I can control the data sent to the fields. All fields on the default search allow you to include/exclude in search results. I suppose this is the default "drilldown" option. I tried http://whatever, <link>http://whatever and <a href="http://whatever". The default search won't let you click the link; it just lets you filter on that field. Is there an override to this?
Hello fellow Splunkers, one of our end users was attempting to investigate a Splunk Alert. When they attempted to access the URL contained in the email, they received a permissions denied error. They also received the same alert when manually navigating to the alert under the "Alerts" section and attempting to review the triggered alert. The alert permissions are set so anybody can read the alert, but only Power Users and Admins are able to write. I have reviewed a couple of other Splunk Community posts regarding similar permission issues but was unable to locate a solution. Does anyone have an idea what could be causing this? - Hutch
Worked extensively with Splunk support on this. They believe that the problem is that the app is either fundamentally incompatible with Splunk 9 or with the latest Salesforce TA. Ultimately splunk-app-sfdc is using the collection lookup_sfdc_usernames_kvstore, which is not defined in the collections.conf of the app but in the add-on. It looks like the app is trying to refer to that and is not able to find that lookup.

ERROR KVStoreProvider [29936 SchedulerThread] - Could not create KvStore Lookup failed because collection 'lookup_sfdc_usernames_kvstore' in app 'splunk-app-sfdc' does not exist, or user 'splunk-system-user' does not have read access.

Hence my question: has anyone gotten this to actually work? If so, what is the trick? Regards, Mike Kirda
Hello, can we create either of the breaking criteria for the episodes in Splunk ITSI? We do have bidirectional ticketing enabled, but if the external ticket is not closed then the episode remains open, so we need to create a breaking criteria. Will it impact the bidirectional ticketing if we enable breaking criteria?
Hey everyone! Has anyone ever experienced jobs running over 100%, sometimes as high as 150%/160%, and not completing? It ends up causing the maximum concurrent searches to be reached and makes new jobs not run. We currently have about 220 correlation searches running and this had not been an issue before. Any and all feedback is appreciated!
I don't see any expiration for a HEC token. Do they have an expiration date? On Settings > Data Inputs > HTTP Event Collector there is nothing of the sort, nor is the token repeated in any other fashion to access it in the Settings > Tokens area.
Hi Team, I wanted to write a query to find the Splunk agent version of a specific set of hosts in our environment. I had tried the below link to find out the version details for all UFs: https://community.splunk.com/t5/Getting-Data-In/How-can-I-find-a-listing-of-all-universal-forwarders-that-I-have/m-p/324298 But I am unable to segregate to a specific set of hosts. So could anyone let me know how to write a query to fetch the version details? Thanks in advance.
Re: ta:ms:loganalytics:log ConnectionError: ('Connection aborted.', error(104, 'Connection reset by peer'))

2022-10-31 09:41:14,147 ERROR pid=14783 tid=MainThread file=base_modinput.py:log_error:307 | Get error when collecting events.
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/ta_ms_loganalytics/modinput_wrapper/base_modinput.py", line 127, in stream_events
    self.collect_events(ew)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/log_analytics.py", line 96, in collect_events
    input_module.collect_events(self, ew)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/input_module_log_analytics.py", line 72, in collect_events
    response = requests.post(uri,json=search_params,headers=headers)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/ta_ms_loganalytics/requests/api.py", line 110, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/ta_ms_loganalytics/requests/api.py", line 56, in request
    return session.request(method=method, url=url, **kwargs)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/ta_ms_loganalytics/requests/sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/ta_ms_loganalytics/requests/sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/ta_ms_loganalytics/requests/adapters.py", line 473, in send
    raise ConnectionError(err, request=request)
ConnectionError: ('Connection aborted.', error(104, 'Connection reset by peer'))
I use

index= main | lookup test1.csv Severity1 | stats count by Severity

The lookup table has 5 values (Veryhigh, high, medium, low, verylow). How do I add these to the x axis even if I do not have a Y axis count for them? I want the chart to look like
Hi, I've got the below query that I'm using to try and see when correlation searches have been edited:

| rest splunk_server=local count=0 /servicesNS/-/SplunkEnterpriseSecuritySuite/saved/searches | where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]") | where disabled=0 | eval actions=split(actions, ",") | rename "eai:acl.owner" as "Created By" | rename author as "Updated By" | rename updated as "Update time" | fields title, search, description, "Update time", "Updated By", "Created By"

