These are the errors I am getting. Creating an SSL certificate was also tried; it works fine, so it's not an SSL issue. Can anyone help us?
If I add “interval” to my data input like this in inputs.conf, the modular input script will run every 300 sec as expected:

[bhe-splunk-app]
python.version = python3
disabled = 1
interval = 300

[bhe-splunk-app://input]
index = bhe-splunk-app
description = "Streams data from BHE instance"

But the interval parameter does not show on the data input page in Splunk, so I can’t modify it from the Splunk UI. When I add the parameter to the inputs.conf.spec file like this:

[bhe-splunk-app://<name>]
*Streams data from BHE instance
interval = <number>
description = "Streams data from BHE instance"

“interval” appears on the data input page, and I can modify it, but it is no longer working: the modular input script is no longer executed repeatedly on the interval. How do I add interval so that it can be modified from the data input page and still works?
Hi All, We have a .NET based application that needs to be monitored. From a couple of Call Graphs we found that several slow transactions are from the class method System.Threading.Monitor.ObjWait. But I have no clue what we should do with this class method. Do you guys have any idea about this class method and how to troubleshoot and handle this? Thanks, Ruli
I want to remove the host (default) field from Splunk Cloud permanently, since we don't need the host field in our search results.
Hi, I heard that it's frowned upon to run Splunk as root, so I created a Splunk user. I can't figure out why I can't run Splunk start, stop, and status without getting permission denied. I've changed the ownership of /opt/splunk to the user "Splunk" that I've created, because I was told it was bad to run Splunk as root. When working in my "Splunk" user account I continuously get this error whenever trying to enable boot-start for splunk:

root@cluster-master:/opt# ./splunk/bin/splunk enable boot-start -systemd-managed 1 -user splunk
Warning: cannot create "/opt/splunk/var/log/splunk"
Warning: cannot create "/opt/splunk/var/log/introspection"
Warning: cannot create "/opt/splunk/var/log/watchdog"
Systemd unit file installed at /etc/systemd/system/Splunkd.service.
Configured as systemd managed service.
root@cluster-master:/opt# su splunk
splunk@cluster-master:/opt$ ./splunk/bin/splunk status
Warning: cannot create "/opt/splunk/var/log/splunk"
Warning: cannot create "/opt/splunk/var/log/introspection"
Warning: cannot create "/opt/splunk/var/log/watchdog"
Pid file "/opt/splunk/var/run/splunk/splunkd.pid" unreadable.: Permission denied
splunkd.pid file is unreadable.
Pid file "/opt/splunk/var/run/splunk/splunkd.pid" unreadable.: Permission denied
splunk@cluster-master:/opt$
Hi guys, I need to know if there is any way to remove the host field from the search results, since we don't need the host field in our search results. We are using Splunk Cloud and we need to configure the Splunk heavy forwarder to do so. Can someone please help with this?
Hello Community, We are configuring TA-ms-teams-alert-action to let the customer publish Splunk alerts in their MS Teams channel. The alert config is as follows: When we try opening the Webhook URL in a browser for testing it says: Invalid webhook request - GET not supported. While debugging TA-ms-teams-alert-action the logs say:

2022-12-12 13:17:05,698 DEBUG pid=106480 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="json data for final rest call:={
  "@type": "MessageCard",
  "@context": "http://schema.org/extensions",
  "themeColor": "0076D7",
  "summary": "Alert",
  "sections": [
    {
      "activityTitle": "Alert",
      "activitySubtitle": "",
      "activityImage": "https://myimage.png",
      "facts": [
        { "name": "host", "value": "hostname1" },
        { "name": "sourcetype", "value": "splunkd" }
      ],
      "markdown": false
    }
  ],
  "potentialAction": [
    {
      "@type": "OpenUri",
      "name": "View in Splunk",
      "targets": [
        { "os": "default", "uri": "https://splunk.mydomain.com/app/TA-ms-teams-alert-action/@go?sid=scheduler__username123_1233456" }
      ]
    }
  ]
}" action_name="ms_teams_publish_to_channel" search_name="test_alert" sid="scheduler__2username123_1233456" rid="0" app="TA-ms-teams-alert-action" user="username123" action_mode="saved"

Does anyone know how to troubleshoot this case? Best regards, Justyna
Hi, I would like to group events in a timeline as a count until a different event occurs. Example: so basically achieve the following:

