Hi @ubommala  If you are using 10.0.1 then you will not be able to use Custom app visualizations in Dashboard Studio as the ability/feature to use Custom Viz in Dashboard Studio was only added in 10.1 (Cloud only) and came to On-Premise in 10.2. That being said, when I tested Sunburst viz in 10.2 Dashboard Studio it didnt work correctly but I am not too familiar with the viz so perhaps I need to make some tweaks to the data. Once you've upgraded to 10.2 you should be able to use custom visualizations in Dashboard Studio 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @Opher  Can you confirm the time period you are searching for the data across when you are searching?  Are there any other indexes with data?  When you are one-shotting it will import the data at a point in time but will not continue to monitor those files (if they are changing) but the data should always exist if you search for the time period when you imported it, unless something else is configured incorrectly.  Have you made any changes to the default retention (frozenTimePeriodInSecs) for the index? 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @BRFZ  How are you sending the data to your Indexers? Did you make any changes to the ingestion when you started seeing the spike to try and reduce it? My gut feeling would be that something higher up the chain has crashed, ie the forwarder or intermediate forwarder - Are you able to see any _internal logs from the forwarder sending the data (assuming the data is sent via a forwarder)? 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @vimalraj  Please can you confirm, are you using Splunk Observability Cloud, or Splunk Cloud? The exporter/configuration required will ultimately depend on where you are sending the data. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @ubommala  Are you running Splunk 10.2? The App is currently listed as compatible with 10.1 but not yet updated for 10.2. Its also worth noting that Custom Visualizations in Dashboard Studio is a recent feature and some custom viz apps may not have yet been tested/updated for Dashboard Studio, so whilst they might work in 10.1/10.2 they may only work in Classic XML dashboards. There isnt a way in Splunkbase at the moment to specify if a custom Viz is compatible with both Classic and Dashboard Studio dashboards. I would suggest reaching out to the developer (chris.younger+splunkbase@gmail.com) to see if there is a fix in the pipeline.  🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @DarrenJackson  This is unusual as I have found emails such as that to be very effective, however you might find it easier to speak to someone directly - Check out https://www.splunk.com/en_us/about-splunk/contact-us.html?locale=en_us#sales which has a list of phone numbers for each region so that you can speak to the appropriate team for your area. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @verbal_666  Keep an eye on https://advisory.splunk.com/ for any updates regarding this Vuln which will contain details around if/how mitigations should be applied to Splunk.  We are also due a maintenance update to 9.4.x imminently (10.2 was released last week). Its also worth raising a support case with Splunk directly to discuss this as they may be able to provide additional information under your contract/NDA with them. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @richah  Is there any specific reason you dont want to use Firehose? If you are worried about the scalability then Firehose would be the best approach, in my opinion. If you want to stick to Lambda only then you could look at https://www.splunk.com/en_us/blog/platform/stream-amazon-cloudwatch-logs-to-splunk-using-aws-lambda.html which just uses a Lambda with a Subscription Filter.  🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @smithy001  I generally wouldnt remove any files from the Splunk installation without first consulting with support as it could have unexpected results - even if you do not think you are using any postgres functionality (I believe its used in Edge Processor for example) it doesnt necessarily mean that Splunk doesnt validate it or use it during startup processes etc.  The release notes/docs were just released for 10.2 (https://help.splunk.com/en/splunk-enterprise/release-notes-and-updates/release-notes/10.2/whats-new/welcome-to-splunk-enterprise-10.2) however the binaries havent been released yet, so it could be that a fix for this is to be released in 10.2 (with additional minor version for older 10.x/9.x versions shortly). Its also worth checking out https://advisory.splunk.com/ if you havent already. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing   ... View more

