Hey folks,

I have a query as such:

    .. | ID="*" AND STATUS="*" | table _time ID STATUS

Here is the result which I got:

    .. | ID="*" AND STATUS="*" | table _time ID STATUS

If you notice here, for the same ID I got all the statuses which were logged, but I would like to have the latest status here. I did try a few things like:

    ... | ID="*" AND STATUS="*" | stats latest(STATUS) by ID | table _time ID STATUS

Here is what I got: I did get the unique IDs, but the rest of the fields are coming back as null. Could you please help me here?
Does the Website Monitoring App support TLS v1.3 for target URLs? I haven't been able to find any documentation around the same and wasn't able to get it to work locally. Appreciate any help on it.
I am using custom JS from the dashboard UI XML:

    <form version="1.1" stylesheet="vulnerability_center.css" script="multiselect_input.js">

You can find my JS file below:

    require([
        'splunkjs/mvc',
        'splunkjs/mvc/simplexml/ready!'
    ], function(mvc) {
        // 'splunkjs/mvc' is the first module in the list, so it is the first callback
        // argument; the posted version bound it to '_' and left 'mvc' pointing at the
        // ready! token, so mvc.Components was not the MVC registry.
        function setupMultiInput(instance_id) {
            var multiselect = mvc.Components.get(instance_id);
            // Return a copy of the array with every occurrence of 'filtered' removed
            const without = (array, filtered) => array.filter(n => n != filtered);
            if (multiselect) {
                multiselect.on("change", function() {
                    let current_val = multiselect.val();
                    let first_choice_value = multiselect.options.choices[0].value;
                    // The first choice was already selected and a specific value was added:
                    // drop the first choice
                    if (current_val.length > 1 && current_val.indexOf(first_choice_value) == 0) {
                        multiselect.val(without(current_val, first_choice_value));
                    }
                    // Specific values were selected and the first choice was added afterwards:
                    // keep only the first choice
                    if (current_val.length > 1 && current_val.includes(first_choice_value)
                            && current_val.indexOf(first_choice_value) != 0) {
                        multiselect.val([first_choice_value]);
                    }
                });
            }
        }
        // Wire up every multiselect input on the dashboard
        var all_multi_selects = document.getElementsByClassName("input-multiselect");
        for (let j = 0; j < all_multi_selects.length; j++) {
            setupMultiInput(all_multi_selects[j].id);
        }
    });
Hi, I have a requirement to alert on all users who have pressed "export" in Splunk. I have written the SPL for listing users who have exported search results or dashboard panels:

    index=_internal export | regex uri_path="(jobs|results|events)\/export$" | table user | dedup user

But this is not catching the dashboard exports. I want to alert on users who have exported the complete dashboard in PDF format. Kind help will be appreciated.
Running the Customer Success Toolkit's error report, I noticed a warning on lots of Universal Forwarders that doesn't make sense to me:

    19.01.23 10:49:53,614 01-19-2023 10:49:53.614 +0100 WARN UserManagerPro - Can't find [distributedSearch] stanza in distsearch.conf, using default authtoken HTTP timeouts
    host = Unix Box source = /opt/forwarder/data/var/log/splunk/splunkd.log sourcetype = splunkd

    19.01.23 10:33:28,659 01-19-2023 10:33:28.659 +0100 WARN UserManagerPro - Can't find [distributedSearch] stanza in distsearch.conf, using default authtoken HTTP timeouts
    host = Windows Box source = C:\Program Files\Splunk\UniversalForwarder\var\log\splunk\splunkd.log sourcetype = splunkd

Our Universal Forwarders have no distsearch.conf. Any idea why this is reported? And how to turn it off? We already have enough noise in our data.

Thanks in advance,
Volkmar
I have 6 panels on my dashboard and each one of them shows the number of customers going through each phase of the journey. Take this made-up example:

    Panel 1:  Panel 2:  Panel 3:  Panel 4:  Panel 5:
    400       250       330       120       80

Is it possible to add Panel 6, which automatically shows the difference of the values from Panel 1 and Panel 2? The queries behind them are very complex, so I don't re-run the same two queries inside Panel 6 to get this value.
Hi Team, we have a requirement to filter out events from the IIS logs, before ingestion, if the event contains "GET / - 80 -" OR "GET / - 443 -".

