It's not widely known until you run into it and the Docs pages is scattered around at times.   You can read more about it here in the section below: https://docs.splunk.com/Documentation/Splunk/8.2.5/Data/Extractfieldsfromfileswithstructureddata#Field_extraction_settings_for_forwarded_structured_data_must_be_configured_on_the_forwarder ... View more

I looked around and it doesn't appear to be another TA/app for it. So I assume people create their own TA or app for that - in terms of knowledge object related stuff (dashboards, CIM, lookups, index time configs). If the existing HAProxy TA has inputs stuff, you can use it for that and build your own stuff outside of that. ... View more

Don't know how I overlooked btool - that's also the fastest way to pin down the configs. ... View more

That is kind of odd that the index isn't there when it's there in the GUI. Can you look for an indexes.conf file within the $SPLUNK_HOME/etc/apps directory? Sometimes users click into an app or TA, then go to the indexes settings and create an index there without realizing that the index.conf gets put into that TA/app context. If you find the indexes.conf, move it to etc/system/local and restart Splunk. ... View more

I copied your SPL and it didn't have a space between the endpoint and splunk_server values. Can you try this? | rest splunk_server=<my_hosts> /services/configs/conf-indexes ... View more

Try this:   [azure:eventhub] DATETIME_CONFIG = CURRENT   props.conf snippet: DATETIME_CONFIG = [<filename relative to $SPLUNK_HOME> | CURRENT | NONE] * Specifies which file configures the timestamp extractor, which identifies timestamps from the event text. * This setting may also be set to "NONE" to prevent the timestamp extractor from running or "CURRENT" to assign the current system time to each event. * "CURRENT" sets the time of the event to the time that the event was merged from lines, or worded differently, the time it passed through the aggregator processor. * "NONE" leaves the event time set to whatever time was selected by the input layer * For data sent by Splunk forwarders over the Splunk-to-Splunk protocol, the input layer is the time that was selected on the forwarder by its input behavior (as below). * For file-based inputs (monitor, batch) the time chosen is the modification timestamp on the file being read. * For other inputs, the time chosen is the current system time when the event is read from the pipe/socket/etc. * Both "CURRENT" and "NONE" explicitly disable the per-text timestamp identification, so the default event boundary detection (BREAK_ONLY_BEFORE_DATE = true) is likely to not work as desired. When using these settings, use 'SHOULD_LINEMERGE' and/or the 'BREAK_ONLY_*' , 'MUST_BREAK_*' settings to control event merging. * For more information on 'DATETIME_CONFIG' and datetime.xml, see "Configure advanced timestamp recognition with datetime.xml" in the Splunk Documentation. * Default: /etc/datetime.xml (for example, $SPLUNK_HOME/etc/datetime.xml). https://docs.splunk.com/Documentation/Splunk/latest/Admin/propsconf   ... View more

Are you 100% positive that the "windowseventlog" index exist on your indexer(s) or your all-in-one Splunk server? I would double check your indexes.conf. ... View more

Hey - have you reached out to @jkat54 for help? He's pretty responsive and helpful. You can also reach out to him via the Splunk usergroup in Slack. jkat54 is the creator of the TA you are asking about. https://docs.splunk.com/Documentation/Community/current/community/Chat ... View more

I think this error comes up when you are using a rising column input option and don't put in a value for the initial checkpoint. ... View more

If you know Javascript and want to mess with the source code, the error comes from here: splunk_app_db_connect/appserver/static/build/pages/common.js You may want to fork it to be your own app with the custom config, I don't know much more than that. ... View more

Hey - can you try to compare the inputs.conf from the updated TA vs the old TA? I think you can see all the settings in the inputs spec file in README directory. There may some additional configs that are needed which I think can break the GUI inputs page. You can also just spin up a new server with the same Splunk version and AWS TA version to configure the inputs on that and then check the inputs.conf file to compare it to you existing inputs.conf file. ... View more

Did you configure everything on the AWS side properly? See documentation below for more details: https://docs.splunk.com/Documentation/AddOns/released/AWS/S3 ... View more

I'm not the best at regex but I think what you're going for is this: ^\S+service\/(?<end_points>[^\s]+) Without seeing your more of the data around the URL, it's going to be hard to help you with an accurate regex. ... View more

