Splunk app inspect reports the "check_for_supported_tls" failure with the description as  -  If you are using requests.post to talk to your own infra with non-public PKI, make sure you bundle your own CA certs as part of your app and pass the path into requests.post as an arg. I am using verify: false in the request.post() method and getting the above error in the app inspect tool.

I have Splunk UF 7.0.3 that I want to send logs from to Splunk Cloud.  However, the UF doesn't support httpout so I am using an intermediate forwarder.  Can someone give me the input and output files of the intermediate forwarder and the output file to send to the intermediate forwarder?   

Searches Delayed Root Cause(s): The percentage of non high priority searches delayed (22%) over the last 24 hours is very high and exceeded the red thresholds (20%) on this Splunk instance. Total Searches that were part of this percentage=147626. Total delayed Searches=32735 How we can permanently solve this issue

Hi all, I am trying to find a way to use Rest API like search endpoint for splunk but my problem is my company use Okta application to login to splunk. So I can't have username or password for splunk so is there any ways to bypass this auth ?

(Novice) Is there a way to identify uniquely the information that is being sent to a single indexer from multiple forwarders in separate environments?  Each environment is a mirror of the other.  They all have the same IPs and hostnames; including the forwarders. Maybe there is a tag the forwarder can apply or something that makes them unique?

I am observing intermittent issues parsing IIS data.  Splunk is configured for index time parsing of IIS events on the universal forwarders (INDEXED_EXCTRACTIONS).  The extraction works fine for most events, but a small percentage (less than 1%) fail parsing. I am detecting the events that fail parsing with the following SPL index=[IIS INDEXES] sourcetype=iis NOT c_ip=* I have noticed an error in the splunkd.log on the universal forwarders that accounts for some of these issues. 04-06-2022 20:08:42.602 -0500 WARN CsvLineBreaker - Parser warning: Encountered unescaped quotation mark in field while parsing. This may cause inaccurate field extractions or corrupt/merged events. - data_source="e:\iis-logs\W3SVC1\u_ex220407.log", data_host="XXXXX", data_sourcetype="iis" In these cases, it appears that not only does index time field parsing fail but event breaking fails resulting many events getting lumped into a single event.  This may not be avoidable and we’re at least able to point to a cause for these issues but many more are unexplained. For most of the events that fail parsing the result is a single line event which appears to be formatted correctly but has no indexed fields.  I was originally having an issue with these events reporting in the future as well but adding a time zone to props.conf seems to have at least resolved that issue. I have upgraded through several versions (8.1.2, 8.2.3, 8.2.7.1) on the Universal forwarders and have seen this issue across all these versions. If you have and ideas on what might be causing failures in index time parsing issues for IIS data I would love to hear them.

Working on a SplunkCloud environment - we always keep things tidy by re-assigning ownership of KOs to either Nobody or the correct user with correct role. But why can't we do this for Calculated Fields?

Hi guys, I'm trying to show a table where in one colums there will be some icons based on the cell value. I used the examples provvided from the Splunk dashboard example App.  the problem I'm experiencing is that if i load the dashboard the table is rendered with the string , but if i switch to edit mode then the table is rendered correctly with the icons.  Reloading the page will render the table without icons and anytime i go trough the edit mode the table renders with icons.       <dashboard version="1.1" stylesheet="css/test.css" script="js/test.js"> <label>test</label> <row> <panel> <table id="table1"> <search> <query>| inputcsv thermal_structure.csv | eval range = case(status=="ok","low",status=="warning","elevated",status=="no","severe") | table zone,range</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> </dashboard> /* Custom Icons */ td.icon { text-align: center; } td.icon i { font-size: 25px; text-shadow: 1px 1px #aaa; } td.icon .severe { color: red; } td.icon .elevated { color: orangered; } td.icon .low { color: #006400; } /* Row Coloring */ #highlight tr td { background-color: #c1ffc3 !important; } #highlight tr.range-elevated td { background-color: #ffc57a !important; } #highlight tr.range-severe td { background-color: #d59392 !important; } #highlight .table td { border-top: 1px solid #fff; } #highlight td.range-severe, td.range-elevated { font-weight: bold; } .icon-inline i { font-size: 18px; margin-left: 5px; } .icon-inline i.icon-alert-circle { color: #ef392c; } .icon-inline i.icon-alert { color: #ff9c1a; } .icon-inline i.icon-check { color: #5fff5e; } /* Dark Theme */ td.icon i.dark { text-shadow: none; } /* Row Coloring */ #highlight tr.dark td { background-color: #5BA383 !important; } #highlight tr.range-elevated.dark td { background-color: #EC9960 !important; } #highlight tr.range-severe.dark td { background-color: #AF575A !important; } #highlight .table .dark td { border-top: 1px solid #000000; color: #F2F4F5; } requirejs([ '../app/simple_xml_examples/libs/underscore-1.6.0-umd-min', '../app/simple_xml_examples/theme_utils', 'splunkjs/mvc', 'splunkjs/mvc/tableview', 'splunkjs/mvc/simplexml/ready!' ], function(_, themeUtils, mvc, TableView) { // Translations from rangemap results to CSS class var ICONS = { severe: 'alert-circle', elevated: 'alert', low: 'check-circle' }; var RangeMapIconRenderer = TableView.BaseCellRenderer.extend({ canRender: function(cell) { // Only use the cell renderer for the range field return cell.field === 'range'; }, render: function($td, cell) { var icon = 'question'; var isDarkTheme = themeUtils.getCurrentTheme() === 'dark'; // Fetch the icon for the value // eslint-disable-next-line no-prototype-builtins if (ICONS.hasOwnProperty(cell.value)) { icon = ICONS[cell.value]; } // Create the icon element and add it to the table cell $td.addClass('icon').html(_.template('<i class="icon-<%-icon%> <%- range %> <%- isDarkTheme %>" title="<%- range %>"></i>', { icon: icon, range: cell.value, isDarkTheme: isDarkTheme ? 'dark' : '' })); } }); mvc.Components.get('table1').getVisualization(function(tableView) { // Register custom cell renderer, the table will re-render automatically tableView.addCellRenderer(new RangeMapIconRenderer()); }); });        

I have a problem with my credentials "Splunk.com" when I attempt to install the app "Splunk add-ons for Microsoft Windows". The message error says that the credentials are incorrect, but I probed the credentials in my browser, and yes are correct. I reset my password to the web site splunk.com, but still, I can't logon to install the app in Splunk.   Can you help me with this problem, please?    

Splunk app inspect reports the "check_for_supported_tls" failure with the description as  -  If you are using requests.post to talk to your own infra with non-public PKI, make sure you bundle your own CA certs as part of your app and pass the path into requests.post as an arg. I am using verify: false in the request.post() method and getting the above error in the app inspect tool.