Hi @lmarcel  Do any of the searches populate at all in the Wireless dashboard? Can you try running a search for `eventtype=cisco_ios product=WLC` to see if you get any results? From what I can see the product=WLC is populated by 'isnotnull(filename) AND isnotnull(filename_line)'  Can you also confirm - are you running (Cisco Catalyst Add-on for Splunk)   https://splunkbase.splunk.com/app/7538  ? 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @danielbb  Is the timestamp that is used coming from the report itself? Are you able to confirm that the report is available to Splunk at the timestamp shown - I've seen very similar behaviour with report type APIs where the report is 'generated' at say 00:00 but only processed and available for retrieval at a later time. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @justinrichter  The easiest way to achieve this is to set an index-time field on each host that applies to all sourcetypes, such as: # props.conf [default] TRANSFORMS-setSourceMeta = setSourceMeta or RULESET-setSourceMeta = setSourceMeta # transforms [setSourceMeta] #Update field/value name accordingly. INGEST_EVAL = travelledVia=ThisHostName   With Edge Processor you can apply a similar approach by using eval to set an index-time field which will be stored for each event. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @Dav  Just to confirm, you are entering your Splunk.com credentials when prompted? (The one you used to login to the community pages). This should be the username, not email. If so, are you able to check if there are any outbound connectivity limitations from your deployment?  🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @akkermansie  Have you set a 'Log File Prefix' in your Generic S3 input?  I suspect its unrelated to your issue but version 8.1.0 is now available for the AWS Add-on so you may also want to consider upgrading. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @bpenny  The issue here is that you have put " quotes around the regular expression in your EXTRACT statement, the quotes are not required. Ive tested ingesting a local json file with the EXTRACT setting without the quotes and it extracts successfully. Please could you try updating to remove the quotes?   🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @dpollardcouk  I know we have discussed this offline but for the benefit of others... Splunk used to, but no longer, supply an SELinux policy (https://download.splunk.com/products/security/splunk-selinux-0-0.9.0.el8.noarch.tgz) but the latest I can find this for is 9.2.2 for RHEL8 and even this and historical versions have been removed (https://web.archive.org/web/20250710043555/https://docs.splunk.com/Documentation/Splunk/9.2.2/CommonCriteria/InstallSELinux)  Ultimately it is against best practice and I believe non-supported to run Splunk with SELinux in enforcement and is expected that exceptions can be made for Splunk... Regarding CIS Benchmark Level 2 Hardening - I would expect that if an exception can be made for Splunk that additional controls could be put in place to mitigate the risks introduced by SELinux not being enforced and that this could be used for mitigation and approval with the organisation mandating the CIS Benchmark requirements. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing   ... View more

Hi @danielbb  What is it you're wanting to see? Whilst some Add-Ons which collect/parse data have specific 'App' equivalents which have dashboards to view the data, this isnt necessarily the same for all.  Depending on what you're wanting to see visualised there may be existing apps containing the relevant dashboards but if not the Add-Ons you mentioned should provide the required parsing to enable you/your users to create dashboards according to your requirements. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @dfarr  What architecture is your Splunk deployment? If it is a single instance then you might be able to use the 'split-buckets' command in the Splunk CLI to split out the legacy data into a new index, and then set the retention to a low value so that they roll/archive out. This would rely on there being a source/sourcetype or host only present in the legacy data. For more info on this check out https://help.splunk.com/en/splunk-enterprise/administer/manage-indexers-and-indexer-clusters/10.0/manage-indexes/remove-indexes-and-indexed-data#concept-274851c5-16ce-4def-884d-c007131b46bf--en 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @wodrog  Would something like this work for you? This uses a hidden search/table to generate the earliest/latest for the previous day based on the input and then uses that in the earliest/latest for the search.   { "title": "Answers-SearchPreviousDay", "description": "", "inputs": { "input_zIorjrMc": { "options": { "defaultValue": "-24h@h,now", "token": "tr_global" }, "title": "Main Time Selector", "type": "input.timerange" } }, "defaults": { "dataSources": { "ds.o11y": { "options": { "queryParameters": { "earliest": "$global_time.earliest$", "latest": "$global_time.latest$" } } }, "ds.search": { "options": { "queryParameters": { "earliest": "-24h@h", "latest": "now" } } } } }, "visualizations": { "viz_5ZrDUHwo": { "containerOptions": {}, "dataSources": { "primary": "ds_zdaUZXdL" }, "eventHandlers": [ { "options": { "tokens": [ { "key": "row.info_min_time.value", "token": "eventid" } ] }, "type": "drilldown.setToken" } ], "options": { "stackMode": "stacked" }, "showLastUpdated": false, "showProgressBar": false, "title": "This shows for time selected in picker", "type": "splunk.column" }, "viz_BcDlqy4I": { "options": { "markdown": "Earliest = $globalTimeSpl:result.earliest$ \nLatest = $globalTimeSpl:result.latest$" }, "type": "splunk.markdown" }, "viz_NgmH6lHI": { "containerOptions": {}, "dataSources": { "primary": "ds_BlYVOfBA" }, "eventHandlers": [ { "options": { "tokens": [ { "key": "row.info_min_time.value", "token": "eventid" } ] }, "type": "drilldown.setToken" } ], "options": { "stackMode": "stacked" }, "showLastUpdated": false, "showProgressBar": false, "title": "This shows for time selected - 24 hours", "type": "splunk.column" }, "viz_zUx2Zt29": { "dataSources": { "primary": "ds_ZKBDXZy2_ds_BlYVOfBA" }, "type": "splunk.table" } }, "dataSources": { "ds_BlYVOfBA": { "name": "global", "options": { "query": "| tstats count where index=main earliest=$globalTimeSpl:result.earliest$ latest=$globalTimeSpl:result.latest$ by _time, host span=15m\n| timechart span=15m sum(count) as count by host", "queryParameters": { "earliest": "$tr_global.earliest$", "latest": "$tr_global.latest$" } }, "type": "ds.search" }, "ds_ZKBDXZy2_ds_BlYVOfBA": { "name": "globalTimeSpl", "options": { "enableSmartSources": true, "query": "| makeresults \n| addinfo\n| eval earliest=info_min_time-86400\n| eval latest=info_max_time-86400", "queryParameters": { "earliest": "$tr_global.earliest$", "latest": "$tr_global.latest$" } }, "type": "ds.search" }, "ds_aOEeGNWG": { "name": "Search_1", "options": { "query": "| tstats count WHERE index=_internal by host" }, "type": "ds.search" }, "ds_ccCiW2S8": { "name": "tstat", "options": { "query": "| tstats count where index=_internal by _time span=1h", "queryParameters": { "earliest": "$tr_global.earliest$", "latest": "$tr_global.latest$" } }, "type": "ds.search" }, "ds_gRgnjURi": { "name": "Search_3", "options": { "query": "| tstats count where index=_internal by source, host" }, "type": "ds.search" }, "ds_rt307Czb": { "name": "timeSPL", "options": { "enableSmartSources": true, "query": "| makeresults \n| addinfo", "queryParameters": { "earliest": "-60m@m", "latest": "now" } }, "type": "ds.search" }, "ds_thns3Lsu": { "name": "Search_2", "options": { "earliest": "$global_time.earliest$", "latest": "$global_time.latest$", "o11yDSType": "serviceMap", "services": [ "paymentservice" ] }, "type": "ds.o11y" }, "ds_zdaUZXdL": { "name": "CurrentPickerTime", "options": { "query": "| tstats count where index=main by _time, host span=15m\n| timechart span=15m sum(count) as count by host", "queryParameters": { "earliest": "$tr_global.earliest$", "latest": "$tr_global.latest$" } }, "type": "ds.search" } }, "layout": { "globalInputs": [ "input_zIorjrMc" ], "layoutDefinitions": { "layout_1": { "options": { "display": "auto", "height": 960, "width": 1440 }, "structure": [ { "item": "viz_NgmH6lHI", "position": { "h": 270, "w": 1390, "x": 10, "y": 350 }, "type": "block" }, { "item": "viz_BcDlqy4I", "position": { "h": 50, "w": 300, "x": 20, "y": 10 }, "type": "block" }, { "item": "viz_zUx2Zt29", "position": { "h": 100, "w": 680, "x": 1470, "y": 10 }, "type": "block" }, { "item": "viz_5ZrDUHwo", "position": { "h": 270, "w": 1390, "x": 10, "y": 60 }, "type": "block" } ], "type": "absolute" } }, "tabs": { "items": [ { "label": "New tab", "layoutId": "layout_1" } ] } }, "applicationProperties": { "collapseNavigation": true, "hideEdit": false, "hideExport": false, "hideOpenInSearch": false } } 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @Solitus31  Do you have category.SHCSlave=DEBUG anywhere in a .cfg (e.g. log.cfg) in $SPLUNK_HOME/etc ? Do you have any components/categories set to DEBUG in $SPLUNK_HOME/etc/log*.cfg files which are between the SHC members? If possible can you please post the entire log event. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @mhebert  Firstly, yes its normaly that a secret/password/token added in the Configuration page of the Splunk app would disappear when you go back to it - however if you re-submit the configuration without re-entering it then it may overwrite it to a blank value... Its no ideal but is what it is! Regarding your oauth2 token, did you allow the required scopes from the docs at https://github.com/splunk/TA-slack-add-on-for-splunk/blob/master/README.md ? In the app's settings, select OAuth & Permissions from the left navigation. Scroll down to the section titled Scopes. Click Add an OAuth Scope under User Token Scopes. Add the auditlogs:read scope. Click Add an OAuth Scope under Bot Token Scopes. Add the chat:write scope. Scroll up to the OAuth Tokens section, click Install to Organization. Click Allow in the pop-up window. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more