I'm no DB admin but is there something that can be configured on the DB side to see if it helps with this timeout issue? Sometimes we focus on errors in Splunk logs but there are times it's on the upstream side. ... View more

I don't see anything about changing it back to false, so it seems like a permanent configuration.   storageEngineMigration = <boolean> * Whether or not you can migrate the KV Store storage engine on this instance. * Migrating the storage engine means changing the engine from 'mmap' to the newer 'wiredTiger'. * If you set this to "true", the instance lets you migrate the engine, depending on the following scenarios: * If this instance is standalone, you can migrate the engine during an upgrade by enabling this setting with a "true" value as part of the upgrade process and answering affirmatively when that process prompts you, or after an upgrade by using the 'splunk migrate kvstore-storage-engine' CLI command. * If it is a part of a search head cluster, you can perform the migration using the '/services/shcluster/captain/kvmigrate/start' REST endpoint. * If you set this to "false", you cannot migrate the storage engine. * Default: false https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/Serverconf ... View more

Do you see any additional error logs in the Splunk logs? Are you able to search firewall logs to see if anything is getting blocked?  It seems to be some kind of connection issues from the looks of it. I'd get some help from the network team if they have one to pin down the issue. If you want to know what URLs are being queried in the "Browse for more apps" page, check the link below. https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Serverconf#Remote_applications_configuration_.28e.g._SplunkBase.29 Check if there are any blocked messages for the dest IPs below: nslookup apps.splunk.com Server: <test> Address: <test>#53 Non-authoritative answer: Name: apps.splunk.com Address: 52.35.142.155 Name: apps.splunk.com Address: 54.202.124.249 Name: apps.splunk.com Address: 52.43.137.128   ... View more

Looks to be a known issue on Splunk v8.2.2 and I believe you can ignore it or apply the workaround provided below. Do you see any errors when you go to the manage apps configuration page? It usually tells you which TA/app has newer versions on Splunkbase. 2013-05-25 SPL-68010 The error thrown when your Splunk instance cannot connect to splunkbase/.../checkforupdate is not an ERROR, should be lowered to INFO. Workaround: Set server.conf [applicationsManager] allowInternetAccess = false   https://docs.splunk.com/Documentation/Splunk/8.2.4/ReleaseNotes/KnownIssues ... View more

Can you try to increase the "query_timeout" setting on the specific input you're running? It defaults to 30 seconds so you may need to increase this value and see what works for you. db_inputs.conf query_timeout = <integer> # optional # the max execution time of a SQL, the default is 30 seconds.  You'll see this setting in the GUI too in the inputs configuration part. ... View more

Adding on to what @SanjayReddy was saying on the props.conf configurations, best practice is to include the minimum configurations below. I'm assuming your events starts off with the date format, (Feb 17 10:25:09), so here is an example of the big 6/8 configs depending what Splunk host is sending or ingesting the data; put the props on the HF/IDX for parsing. I think you're sending the logs via syslog since I notice two timestamps and I'm going to use the timestamps inside the double quotes for the event time. props.conf   # Assuming your time prefix is the first set that starts with double quotes TIME_PREFIX = ^[^"]+ MAX_TIMESTAMP_LOOKAHEAD = 20 # Assuming your hours is in 24 hour notation (%T) TIME_FORMAT = %F %T SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+)\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2} TRUNCATE = 10000 # Use the following attributes to handle better load balancing from UF. # Please note the EVENT_BREAKER properties are applicable for Splunk Universal # Forwarder instances only. Valid with forwarders > 6.5.0 EVENT_BREAKER_ENABLE = true EVENT_BREAKER = ([\r\n]+)\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2}       ... View more

I think you already played around with "initCrcLength" config in inputs.conf which just tells Splunk how far into the file to compare the hash. It's just going to re-ingest the whole file no matter what you do with CSV files and you end up with duplicated data with the way you wrote your script (modifying specific values in the CSV file). I think a better way is to create a new CSV file whenever there is a change and modify your inputs.conf accordingly to ingest the files.  I might not have the best answer so wait around for more suggestions.   References: https://wiki.splunk.com/Community:HowSplunkReadsInputFiles https://docs.splunk.com/Documentation/Splunk/latest/Admin/inputsconf ... View more

Does the service account used for this data ingest has read access to the "LoginEvent" object on the Salesforce side? ... View more