Isn't hyphen a minor breaker so I'm wondering why the values with hyphen get double quoted when doing summary indexing? This breaks the tstats TERM and PREFIX usage. Assume I have the following datas: _time field1 field2 2022-10-05 22:22:22 what-not whatnot   Will end up into summary event index with: 10/05/2022 22:22:22, field="what-not", field=whatnot   What I have missed when populating my summary index?-)

Right now we have  Splunk Enterprise version 8.0.5.0 Java Update 8 333 Java Se Development Kit 8 Update 291   Due to vulnerabilities, we need to update the Java version. Can we upgrade to the latest version and if not can you please tell me the latest version of Java I can upgrade to?    

I've discovered issue with WebLogic add-on (1.0.0) for Splunk and I am having hard time figuring out how to fix props.conf to parse timestamp correctly. My Splunk instance is in CEST. There is string with timezone after timestamp and CEST/GMT are parsed correctly but UTC is not. Server #1 - Correct     ####<Oct 5, 2022 5:00:21 PM CEST> <Info> ... Parsed timestamp: 10/5/22 5:00:21.000 PM       Server #2 - correct     ####<Oct 5, 2022 3:24:11 PM GMT> <Info> ... Parsed timestamp: 10/5/22 5:24:11.000 PM       Server #3 - incorrect     ####<Oct 5, 2022 4:30:23 PM UTC> <Info> Parsed timestamp: 10/5/22 4:30:23.000 PM Should be: 10/5/22 6:30:23.000 PM         

The new version of an app created using Splunk Add On Builder 4.1.1 on Splunk Enterprise 9.0.1 breaks on upgrade because the older password constant in 'aob_py3/splunktaucclib/rest_handler/credentials.py' was six '*' and the new one is eight '*'. Now is expecting that the password setting in inputs.conf uses the new format. This makes the Input page not load correctly raising error 500. Any ideas on how to solve this problem so the final users can seamlessly upgrade the app and keep the older input configurations? We are trying to work with this solution: https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Addon-Builder-4-package-resetting-password-conf-entries/td-p/584187 But we dont like that we need to patch the credentials.py

So I've read the docs on how to properly format a monitor stanza in Windows.. and am trying to monitor a dir full of csv files. Here's the stanza:     # Windows Log Processor [monitor://C:\Users\user\Desktop\ICTExports\*.csv] disabled = false crcSalt = <SOURCE> ignoreOlderThan = 2d index = it_app_ict sourcetype = csv      I added the crcSalt bit because without it the files in the monitor directory were generating the seekptr errors since the first few lines in all the files are identical. And here's the error in splunkd.log:     10-05-2022 10:25:25.768 -0500 INFO TailingProcessor [3624 MainTailingThread] - Parsing configuration stanza: monitor://C:\Users\user\Desktop\ICTExports\*.csv. 10-05-2022 10:25:25.768 -0500 INFO TailReader [3624 MainTailingThread] - State transitioning from 1 to 0 (initOrResume). 10-05-2022 10:25:25.768 -0500 INFO TailReader [3624 MainTailingThread] - State transitioning from 1 to 0 (initOrResume). 10-05-2022 10:25:25.768 -0500 INFO TailingProcessor [3624 MainTailingThread] - Adding watch on path: C:\Users\user\Desktop\ICTExports.       So it's been ~5 minutes since I last restarted the service and there's no further mention of the monitor path nor any of the .csv's within it. There is one file that falls within the 2d period so Im expecting it to be read. What can I do?   Thanks!

I have noticed that Splunk process on my development search-head shows not available abruptly. And then it becomes available. One of those time, I check the status of Splunk service and below is the output. Not sure, where to check and how to troubleshoot this problem. I was just assigned this problem, so not sure how often it happens but I have wrote a cronjob to check the status every 5 minutes and got an alert that it happened last night around 3am. But as far as I know, there is no pattern to it.    systemctl status splunk  splunk.service - Splunk Enterprise     Loaded: loaded (/etc/systemd/system/splunk.service; enabled; vendor preset: disabled)     Active: deactivating (stop-sigterm) (Result: exit-code) since Mon 2022-10-03 10:45:41 EDT; 41s ago   Main PID: 76827 (code=exited, status=8)     CGroup: /system.slice/splunk.service             └─78229 /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/Splunk_TA_f5-bigip/bin/Splunk_TA_f5_bigip_main.py      Oct 03 10:02:52 splunkdev01.xxx.xxx splunk[76759]: [  OK  ]  Oct 03 10:02:52 splunkdev01.xxx.xxx splunk[76759]: All installed files intact.  Oct 03 10:02:52 splunkdev01.xxx.xxx splunk[76759]: Done  Oct 03 10:02:52 splunkbdev01.xxx.xxx splunk[76759]: All preliminary checks passed.  Oct 03 10:02:52 splunkdev01.xxx.xxx splunk[76759]: Starting splunk server daemon (splunkd)...  Oct 03 10:02:52 splunkdev01.xxx.xxx splunk[76759]: Done  Oct 03 10:04:31 splunkdev01.xxx.xxx sudo[78359]:   splunk : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/netstat -anp  Oct 03 10:04:31 splunkdev01.xxx.xxx sudo[78359]: pam_unix(sudo:session): session opened for user root by (uid=0)  Oct 03 10:04:43 splunkdev01.xxx.xxx systemd[1]: Started Splunk Enterprise.  Oct 03 10:45:41 splunkdev01.xxx.xxx systemd[1]: splunk.service: main process exited, code=exited, status=8/n/a 