QUERY:

    index="*" "GET / - 80 -" OR "GET / - 443 -"

Sample format:

    2022-12-12 00:38:10 xx.yyy.zzz.aaa GET / - 80 - xx.yyy.z.a - - x00 0 0 0
    2022-12-12 00:44:45 xx.yyy.zzz.aaa GET / - 443 - xx.yyy.z.a - - y00 0 0 x

Hence, kindly help with the relevant props and transforms for the same.
The position of the IP address changes in the logs (appearing before or after https). In such a scenario, how can a regex query be written to extract the source IP address? Please guide me. Below are the sample logs.

    <14>Jan 19 04:32:59 XXXX  accesslog_SIEM: Info: 1674102779.121 7 - 10.130.130.152 TCP_DENIED_SSL/403 0 POST https://activity.windows.com:443/v3/feeds/me/$batch - v3/feeds/me/$batch "Domainname\user@Domainname" - DROP_WEBCAT_7-BGC.BlockInternetAccess.DP-DOMPVM.Generalusers.ID-NONE-NONE-NONE-NONE-NONE - 61519 activity.windows.com 443 1 IW_comp 5.0 - - - - - - - - - - - - - - - - - IW_comp - "Computers and Internet" "Unknown" "Unknown" - - 0.00 0 - - - - - - - - - - - - - "SGPlatform 2.0" 21040

    <14>Jan 19 04:32:59 XXXX accesslog_SIEM: Info: 1674102778.930 114 "https://www.XXX.com/English/home/default.aspx" 10.130.80.223 TCP_CLIENT_REFRESH_MISS_SSL/200 785 GET https://px.ads.linkedin.com:443/collect?v=2&fmt=js&pid=4881225&time=1674102778231&url=https%3A%2F%2Fwww.XXX.com%2FEnglish%2Fhome%2Fdefault.aspx&cookiesTest=true&liSync=true px.ads.linkedin.com collect?v=2&fmt=js&pid=4881225&time=1674102778231&url=https%3A%2F%2Fwww.XXX.com%2FEnglish%2Fhome%2Fdefault.aspx&cookiesTest=true&liSync=true - application/javascript ALLOW_CUSTOMCAT_12-ZAMLUM.FullAccess.AP-AuthByPass.ID-NONE-NONE-NONE-DefaultGroup-NONE - 54083 px.ads.linkedin.com 443 1 C_Allo 4.0 - - - - - - - - - - - - - - - - - IW_snet - "Social Networking" "Unknown" "Unknown" - - 55.09 0 - - - - - - - - - - - - - "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) browser/2020.2.6 Chrome/87.0.4280.141 Electron/11.3.99 Safari/537.36 PingdomTMS/2020.2" 1162
Hello everyone, I'm new to regex. Can you please help me extract the URL name only up to .com or .net? This regex, GET\s\w+:(?<URL>[^"]+), is capturing the whole thing, but I need to capture only up to .com and .net.

Also, please help me get the fields http_method and status. Below are the sample log lines.

    <14>Jan 19 04:32:59 XXXXXX accesslog_SIEM: Info: 1674102779.113 336 - 10.X.X.X TCP_MISS/200 271 GET http://us-hnl-anx-r001.router.teamviewer.com/din.aspx?s=00000000&id=909083993&client=DynGate&p=10000001 us-hnl-anx-r001.router.teamviewer.com din.aspx?s=00000000&id=909083993&client=DynGate&p=10000001 - application/octet-stream DEFAULT_CASE_12-DOMPVM.WebControl.AP-DOMPVM.WebControl.ID-NONE-NONE-NONE-DefaultGroup-NONE - 53843 us-hnl-anx-r001.router.teamviewer.com 80 1 IW_meet 5.0 0 - "0" 0 0 1 - - - - - 0 0 - - - - IW_meet - "Online Meetings" "TeamViewer" "Presentation / Conferencing" - - 6.45 0 - - 0 "Unknown" - 0 "Unknown" - - - - - - "Mozilla/4.0 (compatible; MSIE 6.0; DynGate)" 191

    <14>Jan 19 04:32:59 XXXXX accesslog_SIEM: Info: 1674102779.121 7 - 10.130.130.152 TCP_DENIED_SSL/403 0 POST https://activity.windows.com:443/v3/feeds/me/$batch - v3/feeds/me/$batch "INDIADomain\username@INDIADomain" - DROP_WEBCAT_7-BGC.BlockInternetAccess.DP-DOMPVM.Generalusers.ID-NONE-NONE-NONE-NONE-NONE - 61519 activity.windows.com 443 1 IW_comp 5.0 - - - - - - - - - - - - - - - - - IW_comp - "Computers and Internet" "Unknown" "Unknown" - - 0.00 0 - - - - - - - - - - - - - "SGPlatform 2.0" 21040
I have a timechart which I would like to chart in Dashboard Studio:

    | eval Len=length(_raw) | timechart sum(Len) AS Size count AS Count BY index

Counts and Sizes should go on separate axes, obviously, but I don't understand how to get them there! I had some limited success with y2Fields, but couldn't use the same format with yFields, and I just don't understand the "> y | getField()" controls for fields in the tile options. Advice and assistance appreciated!
Hi, I have the below kind of messages:

