I am getting the following message when I switch to the Visualization tab after a search: "Your search isn't generating any statistic or visualization results. Here are some possible ways to get results." This is coming from a universal forwarder installed on a Windows server. I was trying to graph the network interface stats. I know I am missing something to allow me to do this.  

I have an Adaptive Response Action (execute_flow in the pic below)  that requires certain identity data about the subject of the notable (mobile phone number).   Not all users have a mobile number set in ES identity. Currently,  I throw a failure event in Python for this condition.   Is it possible to return a warning status instead?  

Hi. I'm trying to get only failed login attempts but while I could find the correct field, it's not as accurate as there might be a successful login after the session. The only way I can think off to bypass this is to use "if" argument but I don't know how to involve "if" in SPL. Here's the fields I currently use: index=application sourcetype=globalscape cs_method="*user*" sc_status=530 - provides all failed logins. index=application sourcetype=globalscape cs_method="*pass*" sc_status=230 - provides all successful logins.   Thank you for assisting!

We need a way for our custom add-on to include additional information from an alert into the cim_modactions log it writes when a failure happens.  The custom add-on's purpose is to create tickets in a remote system with fields from the alert results.   Therefore, in the case of a failure to create a ticket in the remote system, it would be really helpful to know details of the alert results which failed to be sent.  We can then alert on cim_modactions in the case of action_staus=failure and be able to respond by resending that alert. (Ideally we would  modify the add on to be resilient and try to send again, however we do also need to know about these failures, because in the case of an outage on the remote side we would need to still konw what had failed to be sent) Ideally we would include the entire contents of the alert result in the cim_modactions index. As nearly as we can tell the "signature" field is often filled with contextual information.  Replacing that value may be an option for us if we can find a sensible way to do so.   I go into some more detail and specificity below.  The cim_modactions index is useful in determining whether a specific action has been successful or not at our client's environment.  We send the output of our Splunk alerts to an external ticketing system through an adding we built using the Splunk Add-on Builder | Splunkbase. For the sake of this question let's call the application we built the "ticketing system TA" and the corresponding sourcetype in cim_modifications, "modular_alerts:ticketing_system".  If we search using "index=cim_modactions sourcetype="modular_alerts:ticketing_system", we return all cim_modactions about the ticketing system We can know if an alert was successfully created in the remote system if we search on: "index=cim_modactions sourcetype="modular_alerts:ticketing_system" action_status=failure We get results like:   2022-10-01 09:25:29,179 ERROR pid=1894149 tid=MainThread file=cim_actions.py:message:431 | sendmodaction - worker="search_head_fqdn" signature="HTTPSConnectionPool(host='ticketing_system_fqdn', port=443): Max retries exceeded with url: /Ticketing/system/path/to/login (Caused by ProxyError('Cannot connect to proxy.', ConnectionResetError(104, 'Connection reset by peer')))" action_name="ticketing_system" search_name="Bad things might be happening" sid="scheduler__nobody_ZHNsYV91c2VfY2FzZXM__RMD5e17ae2c72132ca0f_at_1664615700_985" rid="14" app="app where search lives" user="nobody" digest_mode="0" action_mode="saved" action_status="failure" host = search_head_hostname source = /opt/splunk/var/log/splunk/ticketing_system_ta_modalert.logsourcetype = modular_alerts:ticketing_system     Notice that we get a helpful error about the reason for the failure, the search it happened during and the timestamp. Unfortunately this does not get us down to which alert or alerts failed to be sent.  In each of our searches we have a field which identified which remote application is logging. Let's call it client_application_id. If we could include that number, like client_application_id=#####, that would be a help. Even more helpful would be to include alert_result_text="<complete text of the payload being sent across to the remote system at the time of the failure>" We also noticed that if signature contains anything that looks like an assignment, then that assignment becomes a field.  for example in a few cases we actually do see client_applicaiton_id=#####, but these are few and not in the case of failures.  In these cases there is also   signature="client_application_id=#####" Any direction on solving this specific question or even a suggestion on an alternate approach would be much appreciated.  

Dear Splunk community, I'm new to Splunk, so excuse my incompetence... What I'm trying to do is enriching my web access log with app name and team name from a csv lookup file. The CSV file "ingress_map.csv" looks like this:   ingress,app,team https://mycompany.com/abc,foo-bar,a-team https://app.mycompany.com,good-app,b-team https://app.mycompany.com/abc,better-app,c-team https://app.mycompany.com/abc/xyz,best-app,d-team     The url field of my web access log will seldom match exactly one of the ingresses, is it possible to have a lookup that finds the best matching ingress and adds the fields app and team to the log line? Or is there a better way of solving this problem?   Regards Terje Gravvold

I have a bar chart stacked graph with time on X-axis and Success, failure count stacked on Y axis. when i click on the success count, it needs to display the table with success transaction details. same for failure count as well.  As of now i am passing the earliest and latest time from the bar chart with the below condition. <eval token="e">$click.value$</eval> <eval token="le">relative_time($click.value$, "+60m")</eval> I have 2 panel described as Show_Success and Show_failure. Can someone help me how to set the token to pass the value for the panel to show depends on the click for success or failure. 

I am trying to extract field from the "textPayload" value which is log message and it has "status" as key.  I want to make my search by extracting "status" as a field and apply for creating alerts.  Here is the regex i generated and working in regex101 >> \\"status\\":\\"(?<status>[^\"]+) Here is our sample log ================================================================================ {"insertId":"l9ple6wfkvbdfasfdsfdwyoo","labels":{"compute.googleapis.com/resource_name":"gke-default-node-poo-4e912bb9-vrl1","k8s-pod/app":"some-service,"k8s-pod/environment":"dev","k8s-pod/part-of":"some-service","k8s-pod/pod-template-hash":"79cb686fcf","k8s-pod/security_istio_io/tlsMode":"istio","k8s-pod/service_istio_io/canonical-name":"some-service","k8s-pod/service_istio_io/canonical-revision":"v1","k8s-pod/stage":"dev","k8s-pod/version":"v1"},"logName":"projects/abc-dev/logs/stdout","receiveTimestamp":"2022-09-30T15:00:05.2690572Z","resource":{"labels":{"cluster_name":"-gke-dev","container_name":"some-service-v1","location":"us-east4","namespace_name":"dev","pod_name":"some-service-v1-79cb686fcf-x2frb","project_id":"gke-dev"},"type":"k8s_container"},"severity":"INFO","textPayload":"2022-09-30 15:00:00.952 INFO 1 --- [nio-8080-exec-8] c.a.a.a.controller.BrokerController : {\"classification\" "NORMAL\",\"action\" "ALERT\",\"host\" "asome-service-v1-79cb686fcf-x2frb\",\"ipAddr\" "10.143.104.169\",\"status\" "SUCCESS\",\"time\" "2022-09-30T15:00:00.952Z\",\"msg\" "getToken - Start\"}","timestamp":"2022-09-30T15:00:00.95264915Z"}

ERROR HttpListener [97417 TcpChannelThread] - Exception while processing request from x.x.x.x:63596 for /en-US/splunkd/__raw/services/search/shelper?output_mode=json&snippet=true&snippetEmbedJS=false&namespace=search&search=search%20i&useTypeahead=true&showCommandHelp=true&showCommandHistory=true&showFieldInfo=false&_=1664562934323: std::bad_alloc Any help please     

Hi I got error message after upgrading splunk enterprise from version 8.1 to version 8.2.7 in all my splunk dashboard, it shows warning with message : cannot expand lookup field 'hostname' due to a reference cycle in the lookup configuration can you tell me how to fix this issue?   thank you