All Topics
Hello, I have these search results:

    Error for user flow: AAAAA - user: BBBB - Msg: {\"_errorCode\":Z, \"_message\": \"Example Error Message\"}

I'm trying to get the number of each _errorCode for each user flow. I started with

    index="example_index" source="example_source" sourcetype="example_st" Error for | rex field=_raw "user flow: (?<user_flow>\w+)" | stats count as ErrorCount by user_flow

I was able to get the number of error occurrences under each user flow. I wanted to expand this query to be more granular and include the error code, so I would have:

    UserFlow  ErrorCode  Error Count
    AAAA      X          5
    AAAA      Y          7
    BBBB      F          1
    BBBB      G          2

This is the query I came up with, but the statistics tab is no longer showing anything:

    index="example_index" source="example_source" sourcetype="example_st" Error for | rex field=_raw "user flow: (?<user_flow>\w+)" | rex field=_raw "_errorCode:\\\":(?<error_code>\d+)" | stats count as ErrorCount by user_flow, error_code

I see the events tab is still populated with search results, but it looks like my addition to the query is not quite correct.
Hi, I am using the Phantom OVA to run my Phantom instance. I had just managed to run my playbooks when I previously tested it 8 hours ago. However, upon creating a new simple playbook and running the previously created playbook, I get the following error:

    Error updating playbook.<br/>cannot mmap an empty file

Hence I am unable to save any progress on any playbooks now. I had tried searching online for solutions but was unable to find any. I had come across an article (I forgot the link) that stated the commands /opt/phantom/bin/stop_phantom.sh and /opt/phantom/bin/start_phantom.sh to restart the Phantom OVA instance; however, it is not having any effect. I attempted to restart the Phantom service a few times, and restarted the VM a few times, but it does not seem to work. I then attempted to delete the VM from disk and reimport it, and the playbooks work fine until, after a while, the cycle repeats itself... While reimporting the VM "works", it is troublesome to reconfigure my current settings on the reimported instance every time I encounter this error. Is there a better solution to this? As seen from the image, this 2nd playbook is a simple one, and the first playbook I could run is also similar. Both playbooks had been configured and saved before I saved the VirtualBox VM state as I switched to other matters, and when I resume the VM, I get this error. Please help, thank you very much!
I'm able to change the font size for the entire dashboard but not for a single table. My dashboard consists of multiple panels (tables); if I try to increase the font size of the text for a single table, it changes for the complete panel. I want to change the font size of my main panel, which should be bigger than the remaining ones.
I have been using the Universal Forwarder splunkforwarder-7.2.6-c0bf0f679ce9-Linux-x86_64 for quite a while without issues. I now wanted to upgrade to the latest one, 9.0.2, so I downloaded it and ran it just like I did with the old version. However, when starting it with

    ${SPLUNK_HOME}/bin/splunk start --accept-license --answer-yes --no-prompt

it seems to crash with

    Error calling execve(): No such file or directory
    Error launching command: Invalid argument

I then tried the latest 8.x.x version, 8.2.9, and that worked perfectly fine. What has changed between version 8 and 9? Any new requirements I am not aware of?
I have a dashboard that uses a dbxquery in the base search. I would like to make the dashboard "bilingual". Is it possible to alter the behavior of the dashboard and select a different base search depending on the value of a drop-down or radio button? For example, selecting the first of the two options should have this base search be used:

    <search id="base1">
    <query>| dbxquery shortnames=true output=csv connection="CON_1" query="use [DB1] select TimeRaised as 'TimeTriggered', ...</query>

...while selecting the 2nd of the two options would use this one:

    <search id="base1">
    <query>| dbxquery shortnames=true output=csv connection="CON_2" query="use [DB2] select TimeRaised as 'TimeTriggered', ...</query>
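Rather than two `<search id="base1">` elements (a search id has to be unique within a dashboard), one base search whose connection and database names are tokens does what the post describes. The following is an added example, not the poster's dashboard: the `from Alerts` table name and the choice labels are made up, and the SQL is a placeholder for the elided query. Because the token is spliced into the SQL text, keep the input a fixed-choice radio or drop-down; a free-text input in this position would turn the dashboard into a SQL injection path against the database.

```xml
<form>
  <label>Bilingual dashboard</label>
  <fieldset submitButton="false">
    <!-- Fixed choices only: $conn$ and $db$ are substituted into the SQL text below. -->
    <input type="radio" token="conn" searchWhenChanged="true">
      <label>Data source</label>
      <choice value="CON_1">Source 1</choice>
      <choice value="CON_2">Source 2</choice>
      <default>CON_1</default>
      <change>
        <condition value="CON_1"><set token="db">DB1</set></condition>
        <condition value="CON_2"><set token="db">DB2</set></condition>
      </change>
    </input>
  </fieldset>
  <!-- One base search; the connection/database pair follows the radio button.
       "from Alerts" is a made-up table name standing in for the elided query. -->
  <search id="base1">
    <query>| dbxquery shortnames=true output=csv connection="$conn$" query="use [$db$] select TimeRaised as 'TimeTriggered' from Alerts"</query>
  </search>
  <row>
    <panel>
      <table>
        <search base="base1">
          <query>| table TimeTriggered</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Every panel that hangs off `base="base1"` re-runs automatically when the radio value changes, which is the "bilingual" behaviour without duplicating the dbxquery.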
Hello, can anyone tell me why this configuration isn't working? I would like to change the index name from main to hue. I'm getting data from db_connect from the HF. I would like to change the index name on the main indexer.

transforms.conf

    [set_index_hue]
    SOURCE_KEY = MetaData:Source
    REGEX = ^source::(stream\:Splunk_Postgres)$
    DEST_KEY = _MetaData:Index
    FORMAT = hue

props.conf

    [stream:postgres]
    TRANSFORMS-stream-postgres = set_index_hue

Best regards, M.
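The same routing, written out as an added example rather than the poster's files. It assumes, as the post suggests, that the events carry sourcetype `stream:postgres` and that their source is exactly `stream:Splunk_Postgres`. The point a practitioner checks first is placement: index-time transforms run on the first full Splunk instance that parses the data. With DB Connect on a heavy forwarder that instance is the HF, and indexers do not re-run these transforms on data an HF has already parsed, so the files have no effect on the indexer. The `hue` index must also exist on the indexers.

```ini
# Added example, not the poster's configuration. Deploy BOTH files on the
# heavy forwarder that runs DB Connect, then restart it.

# transforms.conf
[set_index_hue]
SOURCE_KEY = MetaData:Source
# Source values are matched with the "source::" prefix; the colon needs no escape.
REGEX = ^source::stream:Splunk_Postgres$
DEST_KEY = _MetaData:Index
FORMAT = hue

# props.conf  (stanza must be the sourcetype the events actually carry;
# verify with: index=main | stats count by sourcetype, source)
[stream:postgres]
TRANSFORMS-set_index_hue = set_index_hue
```

If the events are already in `main` with a different sourcetype or source than assumed here, the stanza header or the REGEX is what to adjust; the DEST_KEY/FORMAT pair stays the same.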
    Index=dev log-severity=INFO app name=abcd | rex “tv counts for indicator S = (?&lt;Count&gt;\d+)” | stats count by _time, Counts | table _time, counts

I'm getting an error in the rex command: regex: syntax error in subpattern name (missing terminator). It worked last week and suddenly this error is showing up. I checked the data side; the data is there and there are no issues with the data. Please suggest.
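The pattern as posted reads `(?&lt;Count&gt;\d+)`: the angle brackets arrived as HTML entities. rex uses PCRE, where `(?&` opens a named subroutine call, and `(?&lt;Count&gt;` then fails with exactly "syntax error in subpattern name (missing terminator)" because no closing parenthesis follows the name. The following is an added example, not code from the post: a small Python helper that repairs a pattern copied through a web page (entity decoding, straightening typographic quotes, and translating PCRE's `(?<name>` to Python's `(?P<name>`) and applies it to constructed log lines. The log lines and the `Count` values are made up.

```python
import html
import re
from typing import List, Optional

# Added example; the log lines below are constructed, not taken from the post.

# PCRE / rex named-group opener "(?<name>". Lookbehinds "(?<=" and "(?<!" are
# left alone because "=" and "!" are not valid name characters.
PCRE_NAMED_GROUP = re.compile(r"\(\?<(?P<name>[A-Za-z_][A-Za-z0-9_]*)>")

# Typographic quotes that editors and web pages substitute for ASCII quotes.
SMART_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"})


def normalize_pattern(pattern: str) -> str:
    """Repair a regex that was copied through a web page.

    1. Decode HTML entities: (?&lt;Count&gt; becomes (?<Count>. Left encoded,
       PCRE reads "(?&" as a named subroutine call and reports
       "syntax error in subpattern name (missing terminator)".
    2. Replace typographic quotes with ASCII ones.
    3. Rewrite PCRE "(?<name>" to Python's "(?P<name>" so re can compile it.
    """
    decoded = html.unescape(pattern).translate(SMART_QUOTES)
    return PCRE_NAMED_GROUP.sub(lambda m: f"(?P<{m.group('name')}>", decoded)


def extract_counts(pattern: str, lines: List[str], group: str = "Count") -> List[Optional[int]]:
    """Compile the repaired pattern and pull the named group from each line.

    One entry per line, None where the pattern does not match, so the caller
    can see which events would drop out of a later "stats ... by".
    """
    rx = re.compile(normalize_pattern(pattern))
    results: List[Optional[int]] = []
    for line in lines:
        m = rx.search(line)
        results.append(int(m.group(group)) if m else None)
    return results


# Constructed sample events in the shape the post describes (app abcd, INFO).
SAMPLE_LINES = [
    "2022-11-07 10:00:01 INFO app=abcd tv counts for indicator S = 42",
    "2022-11-07 10:05:01 INFO app=abcd tv counts for indicator S = 7",
    "2022-11-07 10:10:01 INFO app=abcd heartbeat ok",
]

# The pattern exactly as it appears in the post, entities included.
POSTED_PATTERN = r"tv counts for indicator S = (?&lt;Count&gt;\d+)"

if __name__ == "__main__":
    print(normalize_pattern(POSTED_PATTERN))
    print(extract_counts(POSTED_PATTERN, SAMPLE_LINES))
```

The same check is worth running on any regex pasted from a ticket or wiki before it goes into a saved search: an entity-encoded or smart-quoted pattern fails loudly in rex, but in a scheduled alert it fails silently as zero results.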
The changes to the data source are not immediately reflected, and some old information remains for several minutes. How do the content updates work? Cron? Or is each data source combined and returned with each inputlookup reference? Or does this depend on the environment, e.g. clustering, where synchronization between search heads takes time and a time lag exists in the reflection of the results?
On an existing dashboard I have a rather complex query that generates a timechart, on which I am looking to use annotations to highlight threshold breaches. Is there any way to avoid having to run the same query twice (once to create the initial chart, and a second time for the annotations)? Oh -- [I think I may be answering my own question,] is the answer here going to be to use a base search? Thanks.
I am using the Splunk Distribution of OpenTelemetry Collector in Kubernetes. The current solution is working just fine. But after I added a section for the smartagent/jmx receiver with a Groovy script inside, the healthcheck starts to show "Server not available" status. The Groovy script works; the logs include several

    2022-11-07T11:12:14.730Z error subproc/core.go:114 Get result, and sent:0 {"kind": "receiver", "name": "smartagent/jmx", "pipeline": "metrics", "monitorID": "smartagentjmx", "monitorType": "jmx", "runnerPID": 42}

(I just added stderr to the script). There are not any other warnings/errors in the logs. Kubernetes just kills the pod because of the healthcheck. My jmx config:

    smartagent/jmx:
      type: jmx
      host: 0.0.0.0
      port: 9999
      intervalSeconds: 2
      groovyScript: |
        def printErr = System.err.&println
        ss = util.queryJMX("com.hazelcast:name=MAP_NAME,instance=*,type=IMap").first()
        dims = [env_name: "NAME"]
        output.sendDatapoint(util.makeGauge("hazelcast.map.size", ss.size, dims))
        printErr("Get result, and sent:" + ss.size)

Can you tell me where and how to dig?
I am using the following rex command to extract an id number, which is in the following format: 1e4gd5g7-4fy6-fg567-3d46-3gth63f57h35. I am also using the rex command to extract email addresses. However, it seems to extract the wrong information; let me show you:

    index=keycloak "MFA" | regex _raw="MFA challenge failed" | rex "(?i) is (?P<keycloak_id>[^\"]+)" | rex "(?i) is (?P<email_address>.+?)\.\s+" | table Account_ID, email_address, keycloak_id, _time

However, this is the output that I get:

    Account_ID  email_address     keycloak_id                                                                      _time
    aaaaaaa     'OTP is invalid'  'OTP is invalid'. Keycloak session id is 1e4gd5g7-4fy6-fg567-3d46-3gth63f57h35  2022-11-07 09:56:17.00

I'm really struggling to properly extract the right information that I'm looking for. Any help would be greatly appreciated.
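Two of the questions on this page (the `_errorCode` count per user flow further up, and the Keycloak session id / e-mail extraction just above) have the same root: the pattern must be anchored on text that occurs only next to the value you want. In the escaped JSON of the first question the raw text reads `_errorCode\":Z`, so the colon comes after the escaped quote, while the posted pattern puts the colon before it and never matches; `stats ... by user_flow, error_code` then drops every event, which is why the events tab fills and the statistics tab is empty. In the second question, ` is ` first occurs in `reason is 'OTP is invalid'`, so the lazy group starts there. The following is an added example, not code from either post: Python equivalents of both extractions run over constructed log lines (the position of the e-mail address is an assumption), with a `stats count by` style aggregation.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Added example. All log lines are constructed from the shapes shown in the
# two posts; where the e-mail address sits in the line is an assumption.

# --- Post 1: escaped JSON inside a text message -------------------------------
# Raw text looks like:  Msg: {\"_errorCode\":X, \"_message\": \"...\"}
# i.e. backslash, quote, colon after the key name. The pattern matches exactly
# that sequence (regex \\ is one literal backslash).
USER_FLOW_RX = re.compile(r"user flow: (?P<user_flow>\w+)")
ERROR_CODE_RX = re.compile(r'_errorCode\\":(?P<error_code>\w+)')
# Colon placed before the escaped quote, as in the post's pattern: never matches.
ERROR_CODE_COLON_FIRST_RX = re.compile(r'_errorCode:\\":(?P<error_code>\w+)')

FLOW_LINES = [
    r'Error for user flow: AAAA - user: u1 - Msg: {\"_errorCode\":X, \"_message\": \"Example Error Message\"}',
    r'Error for user flow: AAAA - user: u2 - Msg: {\"_errorCode\":X, \"_message\": \"Example Error Message\"}',
    r'Error for user flow: AAAA - user: u3 - Msg: {\"_errorCode\":Y, \"_message\": \"Example Error Message\"}',
    r'Error for user flow: BBBB - user: u4 - Msg: {\"_errorCode\":F, \"_message\": \"Example Error Message\"}',
    r'Error for user flow: BBBB - user: u5 - Msg: no json here',
]


def count_by_flow_and_code(lines: List[str],
                           code_rx: "re.Pattern[str]" = ERROR_CODE_RX) -> Dict[Tuple[str, str], int]:
    """Equivalent of `... | stats count by user_flow, error_code`.

    stats drops events in which any `by` field is missing, so a pattern that
    never matches empties the statistics tab while events are still returned.
    """
    counts: Counter = Counter()
    for line in lines:
        flow = USER_FLOW_RX.search(line)
        code = code_rx.search(line)
        if flow and code:
            counts[(flow.group("user_flow"), code.group("error_code"))] += 1
    return dict(counts)


# --- Post 2: Keycloak MFA failure lines ---------------------------------------
MFA_LINES = [
    "MFA challenge failed for alice@example.com, reason is 'OTP is invalid'. Keycloak session id is 1e4gd5g7-4fy6-fg567-3d46-3gth63f57h35",
    "MFA challenge failed for bob@example.com, reason is 'OTP is invalid'. Keycloak session id is 0a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d",
]

# Anchor on the literal label that precedes the id and restrict the id's alphabet.
SESSION_ID_RX = re.compile(r"Keycloak session id is (?P<keycloak_id>[0-9A-Za-z-]+)")
# Match the address by its own shape instead of by the words around it.
EMAIL_RX = re.compile(r"(?P<email_address>[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})")
# The post's approach: everything after the first " is ". Kept to show the failure.
NAIVE_IS_RX = re.compile(r"(?i) is (?P<value>[^\"]+)")


def naive_first_is(line: str) -> Optional[str]:
    m = NAIVE_IS_RX.search(line)
    return m.group("value") if m else None


def extract_mfa(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    rows = []
    for line in lines:
        sid = SESSION_ID_RX.search(line)
        mail = EMAIL_RX.search(line)
        rows.append({
            "email_address": mail.group("email_address") if mail else None,
            "keycloak_id": sid.group("keycloak_id") if sid else None,
        })
    return rows


if __name__ == "__main__":
    print(count_by_flow_and_code(FLOW_LINES))
    print(count_by_flow_and_code(FLOW_LINES, ERROR_CODE_COLON_FIRST_RX))
    print(naive_first_is(MFA_LINES[0]))
    print(extract_mfa(MFA_LINES))
```

In SPL the first pattern is written `rex field=_raw "_errorCode\\\":(?<error_code>\d+)"` (the backslash before the quote is what changed), and the Keycloak one `rex "Keycloak session id is (?<keycloak_id>[0-9A-Za-z-]+)"`.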
I am looking for an alert when any search in (rest /services/saved/searches splunk_server=local) is being modified.
Good afternoon! I send a message like this:

    curl --location --request POST 'http://test.test.org:8088/services/collector/raw' \
      --header 'Authorization: Splunk 0202-0404-4949-9c-27' \
      --header 'Content-Type: text/plain' \
      --data-raw '{ "messageId": "ED280816-E404-444A-A2D9-FFD2D171F323", "messageType": "RABIS-HeartBeat", "eventTime": "2022-10-13T18:08:00", }'

The message arrives in Splunk, but I don't see the field "eventTime": "2022-10-13T18:08:00". I have shown an example in the screenshot. Please let me know which time format I need to use.
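Two things in the posted request are worth checking before the time format. The body ends with `"2022-10-13T18:08:00", }`: the trailing comma makes it invalid JSON, so any strict JSON parser rejects it and no `eventTime` field can be extracted from it. And the `/raw` endpoint stores the body as opaque text; the `/event` endpoint instead accepts a top-level `time` key in epoch seconds that HEC uses as `_time`. The following is an added example, not the poster's code: it shows the posted body failing JSON validation and builds a well-formed `/event` payload. The timezone of the posted timestamp is unknown, so UTC is assumed; the token and URL are not used.

```python
import json
from datetime import datetime, timezone
from typing import Any, Dict

# Added example, not from the post. UTC is an assumption for the naive timestamp.

# Body exactly as posted: the trailing comma before "}" makes it invalid JSON.
POSTED_BODY = (
    '{ "messageId": "ED280816-E404-444A-A2D9-FFD2D171F323", '
    '"messageType": "RABIS-HeartBeat", "eventTime": "2022-10-13T18:08:00", }'
)

SAMPLE_MESSAGE: Dict[str, Any] = {
    "messageId": "ED280816-E404-444A-A2D9-FFD2D171F323",
    "messageType": "RABIS-HeartBeat",
    "eventTime": "2022-10-13T18:08:00",
}


def is_valid_json(text: str) -> bool:
    try:
        json.loads(text)
        return True
    except ValueError:  # json.JSONDecodeError is a ValueError
        return False


def iso_to_epoch(ts: str, default_tz: timezone = timezone.utc) -> float:
    """ISO-8601 text to epoch seconds. A naive timestamp (no offset) is read in
    default_tz rather than whatever the sending host's local zone happens to be."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=default_tz)
    return dt.timestamp()


def build_hec_payload(message: Dict[str, Any], time_field: str = "eventTime",
                      sourcetype: str = "_json") -> Dict[str, Any]:
    """Payload for POST /services/collector/event. HEC takes the top-level
    "time" (epoch seconds) as _time; the original field stays inside "event"
    so it is still extracted as an ordinary JSON field."""
    return {
        "time": iso_to_epoch(message[time_field]),
        "sourcetype": sourcetype,
        "event": dict(message),
    }


def build_hec_event(message: Dict[str, Any]) -> str:
    """Serialised body; json.dumps never emits a trailing comma."""
    return json.dumps(build_hec_payload(message))


if __name__ == "__main__":
    print("posted body is valid JSON:", is_valid_json(POSTED_BODY))
    print(build_hec_event(SAMPLE_MESSAGE))
```

Send the result with `Content-Type: application/json` to `/services/collector/event`. The Authorization header carries a bearer-equivalent secret; the posted URL is plain `http://`, so the token crosses the network unencrypted unless HEC is served over TLS.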
We have an indexer cluster deployment. We recently added additional memory to all the indexers. In the Splunk monitoring console the new disk space details are not updated. In the REST URI path '/services/server/status/partitions-space' the correct disk space details are not updated. We are using the below SPL to fetch disk space details in the monitoring console dashboard:

    | rest splunk_server=* /services/server/status/partitions-space
    | eval free = if(isnotnull(available), available, free)
    | eval usage = round((capacity - free) / 1024, 2)
    | eval capacity = round(capacity / 1024, 2)
    | eval compare_usage = usage." / ".capacity
    | eval pct_usage = round(usage / capacity * 100, 2)
    | stats first(fs_type) as fs_type first(compare_usage) AS compare_usage first(pct_usage) as pct_usage by mount_point
    | rename mount_point as "Mount Point", fs_type as "File System Type", compare_usage as "Disk Usage (GB)", pct_usage as "Disk Usage (%)"
As my original subject led to some weird error message about message flooding, here it is again: Subject: Invalid key in stanza - splunk_instrumentation - savedsearches.conf v8.2.9. Version 8.2.9 (Linux, tgz version) brings the "Invalid key in stanza" error in line 451 of the `/opt/splunk/etc/apps/splunk_instrumentation/default/savedsearches.conf` file. This wasn't the case in v.8.27. It turns out that the named file differs in one character between the two versions: a space added after the "\" (for line continuation) in v8.2.9. After removing that single space, the `splunk restart` command ran through without errors.
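The defect described above is easy to lint for: a backslash only continues a .conf value when it is the last character on the line, so `\` followed by a space ends the value and the next line is read as a new key, which is the "Invalid key in stanza" report. The following is an added example, not the poster's file or a Splunk tool: a checker and fixer for trailing whitespace after a continuation backslash, plus a minimal stanza parser that joins lines the same way so the effect is visible. The .conf text is constructed to reproduce the defect; it is not the real content of line 451.

```python
import re
from typing import Dict, List, Tuple

# Added example, not from the post. SAMPLE_CONF is constructed; it is not the
# real savedsearches.conf.

TRAILING_BACKSLASH_WS = re.compile(r"\\[ \t]+$")


def find_broken_continuations(conf_text: str) -> List[Tuple[int, str]]:
    """(line_number, line) for every line whose backslash is followed by
    whitespace, i.e. a continuation that the parser will not honour."""
    return [(n, line) for n, line in enumerate(conf_text.splitlines(), start=1)
            if TRAILING_BACKSLASH_WS.search(line)]


def fix_broken_continuations(conf_text: str) -> str:
    """Strip whitespace after a trailing backslash on every line."""
    fixed = [TRAILING_BACKSLASH_WS.sub("\\\\", line) for line in conf_text.splitlines()]
    return "\n".join(fixed) + ("\n" if conf_text.endswith("\n") else "")


def parse_conf(conf_text: str) -> Tuple[Dict[str, Dict[str, str]], List[int]]:
    """Minimal stanza parser: only a backslash that is the final character
    continues a value. Returns the stanzas and the numbers of lines that are
    neither a stanza header, a key = value pair, a comment nor blank, which is
    what would be reported as 'Invalid key in stanza'."""
    stanzas: Dict[str, Dict[str, str]] = {}
    invalid: List[int] = []
    lines = conf_text.splitlines()
    current = None
    i = 0
    while i < len(lines):
        start = i + 1
        line = lines[i]
        while line.endswith("\\") and i + 1 < len(lines):   # join continuations
            i += 1
            line = line[:-1] + lines[i]
        i += 1
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            current = stripped[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in stripped and current is not None:
            key, value = stripped.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
        else:
            invalid.append(start)
    return stanzas, invalid


SAMPLE_CONF = "\n".join([
    "[instrumentation_example]",
    "search = index=_internal sourcetype=splunkd \\",   # backslash is last: continues
    "  | stats count by component \\" + " ",            # backslash then a space: does not
    "  | sort -count",                                   # therefore parsed as a bare key
]) + "\n"

if __name__ == "__main__":
    print(find_broken_continuations(SAMPLE_CONF))
    print(parse_conf(SAMPLE_CONF)[1])
    print(parse_conf(fix_broken_continuations(SAMPLE_CONF))[1])
```

Running the checker over `$SPLUNK_HOME/etc` after an upgrade catches this class of packaging defect before a restart does; editing a file under an app's `default/` directory, as the post describes, is undone by the next upgrade, so the fix belongs in `local/` or in a ticket.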
Hi, I am looking to create a time series graph based on multiple fields. We could have multiple hosts, and each host has multiple CPUs. Looking for the best approach to visualize it. Thanks
Hello, I have installed an app, and the data in the app is written to the "main" index. When I search for data from the app, it works fine. Below is my search query:

    index="main" source=jira

However, when I search for the same data from the Search app, the data is not visible, and hence when I try to create a dashboard, it is not functional. How can I make the data searchable from the Search app as well as from the app? Please advise. Thanks in advance. Siddarth
Does anyone have any guide or documentation on how to integrate SnipeIT add-on with splunk? TIA https://splunkbase.splunk.com/app/6271
Hi Team, I tried creating a dashboard with a tab view. I used a linklist to create the tabs. I would like to load the panels only when the linked tab is clicked. Could someone please suggest to me how to achieve that?

    <form theme="dark">
      <label>search_depends</label>
      <description>test</description>
      <init>
        <unset token="dont_run"></unset>
        <set token="run"></set>
      </init>
      <fieldset submitButton="false">
        <input type="link" token="tok_tabs">
          <label>tabs</label>
          <choice value="panel1">panel1</choice>
          <choice value="panel2">panel2</choice>
          <default>DataAnalysis</default>
          <change>
            <condition value="panel1">
              <set token="panel1">true</set>
              <unset token="panel2"></unset>
            </condition>
            <condition value="panel2">
              <set token="panel2">true</set>
              <unset token="panel1"></unset>
            </condition>
          </change>
        </input>
      </fieldset>
      <row depends="$panel1$">
        <panel>
          <single>
            <title>load only panel1</title>
            <search depends="$run$" id="dont_run">
              <query>|makeresults|eval data="Can you see me?!"</query>
              <earliest>-24h@h</earliest>
              <latest>now</latest>
            </search>
            <option name="drilldown">none</option>
            <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
            <option name="refresh.display">progressbar</option>
            <option name="underLabel"># tickets closed last month</option>
          </single>
        </panel>
      </row>
      <row depends="$panel2$">
        <panel>
          <single>
            <title>load only panel2</title>
            <search depends="$dont_run$" id="run">
              <query>|makeresults|eval data="Can you see me?!"</query>
              <earliest>-24h@h</earliest>
              <latest>now</latest>
            </search>
            <option name="drilldown">none</option>
            <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
            <option name="refresh.display">progressbar</option>
            <option name="underLabel"># tickets closed last month</option>
          </single>
        </panel>
      </row>
    </form>
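One way to get the lazy loading the post asks for, as an added example rather than the poster's dashboard (the `makeresults` queries are the post's own placeholders): in Simple XML, `depends` on a `<row>` only controls visibility, while `depends` on a `<search>` controls whether the search is dispatched at all. Pointing both at the tab's token means each panel's search runs the first time its tab is clicked, and the `<init>` block with the `run`/`dont_run` tokens is not needed.

```xml
<form theme="dark">
  <label>search_depends</label>
  <description>Panels load on first click of their tab</description>
  <fieldset submitButton="false">
    <input type="link" token="tok_tabs">
      <label>tabs</label>
      <choice value="panel1">panel1</choice>
      <choice value="panel2">panel2</choice>
      <default>panel1</default>
      <change>
        <condition value="panel1">
          <set token="panel1">true</set>
          <unset token="panel2"></unset>
        </condition>
        <condition value="panel2">
          <set token="panel2">true</set>
          <unset token="panel1"></unset>
        </condition>
      </change>
    </input>
  </fieldset>
  <!-- Row depends = visibility; search depends = whether the search is dispatched.
       Both reference the same token, so nothing runs for a tab until it is clicked. -->
  <row depends="$panel1$">
    <panel>
      <single>
        <title>load only panel1</title>
        <search depends="$panel1$">
          <query>| makeresults | eval data="Can you see me?!"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
  </row>
  <row depends="$panel2$">
    <panel>
      <single>
        <title>load only panel2</title>
        <search depends="$panel2$">
          <query>| makeresults | eval data="Can you see me?!"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
  </row>
</form>
```

Confirm the behaviour in the Job Inspector: with the dashboard open on panel1, only one search job should exist until panel2 is clicked.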
Hello sir, how do I add the Spamhaus dataset in Splunk? Is there any guide or process? Please help. I already installed Spamhaus Datasets for Splunk.