A user account was locked out (count 13)
A process has exited (count 1)
A new process has been created (count 1)
Permissions on an object were changed (count 2)
A process has exited (count 1)
And so on ...
Looking for a Splunk query to filter out an event if the "Attachment" field has the extension .txt or .html or .jpg or .png. Only if just the above mentioned file extensions are present in the "Attachment" field should it be filtered out; apart from that, if any other file extension is present along with the above mentioned ones, then we need to consider that event. Below are the attachment field values in some of the events. The red enclosed event should be filtered out as its "Attachment" field has only ".txt", ".html" and ".png". The other two events have ".txt", ".html", ".docx" and ".txt", ".ics"; these two should not be filtered out.
I need to calculate the size of a clustered index, and I used this API for it: /services/cluster/manager/indexes (https://docs.splunk.com/Documentation/Splunk/9.0.2/RESTREF/RESTcluster#:~:text=content%3E%0A%20%20%3C/entry%3E%0A%3C/feed%3E-,cluster/manager/indexes,-https%3A//%3Chost%3E%3A%3CmPort) But the index_size returned in the response is different (much less) from the total I get if I use the dbinspect command on a particular index and add up the size of the db_<buckets>, i.e. originating buckets. Is index_size supposed to denote something else? If so, it is not clearly mentioned in the API documentation.
I want to make a dashboard of the last 3 months of avg CPU load and max CPU load. For example:

dec=320
dec=10
dec=40
dec=90
nov=347
nov=150
nov=60
oct=300
oct=320

and so on. For dec: 320+10+40+90/31, same for nov and oct. So for that I need to calculate the last 3 months' count and the last month's count in the same query. Please suggest.
I need to index only the lines which have .pl in the source file into Splunk (highlighted in the data below). The regex expression is working as expected (tested in a rex tool). Now I am using the below props.conf and transforms.conf to index only the required data captured by the regex expression, but my data is not getting indexed, or it indexes the complete log file. Please assist, where am I going wrong?

props.conf
[phone_access]
TRANSFORMS-set = phone_access_extraction

transforms.conf
[phone_access_extraction]
REGEX = ^(\d{1,2}\.\d\.\d\.\d - - \[\w+\/\w+\/\w+:\d+:\d+:\d+ -\d+\] .\w+ \/\w+.+\.pl.+)
DEST_KEY = queue
FORMAT = indexQueue

Log file:
11.7.1.0 - - [27/Nov/2022:00:00:00 -0600] "GET /cgi-bin/phonedata.pl?pq=a1%3oGHK9416&names=a1%7Ca2&&attrs=a1a2&delim=%09 HTTP/1.1" 302 -
11.7.1.0 - - [27/Nov/2022:00:00:04 -0600] "-" 408 -
11.7.1.0 - - [27/Nov/2022:00:00:21 -0600] "-" 408 -
11.7.1.0 - - [27/Nov/2022:00:00:22 -0600] "GET / HTTP/1.1" 20 14497
11.7.1.0 - - [27/Nov/2022:00:00:23 -0600] "GET /mobile.html HTTP/1.1" 200 1001
11.7.1.0 - - [27/Nov/2022:00:00:24 -0600] "GET /PhoneOrgiChart/ HTTP/1.1" 302 -
11.7.1.0 - - [27/Nov/2022:00:01:15 -0600] "GET /cgibiWn/xml.pl?vk236e HTTP/1.1" 20
11.7.1.0 - - [27/Nov/2022:00:01:15 -0600] "GET /cgi-bFin/xml.pl?hv163t HTTP/1.1" 20
Hi All, can someone help with a Splunk search eval condition based on the below scenario, using the fields Actualstarttime and job_start_by?

if job_start_by <= Actualstarttime
    return "GREEN / STARTED ON TIME"
else:
    return "AMBER / STARTED LATE"
else:
    if now <= Actualstarttime
        return "EARLY / NO DATA"
    else:
        return "RED / START SLA BREACH"
if now > Actualstarttime
    return "RED / END SLA BREACH"
else:
    return "BLUE / RUNNING"
Hi all, I would like to use a custom App to contain all the custom Correlation Searches I'm creating on ES. I need the Correlation Searches contained in this custom App to be visible in Enterprise Security. I know that to be visible in ES the custom App must have a name starting with "SA-", but that isn't sufficient and doesn't work. Does anyone know what I forgot? Thank you in advance. Ciao. Giuseppe
I want to update a text box based on a selection from a dropdown list.
Hi, I am looking for a Splunk add-on that will allow us to ingest an RSS feed into our Splunk instance. I downloaded and installed this app "https://splunkbase.splunk.com/app/5844" but I cannot see where to set it up. I know there are other RSS add-ons, but we prefer an add-on that was built by Splunk.
Hello, Splunk lovers! I have some questions. What I want: 1. I want to make a table from the search history, where the time presets queried were all_time or a long range. 2. I want to find other searches that have the command "outputlookup". Please help, thank you!
I am now trying to plot my geostats on a custom map tile server when designing a dashboard. I found a problem when I kept zooming: the map suddenly became blank when the zoom level reached 10, but what I want is a zoom range of 9-16. However, I can have a detailed zoom if I use the visualization after doing a search. This discrepancy really confuses me. Is there any suggestion on how I can extend the zoom range of the map on the dashboard?
Hi Team, I have created a notable in Splunk ES, I received the notable and analyzed it, and I can see 130 events in the raw logs. But after some time, if I analyse the same notable I can see that there is an increase in the count of events. Can I know what the issue is regarding the increase in the event count? Thanks & Regards, Umesh
Hi, I want to turn the log below into the table below. What should I do in SPL?

[log ex]
14:39:19.857 INF [md_system_user] remove success [user id:kimkimkim] by [id:tom]

[table]
user id     id
kimkimkim   tom