I have an issue where I have set up a Universal Forwarder on a Windows Azure server to monitor data stored on an Azure file share server.  This is my inputs.conf:   [monitor://\\********.file.core.windows.net\KanaResponse\RespShare\logs\log20*.xml] disabled = 0 index = kana sourcetype = kana_xml crcSalt = <SOURCE>   The issue I have is Splunk thinks the CRC has changed each time the file is written to and re-ingests the whole file. The header of the file does not change, so I'm not sure why this happens. I read some other posts referring to how Azure file share caches data that changes metadata involved in the CRC calculation, but I'm not sure if that is definitely the case. Each file generates approx 6,000 events, but due to the re-ingestion this can amount to over a million events per file. Our license would get eaten up pretty quickly if I left the feed enabled constantly. Another knock on issue to this is when the log fills and a new file is created, Splunk doesn't see the new file and the data feed stops until the Splunk forwarder is restarted. It does however stop ingesting the previous file. Splunk's internal log shows the following details confirming it thinks the file is new:   10-05-2022 11:37:12.556 +0100 DEBUG TailReader [8280 tailreader0] - Defering notification for file=\\********.file.core.windows.net\KanaResponse\RespShare\logs\log20221005_101607.xml by 3.000ms 10-05-2022 11:37:12.556 +0100 DEBUG TailReader [8280 tailreader0] - Finished reading file='\\********.file.core.windows.net\KanaResponse\RespShare\logs\log20221005_101607.xml' in tailreader0 thread, disposition=NO_DISPOSITION, deferredBy=3.000 10-05-2022 11:37:12.556 +0100 DEBUG WatchedFile [8280 tailreader0] - Reached EOF: fname=\\********.file.core.windows.net\KanaResponse\RespShare\logs\log20221005_101607.xml fishstate=key=0x8908643efe7e891f sptr=865145 scrc=0x77aadaaeb3af22ee fnamecrc=0xbd1b79bedeae4211 modtime=1664963939 10-05-2022 11:37:12.556 +0100 DEBUG WatchedFile [8280 tailreader0] - seeking \\********.file.core.windows.net\KanaResponse\RespShare\logs\log20221005_101607.xml to off=857837 10-05-2022 11:37:12.524 +0100 DEBUG TailReader [8280 tailreader0] - About to read data (Reusing existing fd for file='\\********.file.core.windows.net\KanaResponse\RespShare\logs\log20221005_101607.xml'). 10-05-2022 11:37:12.524 +0100 INFO WatchedFile [8280 tailreader0] - Will begin reading at offset=0 for file='\\********.file.core.windows.net\KanaResponse\RespShare\logs\log20221005_101607.xml'. 10-05-2022 11:37:12.524 +0100 INFO WatchedFile [8280 tailreader0] - Checksum for seekptr didn't match, will re-read entire file='\\********.file.core.windows.net\KanaResponse\RespShare\logs\log20221005_101607.xml'. 10-05-2022 11:37:12.478 +0100 DEBUG TailReader [8280 tailreader0] - Will attempt to read file: \\********.file.core.windows.net\KanaResponse\RespShare\logs\log20221005_101607.xml from existing fd. 10-05-2022 11:37:12.478 +0100 DEBUG TailReader [8280 tailreader0] - Start reading file="\\********.file.core.windows.net\KanaResponse\RespShare\logs\log20221005_101607.xml" in tailreader0 thread 10-05-2022 11:37:00.394 +0100 INFO Metrics - group=per_source_thruput, series="\\********.file.core.windows.net\kanaresponse\respshare\logs\log20221005_101607.xml", kbps=0.622, eps=0.064, kb=19.295, ev=2, avg_age=1134.000, max_age=2268 10-05-2022 11:36:48.567 +0100 DEBUG TailReader [5484 MainTailingThread] - Enqueued file=\\********.file.core.windows.net\KanaResponse\RespShare\logs\log20221005_101607.xml in tailreader0   If anyone has any ideas how to circumvent this issue, I'd be hugely grateful. I have tried using MonitorNoHandle, but that doesn't work as (a) Splunk wants the network drive location to be mapped to a drive, which we aren't able to do and (b) it requires individual files to be monitored, which we can't do easily as the new file uses the timestamp of when it is created in it's filename. Thanks 

Hey all, Everything works fine but I keep getting a strange error only in Chrome, ERR_SSL_PROTOCOL_ERROR, but not in FireFox or Edge.  All browsers are running the latest versions, no proxies, or enhanced security features (no security plugins). I've gone through the basic troubleshooting steps of clearing cache, reset browser settings, etc.  Still nothing. Any help would be appreciated.  I'm also sneaking another question in here:  I have most devices using Splunk as a syslog device, so aside from sourcetype="linux_messages_syslog" host="name.of.device" (string) What would be a good way to grab data for that specific host/device for a time frame of 12:00:00AM to 4:00:00AM that same day?  Regards, Gabriel  

In Splunk Add-on for Sysmon | Splunkbase (and some other Add-Ons) XML extractions are done via a lot of manual transforms (e.g. [sysmon-version] REGEX = <Version>(\d+)</Version> FORMAT = Version::$1). Why aren't you using KV_MODE = XML? And could you please add the field query_type (Network_Resolution DM) and record_type values for A and AAAA records (which do NOT have a type: .. entry).

I am working on custom command with couple of external modules which I installed in my 'lib' directory pip3 install -r requirements.txt --target=lib After installing my custom command into Splunk (install from file) I keep getting ModuleNotFoundError even all modules live in app 'lib' directory i.e.  ModuleNotFoundError: No module named 'importlib_metadata' What I am doing wrong ? Had no issue before but I was only using 'requests' module so far, now trying a lot more, here is my requirements.txt requests>=2.0.0resilient resilient-lib