Hi @lmarcel  Do any of the searches populate at all in the Wireless dashboard? Can you try running a search for `eventtype=cisco_ios product=WLC` to see if you get any results? From what I can see the product=WLC is populated by 'isnotnull(filename) AND isnotnull(filename_line)'  Can you also confirm - are you running (Cisco Catalyst Add-on for Splunk)   https://splunkbase.splunk.com/app/7538  ? 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @danielbb  Is the timestamp that is used coming from the report itself? Are you able to confirm that the report is available to Splunk at the timestamp shown - I've seen very similar behaviour with report type APIs where the report is 'generated' at say 00:00 but only processed and available for retrieval at a later time. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @justinrichter  The easiest way to achieve this is to set an index-time field on each host that applies to all sourcetypes, such as: # props.conf [default] TRANSFORMS-setSourceMeta = setSourceMeta or RULESET-setSourceMeta = setSourceMeta # transforms [setSourceMeta] #Update field/value name accordingly. INGEST_EVAL = travelledVia=ThisHostName   With Edge Processor you can apply a similar approach by using eval to set an index-time field which will be stored for each event. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Thanks for the suggestion, but as I mentioned in the original post I've already tried both with and without quotes around the regular expression. I've subsequently tried changing the regex to match against the raw JSON as a further test.  regex101.com still shows the regex matching, but the fields are still not extracting for me. Is there really no way short of trial and error to get this to work? No _internal logs to be looking for, or anything like that? ... View more

Hi @Dav , you must use your Splunk.com credentials, not the credentials on the Splunk instance. Ciao. Giuseppe ... View more

We have not configured the log_file_prefix argument and the sourcetype is set to aws:cloudtrail. I suspect that indexing CloudTrail events directly from an S3 bucket using the aws:cloudtrail sourcetype may only support CloudTrail Management Events. Other event types, such as Data Events or Network Activity events, might not be fully supported in this configuration. But I cannot find anything in the docs about this. ... View more

Hi Livehybrid.   Thanks a lot for your prompt response. I have reviewed both the queries, and I appreciate your effort. For the first query, I was able to see some data, which is great. However, for the second query, the count appears to be zero. I have attached the screenshots for your reference. Could you please help me understand what I might be missing here? Looking forward to your insights.     ... View more

After backing away for a bit, I'm guessing that this is supposed to serve as a template and should be commented out. ... View more

OK. The issue with _any_ product which supports "extending" and SELinux is that you can either provide a policy covering the base product and make people add further extensions for more use cases (like access to specific files for log retrieval, spawning processes for modular inputs and so on) or make it run "relatively unconstrained". Unfortunately that's the deal with any similar permissions system. For example, RHEL/Rocky/Alma comes out of the box with SELinux policies for exim or dovecot but when I wanted to configure both of them to run with mysql as authentication source I needed to adjust the policies manually. You can't predict all possible use cases. ... View more

anyone? I also contacted Splunk Support some weeks ago and got no response ... View more

Hi @danielbb  What is it you're wanting to see? Whilst some Add-Ons which collect/parse data have specific 'App' equivalents which have dashboards to view the data, this isnt necessarily the same for all.  Depending on what you're wanting to see visualised there may be existing apps containing the relevant dashboards but if not the Add-Ons you mentioned should provide the required parsing to enable you/your users to create dashboards according to your requirements. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Thanx. Can you copy that part from db_inputs.conf? Also add relevant part from inputs.conf, so we see the schedule also. And put those inside </> editor tag, so this platform didn’t change your paste and it’s easier to read. ... View more

Thank you for the reply. I had found the split buckets command before, but couldn't get it to run. We are still on 9.4 and it looks like that was added in 10.0. I'll make sure to add version info in future posts.  ... View more

Well... to some extent it makes sense. RFC says that HTTP/1.1 client SHOULD include User-Agent header. So if it doesn't, it's either not a fully implemented HTTP/1.1 client or might have other features also not fully implemented (persistent connections are also a SHOULD requirement for HTTP/1.1 implementation). ... View more

