Hi @pkarpushin ,  Did you find a solution to this issue? I am facing the exactly same issue in my environment. I tried following THIS Splunk doc, but it didn't work.  Let me know if you have any leads on this.  ... View more

Found a way to spot the troublesome csv.  (worked for me, anyway)  requires CLI. The grep looks for special characters in the file. find $SPLUNK_HOME/etc -name "transforms.conf" | xargs grep -l -P -n "[\x80-\xFF]" find $SPLUNK_HOME/etc -name "*.csv" | xargs grep -l -P -n "[\x80-\xFF]"   Another thing that helped track down the issue was run the rest call as a Splunk search, then look at the search.log | rest /services/data/transforms/lookups ... View more

@pkarpushin I have a similar use case but I need the two-level of row expansion, The first expansion is on main row and the second expansion is on the expanded row.  Is this possible? Please assist! ... View more

Try this: |eval d1 = strptime(starttime, "%d-%b-%Y %H:%M:%S") | eval d2 = strptime(endtime, "%d-%b-%Y %H:%M:%S") | eval duration_in_seconds = d1 - d2 Hope this helps ... View more

If so, then you should click Accept here and close the question. Don't forget to UpVote anybody that helped you. ... View more

That's correct - no "fast way". And I agree, doing it one-by-one is rather tedious. Normally, in custom apps, this isn't a big problem as you know what you put in those custom apps. The problem is the search app. It is heavily integrated within splunk and you can't simply deny users access to it, or many other things would break as well. ... View more

Hi @harsmarvania57 Thank you for your answer. Just after I have posted this question I found out that Allowed Indexes are inherited with the roles. So I created new role restricted_user with the same as default user except srchIndexesAllowed param (above in updated question). Unfortunately the issue persists. ... View more

I'm having the same issue, the Inventory -> Devices panels show a Pivot error, It used to show data, mostly empty a couple of previous versions. ... View more

tried running it as the default Windows LocalSystem account, so the permissions I think should be ok. I could also see the Universal Forwarder exe listening on udp 514 with a netstat -a -b. I've given up on this and just gone with using an external syslog server with a Universal Forwarder installed. Thanks for your response. ... View more

did u solve the duplicate values? ... View more

Hi This output you get in splunk is the result of processing snmp traps by DefaultResponseHandler in responsehandlers.py. It does not process traps properly, especially can't handle OID value to produce human readable appearance. Below is my hustom responsehadler which gives slightly better results in splunk. class TRAP_ONLY_HANDLER: def __init__(self,**args): pass def __call__(self, response_object,destination,table=False,from_trap=False,trap_metadata=None,split_bulk_output=False,mibView=None): splunkevent ="" #handle traps if from_trap: for oid, val in response_object: try: (symName, modName), indices = mibvar.oidToMibName(mibView, oid) splunkevent +='%s::%s.%s' % (modName, symName,'.'.join([ v.prettyPrint() for v in indices])) except: # catch *all* exceptions e = sys.exc_info()[1] logging.error("Exception resolving MIB name in the caught trap: %s" % str(e)) splunkevent +='%s = ' % (oid) # Changed part try: str_val = val.prettyPrint() # Get value format (group1) and value (group2) val_matches = re.search(r'_.+:\s+.+:\s+.+:\s+(.+)=(.+)',str_val) # valName (format) probably should be vanished valName = val_matches.group(1) valVal = val_matches.group(2) splunkevent +='(%s) = "%s" ' % (valName, valVal) except: splunkevent +='[still not working] val=[%s] ' % (val.prettyPrint()) splunkevent = trap_metadata + splunkevent print_xml_single_instance_mode(destination, splunkevent) You should have good knowledge of pysnmp to write proper responsehandler. I hope developers will make one someday. ... View more

Didn't work with 7.0.1 at first. After upgrading SH to 7.1.3 worked as a charm. Thanks @arowsell ... View more