Hi, My Company (Länsförsäkringar AB) in Sweden use Splunk and my Team use Universal Forwarder Agent. I wonder if there is possibillity to Subscribe to get Info-mail as soon New Version of Universal Forwarder Agent is released? (Windows version) Regards //Slobodan Mitrasinovic, +46 768 592717

Why do I get the following messages in splunkd.log after installing Splunk Universal Forwarder in a GCP instance? 12-16-2022 10:49:12.021 +0000 WARN AwsSDK [1903 ExecProcessor] - ClientConfiguration Retry Strategy will use the default max attempts. 12-16-2022 10:49:12.021 +0000 WARN AwsSDK [1903 ExecProcessor] - ClientConfiguration Retry Strategy will use the default max attempts. 12-16-2022 10:49:12.023 +0000 ERROR AwsSDK [1903 ExecProcessor] - EC2MetadataClient Http request to retrieve credentials failed with error code 404 12-16-2022 10:49:12.023 +0000 ERROR AwsSDK [1903 ExecProcessor] - EC2MetadataClient Can not retrive resource from http://169.254.169.254/latest/meta-data/placement/availability-zone  

Hello,   i'm experiencing an issue with the splunk TA for O365 and in particular with the Sharepoint Management Activity Logs. The issue is this: 1) 10:00 AM i activate the input 2) 10:01 AM Splunk starts to collect 10:00 AM events 3) 10:05 AM Splunk continues to collect Sharepoint logs but going behind in time! (9:59 AM, 9:58 AM and so on) 4) 11:00 AM Splunk is still collecting logs in the past but the temporary token expires and the input is closed and reopened 5) 11:00 AM Splunk reopen the input 6) 11:01 AM Splunk starts to collect 11:00 AM events 7) JUMP to step 3 but 1 hour later   May you know how to not ask splunk to go behind and starts to collect in time?   Regards   Marco

I Got "WARNING web interface does not seem to be available" message when I started Splunk. Although I got the above message I can login to Splunk via webpage and run search as expected. Is there anything I need to do to avoid this message.

Hi all, I am having issues hiding some label tags on a bar chart in dashboard studio; Would like to hide the "app", "ABAP" and the x axis 0-100   I've been reading https://docs.splunk.com/Documentation/DashApp/0.9.0/DashApp/Comparison - bar chart options and implemented most things I see relevant below without any success.   Thanks, Dan   Search: | makeresults count=33 | eval app="ABAP" | eval type="Green" | append [ makeresults count=24 | eval app="ABAP" | eval type="Red" ] | chart count by app, type | table app Red Green   Code:     "viz_A8xGX4KY": { "type": "splunk.bar", "dataSources": { "primary": "ds_rxzvxyTs_ds_D0zk0prm" }, "title": "", "options": { "stackMode": "stacked100", "seriesColorsByField": { "Green": "#52D017", "Red": "#E41B17" }, "legendDisplay": "off", "backgroundColor": "#152238", "xAxisTitleText": "", "axisTitleY.text": "", "axisTitleY2.text": "", "axisTitleX.visibility": "collapsed", "axisTitleY.visibility": "collapsed", "axisTitleY2.visibility": "collapsed", "axisY.scale": "", "axisY2.scale": "", "chart.showDataLabels": "none", "chart.overlayFields": "", "gridLinesY.showMajorLines": false, "gridLinesX.showMajorLines": false, "axisY.minimumNumber": "none" } }      

Hi All, Hope you are doing good!!  Basically we want to integrate trend micro vision one solution in our splunk. So before doing it I just wants to verify myself whether I know correct or not.   1. We need to install vision one application from splunk base. 2. After installation the app we need open that app and then click on configuration. 3. Then need to put url n authentication token. 4. Need to choose the log file type Then we will start receiving the data? Kindly let me know if my understanding is correct or not..   If my above understand is correct I want to know 1 things  How to create UC because we are using some 3D party software to onboard data now how we can write query and all, sorry im sounding armature but this is my first time..    Thanks Debjit  

Hi, I have an annoying alert that is firing whenever 2 orphaned searches run on their cron schedule. I have reassigned orphaned searches in that past without issue but these two searches I cannot find in the all configs to reassign.    I can find the orphaned searches with the following query          | rest splunk_server=local /servicesNS/-/-/saved/searches add_orphan_field=yes count=0 | search orphan=1 disabled=0 is_scheduled=1 | eval status = if(disabled = 0, "enabled", "disabled") | fields title eai:acl.owner eai:acl.app eai:acl.sharing orphan status is_scheduled cron_schedule next_scheduled_time next_scheduled_time actions | rename title AS "search name" eai:acl.owner AS owner eai:acl.app AS app eai:acl.sharing AS sharing           When I go to settings > All configurations, set the search to All apps and owners, I cannot find the searches.... When I go to settings > All configs > Reassign KO > Orphaned, select to search all, (although there are loads of orphaned objects)  I cannot find these 2 searches causing the alerts. When I look on the shc cluster nodes in the /opt/splunk/etc/apps/<app_name>, I cannot find them either.....   However the MC health check says the orphaned objects are on all 3 of the shc nodes. I should also mention when I try to reassign other visible objects for these specific owners, it throws an error... "Could not find object..." Any advice greatly appreciated. Thank you    

Hi Community, we've setup the Splunk Add-On for ServiceNow to send Splunk events/alerts to our ServiceNow platform. While using OAuth 2.0 for the integration, we're facing a particular problem where no events are sent to ServiceNow and we get this error : Failed to create ticket. Return code is 401 (Unauthorized). Failure potentially caused by  expired access token The problem seems to be related to our Refresh Token Lifespan. Our security prerequesite is that Token should be refreshed every 60 minutes and is set that way in ServiceNow Application Registry. The default value is 100 days in ServiceNow which seems very high. In the service now documentation it mentions this : Configure the value of the Refresh Token Lifespan parameter as high as possible so that it does not expire. Once the refresh token expires, you have to reconfigure the account. Source Any idea why we're having this problem and the reason why we have to leave the value high? My understanding is that if the token expires, the add-on should be able to go get a new access token. Thanks!

I was looking at rsync to move some frozen buckets to another location.  One concern,  if rsync picks up new frozen data still being written  and removes the source file before splunk finishes. I could add find and mtime but this really slows down rsync. Concerns?  

Hello, I am inputting a file into Splunk showing the computers system information extracted from the command prompt. The data file I am inputting input Splunk looks like the first photo below, where I want the fields to be set as the values in the first column (circled in red) and their field values equal to their corresponding output value.   YETTT, when adding it to Splunk, it breaks down the system information file into three events (instead of 1), see image below. How do I merge these three events into one (match the text file uploaded) and set the fields equal to the systems characteristics seen in the first column (circled in blue)?