Hi, I have different mails in my logs and I need to filter them in order to distinguish real users from technical users. I noticed that real users have an email like name.surname@company.com, so I would like to extract these emails matching "anycharacter.anycharacter@any" because in some cases it could be possible to have an email with numbers (ex. name.surname1@company.com). Thank you in advance!
I have the following XML:

<input type="multiselect" token="exclude_user" searchWhenChanged="true">
  <label>Exclude User</label>
  <valuePrefix>"</valuePrefix>
  <valueSuffix>"</valueSuffix>
  <delimiter>, </delimiter>
  <fieldForLabel>user</fieldForLabel>
  <fieldForValue>user</fieldForValue>
  <search base="filtered">
    <query>| stats values(User) as user | mvexpand user | dedup user</query>
  </search>
  <choice value="SYSTEM">SYSTEM</choice>
  <choice value="-">NONE</choice>
  <default>SYSTEM</default>
  <initialValue>SYSTEM</initialValue>
</input>

The filter is set up as an exclusion filter using a post-processing search in conjunction with the base search, such as:

| search NOT User IN ($exclude_user$)

The multiselect works, until the value of "NONE" is selected, which inputs the values of

| search NOT User IN (" ")

into the post-processing search. Text below the filter displays, "Duplicate values causing conflict". This doesn't prevent the search from completing, and the results I receive are what I expect to be returned. It would be ideal for the message below the multiselect filter not to be displayed. Anyone have a suggestion on how I can get rid of it? I have tried the following:
- Adding | dedup User to the post-processing search.
- Changing the fieldForLabel value to " " and NONE.
Not sure what to try next. Thanks in advance.
Hi Splunkers. I have noticed a strange behavior from Splunk. I have a correlation search that I created a while ago and made sure to select "Notable" under the Adaptive Responsive section so that it creates a notable; I also tested that when I run the search manually it produces results. BUT it does not generate notables in the Incident Review dashboard! So I went and searched index=notable and found 4 events for this correlation search in the last 30 days! Then I checked the same index for another correlation search that DOES generate notables in the Incident Review dashboard (4 notables in the last 30 days) and indeed I found 4 events in the notable index! I also used the "Correlation Search Audit" app (https://splunkbase.splunk.com/app/4144) and indeed this app shows that this correlation search has been triggered 4 times in the last 30 days! The search does not have any lookups (in case you asked about the permissions of the lookups). The search does use the Web data model (and it has Global permissions). I'm using the admin user so I have sufficient privileges. I'm using:
Splunk Enterprise version: 8.1.0
Enterprise Security version: 6.2.0
OS: Red Hat Enterprise Linux Server 7.7 (Maipo)
Any idea why this is happening?
Hello there. Posting just for reference. It seems there is some misconfiguration issue between Splunkbase and the Splunk default config. The default config says:

# /opt/splunk/bin/splunk btool server list applicationsManagement | grep updateHost
updateHost = https://apps.splunk.com
# /opt/splunk/bin/splunk btool server list applicationsManagement | grep Check
sslAltNameToCheck = splunkbase.splunk.com, apps.splunk.com, cdn.apps.splunk.com
sslCommonNameToCheck = apps.splunk.com, cdn.apps.splunk.com

However, the servers respond with:

# curl -v https://apps.splunk.com 2>&1 | grep subject:
* subject: C=US; ST=California; L=San Francisco; O=Splunk Inc.; CN=splunkbase.splunk.com

Whereas 8.2.5 (I don't have any other 8.2 at hand to check) seems to work despite those settings, 9.0.3 enforces the settings strictly and says:

ERROR X509 [25665 TcpChannelThread] - X509 certificate (CN=splunkbase.splunk.com,O=Splunk Inc.,L=San Francisco,ST=California,C=US) common name (splunkbase.splunk.com) did not match any allowed names (apps.splunk.com,cdn.apps.splunk.com)

Workaround: overwrite the setting in server.conf with

[applicationsManagement]
sslCommonNameToCheck = splunkbase.splunk.com,apps.splunk.com,cdn.apps.splunk.com
Hi, Can an Oracle DB be monitored in a hotel environment?
How can I display a value cumulatively every hour? For example 10:00 = 250 pieces, 11:00 = 200 pieces, 12:00 = 150 pieces. The value should be displayed as follows:
10:00 = 250 pieces
11:00 = 450 pieces
12:00 = 600 pieces
Which search command should I enter here? Thanks in advance!
Hello, the Splunk Add-on Builder won't load; it has the header, but the rest is blank. (9.0.3 Enterprise + 4.1.1 app)
- Reinstall does not help.
- Nothing in splunkd.log or the add-on builder logs.
- I found this event in web_service.log, but I don't know what I should do with it:

File "/opt/splunk/etc/apps/splunk_app_addon-builder/bin/splunk_app_add_on_builder/solnlib/utils.py", line 169, in extract_http_scheme_host_port
    raise ValueError(http_url + " is not in http(s)://hostname:port format")
ValueError: splunk."mydomain"."ext" is not in http(s)://hostname:port format

Note: I changed the real hostname. Everything else is OK; all other apps work fine. I reach the server on https://splunk."mydomain"."ext":8000. The splunk."mydomain"."ext" format is set in server.conf as serverName and in web.conf for mgmtHostPort (with :"port"). Any ideas? Thanks in advance,
I am new to Splunk. I have to create one dashboard and compare the current day with the same day of last week based on request ID count.

