Hi @sonaralt  You can achieve these with a monitor stanza as @richgalloway  mentioned. For converting xlsx to csv you might get somewhere by looking into the in2csv which is part of csvkit (https://github.com/wireservice/csvkit) and then using the 'unarchive_cmd' flag within a props.conf setting for your sourcetype.  See https://help.splunk.com/en/splunk-enterprise/administer/admin-manual/10.4/configuration-file-reference/10.4.0-configuration-file-reference/props.conf#:~:text=unarchive_cmd%20%3D%20%3Cstring%3E for more info This means the file contents would be piped to the cmd in unarchive_cmd and the output would be indexed. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing. ... View more

Hi @eholz1  My apologies, for Splunk Enterprise (on prem) it was added in 10.0 - see https://www.splunk.com/en_us/blog/platform/splunk-enterprise-10-0-and-9-4.html I wrongly assumed Splunk Cloud which was 9.3.2411 as previously mentioned.    🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing. ... View more

Hi @eholz1  I believe it was 9.3 that got this. You can find out more on the announcement blog post at https://www.splunk.com/en_us/blog/platform/splunk-dashboard-studio-publish-guest-friendly.html 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing. ... View more

Hi @javier_oshiro  I would recommend reaching out to your account team as the information isnt available in the public domain and is usually shared with customers under NDA.  🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing. ... View more

Hi @eholz1  Is this what you are looking for?   Sample Dashboard Studio JSON below: { "title": "Splunk Answers - Select token", "description": "", "inputs": { "input_global_trp": { "options": { "defaultValue": "-24h@h,now", "token": "global_time" }, "title": "Global Time Range", "type": "input.timerange" } }, "defaults": { "dataSources": { "ds.o11y": { "options": { "queryParameters": { "earliest": "$global_time.earliest$", "latest": "$global_time.latest$" } } }, "ds.search": { "options": { "queryParameters": { "earliest": "$global_time.earliest$", "latest": "$global_time.latest$" } } }, "ds.spl2": { "options": { "queryParameters": { "earliest": "$global_time.earliest$", "latest": "$global_time.latest$" } } } }, "visualizations": { "global": { "showProgressBar": true } } }, "visualizations": { "viz_1AKJy9Nl": { "options": { "markdown": "Column = $myToken_colName$ \nField Val = $myToken_val$" }, "type": "splunk.markdown" }, "viz_3gsbpHDP": { "options": { "markdown": "# Search: \nindex=_internal $myToken_colName$=$myToken_val|s$ | stats count by source, sourcetype" }, "type": "splunk.markdown" }, "viz_JuRIvRRn": { "dataSources": { "primary": "ds_wp6MIDyw" }, "eventHandlers": [ { "options": { "tokens": [ { "key": "name", "token": "myToken_colName" }, { "key": "value", "token": "myToken_val" } ] }, "type": "drilldown.setToken" } ], "options": { "count": 20, "dataOverlayMode": "none", "drilldown": "none", "showInternalFields": false, "showRowNumbers": false }, "type": "splunk.table" }, "viz_tylYiXSD": { "dataSources": { "primary": "ds_P0dq5nsp" }, "options": {}, "type": "splunk.table" } }, "dataSources": { "ds_P0dq5nsp": { "name": "Search_1", "options": { "query": "index=_internal $myToken_colName$=$myToken_val|s$ | stats count by source, sourcetype" }, "type": "ds.search" }, "ds_wp6MIDyw": { "name": "Table search", "options": { "query": "| tstats count where index=_internal by sourcetype, host prestats=t | stats count by host, sourcetype", "queryParameters": { "earliest": "-24h@h", "latest": "now", "sampleRatio": 1 } }, "type": "ds.search" } }, "layout": { "globalInputs": [ "input_global_trp" ], "layoutDefinitions": { "layout_1": { "options": { "display": "auto", "height": 960, "width": 1440 }, "structure": [ { "item": "viz_JuRIvRRn", "position": { "h": 250, "w": 1440, "x": 0, "y": 50 }, "type": "block" }, { "item": "viz_1AKJy9Nl", "position": { "h": 50, "w": 340, "x": 10, "y": 10 }, "type": "block" }, { "item": "viz_3gsbpHDP", "position": { "h": 80, "w": 850, "x": 20, "y": 320 }, "type": "block" }, { "item": "viz_tylYiXSD", "position": { "h": 180, "w": 1410, "x": 10, "y": 410 }, "type": "block" } ], "type": "absolute" } }, "options": {}, "tabs": { "items": [ { "label": "New tab", "layoutId": "layout_1" } ] } }, "applicationProperties": { "hideEdit": false, "hideExport": false } }   🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing. ... View more

Hi @user5  Can you confirm - have you also installed the app on your search head(s)? There will be field extractions etc within the app which occur at search time and therefore needs installing on the search heads as well as the HFs. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing. ... View more

Hi @hakonlu  As this is a Splunk supported TA/Splunkbase app, I would be recommend filing a support ticket with them with this information as they should be able to pass this directly to the app developers to investigate for you. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing. ... View more

Hi @morethanyell  I would recommend using the ACS CLI for these type of changes - there is a specific "acs indexes bulk-update" command for this task although its not clear if it pushes all in one go or iterates over each of them but there is a warning to note in the docs: In some cases, when performing bulk index operations on Classic Experience, the operation completes successfully for the first index (status code 202), but the operation fails for subsequent indexes Are you on Classic or Victoria? If you did want to stick to using the API directly then its worth checking out https://github.com/splunk/acs-cicd-starter/blob/e6bf9211d996857622655afc686c219029da2b49/.github/workflows/automated_deployment_splunk_cloud.yaml#L494 - in this Splunk-provided example there is a loop over files to update the retention of an index, which would suggest this is a supported approach, but as I mentioned, to save yourself re-inventing the wheel you might be better with the ACS CLI tool. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing.   ... View more

