Hello Splunkers, Has anyone on-boarded Oracle cloud recently, Please share your experience and help with the right Add-on to be used as the one available on Splunk base says not supported anymore. Thanks in advance, regards, Moh

When I search using the Python SDK, I don't seem to see any fields, other than the very basic ones like host, source, sourcetype... in the results. Is there a way to get the search to return all the same pre-extracted fields I get when using the splunk search GUI ? like fields automatically extracted by Splunk, such as those that come in field1=value1 ...etc? Thanks, Mohamed.

Hello, I am using the splunk-utils SDK to try and search Splunk 9.0.4 from an external app. I am able to submit an initial search with a bearer token and can see my local instance receiving it and returning a search SID. However, when I try to retrieve the results with getData, I get an error saying "Invalid Version: undefined"     // https://splunkui.splunk.com/Packages/splunk-utils/Search const n = await getData( sid, "results", { output_mode: "json_cols" }, { splunkdPath: serverURL, app: "myapp", owner: "nobody"}, headers )     Tracing the node_modules, I can see that the getData in search.js is trying to figure out the version, but I am not following how.  This seems to be the line that is determining if v2 should be used:     // Use V2 endpoints only where available // https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#Semantic_API_versioning var V2_ENDPOINTS = ['results', 'results_preview', 'events']; var endpointVersion = V2_ENDPOINTS.includes(endpoint) && gteSplunkVersion(_config.versionLabel, '9.0.2', '9.0.2209') ? '/v2' : '';     I have been looking at this example from @ryanoconnor and @nhaq but am not seeing how the right API version is being determined. https://github.com/splunk/react_search_example/blob/main/src/App.js Any ideas how to update my call to tell my getData what version to use?  I am assuming this is unhappy about a missing version but maybe it's something else... Full Error:     index.js:1 TypeError: Invalid Version: undefined at new SemVer (semver.js:19:1) at patch (patch.js:2:1) at gteSplunkVersion (search.js:53:1) at getData (search.js:326:1) at loadResults (splunksearch.js:80:1) at retrieveJob (splunksearch.js:56:1)      

Regarding Windows Print Monitoring, what do each of the "operation" field values mean, i.e., add, set, baseline? For example, in the event below, what does "operation=set" mean? 04/21/2014 13:51:59.486 operation=set type=Printer ComputerName=ops-sys-001 printer=HP LaserJet M3035 mfp PCL6 share= port=IPAddress driver=HP LaserJet M3035 mfp PCL6 comment=None location= separate_file= print_processor=hpzppwn7 data_type="RAW" parameters= status="normal" attributes=979 priority=6 default_priority=2 jobs=8 average_PagePerMinute=73  

Hello Splunk, I am using website monitoring app to monitor multiple sites and I want to get availability for individual sites and add it to Status Overview Dashboard. Any help is appreciated. Thanks in advance!

Hello Splunkers, I have a field called state_sinfo which have values like (up,up*,up$,up^,continue,continue$,continued,continied$,down,down%,down#,drop,drop*,drop$) I want to categorize certain values of state_sinfo as like below available (up,up*,up$,up^,continue,continue$,continued,continied$) not_available(down,down%,down#) down(drop,drop*,drop$) Then I want to calculate the sum  of all categories by time Lastly I want to calculate the  percentage  | eval "% available" = round( available / ( available + drop ) * 100 , 2) | eval "% drained" = round( drop / (available + drop ) * 100 , 2) Sample event   slu_ne_state{instance="192.1x.x.x.",job="exporters",node="xyz",partition="gryr",state_sinfo="down",state_sinfo_simple="maint"} 1.000000 1676402381347 Thanks In advance 

I need to provide audit details on our ES Content Library. Using rest, I can identify searches that have been updated and when they were updated, but the rest call only reports on the owner of the search, not the person who made the change. | rest splunk_server=local /servicesNS/-/-/saved/searches | fields title search eai:acl.owner eai:acl.app alert_type updated cron_schedule auto_summarize.suspend_period dispatch.earliest_time dispatch.latest_time id | convert timeformat="%Y-%m-%dT%H:%M:%S+00:00" mktime(updated) | where updated >= relative_time(now(), "-4h") Looking at conf.log I can see when a search was written: index="_internal" source="/opt/splunk/var/log/splunk/conf.log" earliest=-30h WRITE_STANZA | stats values(data.optype_desc) values(data.payload.children.action.correlationsearch.label.value) values(data.payload.children.search.value) Neither of these searches tell me who was the individual writing the search. Any other ideas as to how I can accomplish this? Thank you.