Thanks. I have similar error on other add-on, which was fixed by adding following to /etc/hosts on corresponding Splunk instance host: ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 Maybe this case can also be fixed similarly. Anyway, we switched to test the new add-on https://splunkbase.splunk.com/app/4055/ instead per support's advice. Thanks for all responded. ... View more

Thanks. Found that it's done by a transform in the CIM add-on $SPLUNKE_HOME/etc/apps/Splunk_SA_CIM/default/props.conf. Thanks a lot. ... View more

Thanks and agree. But when expanding the event fields on web interfrace, we can see that the "action" attribute is set to "success", not "login attempt". ... View more

Hi, thanks for your help. I'm just interest to know which configuration makes Splunk changed value of "action" into something different to that stated in the events... ... View more

thanks a lot. ... View more

Hi, not yet. We're waiting for updated version of the add-on... Thanks. ... View more

Thanks for the suggestions, that match with what we need. Will give them a try. Thanks a lot. ... View more

Hi thanks. We also use this method for Splunk instance with few apps installed, but looking for ways to hide apps menu on per user/role basis. Fyi. Thanks. ... View more

Noted and thanks. Will try it out. ... View more

It should be on heavy forwarder or indexer Got it. Will this overrides host part for all data with sourcetype=syslog? Chances are we hope to use host_segments for syslog data on some UF, while keep using host in log content for some other UF. Sorry to bother again. Thanks a lot. ... View more

stupid me. sorry for the newbie mistake... Just put following in props.conf but seems no effect. [source::/ssd///cyrus.log] TRANSFORMS = TRANSFORMS-host = splunk btools props list shows the setting is correct. Would you help? Thanks again. ... View more

tried but seems not working - still gets hostname from log content. My inputs.conf looks like following: [monitor:///ssd///cyrus.log] ignoreOlderThan=1d disabled = false TRANSFORMS = TRANSFORMS-host = host_segment = 3 index = test sourcetype = cyrus Did I miss anything? Thanks and rgds ... View more

Got it. Thanks a lot. ... View more

Update: We tried on another Splunk 7.0 installation without IPv6 support. The same error didn't occur. ... View more

Update: We tried on another Splunk 7.0 installation without IPv6 support. The same error didn't occur. ... View more

Hi, Thanks for the reply. The input file looks like following, which was created by the Add-On's GUI: ----------------- cut here ---------------- [MS_AAD_signins://Azure_AD_Signins] interval = 5 start_date = 2018-05-01 00:00:00 tenant_domain = mytenant.onmicrosoft.com [MS_AAD_audit://Azure_AD_Audit] interval = 5 start_date = 2018-05-01 00:00:00 tenant_domain = mytenant.onmicrosoft.com ----------------- cut here ---------------- Regarding the Sign-On URL, we just follow instruction at https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-api-prerequisites-azure-portal, to put https://localhost there: c. In the Sign-on URL textbox, type https://localhost. I wonder if "localhost" resolves to ::1 as our heavy forwarder runs dual IPv4 and IPv6 stack. Thanks a lot. Regards, ... View more