Had the very same issue. Are you using custom certificates? In that case, you might have had the same issue as me. Wrote about our the solution here: https://community.splunk.com/t5/Deployment-Architecture/KVStore-does-not-start-when-running-Splunk-9-4-WITH-A-SOLUTION/m-p/743791#M29350 Note that splunk themselves says that custom certificates are not supported, but we got it to work 😄 ... View more

Summarize and finishing this post: After installing Splunk Ent v9.3.2 the initial problems were solved. After that it appears that Splunk Secure Gateways did not connect anymore (Splunk Mobile) Had contact with Splunk about this. After some back and forth copying of backup directories and running repair, chaning app.cong files etc, SSG became connected again. The main reason why I want to upgrade were some new features that were mentioned to be available in Dashboard Studio. Unfortunately, now the present Dashboard Studio (version 1.15.3 under v9.3.2)  has some other issues, like: eg background color shows black instead of transparent (on mobile/table), big-font size 22+ text is unreadable small in Markdown (on mobile/tablet), using title color is  neither working as I expected... Nb. besides the fact that also the new tab feature was already noted not to work in this version including next version  v9.4.0. so I understand. So here I close this post and will create a new post next year about Dashboard Studio. In the meantime waiting for an update to v9.4.X  @all, have a great new year 2025! AshleyP ... View more

Thanks PeteAve! I'll try that and see what happens.....  ... View more

Here is the answer: https://docs.splunk.com/Documentation/Splunk/9.2.1/Admin/Web-featuresconf#.5Bfeature:dashboards_csp.5D in web-features.conf, there is a stanza called  [feature:dashboards_csp] where you can allow list domains like this: dashboards_trusted_domain.<name> = <string> aka dashboards_trusted_domain.smartsheet = app.smartsheet.com ... View more

Update: Had a session today with O365 support about message in python.log: (posted before) SendAsDenied; ticket@eremote.nl not allowed to send as Splunk_eRemote@uBDC01;" Answer: As discussed on the call, the bounceback (NDR report) you received shows that your office 365 account (ticket@eremote.nl) is not allowed to send email as Splunk_eRemote@uBDC01. This shows that there is a setting in Splunk that is preventing this action. And like I mentioned on the call, from Microsoft 365 perspective, email relayed is allowed and that is why you can send normal email from the application, and it delivers. De 'Splunk_eRemote@uBDC01'  comes from the SMTP-server settings in Splunk: Note: 1) We use O365 and some 4-5 months ago we stepped over from a personal account to a shared account (but did not notice the defect in the Alerting_email_function, just last week :-(. As Sendemail was working in Dasboards and in SPL code as expected. 2) We now use a shared mailbox under O365, which means you can not use any Alias. Before we could. 3) Using my personal account (with Alias's) is 2FA and is not possible according to O365 support. 4) Last week tried many things -including different fields A en B, without succes. Also tested it with use of a GMAIL account, no succes either. 5) Yesterday (Sunday) rebooted our W2029 server as part of our weekly maintenance schedule,  Today I found out: Note: Field A (username) must be same as SendAS (in the past we used only the word "Splunk" in field B) Also note that keeping the B feidl empty it does a discovery and comes up with "Splunk@uBDC01"  so it appears.  Now it is working again (in test) with field-A = field-B! (what is de use? apperantly only working in combination with personal-account and proper Alias, I conclude) I will close this post now and thank you for the repsonse PickeRick :-)! AshleyP ... View more

Thank @isoutamo , Yes, I update email password via gui, and reboot splunk, but this problem is still present ... View more

Completely ridiculous, at Nov-2023 on Splunk Enterprise v91.1.1 still an issue installing Python for Scientific Computing (for Windows 64-bit), even after change setting upload limit in web.conf as documented # Default is to allow files up to 500MB to be uploaded to the server # change this in local/web.conf if necessary # max_upload_size = 500. max_upload_size = 5000. There was an error processing the upload.Error during app install: failed to extract app from C:\Windows\TEMP\tmpp0s51vp5 to D:\Program Files\Splunk\var\run\splunk\bundle_tmp\f8e20425d3b382c7: The system cannot find the path specified. What do I miss here, how much must be this size be to , what units, or where are the brains of splunk. Splunk Enterprise after v9. 1.x is full of **bleep**.  ... View more

Update,  finally I succeed by using the subsearch as was mentioned before + creating 3x6=18 daily scheduled reports. (6 machines)       Dahboard to split in 2 tables panel... Nb. Unfortunately I was not able to make a historical search all-in-one! Thanks ... View more

