Need some help with deploying and merging an app. We have a deployment server that stores apps in the following folders:

~/etc/deployment-apps/all - This is where we have all apps going out to all servers.
~/etc/deployment-apps/spesial - This is custom config for one server.

In the all folder we have an app like this: test.app/default/app.conf with the following content:

[ui]
is_visible = false

In the spesial folder we have an app like this: test.app/local/app.conf with the following content:

[ui]
is_visible = true

Serverclass.conf looks like this:

# Send all apps to all servers
[serverClass:send.to.all.servers]
repositoryLocation = $SPLUNK_HOME/deployment-apps/all
restartSplunkd = true
restartIfNeeded = true
issueReload = true
whitelist.0 = *
[serverClass:send.to.all.servers:app:*]

# Send these apps only to server Mars1
[serverClass:send.to.mars1.servers]
repositoryLocation = $SPLUNK_HOME/deployment-apps/spesial
restartSplunkd = true
restartIfNeeded = true
issueReload = true
whitelist.0 = Mars1
[serverClass:send.to.mars1.servers:app:*]

Problem is that only one test.app is sent out. I would like both to be sent out and merged into one app with both the local and default folders (local will take precedence). If I remove one of the apps, the other will be sent out, but not both. How can I accomplish this (without using external scripts etc.)? I have read through the serverclass.conf file without seeing any easy way to solve this.
I am using a single value in a dashboard; it is only showing a date, but I cannot get the date to format the way I want it on the dashboard. My search string is:

index=conmon earliest=11/23/2022:00:00:00 | dedup LASTMODIFIED | eval tst = strftime(strptime(LASTMODIFIED, "%Y-%m-%d"), "%Y-%m-%d") | fields tst