The issue that I'm having here is that no matter what I try, I am unable to narrow this down to the last hour, for example, and it always returns the last couple of months. Any help on this would be great!
Hello Splunkers, I am facing some errors every time I relaunch my Splunk service on my HF. Inside splunkd.log I have this:

error=Splunkd daemon is not responding: ('Error connecting to https://127.0.0.1:8089//services/server/roles: [Errno 111] Connection refused',)

I am sure that splunkd is running on port 8089 and I also checked that my instance's firewall is not blocking this port. Maybe it's just normal to see those errors at Splunk startup? Thanks for your help, GaetanVP
Tell me, is this message format possible for sending to Splunk:

curl --location --request POST 'http://170.25.25.25:8088/services/collector/event' --header 'Authorization: Splunk ееееее-еееееееее-ееееее-e6fc' --header 'Content-Type: text/plain' --data-raw '{ "messageId": "<ED280816-E404-444A-A2D9-FFD2D171F928>", "srcMsgId": "<rwfsdfsfqwe121432gsgsfgdg>", "correlationMsgId": "<rwfsdfsfqwe135432gsgsfgdg>", "baseSystemId": "<SDS-IN>", "routeInstanceId": "<TPKSABS-SMEV>", "routepointID": "<1.SABS-GIS.TO.KBR.SEND>", "eventTime": "<1985-04-12T23:20:50>", "messageType": "<ED123>", "GISGMPResponseID": "<PS000BA780816-E404-444A-A2D9-FFD2D1712345>", "GISGMPRequestID": "<PS000BA780816-E404-444A-A2D9-FFD2D1712344>", "tid": "<ED280816-E404-444A-A2D9-FFD2D171F900>", "PacketGISGMPId": "<7642341379_20220512_123456789>", "result.code": "<400>", "result.desc": "<Ошибка: абвгд>" }'

without the fields "event" and "fields", using only custom fields?
Hi all, I have installed the latest Splunk SOAR (5.4) on my instance for testing. The default HTTPS port is set to 8443. I have tried to force the port to be 443 by using the --https-port 443 option during the installation. However, I am not able to configure the port to be 443, as it states any port from 1 to 1024 requires root access and I can't run it on an unprivileged installation. Is there any workaround for this to configure the port to go through 443 instead of 8443?
Which version of Splunk Universal Forwarder supports the AIX 6.1 OS?
Hey Splunkers, can someone please help me with the logic? How can I fine-tune the search below to detect DNS tunnelling? The one here is too noisy, or if a better SPL is available that can be used instead.

| tstats `security_content_summariesonly` dc("DNS.query") as count from datamodel=Network_Resolution where DNS.message_type=QUERY by DNS.src,DNS.query | rename DNS.src as src DNS.query as message | eval length=len(message) | stats sum(length) as length by src | append [ tstats `security_content_summariesonly` dc("DNS.answer") as count from datamodel=Network_Resolution where DNS.message_type=QUERY by DNS.src,DNS.answer | rename "DNS.src" as src "DNS.answer" as message | eval message=if(message=="unknown","", message) | eval length=len(message) | stats sum(length) as length by src ] | stats sum(length) as length by src | where length > 100

Thanks!
I need to write a regular expression for the below log, and I need to extract the error code, message and status code:

{"log":"28/Oct/2022:22:23:39 +1100 [qtp2012846597-33] [correlationId=00223854-356e-4a24-bc04-4bce27407dfa] ERROR au.com.commbank.pso.payments.reportgen.util.LoggingUtil - Severity = \"ERROR\", DateTimestamp = \"28/Oct/2022 22:23:39\", Error Code = \"REPORT_GENERATION_ERR_0007\", Error Message = \"API call to IDP failed with HTTP Status Code 4XX\", HTTP Status Code = \"500\"

Thanks in advance
SPL to extract a field and field value when the data looks like the screenshot attached below. I need help in extracting a field as memUsedPct which should hold the value 82,3.
Hello, I'm having a hard time creating a download button. I have a scheduled report every day. I would like to create a button in the dashboard that downloads that report. I cannot use JS. Can you help me? I found a way to download the query created, but then I also view the table, and I don't want to show it, just download the result. Thanks, bye, Antonio
Hi all, if I would like to stats count by destination email and show the result as a sum for each domain (gmail, hotmail), please help to recommend. Best regards, CR
Hi, I have a question for my understanding. Kindly help. You had data in the past, and one fine day you see there is no data. How do you troubleshoot? Regards, Suman P.