Hi @apietersen and @templets, This option adds the given time to all login responses to help mitigate login timing attacks. https://docs.splunk.com/Documentation/Splunk/9.0.1/Admin/Authenticationconf#Settings_for_Splunk_Authentication_mode  constantLoginTime = <decimal> * The amount of time, in seconds, that the authentication manager waits before returning any kind of response to a login request. * This setting helps mitigate login timing attacks. If you want to use the setting, test it in your environment first to determine the appropriate value. * When you configure this setting, a login failure is guaranteed to take at least the amount of time you specify. The authentication manager adds a delay to the actual response time to keep this guarantee. * The values can use decimals. "0.025" would make responses take a consistent 25 milliseconds or slightly more. * This setting is optional. * Minimum value: 0 (Disables login time guarantee) * Maximum value: 5.0 * Default: 0   ... View more

Hi Burwell, Thanks, Yes I have seen it and installed it on a test instance. Its looking good again. ... View more

Hi ITWhisperer, Thanks. Yes,  please note the max value 8 in first image and then the 4 value in second image . Have added the xml code in a seperate reply post.  The maximum value (8) is suddenly divided by 2 (4)...which is a disturbing difference from the reality probably caused by the timeline visualization panel ... View more

I created an idea some time ago for this issue, see sole the issue: sendemail without the cost of a security | Ideas (splunk.com) It appears to be in a stage of consideration.   ... View more

Update: "sendemail" does not work for default users with default user-role capability. The issue was reported back to me to be solved in 8.1.3,  unfortunately it is not. ... View more

This issue was reported by support to be solved in v8.1.3 . Unfortunately this issue is still there in v8.1.3 ... View more

After trying up/down, left/right, no succes sofar. ... View more

This exception is raised when the server unexpectedly disconnects, or when an attempt is made to use the python mail SMTP instance before connecting it to a server. Clients sending outgoing mail should connect on port 587 and use starttls. To use port 465, you need to call smtplib.SMTP_SSL(). Currently, it calls smtplib.SMTP() .. so,change your PORT from 465 into 587 it. Also, you'll need to send the ehlo command before the starttls command, then again after the starttls command.   ... View more

Found it. I was working on the wrong Splunk machine 😞 Change the  .../bin/sendemail.py and look for "plainFooterTemplate" remove or replace the "------//----" string. After remove I received: "how do I get rid of the redundant characters "---" i-Alert" Thanks regards AshleyP ... View more

I think I found the solution: adding a set token directly after query <dashboard> <label>variable-transfer</label> <init> <set token="err_page">https://mysplunkserver.nl/en-GB/static/</set> </init> <row> <panel> <title>Show the name of a valid helpfile</title> <table> <search> <query>| makeresults | eval msgcode="msgcode-46.html" | table msgcode </query> <done> <set token="file">$result.msgcode$</set> </done> <earliest>$earliest$</earliest> <latest>$latest$</latest> </search> <option name="count">10</option> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> <row> <panel> <title>create a valid url string including helpfile</title> <html> <div> $err_page$$file$ <iframe src="$err_page$$file$" width="100%" /> </div> </html> </panel> </row> </dashboard> ... View more

No response sofar, reason? everybody knows? (stupid question, sorry) nobody knows? AshleyP ... View more

This morning version 7.2.1 became available to me. I conclude from this that the roll-out of new versions are per region, but the (bulletin) messages you see in your instance are sent immediately all over the world after a release in US regards Ashley pietersen ... View more

Ok after creating a support ticket, restarted and rebooted several times, disabling Dashboard_example app, run the splunk7.2.0.msi repair over it. My Splunk behaves as expected again. Splunk Splunk Support assumed that the dashboard.css was overwritten somehow by the dashboard.css of the Dashboard_example app. What could explain what has happend. Apperently, during my testing with the Dashboard_example 7.2.0 app and trying to build a new dashboard in the Search app I might have of accidently copied the dashboard.css of the Dashboard_example app (located in C:\Program Files\Splunk\etc\apps\simple_xml_examples\appserver\static) in to Search app under directory: $SPLUNK_HOME/etc/apps/search/appserver/static. I am happy that everything is running as expected again and I like to thank 493669 and Splunk support for the help, tips and support. Best regards Ashley Pietersen ... View more

Glad to help. The return and format commands are essential when using subsearches. Use this command reference for more details on those two commands: http://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/ListOfSearchCommands ... View more

Hey, If that work, xan you please up vote my respense or accept my answer to help another person. Thank's ... View more

Hi Adonio, Thanks for your response. Understood! regards Ashley Pietersen ... View more

You have the Cloud Outputs App installed which is good news. I am able to telnet to input-prd-p-7jmfcpd9xcqm.cloud.splunk.com on port 9997 so it's at least listening to receive data on the other end. I won't be able to test sending anything as your outputs app has an SSL Cert. Can you also try to telnet to input-prd-p-7jmfcpd9xcqm.cloud.splunk.com on port 9997 from your host to make sure you don't have a pesky outbound firewall rule in the way? Have you verified you're not receiving any internal logs for that host already? you should be able to search index=_internal host=<your_host_name> OR host=<your_host_ip> Can you look at your splunkd.log for errors? C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log. If you're unsure what you're looking at try and paste some of the most recent lines and see if any errors are sticking out in there. ... View more