index="test" s_name="test-app*" earliest=-0d@d latest=now
| bucket span=1h _time
| stats dc(message.req_id) as tcount by _time
| eval ReportKey="today"
| append [search index="test" s_name="test-app*" earliest=-7d@d latest=-6d@d
    | bucket span=1h _time
    | stats dc(message.req_id) as week by _time
    | eval ReportKey="lweek"]
| timechart span=1h sum(week) as Lweek, sum(tcount) as Today by ReportKey

I want to create an overlapping dashboard, like
Thanks in advance
My query is this:

index=log AND 1378

There are two events:

20230112, 1378, error A/B/C, duration 100
20230112, 1378, error A/B, duration 2

I want to select only the one event whose duration is greater than the other event's.
Hi all, I want to have on a HF (8.1.4) multiple _meta for one field's values in one stanza. Any suggestion how? Example:
accountName = a _meta -> _meta = c-team1
accountName = b _meta -> _meta = c-team2
accountName = c _meta -> _meta = c-team3
Regards, Jan
Is it possible to do line breaking and event breaking in a Universal Forwarder?
We have recently upgraded an indexer from 8.2.6 to 9.0.2 (running on Windows) and since then we have been plagued by an intermittent issue where the indexer stops indexing new data, but otherwise functions fine. The indexing rate is 0, but it still returns search results. Restarting the Splunk service is all that is required and it starts indexing again. The problem seems very similar to this post, but I can't see that any of the known issues quoted relate to 9.0.2. It should already be fixed with the "server side fix" alluded to by one of the people replying to that post. When the problem happens, we see these errors in the splunkd log of the indexer: Sorry for the screenshots. Best I could do. Any clues as to what is going on here?
I have a query and at the end I want to sort the data by a specific column, but the column is dynamically generated. I can get the column name in an eval function and store it in a variable. Now how do I use this variable in the sort command? For example:

my_search
| eval date="my logic & let say return '2023-02-02'"
| sort - $date

Here the variable is holding the column_name value and then I want to sort by that column. Is it possible to sort by a column name which is dynamically generated? I won't know the exact name, but the variable holds the column name, so can I just use sort - $Variable?
index=index1 type=1 feature IN ([search index=index1 type=type2 application=weather_app | dedup feature | fields feature | format ])

The above code returns this error and I can't seem to figure out how to fix it. Any help would be appreciated.

Error in 'search' command: Unable to parse the search: Right hand side of IN must be a collection of literals. '((feature = "feature1") OR (feature = "feature2") OR (feature = "feature3") OR (feature = "feature4") is not a literal.
I'm having an issue where PHP can't seem to load the agent.so, similar to this issue: PHP 8.0 agent cannot start - AppDynamics Community. Are there any known bugs with the current PHP agent version 22.12.1 with PHP 8.1? I've followed the install instructions as usual from Install the PHP Agent by Shell Script (appdynamics.com).

php -v
PHP Warning:  PHP Startup: Unable to load dynamic library 'appdynamics_agent.so' (tried: /usr/lib64/php/modules/appdynamics_agent.so (/usr/lib64/php/modules/appdynamics_agent.so: undefined symbol: zend_vm_stack_copy_call_frame), /usr/lib64/php/modules/appdynamics_agent.so.so (/usr/lib64/php/modules/appdynamics_agent.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
PHP 8.1.15 (cli) (built: Jan 31 2023 15:13:17) (NTS gcc x86_64)
Copyright (c) The PHP Group
Zend Engine v4.1.15, Copyright (c) Zend Technologies
    with Zend OPcache v8.1.15, Copyright (c), by Zend Technologies
Is there a limit to how many events can be sent to Splunk HEC per event? What's recommended, are there any guidelines? This Splunk .conf presentation has it at 5-50, but I've seen some folks send 1k-6k events per request. Is there a point where the number of events per request starts to affect performance, and would it affect just the input with the large request or the overall HEC server? https://conf.splunk.com/files/2017/slides/measuring-hec-performance-for-fun-and-profit.pdf "Recommendation: Batch size between 5 and 50"
Hi, I need an InfluxDB driver for Splunk DB Connect. Any idea? Thanks
I created a small PowerShell script to collect all EC2 Windows hostnames and IP addresses. I simulated the existing scripts and locations already in the system. I did have success with Linux with a shell script. No data is returning. Is there a recipe out there or advice to get results to appear?
The search below doesn't work when I add department to the group-by fields in the streamstats command. It works with any other field but this one. Can someone please give some insight?

index=...
| lookup lookup cn as user OUTPUT department
| reverse
| dedup department application feature time
| streamstats current=f window=1 values(currTotalCount) as prev_count by application feature department
| table department application user display time feature currTotalCount prev_count

The prev_count field is empty when I add department to the group-by fields (streamstats command); otherwise it shows the correct result.
Hello, I am new. I have combined data from cyclogs, AD server logs and firewall logs. How can I search for data that happens +/- 5 mins from a message event? For example, I have narrowed my search of data down with the message search Message="Started FTP Client", but I need to know what happens +/- 5 mins from this event, as I would like to see the dest_Ip address in the firewall data and user login data from the AD server. I imagine they would be the same timestamp or very close. Thank you