Retried with curl and the domain\\username format and got curl to work - but the repsponse is initially a 401 and then retries and is successful - the request goes through a load balancer 1st enroute to the webserver. > curl http://mywebsite/healthcheck.aspx -v --ntlm -u DOMAIN\\username Enter host password for user 'DOMAIN\username': * Trying 1.1.1.1 ... * TCP_NODELAY set * Connected to myhost (1.1.1.1) port 80 (#0) * Server auth using NTLM with user 'DOMAIN\username' > GET /healthcheck.aspx HTTP/1.1 > Host: myhost > Authorization: NTLM XXX > User-Agent: curl/7.61.1 > Accept: */* > < HTTP/1.1 401 Unauthorized < Content-Type: text/html; charset=us-ascii < Server: Microsoft-HTTPAPI/2.0 < WWW-Authenticate: NTLM XXX < Date: Thu, 03 Jul 2025 01:07:05 GMT < Content-Length: 341 < * Ignoring the response-body * Connection #0 to host myhost left intact * Issue another request to this URL: 'http://myhost/healthcheck.aspx' * Found bundle for host myhost: 0x55a8787a6a60 [can pipeline] * Re-using existing connection! (#0) with host myhost * Connected to myhost (1.1.1.1) port 80 (#0) * Server auth using NTLM with user 'DOMAIN\username' > GET /healthcheck.aspx HTTP/1.1 > Host: myhost > Authorization: NTLM XXX > User-Agent: curl/7.61.1 > Accept: */* > < HTTP/1.1 200 OK < Cache-Control: private < Content-Type: text/html; charset=utf-8 < Server: Microsoft-IIS/10.0 < X-AspNet-Version: 4.0.30319 < Persistent-Auth: true < X-Powered-By: ASP.NET < Date: Thu, 03 Jul 2025 01:07:05 GMT < Content-Length: 557 < <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">   <html> <head> <title>Health Check</title> </head> ... View more

[Solution] @Niro  You can get the desired result by modifying transforms.conf as follows: 1. /opt/splunk/etc/apps/myapp/local/transforms.conf [pan_src_user] INGEST_EVAL = src_ip=replace(_raw, ".*src_ip=([0-9.]+).*","\1"), src_user_idx=json_extract(lookup("user_ip_mapping.csv",json_object("src_ip", src_ip),json_array(src_user_idx)),"src_user")   Result: ... View more

Yes, you should edit your Entity Search by implementing a new Info field like "location" which is filled ie by rex. ... View more

There's no need to edit props or transforms for Ingest Actions as they can be configured easily using the UI.  In fact, use of the UI is recommended to avoid errors in the ruleset config.  If you need to edit the config files for Splunk Cloud, do so in a custom app and upload the app to your Splunk Cloud search head. https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/Data/DataIngest#Deploy_a_ruleset_on_an_indexer_cluster   ... View more

Hi @Esky73 , thank you for your insights. Can you provide details on the custom alert action that runs a batch job restart? Is the script being run from Splunk to Control M server? or the script is present on the Control M server, and Splunk have a way to trigger it externally? ... View more

I know this is a while ago now, but maybe helpful to others...try using the "hidden" dimension `_timeseries`.  This is a JSON string that is an amalgamation of all of the dimensions for each datapoint. Take care, the results may be (very) high arity and splunkd doesn't (yet?) have very strong protections for itself (in terms of RAM used while searching) when using this code path, so it is (IMHO) easy to crush your indexer tier's memory and cause lots of thrashing.   ... View more

Hi @Esky73 , some add-ons aren't free and request to sign in an external site. The strange thing is that if you follow the Details there's another link to download this add-on and also the title is a little different, but it's downloadable. Ciao. Giuseppe ... View more

will do, thanks ... View more

Not quite sure what you are looking for? VMware has different components - but you will find a range of pre configured KPI's you can adapt to your requirements for ESX, Virtual Machines, Storage etc in the ITSI Content pack for Vmware  ... View more

thanks a lot @Esky73  ... View more

1. The thread is relatively old so you might not get many responses. It's usually better to post a new question (linking to old thread for reference) than to dig up a several-years-old thread. 2. The .xsl file is meant to be applied on the Vault side - installed to ENE, not used on Splunk's side. https://docs.splunk.com/Documentation/AddOns/released/CyberArk/Setup ... View more

Came looking for an answer to this as well - seems there has been an idea for this for some time now .. https://ideas.splunk.com/ideas/EID-I-717  ... View more

Thanks Esky! ... View more

I think you are looking for a stepped line graph? You could do something like this (I changed the second instance of 6/11 to 7/11 to show the changes separately, I also added another 12/11 to show the impact of having two values for the same date where one is negative and the other positive.) | makeresults format=csv data="date,change 25/10/2023,6000 31/10/2023,0 6/11/2023,2500 7/11/2023,500 12/11/2023,-7800 12/11/2023,800 16/11/2023,500" | eval _time=strptime(date,"%d/%m/%Y") | streamstats sum(change) as total | autoregress total | eval row=mvrange(0,2) | mvexpand row | eval total=if(row=0,total_p1,total) | table _time total Note that this chart only works well with _time for the x-axis, other scales not so well.   ... View more

Excellent work! Thanks! There is also idea to keep those as searchable on conf archive https://ideas.splunk.com/ideas/PORTALSID-I-141    ... View more

Hey @naisanza,  I installed the splunk on the Ubuntu (WSL) and encountered the same issue and i have tried the option you have provided and it worked.. Thank you very much.  ... View more

This guy Splunks ... View more

Were you ever able to find a solution to this? ... View more

Hi @Esky73, the action you are describing is called normalization and it's usually done to normalize logs to CIM compliance. At first I hint to see if there's an Add-on that already made normalization for your logs, if there isn't I hint to use calculated fields, e.g. something like this: | eval action=case(action="Block","blocked",action="block","blocked",action="not sent","blocked",action="tagged","delivered", action="delivered","delivered", action="logged","delivered") About the multivalue, see if it's possible to extract fields in a different way or use "like" in the above condition. Ciao. Giuseppe ... View more

Hi, I have created a timeline of URLs hit over a given session. Here is my chart:     and here is the respective XML code:     However, I need to add the time and dates on the top of the timeline as such:   How can I do this? Many thanks, Patrick ... View more

Hopefully you figured it out long ago. Below to help others who end up here. Use the Service KPI endpoint to retrieve the ad hoc search query. Field name is kpis.search. Example below. | rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/service report_as=text filter="{\"enabled\":1}" fields="_key,title,kpis._key,kpis.title,kpis.base_search_id,kpis.base_search,kpis.alert_period,kpis.unit,kpis.aggregate_statop,kpis.entity_statop,kpis.threshold_field,kpis.entity_breakdown_id_fields,kpis.is_entity_breakdown,kpis.search" API Reference https://docs.splunk.com/Documentation/ITSI/4.12.0/RESTAPI/ITSIRESTAPIschema#Service_KPI ... View more

@bsanjeevaI'm afraid I don't know if/how this can be configured via Splunk's UI. ... View more

issue not yet resolved in my case ,  i am trying to connect the mongoDB to the splunk , i am also getting the same error, i tried by changing the query but no use. ... View more