Hi @STCK  Please could you give us a bit more detail on how you attempted to add this to Splunk? Are you using a dashboard studio dashboard or classic dashboard? Or have you added the file to a custom apps static folder? 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @mohdkaif7186  Is this in the context of Splunk? Please could you provide a bit more information on what it is you're trying to achieve with some examples and/or apps which are being used so that we might be able to help you.  🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

@wodrog note that @livehybrid solution of using hidden searches is also a good alternative to putting it in a subsearch - both techniques work and, as you can see, use the same principle of | addinfo to get the master time picker search range as an epoch time. ... View more

Hi @Eran  If you havent already its worth checking out https://www.splunk.com/en_us/blog/artificial-intelligence/unlock-the-power-of-splunk-cloud-platform-with-the-mcp-server.html and https://help.splunk.com/en/splunk-cloud-platform/mcp-server-for-splunk-platform/about-the-mcp-server-for-splunk-platform Regarding your questions, you should install the MCP Server on all members in your SHC.  Once installed you can configure your client with help from https://help.splunk.com/en/splunk-cloud-platform/mcp-server-for-splunk-platform/connect-and-use-an-mcp-client - It is your client which will connect to the LLM and then utilise the tools from the MCP Server. The MCP server itself does not connect to the LLM. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @Solitus31  Do you have category.SHCSlave=DEBUG anywhere in a .cfg (e.g. log.cfg) in $SPLUNK_HOME/etc ? Do you have any components/categories set to DEBUG in $SPLUNK_HOME/etc/log*.cfg files which are between the SHC members? If possible can you please post the entire log event. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @mhebert  Firstly, yes its normaly that a secret/password/token added in the Configuration page of the Splunk app would disappear when you go back to it - however if you re-submit the configuration without re-entering it then it may overwrite it to a blank value... Its no ideal but is what it is! Regarding your oauth2 token, did you allow the required scopes from the docs at https://github.com/splunk/TA-slack-add-on-for-splunk/blob/master/README.md ? In the app's settings, select OAuth & Permissions from the left navigation. Scroll down to the section titled Scopes. Click Add an OAuth Scope under User Token Scopes. Add the auditlogs:read scope. Click Add an OAuth Scope under Bot Token Scopes. Add the chat:write scope. Scroll up to the OAuth Tokens section, click Install to Organization. Click Allow in the pop-up window. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hi @ibrahim1 , you should configure one of HF in Site A as License Master for all the Indexers and other Splunk Server in SiteA. Then open the firewall routes on port 8089 between HF-A and HF-B, in this way you can use this HF as Liense Master also for the HF-B. Ciao. Giuseppe ... View more

@ericaooi  in SPLUNK MCP APP configuration : $SPLUNK_HOME\etc\apps\Splunk_MCP_Server\default\mcp.conf  You need to uncomment or add the "ssl_verify = false" variable. See below # SSL verification behavior for requests to Splunk. # Accepted values: # true : Verify SSL certificates using system CAs (default) # false : Disable verification (NOT recommended for production) # <path> : Path to a custom CA bundle or self-signed certificate (PEM/CRT) # none : Ignore this setting and fall back to PYTHONHTTPSVERIFY or default # Examples: # ssl_verify = true ssl_verify = false # ssl_verify = /opt/splunk/etc/auth/myCA.pem # If not set or set to 'none', the application honors PYTHONHTTPSVERIFY env var, else defaults to true. # ssl_verify = true ... View more

Hi @livehybrid  Thank you so much for your answer and for sharing those resources  I really appreciate it. Regarding where to put the app, I believe hosting it on a HF will be the best approach, and I'll make sure that the HF have an access on the AWS hosted app. Thanks again for your help   Nicolas ... View more

Thanks, I have the same situation and the emailing helped me. ... View more

Hi , did you found any solution. I need to decode base64 string in edge processor pipeline. Thanks. Olivier. ... View more