Hi All,

I am trying to extract the values that trail context, userid, username, groupid.

Sample partial event:

{ "type": "login","context": "Rsomeserver:8877-T1670321752-P18407-T030-C000025-S38","sequence": 998,"message": { "state": "ok","agent": true,"userid": "User0000000949","loginid": "somelogin101","ownerid": "system","username": "John Smith","cssurl": "[\"/css/somepage.css\",\"/branding/\"]","groupid": "Group0000000945","windows": [ {"name":"something","id":"someid","url":"/someurl//

I started with this approach:

"context": "(?<SessionID>[^\"]*)".*?"username"+: "(?<Username>[^\"]*)"

This seems to compile on regex101, but in rex it's throwing an error:

Error in 'SearchParser': Missing a search command before '^'. Error at position '141' of search query 'search index=<removed> ("\"login\"\,\"contex...{snipped} {errorcontext = ?<userid>[^\"]*)"}'.

My aim is to then use this data to join on the context value with another search, but I'm looking for help on where I'm going wrong with my rex. As the JSON seems to be truncated, I don't think I can treat it as JSON, so any help with a rex extraction would be greatly appreciated.
Can someone please give me an explanation as to what the below rex command is doing? I do not understand the w+, s+, d+, etc.

| rex field=_raw "(?ms)^\\w+\\s+\\d+\\s+\\d+:\\d+:\\d+\\s+\\w+\\s+\\w+\\s+\\w+:\\s+\\w+:\\s+\\w+\\s+\\w+:\\s+\\w+\\s+\\w+\\s+\\w+:\\s+\\d+\\s+\\w+\\s+\\w+:\\s+\\d+\\-\\d+\\-\\d+\\s+\\d+:\\d+:\\d+\\s+\\w+:\\s+   (?P<Time>[^ ]+)\\s+ (?P<Trn_Total>\\d+)\\s+ (?P<Trn_Interval>\\d+)\\s+ (?P<TPS>[^ ]+)\\s+ (?P<SW_Inbound>[^ ]+)\\s+ (?P<SW_Outbound>[^ ]+)\\s+ (?P<SW_Total>[^ ]+)\\s+ (?P<SW_Ext_Pmc>[^ ]+)\\s+ (?P<SW_Int_Pmc>\\d+\\.\\d+)" offset_field=_extracted_fields_bounds
I created a landing page for all applications, but the login information is visible in the URL. How can I change that XML? I don't want to see the login information in the URL. Attached is the code I am using.

<panel>
  <input type="dropdown" token="user_name" searchWhenChanged="true">
    <label>User Name</label>
    <selectFirstChoice>true</selectFirstChoice>
    <search>
      <query> | rest /services/authentication/current-context splunk_server=local | fields username | eval username=mvindex(split(username,"@"),0) </query>
    </search>
    <fieldForLabel>username</fieldForLabel>
    <fieldForValue>username</fieldForValue>
  </input>

  <div class="dropdown-content">
    <a>$form.user_name$</a>
    <a href="*" target="_blank">My Profile</a>
  </div>

Any reply would be highly helpful.

Thanks,
Splunk lover
I'm following the example provided here: https://docs.splunk.com/Documentation/Splunk/9.0.2/Workloads/AdmissionRules#Example_admission_rules

search_time_range=alltime AND (NOT role=sc_admin) AND (NOT app=splunk_instance_monitoring)

However, when I look in the monitoring console it shows that it's blocking some things that I believe are built-in searches. (We use Splunk Cloud.)

Cleanup Models For Predictive Analytics
itsi_content_packs_status_update
Telemetry - Inputs
itsi_event_grouping
Telemetry - Volume

All of these have the user as "nobody". I tried to add AND (NOT user=nobody) to my workload rule, but it tells me:

validation failed with error=invalid value of predicate 'user'
I'd love to be able to track new AppInspect releases as they get released to PyPI.
Dear Splunk Community:

I have the following search query:

<Basic_search> duration | stats count, avg(duration), perc99(duration), by path_template

Attached please find a sample of the screen result for the above search.
Dear Splunk Community:

I have the following search query:

<Basic_Search> | chart count by path_template, http_status_code | addtotals fieldname=total | foreach 2* 3* 4* 5* [ eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2), "<<FIELD>>"=if('<<FIELD>>'=0 , '<<FIELD>>', '<<FIELD>>'." (".'percent_<<FIELD>>'."%)")] | fields - percent_* total 2* 3* 4*

