.10 id=1 event="passed" model="t1" conn="connmsg=\"controller.conn_download::message.clean\", file=\"/home/folder1/filename_8555c5s.ext\", time=\"21:22:02\", day=\"08/24/2021\""  2021-08-10T11:35:00.508 ip=10.1.10.10 id=1 event="running" model="t1" conn="connmsg=\"model.log::option.event.view.log_view_conn, connname=\"model.log::option.event.view.log_view_conn_name\", user=\"xyz\", remote_conn=10.23.55.54, auth_conn=\"Base\"" 2021-08-10T11:35:00.515 ip=10.1.10.10 id=1 event="failed" model="t1" conn="Failed to connect to the file for \"file_name\"" 2021-08-10T11:35:00.890 ip=10.1.10.10 id=1 event="extracting" model="t1" conn="connmsg=\"model.log::option.event.view.logout.message\", user=, job_id=65, report_name=",  path=\"{\"type\":1,\"appIds\":\"\",\"path\":\"2021-08-10T11:35:00+00:00_2021-08-10T12:35:00+00:00\\/ip_initiate\\/10.1.120.11\\/http_code\\/200\",\"restrict\":null}\"" 2021-08-10T11:36:00.090 ip=10.1.10.10 id=1 event="extracting" model="t1" conn="connmsg=\"model.log::option.event.view.audit.message, user=\"qic\\abc_pqr\, reason_msg=\"component.auth::message:unknown_user\", path=/abc/flows/timespan/2021-08-10T11:35:00+00:00_2021-08-10T12:35:00+00:00/ip_initiate/10.101.10.20/data.ext" 2021-08-10T11:36:00.380 ip=10.1.10.10 id=1 event="triggered" model="t1" conn="Rule 'Conn Web Service' was triggered by Indicator:'Conn Web Service'" 2021-08-10T11:36:00.880 ip=10.1.10.10 id=1 event="triggered" model="t1" conn="connmsg=\"model.log::option.event.report.finished\", user=, job_id=65, report_name=",  path=\"{\"type\":1,\"namespace\":\"flows\",\"appIds\":\"10,11,12\",\"path_bar\":\"[\\\"ip_initiate=10.1.120.11\\\"]\",\"2021-08-10T11:35:00+00:00_2021-08-10T12:35:00+00:00\\/ip_initiate\\/10.1.120.11\\/http_code\\/200\",\"restrict\":null}\"" The field which I am facing issue is "conn" field and I want data to be extracted in conn field in somewhat below manner -   conn \"controller.conn_download::message.clean\" model.log::option.event.view.log_view_conn Failed to connect to the file for \"file_name\" \"model.log::option.event.view.logout.message\" \"model.log::option.event.view.audit.message\" "Rule 'Conn Web Service' was triggered by Indicator:'Conn Web Service'" but currently its just extracting the next value coming after conn= ,so basically current data in my conn field based on the above raw events looks like - conn connmsg=\ connmsg=\ Failed to connect to the file for \"file_name\" connmsg=\ connmsg=\ Rule 'Conn Web Service' was triggered by Indicator:'Conn Web Service' The "conn" field might contain even more key value pairs , so also wanted to know if there is some dynamic way to capture if any new key value pair pops in conn field other than those specified ? Also along with that, the other key value pairs in conn field is sometimes getting auto extracted and sometime it isn't. I am trying to write Search time field extraction using props and transforms but no luck so far in getting what I want, can someone please help ? Thanks in Advance.

Tried opening the "Okta Identity Cloud Add-on for Splunk" from UI to check the configuration and settings, but it keeps showing that it's loading, but it doesn't actually load. I checked the "ta_okta_identity_cloud_for_splunk_okta_identity_cloud.log" file from CLI and here is what it returned. >>>>>tail -f ta_okta_identity_cloud_for_splunk_okta_identity_cloud.log<<<<< File "/opt/splunk/etc/apps/TA-Okta_Identity_Cloud_for_Splunk/bin/ta_okta_identity_cloud_for_splunk/solnlib/packages/requests/api.py", line 53, in request return session.request(method=method, url=url, **kwargs) File "/opt/splunk/etc/apps/TA-Okta_Identity_Cloud_for_Splunk/bin/ta_okta_identity_cloud_for_splunk/solnlib/packages/requests/sessions.py", line 468, in request resp = self.send(prep, **send_kwargs) File "/opt/splunk/etc/apps/TA-Okta_Identity_Cloud_for_Splunk/bin/ta_okta_identity_cloud_for_splunk/solnlib/packages/requests/sessions.py", line 576, in send r = adapter.send(request, **kwargs) File "/opt/splunk/etc/apps/TA-Okta_Identity_Cloud_for_Splunk/bin/ta_okta_identity_cloud_for_splunk/solnlib/packages/requests/adapters.py", line 447, in send raise SSLError(e, request=request) SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:741) 2021-09-09 11:55:38,725 INFO pid=25100 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1 2021-09-09 11:55:38,733 ERROR pid=25100 tid=MainThread file=splunk_rest_client.py:request:144 | Failed to issue http request=GET to url=https://127.0.0.1:8089/servicesNS/nobody/TA-Okta_Identity_Cloud_for_Splunk/TA_Okta_Identity_Cloud_for_Splunk_account?output_mode=json&--cred--=1&count=0, error=Traceback (most recent call last): File "/opt/splunk/etc/apps/TA-Okta_Identity_Cloud_for_Splunk/bin/ta_okta_identity_cloud_for_splunk/solnlib/splunk_rest_client.py", line 140, in request verify=verify, proxies=proxies, cert=cert, **kwargs) File "/opt/splunk/etc/apps/TA-Okta_Identity_Cloud_for_Splunk/bin/ta_okta_identity_cloud_for_splunk/solnlib/packages/requests/api.py", line 53, in request return session.request(method=method, url=url, **kwargs) File "/opt/splunk/etc/apps/TA-Okta_Identity_Cloud_for_Splunk/bin/ta_okta_identity_cloud_for_splunk/solnlib/packages/requests/sessions.py", line 468, in request resp = self.send(prep, **send_kwargs) File "/opt/splunk/etc/apps/TA-Okta_Identity_Cloud_for_Splunk/bin/ta_okta_identity_cloud_for_splunk/solnlib/packages/requests/sessions.py", line 576, in send r = adapter.send(request, **kwargs) File "/opt/splunk/etc/apps/TA-Okta_Identity_Cloud_for_Splunk/bin/ta_okta_identity_cloud_for_splunk/solnlib/packages/requests/adapters.py", line 447, in send raise SSLError(e, request=request) SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:741)