Hi, First thing I would do is install it on a local Splunk test instance and configure it there. Then after the configuration copy the whole app across to the Heavy Forwarder. This is the route I normally take in these situations. Else you need to go down the rabbit hole of editing the conf files manually and that might be a big pain. For example the ciscoaciserver_setup.conf: [ciscoaciserversetupsettings] ciscoacihost = ciscoaciport = ciscoaciusername = password = ispasswordauthentication = 1 isremoteuserauthentication = 0 remoteuserdomainname = remoteuserpassword = iscertauthentication = 0 certname= certprivatekeypath= It contains a password that probably is stored encrypted during the setup. This makes it very hard to manually configure it in the cli. ... View more

This will be of use for you: https://conf.splunk.com/files/2017/slides/measuring-hec-performance-for-fun-and-profit.pdf ... View more

Hi, I don't understand your logic? Since it is an epoch it is not a fixed time. The result of an epoch time of -62167252739 is different every second you run it. The Unix epoch (or Unix time or POSIX time or Unix timestamp) is the number of seconds that have elapsed since January 1, 1970 ... View more

https://docs.splunk.com/Documentation/Splunk/8.0.1/DistSearch/Transfercaptain ... View more

Could it be blocked because of a proxy? ... View more

Try this: | dbxquery query="Select sys.name as 'CName', count(ucs.RID) [Update], sys.Workgr as 'Domain' From Update_CS ucs JOIN System sys on sys. RID = ucs. RID JOIN UpdateIn ui on ucs.CID = ui.CID Where ucs. RID IN(Select RID from FullCollection where Coll_ID = '1010') AND UCS.CID IN(select TCID from SMS_CIR where FCID = '100200') AND UCS.status in ('0','2') GROUP BY sys.name, sys. Workgr ORDER BY 'CName' ASC" connection="<not_selected>" ... View more

There is no Data input called "Mail Server" in an out of the box installation of Splunk. There must be an app installed that created this input. Right? ... View more

Did you try to reinstall the visualization? ... View more

From Splunk docs: Searchable Data Copies: The number of complete searchable copies of the index that the cluster has. Replicated Data Copies: The number of copies of the index that the cluster has. Each copy must be complete, with no buckets missing. It shows that the moment you have one replicated data copy which becomes one searchable data copy, this data is searchable. You can look for more details about the actual number of copies and buckets using this search: | rest splunk_server_group=dmc_group_cluster_master splunk_server_group=dmc_indexerclustergroup* /services/cluster/master/indexes | fields title, is_searchable, replicated_copies_tracker*, searchable_copies_tracker*, num_buckets, index_size | rename replicated_copies_tracker.*.* as rp**, searchable_copies_tracker.*.* as sb** | eval replicated_data_copies = "" | foreach rp*actual_copies_per_slot [eval replicated_data_copies = replicated_data_copies." ".rp<<MATCHSTR>>actual_copies_per_slot."/".rp<<MATCHSTR>>expected_total_per_slot] | makemv replicated_data_copies | eval searchable_data_copies = "" | foreach sb*actual_copies_per_slot [eval searchable_data_copies = searchable_data_copies." ".sb<<MATCHSTR>>actual_copies_per_slot."/".sb<<MATCHSTR>>expected_total_per_slot] | makemv searchable_data_copies | eval is_searchable = if((is_searchable == 1) or (is_searchable == "1"), "Yes", "No") | eval index_size = round(index_size / 1024 / 1024 / 1024, 2)." GB" | fields title, is_searchable, searchable_data_copies, replicated_data_copies, num_buckets, index_size | search title="***" | search is_searchable="*" | rename title as "Index Name", is_searchable as "Fully Searchable", searchable_data_copies as "Searchable Data Copies", replicated_data_copies as "Replicated Data Copies", num_buckets as Buckets, index_size as "Cumulative Raw Data Size" ... View more

The only other thing you can look at is the kvstore / lookups that might give you and indication who created them. But I cannot see a 1 to 1 relation between those and a created service. ... View more

Good question...hard to answer as they aren't exactly like knowledge objects. What I did find is that when I create a service and then check in Splunk own's internal logging I see a match: index = internal sourcetype=itsiinternal_log component="itsi.services" objecttype=service method=create ... View more

Hello, Can you check if the folder splunkappaddon-builder exists in .../splunk/etc/apps directory? And then check if in your ../splunk/etc/apps/splunkappaddon-builder/default/app.conf the ui is set to is_visible=true ... View more

Did you find this? https://answers.splunk.com/answers/457038/what-does-the-number-of-files-in-the-data-inputs-f.html ... View more

Hi, Not sure exactly what you mean with that you are not able to find it? Add--on Builder is a seperate app that you need to download and install from here: https://splunkbase.splunk.com/app/2962/ The documentation and installation instructions are here: https://docs.splunk.com/Documentation/AddonBuilder/2.2.0/UserGuide/Installation ... View more

Yes, You can modify the /*/splunk/etc/apps/InfoSecAppfor_Splunk/default/data/ui/nav/default.xml In below example I added an extra menu item called Test Menu Item and a dashboard called test dashboard: <nav> <view name="security_posture" default='true' /> <collection label="Continuous Monitoring"> <view name="ids" /> <view name="malware" /> <view name="windows" /> <view name="access" /> <view name="network" /> </collection> <collection label="Test Menu Item"> <view name="test dashboard"/> </collection> <collection label="Advanced Threats"> <view name="access_anomalies" /> <view name="network_anomalies" /> <view name="custom_use_cases" /> </collection> <view name="security_monitoring" /> <collection label="Investigation"> <view name="user_investigation" /> <view name="asset_investigation" /> </collection> <view name="compliance"/> <view name="executive_dashboard"/> <view name="alerts" /> <view name="infosec_stats"/> <collection label="Search"> <view name="search" /> <view name="dashboards" /> <collection label="Experimental Dashboards"> <view name="endpoints" /> <view name="cloud_security" /> </collection> </collection> <collection label="Help"> <a target="_blank" href="https://splunkbase.splunk.com/app/4240/#/details">Installation Instructions</a> <view name="using_infosec_app"/> <view name="resources"/> <a target="_blank" href="https://answers.splunk.com/answers/ask.html?appid=4240">Ask a Question</a> </collection> </nav> ... View more