Attached is the screen result of the above query, which shows the 500s columns. I need to modify the above search so that it only displays the numbers where the percentage is greater than 0.01%. How do I do that? Thanks!
Set up LDAP and attempted to set up Single Sign-On using a reverse proxy (About Single Sign-On using reverse proxy - Splunk Documentation). The settings did not take, so we removed the settings and restarted. Now we get the "This browser is not supported by Splunk" error, where we could previously see the login page.
Hello All,

Is it possible to download a custom app that has been vetted and loaded into Splunk Cloud? I have a customer who has uploaded apps and no longer has the source code, but I can't see any way to download; can this be done? In particular, the apps have Python files that I need to access, but the whole app would be good. Their Splunk Cloud version is 8.2.2203.4 with the Victoria experience.

Thanks,
Keith
I have a .csv with this format (this is a mock, just to give you an idea of the pattern):

code, message,
1, "Not found",
2, "Internal error",
3, "Success",

My search allows me to do a stats count by code, but not by message. What I need to do is return a table with the messages and their counts.

What I have so far is this query, but it returns a table of code by count, and I need message by count (and all categories must be returned, even those with a count of zero):

the search | append [input lookup the csv file] | stats count by message

I tried to play with fields and table, but I don't get the desired result.
I have an app installed, Splunk_TA_remedy, and I'd like to change some configuration properties in alert_actions.conf, but I can't see a way to do this in the UI. I'm considering forking Splunk_TA_remedy and packaging this config as a separate app to install onto my deployment to override the config in Splunk_TA_remedy. In my Splunk Enterprise deployment I would simply make these changes within $SPLUNK_HOME/etc/apps/Splunk_TA_remedy/local/alert_actions.conf. How can I achieve the same in Splunk Cloud?
Hi, from the below events, how do I convert epoch time to a desired time zone? I want to convert LAST_START="1670326641", LAST_END="1670326670", NEXT_START="1670412600" into the desired time zone based on the TIMEZONE field.
Hi Team, we are getting huge audit logs and want to blacklist them in inputs.conf.

index=*linux* source="/var/log/audit/audit.log" type=proctitle
Trying to develop an app that has the 'cryptography' library as a dependency. The built-in Splunk Python interpreter refuses to be compatible with it (I believe something to do with the CPython that it requires). I solved the issue by using a virtual environment within the app which is then called using subprocess. The main thing I am concerned about is cross-compatibility between different operating systems and architectures, as this env is created locally on my machine. Would it be better for this virtual environment to be created using Python on the target machine when the app is used for the first time / after the setup page? If so, would this pass Splunk AppInspect in order to be compatible with Splunkbase and Splunk Cloud?
Hello, we would like to compare the sources we are asked to index with the current state in Splunk (compare inputs.conf and current license usage) to see if we have missing data. I found this https://community.splunk.com/t5/Getting-Data-In/How-can-I-get-a-list-of-data-inputs-using-the-REST-API/m-p/389012 to list all inputs; however, I would also like to get the active associated target hosts (clients) found in serverclasses. Thanks.
We have an existing UF 8.2.2 on all instances, managed by Ansible. When we try to upgrade to 9.0.1, Ansible gets stuck accepting the license. If I run that command manually on the target host, it works fine. I think Ansible is waiting for a response after running the command on the target host, which has changed with version 9.0.1. Task to accept the license:

- name: Accept Splunk license and set up init script
  command:
    cmd: /opt/splunkforwarder/bin/splunk status --accept-license --answer-yes --no-prompt
Hello, we found a useful trick to have field values as new fields, for example:

| eval {status}=status | timechart count count(failed) as FAILED | eval failed_percent=FAILED/count*100

What do you call this? Is it documented? Thanks
Hello Team,

Search Head Connectivity
Root Cause(s): The search head lost connection to the following peers: If there are unstable peers, confirm that the timeout (connectionTimeout and authTokenConnectionTimeout) settings in distsearch.conf are at appropriate values.
Unhealthy Instances: instances
Generate Diag? More info. If filing a support case, click here to generate a diag.
Last 50 related messages: None

Could someone please explain exactly what was done to cause the issue?
In classic dashboards there is an option to drill down to search, which is very convenient; the same is not available in Dashboard Studio. Need urgent help please!
I want to create an alert to check the event count on all indexes and report the list of all indexes that have no events in the last 24 hours. I saw a post with the same problem, but it didn't help: How to create an alert if index have no data in th... - Splunk Community. The following search doesn't work for my purpose:

| tstats count where index=* by index | where count = 0