Solution worked for me ... View more

I tried the command you provided but it gave an error while completing the installation. Here is the error I got: Creating unit file... Failed to auto-set default user. Failed to create the unit file. Please do it manually later. Please, how do I fix this? Thanks! ... View more

This Worked for me as well.  No need to give admin_all_objects permission! Splunk V. 8.2.5 ... View more

Has something changed in 8.2.3 that would have broken this functionality? We had this working up until a recent splunk upgrade and then it suddenly stopped:  I've confirmed that we are using the options above as well as the following sandbox options: <iframe sandbox="allow-same-origin allow-scripts allow-popups allow-forms" src="/app/lookup_editor/lookup_edit?lookup=$watchlist$&amp;namespace=MyAppTest&amp;type=csv&amp;owner=nobody" width="100%" height="400" border="0" frameborder="0"/> Now it just says loading.... ... View more

@PickleRick I was not aware of this. Thanks for pointing it out. ... View more

Yes I tried that as well.. One curious thing....I see few of the example working fine like -https://intellectualpoint.com ...but when tried for https://tableau.com that did not work and I see same errror ... View more

Thank you for this - this worked for me! ... View more

Unistall App punchcard_app ... View more

I have the same problem - but with fresh installs, when is no passwords set up. We only started having the problem since upgrading to Splunk 8. I was able to workaround it by placing an account/password file manually in the inputs dir. It wasn't a valid hash but it was enough to get the GUI to load and then I could change the password to a correct one. This workaround was straightforward as I already had a working version on splunk 7. However it doesn't work for installing something for the first time on V8 as I don't know what a valid account/password file looks like. ... View more

Yes, AD has a "magic string" (1.2.840.113556.1.4.1941) that I go into more detail on this answer https://community.splunk.com/t5/All-Apps-and-Add-ons/How-can-I-flatten-nested-Active-Directory-group-members-for/m-p/422464/highlight/true#M51519 But here is a working search for a single user that would give the output you mentioned: | ldapsearch search="(&(objectClass=user)(!(objectClass=computer))(cn=username))" attrs="cn,memberOf" | eval type="Direct" | rename memberOf AS Group | mvexpand Group | append [| ldapsearch search="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:cn=username,dc=amr,dc=corp,dc=mydomain,dc=com))" attrs="cn" | rename dn AS Group | table Group | eval type = "Nested" ] | filldown cn | stats values(type) AS type BY Group cn | rename cn AS User | eval type = if(match(type,"Direct"),"Direct",type) | table User Group type   ... View more

Thanks worshamn, you set me on the right track, I had initially tried distributing the nlp app to my cluster nodes via the master node, but of course that went into etc/slave_apps. I since copied the nlp app the the indexers under etc/apps and the app has started working and stopped complaining. The difference between my 2 search heads the working one and the new one that was looking for this app on the indexers is the old one is Splunk 7.1.3 and the new one is 7.3 So for those who are interested there is definitely a difference from 7.3 in the way search works, whether it stays local or not, as my 2 servers have no difference in the config only Splunk version. So it appears this problem occurred as of 7.3 ... View more

Glad I could be of help. 🙂 ... View more

AD does have a "magic string" (1.2.840.113556.1.4.1941) you can add to get this. Using your example the SPL would look like so: index="my_index" [| ldapsearch domain="mydomain" search="(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=cn=MY Group Name,ou=delegated,ou=groups,dc=amr,dc=corp,dc=mydomain,dc=com))" attrs="sAMAccountName" | table sAMAccountName | rename sAMAccountName as User] ...rest of search This also works in reverse say you want to get all groups including the nested groups for a user like so: | ldapsearch search="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=cn=username,dc=amr,dc=corp,dc=mydomain,dc=com))" attrs="cn" That will give you all groups a user belongs to, but a bit tougher to single out just the nested groups: | ldapsearch search="(&(objectClass=user)(!(objectClass=computer))(cn=username))" attrs="cn,memberOf" | append [| ldapsearch search="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=cn=username,dc=amr,dc=corp,dc=mydomain,dc=com))" attrs="cn" | rename dn AS memberOfNested | table memberOfNested | eval cn = "username" ] | filldown memberOf | eval nested = if(match(memberOf,memberOfNested),null(),memberOfNested) | fields - memberOfNested | stats values(*) AS * BY cn The AD documentation can be seen here: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx Pay careful attention to Note 10: The string 1.2.840.113556.1.4.1941 specifies LDAP_MATCHING_RULE_IN_CHAIN. This applies only to DN attributes. This is an extended match operator that walks the chain of ancestry in objects all the way to the root until it finds a match. This reveals group nesting. It is available only on domain controllers with Windows Server 2003 SP2 or Windows Server 2008 (or above). ... View more

Will do! thanks ... View more

I don't have the exact answer but have some ideas for you to try. Depending on how authentication is setup on this Splunk server, if you did have a locally created account then username and password would certainly work but that error sounds more like that the certificate is self-signed and that your Python client doesn't recognize the CA that signed it. You could try temporarily bypass verification https://stackoverflow.com/questions/27835619/urllib-and-ssl-certificate-verify-failed-error. I would recommend trying this out first in postman like this article shows https://answers.splunk.com/answers/692463/how-to-access-splunk-api-in-postman.html (note that you put the search in the body as raw and as is). Lastly, another option is use the Splunk Python SDK instead (http://dev.splunk.com/python) which abstracts many things like this for you. ... View more

Having the same issue. seeing a few error msgs URLError: raise URLError(err) what do these mean ... View more

Thank you so much for your answer @worshamn ! Are you aware of a date when we will have a multilingual version in vader? I don't know how to do text analysis in French in Splunk or if there is an effective and easy workaround to be at my level of competence.... Thank you for answering my questions anyway! ... View more

Hi worshmn, I tried that. still same. No improvements. ... View more

Please accept the answer that helped you . ... View more

Yes - the UI - Setup page for splunk-add-on-jira-alerts) includes text (password) boxes for the "JIRA password", but their use is failing to effect a change. The "release" we are running for the app is a git clone of 50ca4bb4c957cd75279ecec1d8681f3a2756c20e with a change date of 23rd March 2018. There doesn't seem to be a newer release - 0.9.0 is the latest with a release date of 2015. I'm meeting with the person who set all this up tomorrow. If he can't shed some light on this I'll raise a support ticket with Splunk. Thanks for your help. ... View more

I pushed out a new release into the repo: https://github.com/AlaskaSSO/TA-meraki/releases/tag/v1.1.2 If it looks good I'll push it up to the splunk app store. ... View more

I dont see any link for the windows add-on version 4.8.4 download ? If you know, can you share the download link please ? ... View more

7.1.2 update works for me too. 🙂 ... View more

hey try this run anywhere search | makeresults | eval request="/browse/EPS /browse/ISPTEXAS-27534 /browse/fsfsf-27534 /browse/abc /browse/edg /browse/abc-def" | makemv request | mvexpand request | where NOT like(request,"%-%") In your environment, you should write index=con_jira [| gentimes start=-1 | eval source="/opt/atlassian/current/logs/access_log." + strftime(now(), "%F") | return source] "GET /browse" | eval headers=split(_raw," ") | eval method=mvindex(headers,5) | eval request=mvindex(headers,6) | table request | where NOT like(request,"%-%") let me know if this helps! ... View more