I want 11-23-2022, but continue to get 2022-11-23T13:35:53-05:00. The search on its own brings back the value correctly, but not on the dashboard. Any help would be greatly appreciated. Bill K
What is the correct method to back up/restore Splunk Enterprise? I believe I can back up (Linux) using this command: tar czvf /opt/$HOSTNAME.tgz /opt/splunk/etc/
I'm trying to get sparklines with the stats command and I'm getting straight lines in Sparkline instead of dips and rise.
Whenever anyone updates test.csv Lookup table I want to get an alert. Note: The update is done via Lookup editor and *Save Lookup* button is clicked.
Hello Splunk Community. I am trying to use Splunk to search for the serial number of the installed hard drive(s). When I run a search for a particular computer, is there a field that gets populated that will have the hard drive serial numbers? To complicate the issue, I'm looking at servers as well as workstations, most of which have multiple hard drives installed. Is there a better way to get the information? We are using Splunk Enterprise v8.2.2
We would like to get some help in creating a policy or rule to manually inject the ADRUM script in an AWS load balancer (ALB). Suggestions will help us move forward. Thank you. Regards, Vijay M.
We are running a SHC with Splunk Enterprise OnPrem 9.0.1 and noticed that the concurrent searches in one of the nodes is way higher than the rest (approx. 3 times) even though the scheduler delegation shows it's delegating evenly across the nodes. Most of the scheduled searches are from an app that runs dbx queries to keep some lookups updated; these are scheduled to run a few times a week but appear to be running constantly in the scheduler. These concurrent searches run constantly even after a restart of the node. It doesn't happen in a single instance with the same apps, so we think it is a clustering issue. How can we troubleshoot/debug this behaviour?
I enabled the scheduled PDF delivery for my dashboard, and it generated the PDF attachment, but in that attachment it's now showing the labels for the bar chart on the axis, but I need the values like this, and I am not getting values in the attachment. Please post the working snippet.
We are upgrading our Splunk agents to new version 9.0.2, but we are not sure how we can upgrade agents on Citrix or system image servers. Can someone please help with steps or scripts? We have a script to upgrade the version; I just need the info for system image servers. Any help would be appreciated.
Hi, I would like to monitor a specific index and get the following information: source - name oldest searchable event by source. I understand the basics of dbinspect that it will display the startEpoch values and sort it for the earliest value and I can figure out the oldest event using this field and sourceCount only, however I need to identify the source "name" so I can pair the 2: source name and oldest searchable event OR if there is another command I can use instead of dbinspect that will provide the needed information. Doing stats command in this use case will not work as I will be looking for events that are 1 year old and I favor the dbinspect search time. Please advise. Thanks and regards.
I'm seeing errors whereby PowerShell inputs just stop for some random reason. The only error I get is the following: failed with exception=The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: Exception calling "Clear" with "0" argument(s): "Index was outside the bounds of the array." A simple restart of the SplunkForwardingService on the system makes it work again, so there's nothing wrong with the script. Anyone got any ideas why it's doing this? It's not just one script or one particular system. It's 2 scripts across 2 different scripts. Same error though.
Hi Team! I was under the impression (mistakenly most likely) that if we did not own Splunk SOAR (which we don't) that there would still be a limited amount of SOAR functionality available in Preview 2 (or will it be available with the final product?). When I go to Automation > Run Action, I don't seem to be able to run or enable any actions here. Thoughts?
Hello, we are trying to configure the receiving of AppFlow data from Citrix Netscaler, using the Splunk Add-on for Citrix Netscaler and Splunk Stream. Everything seems to work, except that not all fields are visible on the search head. We can see "netflow_elements" but probably not "recognized". How can we manage this? Any suggestion? Thanks!
I want to send mail alerts (stats count) including time charts (time chart) to show the increase in delta count over a period of time, but not able to do it.
Hello, we have a Tiers application with 4 nodes corresponding to Tomcat applications. We restart these applications every evening at 22:00. For 2 of the 4 nodes, the metric JMX.ActiveSession is no longer collected after startup until around 10:00 the day after. It is fixed without any action but comes back again the day after. All 4 nodes are managed the same way with Chef deployment. Here are the versions of the components: Server Agent #22.5.0.33845 v22.5.0 GA compatible with 4.4.1.0 rd9770530415f19f4c5154a80772b833db8dd7cee release/22.5.0; AppDynamics Controller build 22.10.1-611. Here is a screenshot extracted from Metrics Browser: Thanks for your suggestion and analysis of the potential root cause.
Hi, I use Splunk Enterprise Security with the Threat Intelligence framework. Splunk creates many notables 'Threat Activity Detected', but I'd like to add/remove/edit source types. I have only events with field orig_sourcetype="apache:access" now. For example, I tried to add events from firewalls and compare source with suspicious IPs. How can I configure these fields "orig_sourcetype" in the Threat Intelligence data model?
Hello all! I am brand new to Splunk and have learned quite a bit so far from this forum, so thank you! With that being said, I am currently trying to import event logs from another system to scan on my local instance of Splunk. I've tried moving the EVTX files into my winevt directory, but that didn't work. I'm getting very frustrated and any help would be appreciated. -BabySplunk
Hi, trying to learn Splunk and I have trouble with the timestamp. My XML code is like this:

<LOG><DATUM>26112022</DATUM><Vrijeme>224516</Vrijeme><CC>6894542532143100</CC><Iznos>46144.46</Iznos></LOG>

I got the date (DATUM) and now I'm trying to get the time, but my problem is I can't go to the next line. The props file looks like this:

SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]*)<\w{2,}>
TIME_PREFIX = <DATUM>
TIME_FORMAT = %d%m%Y</DATUM>\n<Vrijeme>%H%M%S
MAX_TIMESTAMP_LOOKAHEAD = 100

Instead of "\n" I tried %n, [\r\n\s], and leaving it blank, but nothing works. Any tips?
I would like to use AppDynamics for an IVR application to know the user experience. Is this supported for IVR apps? If yes, please share the reference documentation with me.