Hi @irisywang  You will need to contact splunk_certification@cisco.com and they should be able to help you. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing. ... View more

Hi @chenfan  By having a single replica copy one each site you might find that there is a lot of cross-site replication when there are issues, typically this would take longer than replicating a bucket from the same site.  Regarding 'each site’s search heads should only search data stored locally in their own site' - with site affinity it will search the site *if possible* which means it will get the buckets from another site if it has to (see https://help.splunk.com/en/splunk-enterprise/administer/manage-indexers-and-indexer-clusters/10.4/deploy-and-configure-a-multisite-indexer-cluster/implement-search-affinity-in-a-multisite-indexer-cluster#:~:text=A%20search%20head%20with%20search,primary%20copies%20on%20both%20sites.) Having a single SHC across multiple sites worries me a little - there can be alot of chatter/traffic between the SHC members to keep them in sync through replication/election etc. Splunk guidance is that SHC members need low-latency links between all members.  🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing. ... View more

Hi @epronko  I believe the main thing to ensure is that between each app upgrade that your inputs trigger/execute as this is when the checkpoint migrations occur - ie they dont happen automatically on Splunk startup. If you work through the DBConnect upgrades running the inputs each time then the checkpoints will be updated as per the design. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing. ... View more

Hi @Wohamed_wakkad  Yes, you can colocate LM and MC components into a single box - check out https://help.splunk.com/en/splunk-enterprise/administer/monitor/10.4/configure-the-monitoring-console/which-instance-should-host-the-console for more info on where you can host an MC.  Regarding the license - the inbuilt 'Forwarder' license limits the abilities of the server so is typically no good for services you might need to login to the UI of (eg DS/LM/MC/CM etc) - for these you do need an Enterprise License - that being said, when sending to Splunk Cloud but still need to run a HF and associated components on-premise then Splunk can issue a 0-byte Enterprise license which some people also refer to as a Forwarder license. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing. ... View more

Hi @SN1  Does your Splunk instance have internet access? If not you might need to make the following server.conf settings in $SPLUNK_HOME/etc/system/local/server.conf [applicationsManagement] allowInternetAccess = false splunkbaseAppsDumpUrl= archivedSplunkbaseAppsDumpUrl= 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing. ... View more

Hi @narenrecw  In 10.4 this has changed a little - if you navigate to https://<yourStack>.splunkcloud.com/en-US/manager/launcher/authorization/tokens then you should be able to enable and then create tokens. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing. ... View more

Hi @samfresh-ai  I would suggest calling support to see what they can do as Im not sure how this works for Trial accounts. http://www.splunk.com/en_us/about-us/contact.html#tabs/customer-support   🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @igall  Im wondering if it relates to this issue: https://community.splunk.com/t5/Splunk-Enterprise/Spike-in-503-errors-in-the-Splunk-WebUI-after-upgrading-to-10-0/m-p/758029/highlight/true#M23813 its a similar kind of thing and could relate to a backend call to apps (perhaps) which is causing the spinning wheel issue. I'd be tempted to try the following server.conf change to see if it improves/fixes: # server.conf [applicationsManagement] splunkbaseAppsDumpUrl= archivedSplunkbaseAppsDumpUrl= allowInternetAccess = false 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @davyst  This sounds to me like it could either be a KV store type issue or something like the API endpoints not returning in a timely manner and thus it times out or defaults to N/A. Can you check loading the service analyser with the Dev tools of your browser open to the network tab and see if there are any error'd requests (e.g. red / 40x / 50x responses). This might point to something which is causing an issue - if there is anything then let us know - failing that it might be worthwhile raising a support case as they might be able to help look in more detail with you. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @Andre_  I agree, its a bit of a mixed setup at the moment, I think there is a push to move away from the older UI design to the new framework but it will ultimately take some time, there have been pages updating in the background across many of the recent versions but some are less noticeable than others. If it helps, for now, the navigation can be reverted back to the previous style across the entire Splunk instance with the following web-features.conf change: [feature:modern-nav] enable_nav_vnext = false 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @Emersion  I think the best thing to do here would be to have a second HF and have the upstream forwarders balance the output between the two HFs (single output group with 2 servers) - that way they can patch one at a time and ensure that data is still received in a timely manner. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @i0ntempest  Was there anything in the mongod.log file? 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @spl_aficionado  What does your current app development/deployment process look like? I have used two primary processes/methods for managing Splunk Cloud apps: 1) Single Git repo per app - Create a single repo for each of your Splunk apps and have GitHub Action/Gitlab CI configuration to build, package, test and deploy using AppInspect CLI (fail-fast), and Admin Config Service (ACS) that triggers when you either merge to main or tag a version/release. 2) Ansible managed - https://github.com/livehybrid/ansible-for-splunk-cloud - This works well for managing the whole environment, not necessarily just apps - you can maintain a source-of-truth within Ansible variables to control the specific version of custom/Splunkbase apps - It has support for downloading apps from private github repos too.  Let me know your current approach and if you have any questions. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @meenu_2017  Please could you let us know what issues you are having and what you have done so far to try and remediate this?  Have you been able to confirm that the alert has fired with events that should have gone to teams? Were you able to find any errors/logs in _internal index about the alert to Teams which should have fired? 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @martaBenedetti  As long as you are using hostnames and the hostname can resolve successfully to the new IP and there are no firewall or routing/network changes/issues between the hosts then this shouldnt be a problem. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @shocko  You're returning an array by using stats values(fct_version) - The dropdown values need to be strings. Instead of the stats try | dedup fct_version And then use the fct_version value for the dropdown. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more