Hello, we have problem with useACK, there are known bugs with our UF 7.3.4 : https://docs.splunk.com/Documentation/Splunk/7.3.4/ReleaseNotes/KnownIssues : SPL-171178, SPL-167307, SPL-202078 Disabling indexer ack from forwarder is not acceptable in our case so which solution is best? Schedule regular restarts? Downgrade? Thanks for your contributions.  

Hello,  Whenever I tried to create a notable event by "Configure -> Incident Management -> New Notable Event", the website seems to crash, giving a weird error     I wanted to create a notable event so that my Incident Review is not blank

Hey splunkers,  How can I correlate rules in Splunk from 2 data sources?  The events for example: OKTA - privilege granted index="network" sourcetype="OktaIM2:log" eventType="user.account.privilege.grant" + Windows - Event Auditing disabled index="WinEventLog" sourcetype="WinEventLog" EventCode="4719" AuditPolicyChanges="removed" I want to correlate first Okta event and then the Windows event with the same field (for example Username) in 10 min.    

I am running SPLUNK version 8.0.10 with Lookup Editor version 3.4.6.  Noted that I have a problem in my CSV's wherein if I scroll using my mouse to the bottom of a long list (say 300 lines), the scroll bar jumps back to the top of the CSV.  I have to literally click on the side scroll bar and drag to the bottom to perform any edits (particularly if I want to add a new line).   I have seen there have been other bugs with 3.4.6 and the only version that is "supported" under 8.0 is 3.4.6.  3.5.0 which is available for download only supports 8.1+.    

hi. I have a txt file include many strings, and  many logs from my web server that indexed. I want to find the logs that at least match with one of the string in txt file. how to search and query for this goal? thanks. for example: txt file: mosConfig.absolute.path and logs: http://localhost/index.php?option=com_sef&Itemid=&mosConfig.absolute.path=[shell.txt?] and output: http://localhost/index.php?option=com_sef&Itemid=&mosConfig.absolute.path=[shell.txt?]

Hello Gurus! I am sure some people may have run in to this.   I am using extract command to parse fields from multi line unstructured event, but the data values are encapsulated by single quotes. Here is the example : ====EVENT 1======== 2021-09-08 00:00:00 ABC status - performance event     name : 'James Bond'     address : 'USA'     age : '100'     occupation : 'spy' performance event END ================== So the the following event, I am using transforms to  transforms.conf [performance_data] DELIMS = "\r\n", ":" So above transforms partially works.  The problem is the values has single quote ' encapsulated. Like this Field name "name"  with value "'James Bond'".   single quote included.  How can I get rid of the single quote?

I have logs in the format of json where message is the key and message contains the value mentioned below   message:  <ErrorMessage>E-delivery failed<ErrorMessage> When i am searching like below in the splunk, able to search the events index="*" source="*" "E-delivery failed" If i want to display the count of E-delivery failed string, the results are not fetching as the value under message tag is xml. Query used is: index="*" source="*" | eval type=case(like(message, "%E-delivery failed%"),"e delivery failed")|stats count as Results by type With the above query not able to get any results. Please help me with the query.   Result should be: type                                  count e delivery failed             10  

I found that the count with the 'Other' slice in the pie graph visualization available in splunk is not actually the count of events. From documentation I found that it is the count of 'Slices' with less contribution.  Is there any way to print the count of events with the 'Other' slice? Checked documentations and forums. Couldnt find any anything.

I am having a Timeline visualization where Date wise, engine wise status is displayed for an analytic, whether the execution is success or failure. Currently it is represented in the form of bubbles but then need to represent the status in the form of vertical lines. If there is a way could anyone help me on this?

Hi, I am having a Timeline visualization where Date wise, engine wise status is displayed for an analytic, whether the execution is success or failure. Now I need to display a table on clicking an event in the visualization by passing analytic name, execution date time and engine number. Could you please help me with creating a drill down table for this? Thanks