I am writing a simple TA to read a text file and turn it into a list of JSON events. I am getting a WARN message for each event from the TcpOutputProc process, such as the one below: 02-21-2025 01:06:04.001 -0500 WARN TcpOutputProc [2061704 indexerPipe] - Pipeline data does not have indexKey. I removed the rest of the message containing details. It seems that I am missing something simple. I would greatly appreciate some insights/pointers towards debugging this issue. The TA code is here in GitHub: https://github.com/ww9rivers/TA-json-modinput Many thanks in advance! ... View more

I see this "extracted_eventtype" field in many saved searches and dashboard inline searches. However, I cannot find where it is generated. In the DUO events I do see "event_type" and "eventtype" fields. But not "extracted_eventtype". Dashboards with that field show "No results found." because that field is nowhere to be found in DUO events. Any thoughts / pointers would be very much appreciated! ... View more

From the documentation, I believe that the Task Server should start after I set up the JAVA_HOME, but it has been failing to start, with only a message "Failed to restart task server." I am running an instance of Splunk version 8.1.5. When installing DBx 3.17.2, I installed OpenJDK 8, DBx started that it required Java 11. So I installed java-11-openjdk version 11.0.23.0.9.  Task Server JVM Options were automatically set to "-Ddw.server.applicationConnectors[0].port=9998". Is there anything else missing?   Is there a way to debug this issue? I looked into the internal logs from this host but have not been able to find anything that stands out.   Thanks for any insights and thoughts. ... View more

Based on documentation, and posts (Who do saved scheduled searches run as? and  Question about "run as" (Owner or User ) for saved searches), a saved search configured to "run as" owner, should run with permissions that the owner of the search has. However, I have two saved searches that do not work that way. Specifically, the searches use indexes that I (the owner) has access to but other user roles do not. The difference that I can think of is that my searches are in a Splunk Cloud instance, and my users authenticate using SAML against a IdP on premise. Any insights would be much appreciated! ... View more

Our networking team needs to get ASN from public IP addresses. We found the TA-asngen add-on. I put it through splunk-inspect and fixed the failures, added a MaxMind license key in the default/asngen.conf, installed it in our Splunk Cloud instance. When I try to run the `asngen` command, it gives out this error message:   Exception at "/opt/splunk/etc/apps/TA-asngen/bin/asngen.py", line 55 : maxmind license_key is required     Just wonder if anyone has tried the TA in the cloud. Any thoughts would be much appreciated. ... View more

Splunk seems to have a problem with authenticating a SAML user account using a token. The purpose of using token authentication is to allow an external application to run a search and get the results. A sample script is posted on GitHub as a code gist — the script simply starts a search but does not wait for the results. The problem is that when token authentication is used with a SAML account, it only works when that SAML user is logged in on the Splunk web GUI and while the interactive session is (still) valid. The problem is shown in the internal log:   07-03-2023 19:35:53.931 +0000 ERROR Saml [795668 AttrQueryRequestExecutorWorker-0] - No status code found in SamlResponse, Not a valid status. 07-03-2023 19:35:53.901 +0000 ERROR Saml [795669 AttrQueryRequestExecutorWorker-1] - No status code found in SamlResponse, Not a valid status.   The theory on the failure is: The token authentication works with (within) Splunk; But Splunk needs to perform RBAC after authentication. So it does AQR after the authentication; However, when there is no valid, live SAML session, the AQR fails. (AQR = Attribute Query Request) -- in this case, to get the user's group memberships to map to Splunk roles. I wonder if anyone has been able to get token authentication to work for a SAML account? [Edit]: On the other hand, is it simply impossible to use token authentication with a SAML user account? ... View more

Got these errors while installing acs-cli in WSL/Ubuntu:   ==> Installing acs from splunk/tap ==> Installing dependencies for splunk/tap/acs: linux-headers@5.15, glibc, gmp, isl, mpfr, libmpc, lz4, xz, zlib, zstd, binutils and gcc ==> Installing splunk/tap/acs dependency: linux-headers@5.15 ==> Pouring linux-headers@5.15--5.15.57.x86_64_linux.bottle.1.tar.gz cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter/xt_connmark.h': File exists cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter/xt_dscp.h': File exists cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter/xt_mark.h': File exists cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter/xt_rateest.h': File exists cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter/xt_tcpmss.h': File exists cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter_ipv4/ipt_ecn.h': File exists cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter_ipv4/ipt_ttl.h': File exists cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter_ipv6/ip6t_hl.h': File exists Error: Failure while executing; `cp -pR /tmp/d20221130-6079-1ef476r/linux-headers@5.15/. /home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15` exited with 1. Here's the output: cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter/xt_connmark.h': File exists cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter/xt_dscp.h': File exists cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter/xt_mark.h': File exists cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter/xt_rateest.h': File exists cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter/xt_tcpmss.h': File exists cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter_ipv4/ipt_ecn.h': File exists cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter_ipv4/ipt_ttl.h': File exists cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter_ipv6/ip6t_hl.h': File exists This happened after the "brew install acs" command has gone through 13 downloads of libraries etc. Any help would be much appreciated.   ... View more

This seems to be a bit strange: We are running Enterprise version 8.1.5 in a search head cluster. A custom app is created for our security team to manage their dashboards, etc. The strange thing is, some of the dashboards cannot be deleted -- there is just no delete (or move) option: I've checked on all the individual nodes in the cluster, they are all in the local/ folder in the app. This is on-prem Splunk Enterprise, so I can manually delete them from all the nodes as an admin. But I would like to understand what I am missing here. I did search for answers here and found this one post. But that is in the Splunk Cloud. So I am not sure if my issue is a bug like that in the posting or not. Thanks for any thoughts / discussions. Happy holidays! ... View more