We have a new Splunk Cloud environment We are using AWS TA Add On to ingest files from S3 The files have extension of ".csv" but they are not really CSV, they are TSV (tab separated values). The Add-On has built-in functionality to inspect CSV files and tried to convert them to json, therefore it fails to ingest them correctly. Is there any way to turn-off the CSV parsing ability of the S3 input? Source: https://docs.splunk.com/Documentation/AddOns/released/AWS/S3 "The Generic S3 custom data types input processes .csv files according to their suffixes"

Hi Everyone, I have one requirement. Below is my search query to show "no.of users logged in" for every 1 hour. index=ABC sourcetype=xyz "PROFILE_LOGIN" |rex "PROFILE:(?<UserName>\w+)\-" |bin _time span=1h |stats dc(UserName) as No_Of_Users_Logged_In by _time I am getting like below: _time No_Of_Users_Logged_In 2022-11-28 10:00 1 2022-11-28 11:00 2 I want when I click in the first row/timestamp/ No_Of_Users_Logged_In, it should show the raw logs of the events where the logged-in usernames are present in that particular time (if the time stamp is 10:00, then it should show raw events from 10:00 to 11:00). These events should open in new search . Also, can you guide me how to view these in panel below the table using drilldown. It should be only show when we click on the values. (It’s an additional request to know the possibility) Please guide and help me. xml code snippet : <row> <panel> <title>Number of Users Logged In</title> <table> <search> <query>index=ABC sourcetype=xyz "PROFILE_LOGIN" |rex "PROFILE:(?<UserName>\w+)\-" |bin _time span=1h |stats dc(UserName) as No_Of_Users_Logged_In by _time</query> <earliest>$time_token.earliest$</earliest> <latest>$time_token.latest$</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">6</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> </table> </panel> </row>

Hi All, Good day. need help on search query to get below scenario. as we have few jobs we need data to calculate sla breach if job was not starting on Actual_start_time and also breach if job is not ended in some threshold of time example 30 seconds.

Hello, Our company is using Splunk Entreprise 8.2.9 with application configuration/retention in GitLab. We have few concerns when it comes to add-ons configuration and Apps configuration that store credentials (username/passwords) in their files (inputs.ini or password.conf) As of now we are using the Web UI to locally configure the addons that will store the configurated credentials in the local directory of the addon in a password.conf file showing ******* for the credentials. The problem of such scenario is when it comes to add-on upgrade the credential file is not read and we have to start again the configuration of the addon. In order to avoid such time waste we'd like to store in a dedicated app the configuration of the addon or to have the needed credentials stored in Apps. Main concern is all our Splunk configuration is stored in GitLab. To avoid data breach we have to encrypt those creds. Is it possible to store encrypted values for credentials in GitLab that Splunk will be able to read easily for example by using pass4symkey or salt ? Or any other encrypted method

I am trying to expand couple of fields (locationId, matchRank) using mvexpand. But it only works for shorter duration upto 7days. I want to do this for upto 30 days. My matched_locations json array can have atmost 10 items in it with the presence of both locationId and an associated matchRank in it. We can identify the number of items in matched_locations  by msg.logMessage.numReturnedMatches field. I have thousands of such events. Below is the query which is working for shorter duration of time, but timing out for longer duration. ############################################################# index=app_pcf AND cf_app_name="credit-analytics-api" AND message_type=OUT AND msg.logger=c.m.c.d.MatchesApiDelegateImpl | search "msg.logMessage.numReturnedMatches">0 | eval all_fields = mvzip('msg.logMessage.matched_locations{}.locationId','msg.logMessage.matched_locations{}.matchRank') | mvexpand all_fields | makemv delim="," all_fields | eval LocationId=mvindex(all_fields, 0) | eval rank=mvindex(all_fields,1) | fields LocationId, rank | table LocationId, rank ############################################################# Below is the sample splunk data for one such event. ########################################################### cf_app_name: myApp cf_org_name: myOrg cf_space_name: mySpace job: diego_cell message_type: OUT msg: { application: myApp correlationid: 0.af277368.1669261134.5eb2322 httpmethod: GET level: INFO logMessage: { apiName: Matches apiStatus: Success clientId: oh_HSuoA6jKe0b75gjOIL32gtt1NsygFiutBdALv5b45fe4b error: NA matched_locations: [ { city: PHOENIX countryCode: USA locationId: bef26c03-dc5d-4f16-a3ff-957beea80482 matchRank: 1 merchantName: BIG D FLOORCOVERING SUPPLIES postalCode: 85009-1716 state: AZ streetAddress: 2802 W VIRGINIA AVE } { city: PHOENIX countryCode: USA locationId: ec9b385d-6283-46f4-8c9e-dbbe41e48fcc matchRank: 2 merchantName: BIG D FLOOR COVERING 4 postalCode: 85009 state: AZ streetAddress: 4110 W WASHINGTON ST STE 100 } { [+] } { [+] } { [+] } { [+] } { [+] } { [+] } { [+] } { [+] } ] numReturnedMatches: 10 } logger: c.m.c.d.MatchesApiDelegateImpl } origin: rep source_instance: 1 source_type: APP/PROC/WEB timestamp: 1669261139716063000 } ###########################################################

Got these errors while installing acs-cli in WSL/Ubuntu:   ==> Installing acs from splunk/tap ==> Installing dependencies for splunk/tap/acs: linux-headers@5.15, glibc, gmp, isl, mpfr, libmpc, lz4, xz, zlib, zstd, binutils and gcc ==> Installing splunk/tap/acs dependency: linux-headers@5.15 ==> Pouring linux-headers@5.15--5.15.57.x86_64_linux.bottle.1.tar.gz cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter/xt_connmark.h': File exists cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter/xt_dscp.h': File exists cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter/xt_mark.h': File exists cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter/xt_rateest.h': File exists cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter/xt_tcpmss.h': File exists cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter_ipv4/ipt_ecn.h': File exists cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter_ipv4/ipt_ttl.h': File exists cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter_ipv6/ip6t_hl.h': File exists Error: Failure while executing; `cp -pR /tmp/d20221130-6079-1ef476r/linux-headers@5.15/. /home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15` exited with 1. Here's the output: cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter/xt_connmark.h': File exists cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter/xt_dscp.h': File exists cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter/xt_mark.h': File exists cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter/xt_rateest.h': File exists cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter/xt_tcpmss.h': File exists cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter_ipv4/ipt_ecn.h': File exists cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter_ipv4/ipt_ttl.h': File exists cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter_ipv6/ip6t_hl.h': File exists This happened after the "brew install acs" command has gone through 13 downloads of libraries etc. Any help would be much appreciated.  

Hi All, we upgraded our Splunk Enterprise to the latest 9.0.2 and noticed something odd in the About page. Why does the products say "Retention" ?  What does it mean?  Have never come across like this before    

We upgraded the Splunk Universal Forwarders on our web servers from 8.0.5 to 9.0.1 back in late October and since then we've seen a dramatic increase in CPU Utilization by the Splunkd.exe process on each server. Each instance is tracking a fairly large amount of files - typically 3k or so per day and in a folder that can contain up to 10k files. I've found reducing the amount of 'old' files in the folder helps, but the CPU load is still dramatically above what it was with version 8.0.5.

Hello, I have use cases to find the Delta between 2 sets of events. We get events once a day, our objective is to find the delta between current events (event received today) and the events we received yesterday and create a report based on that delta (events). Any recommendation would be highly appreciated. Thank you so much.