@maheshnc - Search for internal logs to understand and troubleshoot the issue further. index=_internal NOT source=*_access* "<title of the alert>"   And see what logs tell you.   I hope this helps!!! Kindly upvote!!! ... View more

@smakwana - I don't think the given information is enough to understand the issue, given the complexity and variety in AWS inputs. Please provide more details. * Are you using SQS-based S3 input? * What are your input settings? * Is your SQS configured correctly? * etc ... View more

@hl - This document describe many detection that would apply to Palo Alto data or Firewall data in general. https://research.splunk.com/detections/categories/network/   I hope this helps!!! Kindly upvote if it does!!! ... View more

@sankar_admin - This document below should help. But in general, you have two options: SOAR on Cloud and SOAR On-prem. https://help.splunk.com/en/splunk-soar   Regarding compatibility matrixs with other ventors there are many SOAR Connectors available on Splunkbase. - https://splunkbase.splunk.com/apps?page=1&sortBy=popular&product=soar    I hope this helps!!! Kindly upvote if it does!!! ... View more

@Bosv0id - Basically, this feature helps automatically resolve the on Jira as well when the issue seems to be resolved from the alert side. So, you need to have logic in your alert query which gives you following fields/information Auto close key value pair Whether the issue is there or resolved (concept is well described in this App - https://splunkbase.splunk.com/app/7016) When this key value pair is found in the result, it means it is a resolved alert and not a trigger alert  Auto close issue number field name In case of a Jira ticket to be resolved, you need to provide the Jira ticket number to be resolved. This needs to be present in the results as a field. This field would be empty in case the issue is triggered (not resolved) Auto close status transition value What is the close status of Jira in your project Auto-close comment If you want to add a comment while closing the ticket.   I hope this helps!!! Kindly upvote if it does!!! ... View more

@yachtbum - This is true in some environments. I notice so many of these warnings. Not sure exact root cause. Although you cannot currently configure the reconnect retry timeout in Splunk.  But you can configure the normal connection timeout setting in outputs.conf on the forwarder if that is what you need for your environment.   I hope this helps!!! Kindly upvote if it does!! ... View more

@addOnGuy - I don't know if its very clear from your description what exactly that you are building.   But here is the document for helper functions - https://docs.splunk.com/Documentation/AddonBuilder/4.5.0/UserGuide/PythonHelperFunctions   If you are building Custom Alert Action with Add-on Builder then this should help - https://docs.splunk.com/Documentation/AddonBuilder/4.5.0/UserGuide/CreateAlertActions    I hope this helps!! ... View more

@splunker2k24 - You can use this App. App not supported meaning that App is not supported by Splunk Support. But App is still valid and developed by "Splunk Works". And this App is one of the widely used App so you should be good with it.   I hope this helps!!!  ... View more

@salohiddin - You need higher precedence starting with Alphabetical order for Global Precendece of Splunk. * Doc Reference - https://docs.splunk.com/Documentation/Splunk/9.4.2/Admin/Wheretofindtheconfigurationfiles    So, create the App named AAA_disable_windows_security_input App and put the inputs.conf in the local folder and deploy.   I hope this helps!!! ... View more

@Alan_Chan - Here is what got to understand: * You are using SOAR on 8443 port. * You are trying to connect SOAR from Splunk ES as per this - https://help.splunk.com/en/splunk-soar/soar-on-premises/administer-soar-on-premises/6.4.1/introduction-to-splunk-soar-on-premises/pair-splunk-soar-on-premises-with-splunk-enterprise-security-on-premises   If this is the case and if: * you are entering the IP & credentials correct * and there is no connectivity issue.   Then it is most likely SSL certificate validation issue. And your error also suggests the same thing.   You can follow the document to fix it - https://help.splunk.com/en/splunk-soar/soar-on-premises/administer-soar-on-premises/6.4.1/manage-splunk-soar-on-premises-certificate-store/update-or-renew-ssl-certificates-for-nginx-rabbitmq-or-consul#f311597b_e8dd_40f2_9844_a62f90ffc64c__Updating_the_SSL_certificates * Please kindly understand SSL certificates well before you apply this on Production to avoid any issues.   I hope this helps!!! Kindly upvote if it does!!! ... View more

@mwmw  - Does @tej57 answered your question?? If that does, kindly please accept the answer by clicking on "Accept as Answer". ... View more

@sarit_s6 - That one requires Javascript to be written to remove "All" option. Reference - https://community.splunk.com/t5/Dashboards-Visualizations/Remove-quot-All-quot-from-Multiselect-Input-in-Dashboard/m-p/301375   OR you can opt for complex XML editing suggested in this reference - https://community.splunk.com/t5/Dashboards-Visualizations/Remove-ALL-from-multi-select-input-once-any-value-is-selected/m-p/711199   I hope this helps!!! Kindly upvote if it does!!! ... View more

@Macedovin - Great that you join the Splunk community here. And I'm glad that you were able to resolve the issue you had and even updated that details here.   It would be amazing if you can answer your own question here with the details that you added in your question instead currently (UPDATE). So that future Splunk community users can clearly see your question & answer and can get help from it. Once you add your answer, also please mart it as "Accepted".   Community Moderator, Vatsal ... View more

@Alan_Chan - Are you sure your Splunk port is 8443??   ... View more

@vader13 - You did not included the reference which mention supported and not supported. Also, I'm not sure what you are referring to with HTTPOUT.   ... View more

@msatish - As mentioned by @dionrivera you can use SC4S CEF for parsing.   But if you want to parse the already ingested CEF formatted data in Splunk then you can use this App's custom search command to do that. https://splunkbase.splunk.com/app/7701   ... View more

@msatish- Yes you can always define your own sourcetype & your own custom index that you want any data to fall into.   But as @livehybrid is asking you can need to figure-out how you are collecting the data & which format of the logs so you can figure-out from which config file & where you can apply the new sourcetype & index. And you also need to put props.conf configuration (Parsing, Timestamp extraction, Field Extraction, etc.) for your custom sourcetype.   And make sure index is created on your indexers before you start pushing the data into your custom index.   I hope this helps!!! ... View more

Then I think definitely it something related to Log4j configuration or on Spark/Java side in which I have 0 experience, so I'm sorry I won't be able to help you, but I hope someone else in the community will be able to help. ... View more

@livehybrid- This curl tool sounds useful. And @Zoe_  you just need to add | outputlookup <your-lookup-name> at the end of @livehybrid 's query. ... View more

@livehybrid  json_array_to_mv - that's sounds interesting.  🙂 ... View more