Hi Celeste, The blogpost you are basing your script on is quite old (2011), and in the current python SDK i'm using there is no splunk.entity module. Which SDK version are you using? Here is how I manage to retrieve credentials using Python SDK version 1.6.2: service = client.Service(token=sessionKey) # service.storage_passwords.create('test','damien','SPLUNK ANSWERS') print service.storage_passwords.list(**{"search": "SPLUNK ANSWERS"})[0].content For this example the output is as following: {'username': 'damien', 'encr_password': '$1$gfY5DWk=', 'realm': 'SPLUNK ANSWERS', 'clear_password': 'test', 'password': '********'} Hope that helps! ... View more

That looks like the session key passed is not valid. Could you print everything Splunk is passing to stdin? ... View more

Hi ashiqm, Unfortunately I don't work with the Java SDK. Apparently there is no existing setter method for sample_ratio, so you would have to write your own. May be worth it to re-ask your question specifying you are using Java SDK so Java SDK users get visibility on your question. ... View more

I thought it would be okay if you only worry about the visual aspect, you can even hide the legend if you find it confusing! Eventually someone will post a solution using javascript later. Good luck and happy Splunking! ... View more

I think the way you did it is already very smart 🙂 Eventually you could use rename instead of eval! ... View more

Hi, I wanted to do the same thing once and came up with the following solution: (host=wjb4stl260 OR host=wjb4stl261 OR host=wjb4stl262 OR host=wjb4stl263 OR host=wjb4stl365 OR host=wjb4stl366 OR host=wjb4stl367 OR host=wjb4stl368 OR host=CJB4STL365 OR host=CJB4STL366 OR host=WJB4STL62 OR host=WJB4STL67 OR host=WJB4STL68 OR host=WJB4STL69 OR host=WJB4STL72 OR host=WJB4STL73 OR host=CJB4STL60 OR host=CJB4STL61) (MountedOn="/tmp" OR MountedOn="/apps_01") | dedup host, MountedOn | chart max(UsePct) as max_use_pct by host, MountedOn | eval status=case( max_use_pct <= 30, "green", max_use_pct > 30 AND max_use_pct <= 70, "yellow", max_use_pct > 70, "red") | chart values(max_use_pct ) by host, status Then select stacked mode in the visualisation format. You can then assign colours to the bars using the "green", "yellow" and "red" fields (that you can rename to anything more relevant if you want, like "low/medium/high disk usage for example") using charting.fieldColors for example. ... View more

Settings > Lookups > Lookup Table Files then click Permissions hyperlink for the specific lookup, uncheck Everyone for the Read Column and check for the role(s) you want to assign read permissions. ... View more

It worked for me 😞 Can you try add the SPL lines one by one see where you start losing results? ... View more

The URL you indicated start with "http", shouldn't it be "https"? ... View more

Hi katzr, When you say All of my lookup are global permissions Are you talking about the object context (shared in all Apps) or saying read permissions are set to everyone? Because if you do create a new role, I think you could assign Read permissions to it for specific lookups only. ... View more

Hi ejwade, You can send specific events to the nullQueue to discard them at the indexer/heavy forwarder level. In your case it would look like: props.conf [source::<bro_logs_source>] TRANSFORMS-null= set null transfroms.conf [setnull] REGEX = <your_regex> (for you something that deals with internal A record) DEST_KEY = queue FORMAT = nullQueue You can have a read through the "Filter event data and send to queues" section at http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Forwarding/Routeandfilterdatad. Hope that's helpful! ... View more

DEST_KEY for index should be _MetaData:Index : The index where the event should be stored. (Notice the underscore prefix) (http://docs.splunk.com/Documentation/Splunk/7.0.0/Admin/Transformsconf) ... View more

Have you already been through the relevant docs at http://docs.splunk.com/Documentation/Splunk/7.0.0/Alert/Emailnotification If so, can you explain what are you struggling with? ... View more

How about this: Add the following to your existing search | transpose | eval isdate=if(match(column,"\d{4}-\d{2}"),1,0) | eval month=strftime(now()+320000, "%Y-%m") | where column=month OR isdate=0 | fields - isdate month | transpose column_name=column header_field=column | fields - column Note: I've added +32000 to now() to be and December and try it, to be removed after! ... View more

I'm assuming you are talking about displaying the values in a dashboard where you can select the month. The easiest way would be to have a dropdown input for the months with a token $month$. For example for "December 2017", the token value would be "2017-12". Your dashboard search query would end with | fields ID Name $month|s$ to keep only the column which represents December 2017. You would have to assign token values for each month manually. You can find examples on how to use dropdown in a dashboard here: https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Viz/Buildandeditforms You can also install the Splunk Dashboard app on your local instance and look for dropdown examples: https://splunkbase.splunk.com/app/1603/ ... View more

I think it would be difficult if not impossible to achieve per event. fieldsummary command gives info about fields for all the events returned by the event search. ... View more

Are you willing to create a new field for each event that would hold the value of the field (for example "not_matching") that does not match? ... View more

You can find how to monitor WinHostMon at http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowshostinformation See type attribute to set which service to monitor. Example: # Queries computer information. [WinHostMon://computer] type = Computer interval = 300 # Queries OS information. # 'interval' set to a negative number tells Splunk Enterprise to # run the input once only. [WinHostMon://os] type = operatingSystem interval = -1 For WMI please check http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/MonitorWindowseventlogdata. Example: [WMI:AppAndSys] server = foo, bar interval = 10 event_log_file = Application, System, Directory Service disabled = 0 ... View more

The error logs seems to indicate a problem with parsing of the UCC Config JSON file at endpoint "account_list" Going through the add-on code, it seems to come from a problem with parsing of the "o365_schema.account_monitor_config.json" file under /bin/splunktamscs/o365_schema.account_monitor_config.json More specifically, with the account_list section and refresh_token value. You can try looking for a missing coma or missing quotes around "json" for example. The default content for that config file is (fresh download of version 2.0.3): { "_product": "Splunk_TA_microsoft-office365", "_rest_namespace": "splunk_ta_ms_o365", "_rest_prefix": "ta_o365_server_", "_protocol_version": "1.0", "_version": "1.0.0.0", "cert_setting": { "endpoint": "certificate" }, "api_setting": { "endpoint": "#configs/conf-splunk_ta_ms_o365_api_settings", "field_types": { "*": { "api_url": "json", "data": "json" } } }, "ucc_system_setting": { "endpoint": "#configs/conf-splunk_ta_ms_o365_server_ucc_system_setting", "field_types": { "o365_refresh_token": { "apis": "json", "url": "json" } } }, "global_setting": { "endpoint": "settings", "field_types": { "proxy": { "enable": "bool", "dns_passthrough": "bool" } } }, "account_list": { "endpoint": "accounts", "field_types": { "*": { "access_tokens": "json", "access_tokens_encrypted": "json", "refresh_token": "json" } } }, "management_api_input_list": { "endpoint": "management_api_inputs" } } Hopefully that will help if not, can you try provide more errors/warnings if any. ... View more

Yea, i forgot to mention duration would be stored under duration field, that's great you found it! Thanks for accepting my answer and happy Splunking! ... View more