I'm getting this error message in the log file, solnlib.credentials.CredentialNotExistException: Failed to get password of realm=.  According to this page, https://splunk.github.io/addonfactory-solutions-library-python/credentials/#solnlib.credentials.CredentialNotExistException , this is due to the username not being valid.  I'm trying to work out how to get what is passed to credentials.py since the information in the username doesn't make sense to me.  Is there anyway of debugging credentials.py, I tried to put print statements in, but the TA UI didn't like it.  I had to remove the print statements to get the UI working again.  I've tried debugging via command line but always get stuck at this point, session_key = sys.stdin.readline().strip().  I can't work out what I need to do to see where the user information is coming from.  Any help on how I can debug this? TIA, Joe ... View more

Hi All, I found this https://community.splunk.com/t5/Dashboards-Visualizations/9-0-5-ui-prefs-conf-Why-my-default-search-mode-in-search-page-on/m-p/652793 and in there is this. SplunkWeb users may experience different behaviors for the UI preferences that used to persist and show latest preferences by updating ui-prefs.conf on the fly. Now after upgrade to 9.0.5+ or 9.1.0+ its behavior changed and no longer uses ui-prefs.conf to remember the user's UI level preferences, but instead, uses the url in the request or localStorage/Web Storage. In Firefox I found this webappsstore.sqlite in my ../Library/Application Support/Firefox/Profiles/e0fxb1hs.default-release which is similar to the above.  Is this where the ui-prefs.conf information was moved to?  I've had a request from a user that wants to set the 'Selected fields', but after the upgrade to 9.1.2 the changes would be stored in a sqlite DB.  Is this correct?  Is there any way of changing the 'Selected fields' other than using the backend?  Does this work for other apps beyond Search? TIA, Joe ... View more

I'm working with a custom TA, AlertAction_SFTP, that has the following .conf.spec file.   [my_sftp_alert_action] param.sftp_server = <string> param.sftp_user = <string> param.sftp_rfile = <string> param.sftp_key = <string> param.ssh_key_dir = <string> param.sftp_password = <string>   When I try to use $date$ in the file name, filename-$date$, I get "Remote path is invalid."  I've tried multiple ways of doing this including adding date to my search   index=vuln sourcetype="qualys:hostDetection" signature="SMB Version 1 Enabled" TAGS="*Server*" earliest=-1d@d latest=@d | eval date=strftime(relative_time(now(), "-1d@d"), "%Y-%m-%d") | table date, *   I've tried $results.date$, $date$, and a couple of other things.  Is there some reason that the rfile path must not use a Spunk variable? TIA Joe ... View more

I'm working with Proofpoint Threat Response events that are being sent to our instance of Splunk using an HEC connection.  The part of the threat response event   u'incident_field_values': [{u'name': u'Severity', u'value': u'Informational'},   The raw Splunk event   "incident field values": [{"name": "Severity", "value": "Informational"},   As far as I know the HEC shouldn't do any translation so how did incident_field_values become the same name using spaces instead of underscores?  The version is 7.3.6. TIA, Joe ... View more