Same issue here, even on 7.2.6 now! ... View more

How do we fix this in the jobs page? /en-US/app/SplunkEnterpriseSecuritySuite/job_manager ... View more

Anyone know if this has been fixed yet? ... View more

I have the same issue. The problem is there is no field called "nodename" in the datamodel. I can not find in the TA anywhere that defines this field, thus it will never match. Thus a lot of the dashboards don't work. ~/Splunk_TA_paloalto └──╼ grep -ri nodename *| grep -v .js bin/splunk_ta_paloalto/cloudconnectlib/splunktalib/modinput.py: if doc.nodeName == "input": bin/splunk_ta_paloalto/solnlib/net_utils.py: # [Errno 8] nodename nor servname provided, or not known lookups/threat_list.csv:36853,"Advantech WebAcess ActiveX NodeName Parameter Buffer Overflow Vulnerability",overflow,high,"CVE-2014-0764" lookups/threat_list.csv:36707,"Advantech WebAccess Browser ActiveX NodeName Parameter Buffer Overflow Vulnerability",overflow,high,"CVE-2014-0985" lookups/threat_list.csv:38655,"Advantech WebAcess ActiveX NodeName Parameter Buffer Overflow Vulnerability","code-execution",medium,"CVE-2014-0764" ... View more

Yes.. the end-time is always moving so when it runs it uses the "now" as the end-time, and subtracts the days. As long as you keep it lower than 7 it should complete successfully. ... View more

@MuS ♦ Thanks for the info! Funny thing.. I actually did it a little simpler, albeit with a sledgehammer. (PS I'm using the Splunk Add-on for Microsoft Office 365) I edited this file "splunk_ta_o365/bin/splunk_ta_o365/modinputs/management_activity.py" Changed the timedelta to 1 day 🙂 119c119 < start_time = end_time - timedelta(days=7) --- > start_time = end_time - timedelta(days=1) Now at least it only asks Azure for 24 hrs worth of data at a time 🙂 You could probably get away with 6 days if you wanted to check back that far. ... View more

Looks like now we need to have the ability to tell the add-on to only go back X days, otherwise it never completes and just keeps pulling in the same weeks worth of data. I've turned off my inputs until this is figured out 😞 ... View more

I just found this post on another thread. Makes sense because my pulls bomb out exactly 1 week back Looks like the limitation is in the O365 Management API that the Splunk app relies on: https://msdn.microsoft.com/office-365/office-365-management-activity-api-reference "Content older than 7 days cannot be retrieved." ... View more

What's the status on this? ... View more

Turns out the TA for Okta was somehow affecting the dashboard. I removed it and things returned to normal. ... View more

Thanks for commenting on this, I had forgotten I had opened it. Turns out the TA for Okta was somehow affecting the dashboard. I removed it and things returned to normal. ... View more

But how do we PULL events? I can't open up my Splunk instance to Amazon. ... View more

You need to put the [dropadlog] stanza BEFORE your [adlog] one, otherwise it will drop everything regardless of the tag. See "Keep specific events and discard the rest" on http://docs.splunk.com/Documentation/Splunk/7.1.1/Forwarding/Routeandfilterdatad ... View more