    Received abc message
    Error processing abc message
    Received def message
    Received ghi message
    Received ghi message
    Error processing ghi message

I am looking for an output like below:

    Topic  recievedcount  erroredcount
    abc    1              1
    def    1              0
    ghi    2              1

I tried the below:

    index="foo" "Received" OR "Error processing" | rex "Received (?<a>.*) message" | rex "Error processing (?<b>.*) message" | stats count(a) as received, count(b) as errored by a

But the problem is that I want my topic in the first column, which is spread across 2 different fields, a and b, and I cannot group by value. Any help on this is appreciated.
I am using the Webtools add-on to do some work with API endpoints. The curl commands work fantastically. However, when attempting to use the urlencode command, I keep getting errors. I get the following error message:

    command="urlencode", '<' not supported between instances of 'OrderedDict' and 'OrderedDict'

I have installed the latest version of TA-webtools, 3.0.2. Splunk version 8.2.7. Please see the attached image. Any help on resolving this issue would be extremely appreciated.

Thanks.
Regards, TheFrunkster
Hi guys, I have a UF installed on my Windows machine, and last month the logs abruptly stopped. I checked the splunkd log file and saw the error:

    TcpOutputFd [800 TcpOutEloop] - Connection to host=xx.xxx.xxx.xxx:9997 failed

Also, after restarting, it resumes sending logs to Splunk for some days, but then it stops again and gives the same error. Not sure how to fix this issue and proceed.
Hoping this is going to be a relatively simple one. Can you nullQueue metrics indexes? For example, if I am using the new *nix TA, all performance monitoring is collected with scheduled scripts and stored in metrics indexes. Can we nullQueue a specific sourcetype at the indexer like we would for an event index? Thanks!
Hello, I noticed that some "Security and Compliance" alerts log usernames and others do not. For instance, the alert named "File Uploaded to Document Library For The First Time" clearly logs the user who performed the action. However, the alert "A Potentially Malicious URL Was Clicked" does not log the user who clicked on it. I tried to extract new fields and again observed that this particular alert does not contain the username. For obvious reasons, I would like to have that information on hand whenever an alert such as this one comes through. I looked in the MS Security Portal, and that does have the username. It just does not get to Splunk, and therefore cannot be a part of the alert. Is there any way to resolve this? To be clear, I would like all of these alerts to have a username associated with each. Thanks.
Fairly new to writing playbooks within Phantom, and so far I haven't found documentation for this yet: I'm trying to create an email notification (or something along those lines) whenever a playbook fails to complete for whatever reason (the main fail case is if a Splunk search fails or the job dies). Basically almost like a try/except block, but in Phantom. Has anyone found a way to incorporate this in Phantom?
Hello, I would like to know your input on the below. I have a request where, on a Splunk dashboard, we need to create a button which should invoke a response play in PagerDuty. We are trying to implement it and are stuck on the approach. Please help me with your thoughts.
Good afternoon, I would like to know if in Dashboard Studio it is also possible to hide the menu and buttons (edit, download), just like in classic mode. I want to hide the top menu, title and buttons, leaving only the time range shown in the image below. In classic mode, it is hidden via XML, in the code below:
Splunk Enterprise on-prem 9.0.1. We are troubleshooting an issue where some alerts are being triggered incorrectly, and found a correlation between these odd triggers and _internal events with sourcetype = splunkd_remote_searches. The events are described as:

    01-18-2023 14:03:00.178 -0300 INFO StreamedSearch - Streamed search connection closed: search_id=remote_<node>_subsearch_searchparsetmp_ ...

What does searchparsetmp mean in the context of the subsearch? Also, what is the difference with remote_<node>_subsearch_scheduler_ ..., which also describes similar events in _internal?
I have a field A which has percentage values. Also, I have a field B which has percentage values in it. Both are different values. Now I want to create a new field which adds both the values.

    A      B
    10%    30%
    20%    50%
    30%    70%

The query should fetch me results like below:

    C
    40%
    70%
    100%