I am indexing email data that Splunk reads from an inbox folder (via TA-mailclient). Those emails contain a csv file that comes as file attachment to the email.  Below is an example where the field name of the attachment is file_content and the field value is below:     Stopped by Reputation Filtering,Stopped as Invalid Recipients,Spam Detected,Virus Detected,Stopped by Content Filter,Total Threat Messages,Clean Messages,Total Attempted Messages 9.28068485506,0.0,45.1350500141,0.00114191624597,1.53311465023,55.9499914356,44.0500085644,-- 251946,0,1225297,31,41620,1518894,1195841,2714735       I want to be able to manipulate the results to look like below: Stopped by Reputation Filtering Stopped as Invalid Recipients Spam Detected Virus Detected Stopped by Content Filter Total Threat Messages Clean Messages Total Attempted Messages 9.280684855 0 45.13505001 0.001141916 1.53311465 55.94999144 44.05000856 -- 251946 0 1225297 31 41620 1518894 1195841 2714735   Can someone please advise how to achieve this ? ... View more

As the title suggests, I want to index data from Splunk user email account's inbox folder. Splunk version - 8.2.4 Have already checked out TA-mailclient and IMAP Mailbox addons but none of them work and are unsupported In the first add-on, no matter how many times I change the attribute disabled to 0 in inputs.conf, it goes back to 1 after a restart. In the second addon, after using the troubleshooting command, I get the following error   File "/opt/splunk/etc/apps/IMAPmailbox/bin/get_imap_email.py", line 104 self.port = 993 ^ TabError: inconsistent use of tabs and spaces in indentation     Hence, can someone please advise how best to achieve this ? ... View more

I have configured  this addon as per the instructions and no matter how many times I set disabled=0, after restarting Splunk, it automatically goes back to disabled=1. Can anyone please advise how to fix this ? ... View more

There are two apps, a custom app and search app which are inaccessible to users despite them having read permission to view the app. These apps exist on a Search Head Cluster. Can someone please advise how to fix this ? ... View more

As the title says, I have a list of subnets and I would like to create a search which would show traffic (using Palo logs) passing through those subnets. It should still show those subnets that had no traffic. I am using below query but it doesn't return results of those subnets with 0 traffic. If anyone can help with a better version of this query with a lookup and possibly using datamodels, that would be great. index=palo sourcetype=pan:log |eval stan=case(cidrmatch("10.0.0.0/24",src),"stanA"),(cidrmatch("10.0.1.0/24",src),"stanB"),(cidrmatch("10.0.2.0/24",src),"stanC") |stats count by stan   ... View more

If I run the following command on an indexer after stopping Splunk and my session on the terminal times out after few hours but before the process finishes, does the repair process continues to run or will it stop ? If it continues to run, will the result be saved in some log file? if yes, which one ?     splunk fsck repair --all-buckets-all-indexes       ... View more

Getting numerous such errors on the Indexer Clustering: Service Activity page   Failed to trigger replication (err='Cannot replicate remote storage enabled warm bucket, bid=index_name~680~3587E22A-71BF-4194-XXX-C1115EECE until it's uploaded')    Is this normal ? if not, please suggest how to fix this. Thanks. ... View more

Getting the following message in splunkd logs ERROR CMRemotePrimaryManager - Failed to evict delete for bid=index_name~XXXX.XXXX.XXXX as part of onPrimary initialization task, delete files might not be synced Please help fix this issue. Thanks ... View more

As per the Smartstore docs, tstatsHomePath must remain unset but I noticed the /default/indexes.conf on 8.1.5 version, the value of tstatsHomePath attribute is already set as shown in screenshot below: I have also noticed /opt/splunk/var/lib/splunk/index_name/datamodel_summary having numerous large files. Not sure if its to do with the tstatsHomePath attribute being set. Should I add the following in /local/indexes.conf ? tstatsHomePath =   ... View more

I recently migrated non-smartstore indexes to Smartstore as per the doc - https://docs.splunk.com/Documentation/Splunk/8.2.4/Indexer/MigratetoSmartStore However, on some of the indexers I noticed the local drive had high disk usage by Splunk, upon investigation noticed /opt/splunk/var/lib/splunk/index_name/datamodel_summary/ of various indexes is holding datamodel summary data that caused the high disk usage. Considering summary replication is unnecessary for Smartstore, I dont believe the directory need to exist anymore. In this case, should empty these /datamodel_summary/ directories ? ... View more

After first time installation of cyberchef app on a search head via deployment server, the custom search command works properly. However, on subsequent use we are seeing the following error and search not working. "Error loading required module Cyberchef: SyntaxError: Unexpected token import" App version 1.0.3 Can anyone please help fix this issue ? ... View more