I'm trying to create a correlation search that uses a macro from a custom application, but when I try to save it, I get the error: There was an error saving the correlation search. Error in 'SearchParser': The search specifies a macro 'custom_macro' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information. Trying to run the search within Enterprise Security returns the same error: Error in 'SearchParser': The search specifies a macro 'custom_macro' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information. I have looked in Advanced Search->Search macros, and the custom macro definitely does exist and is spelled correctly, and I have edited the permissions so that is available in all apps and all users have "read" permission. If I run the same search from another app such as Search & Reporting, or another custom application, it executes without any errors and returns data. The only app that cannot run it is Enterprise Security. What might be causing this? ... View more

I've written some Correlation Searches in Enterprise Security and saved them in a custom app: "SA-Custom". I've chosen Notable event as the adaptive response and filled in some amount of detail: Title, Drill-down search, etc. The searches run fine and generate Notable events, but none of the detail I've written comes through to the Incident Response dashboard, and all of my alerts are completely blank except for the title, which is in the format " Access - nameofsearch - Rule", not the title I specified in the Notable Event settings. Is there something missing that's keeping my adaptive response settings from taking effect when the notable event is generated? ... View more

Hi, I am trying to create a credential in Splunk Enterprise Security's credential management feature, but I keep getting the error: Credential updating failed on host: https://127.0.0.1:8089. II think this may be related to the format of the username, which is "user\name". There is no warning against using backslashes, but credentials created without them don't cause this error, and when I attempted to delete it via curl, it threw an error "no user called username", ignoring the backslash. Attempting to escape the backslash didn't work. This is unfortunately the user needed to bypass the proxy, so how can I create this user with a backslash included? ... View more

Hi, I recently migrated a Splunk instance from a Windows environment to a Linux environment. Since the migration, dashboards on the "License Usage" page have been displaying usage values up to ten times larger than are actually being indexed. There have been no license violations, so this data can't be correct. What might be causing this? ... View more

I've configured my own asset list, and now I want to stop asset information from the "demo assets" lookup from showing up in Dashboards, searches, etc. I've disabled the asset in the ES configuration, but it hasn't had any effect. How can I get rid of this junk data? ... View more

Hi, I'm trying to add a new asset list to Splunk Enterprise Security. I can see the lookup in Configuration->Data Enrichment->Identity Management, but it's not showing up when I search for assets: " assets returns only the demonstration assets. I tried to force a merge with *$SPLUNK_HOME/bin/splunk cmd splunkd print-modinput-config identity_manager | $SPLUNK_HOME/bin/python $SPLUNK_HOME/etc/apps/SA-IdentityManagement/bin/identity_manager.py --username=admin *, but this had no effect. The search suggested in the documentation to verify the merge (index=_internal source=*python_modular_input.log "Updated: target lookup table") shows 0 results, but searching these logs for errors returns numerous instances of the error in the title. Sample log: 2016-07-22 09:08:38,411 ERROR pid=80905 tid=asset file=lookup_modinput.py:streaming_merge_task:298 | status="Error processing record" count="1518" record="fields(ip='xx.x.xx.xx', mac='xxxxxx', nt_host='xxxxxxxx', dns='', owner='', priority='', lat='', long='', city='', country='', category='', pci_domain='', is_expected='', should_timesync='', should_update='', requires_av='')" Traceback (most recent call last): File "/opt/splunk/etc/apps/SA-Utils/lib/SolnCommon/lookup_conversion/lookup_modinput.py", line 288, in streaming_merge_task success = output_handler.process_streaming_record(result) File "/opt/splunk/etc/apps/SA-Utils/lib/SolnCommon/lookup_conversion/output.py", line 147, in process_streaming_record for field, value in [(k, v) for k, v in record.iteritems() if k != self.KEY_FIELD]: AttributeError: 'NoneType' object has no attribute 'iteritems' Does anybody know what this error is referring to, and how I can fix or get around it? Many thanks. ... View more

I have a Heavy Forwarder set to forward load balanced data to two Splunk indexers on 9997. When I enable receiving on the indexers (via Settings -> Forwarding and Receiving -> Configure Receiving), no data is showing up. Examining the splunkd.log on the forwarder and indexers shows the connection is being made with no errors. If I enable a Data Input to listen to port 9997, I can see data showing up in the index, albeit cooked data, which isn't readable - so the data is making it to the Splunk server, but just not showing up when I configure it to receive from another Splunk. What might be causing this? ... View more

A Splunk Universal Forwarder has been using an unusual amount of CPU (between 40% and 50%), specifically by splunk-winevtlog.exe. Checking the splunkd.log shows this error occurring fairly constantly: INFO PipelineComponent - <process> took longer than seems reasonable (xxxxx milliseconds) in callbackRunnerThread. Might indicate hardware or splunk limitations. The offending process varies between "triggerCollection" and "metricsmanager:probeandreport". I can't find a clear indication of what either of these processes does. The server has higher than the minimum recommendations - 4GB RAM and a 2.4 Ghz processor - so it shouldn't be hardware limitations. What other limitations can this error be referring to? ... View more

Hi everyone, I'm trying to write an alert, covering all indexes, that triggers when a specific number (say, 50) of events occur. However, I only want the alert to trigger if all 50 events are in the same index, not, for example, 40 in one index and 10 in another. Is there a way to specify this in the search string, or would I need to have a different alert for each index? ... View more

I'm using the Splunk Add-On for Cisco IPS to pull data from a number of IPS machines, but it seems like none of them are able to hold a connection, and I'm not getting any logs from them. Looking at Splunk's internal logs, it shows that Splunk connects successfully, but then immediately following every connection is an HTTP Error 401: Unauthorized... Wed Sep 16 15:53:56 2015 - INFO - Attempting to connect to sensor: xx.xx.xx.14 Wed Sep 16 15:53:56 2015 - INFO - Successfully connected to: xx.xx.xx.14 Wed Sep 16 15:54:01 2015 - ERROR - Connecting to sensor - xx.xx.xx.14: Traceback (most recent call last): File "C:\Program Files\Splunk\etc\apps\Splunk_TA_cisco-ips\bin\get_ips_feed.py", line 99, in run sdee.open() File "C:\Program Files\Splunk\etc\apps\Splunk_TA_cisco-ips\bin\pysdee\pySDEE.py", line 187, in open self._request(params) File "C:\Program Files\Splunk\etc\apps\Splunk_TA_cisco-ips\bin\pysdee\pySDEE.py", line 163, in _request data = urllib2.urlopen(req) File "C:\Program Files\Splunk\Python-2.7\Lib\urllib2.py", line 127, in urlopen return _opener.open(url, data, timeout) File "C:\Program Files\Splunk\Python-2.7\Lib\urllib2.py", line 410, in open response = meth(req, response) File "C:\Program Files\Splunk\Python-2.7\Lib\urllib2.py", line 523, in http_response 'http', request, response, code, msg, hdrs) File "C:\Program Files\Splunk\Python-2.7\Lib\urllib2.py", line 448, in error return self._call_chain(*args) File "C:\Program Files\Splunk\Python-2.7\Lib\urllib2.py", line 382, in _call_chain result = func(*args) File "C:\Program Files\Splunk\Python-2.7\Lib\urllib2.py", line 531, in http_error_default raise HTTPError(req.get_full_url(), code, msg, hdrs, fp) HTTPError: HTTP Error 401: Unauthorized Does anyone know what might be causing this problem? ... View more