@gabriel_vasseur @stewlarsen @marysan  - Not sure if you have managed to resolve this. I had encountered the same issue and i had to change the drill-down to ensure calculated_risk_score is available in addition to all risk_* fields - https://docs.splunk.com/Documentation/ES/7.1.1/RBA/TopologyVisualization  If this helps, pls mark this accepted. thx ... View more

Have you considered fresh ES install on the new physical server and migrate the data from your VM? ... View more

Has this been resolved now? Appears to be auth errors/cache clear and possible re-load/re-login could sort the issue, if it persists still. ... View more

Just for clarity, when the correlation search runs and produces the events/results, it should have a field 'dest' with some values. Once these events/results are written to the index=notable (can be accessed  via notable macro), dest field should be there with some value, for it to appear in the Incident review screen, additional fields. ... View more

If you go to `notable` and search for your search, in the list of field values, are you seeing 'dest'? ... View more

Congrats everyone!  Have a great year ahead. ... View more

As of the latest version, 1.9.2 (Jun 2022), it still fails for python3 in the upgrade readiness app.  Hope app owner reviews and provides us an updated version. ... View more

Answering my own - Had to edit the LookupEditorhandler javascript file to TRIM the values passed to the json handler file. ... View more

@beano501 My recommendation would be not updating the datamodel as much as possible. One way to achieve what you are looking is to using the 'src_interface' and 'dest_interface' fields in https://docs.splunk.com/Documentation/CIM/5.0.0/User/NetworkTraffic . Populate these fields with your values from the firewall logs, which can then be used in your searches. Additionally the mapping can also be used via lookup table to enrich data as necessary. Additionally, I would also suggest you to capture all your firewalls in a lookup within the ES Assets, using appropriate values in 'category' (e.g. internal_fw, external_fw, dmzfw etc..). This would then be available both in your searches and in your datam ... View more

Something like this will do in Splunk Core or ES. index=_internal (sourcetype=splunkd OR sourcetype=scheduler) log_level="ERROR" |rex field=_raw "savedsearch=(?<mysaved_search>.+) err=" | rex field=_raw "savedsearch_id=\"(?<mysavedsearch>.+)\", message=\"Error" | stats count by host, mysaved_search  You can then adjust as per your setup and perhaps setup an alert/correlation search to show you  errors from macros/lookups within the correlation search in ES.  ... View more

did this setup work in the past? If so, has there been any changes to IP/host/dns resolution and/or firewall/connectivity? looks like connectivity/resolution issue ... View more

stop-all running for long time does indicate an underlying issue in the cluster. Have you run the pre-check and post health checks using the latest available scripts? If not, please run them and perhaps raise a case with support attaching the output. ... View more

@SamHTexas   you can look at  index=_internal (sourcetype=splunkd OR sourcetype=scheduler) log_level="ERROR" to see all failures in the correlation search due to issues in macros or lookups. You can then tune the SPL as needed for your environment.  Hope this helps. ... View more

@inayath_khanin1   The above error indicates that during the asset merge process, you have one of the 'key' entries exceeding the multi-value limit setup in the AssetFields page under 'Asset and Identity managent' UI ( you can access  in the ES app via Configure -> Data enrichment -> Asset and Identity managent).  Look at the all the key fields and the multi-value limit. Additionally, you can also check something like this (pick up any field you want to test, e.g. ip which has a mv limit of 6 by default   |`assets` | eval my_mvcount = count(ip) | stats count by my_mvcount | where my_mvcount > 3   ... View more

@dominikatvastli  - Perhaps this could help, to understand the dependency on the datamodel for each dashboard. https://docs.splunk.com/Documentation/ES/6.6.0/Admin/Dashboardrequirements .  You normally don't need to include the index=MyIndex in your eventtypes.conf,  sourcetype alone will do, unless you want the index. Also, I assume the index is added to the Spunk_SA_CIM/local/macros.conf for cim_Change_indexes. ... View more

@grodaas I don't think non-english is supported. However, Windows event logs in XML format is supported (will be in english by default). If you need local language support, please raise with your account team and/or raise an enhancement support/request case. ... View more

@vr2312  - Assuming, you created an add-on, say, "TA-org-alert",  within that directory, that name will be referred in a number of python files and .conf files (e.g. app.conf).  If you want to change the name, rename in all the places, remove the .pyc files and restart splunk. ... View more

@snisaxena  One option would be stop and start all services, so they start gracefully. Pls refer to - https://docs.splunk.com/Documentation/UBA/5.0.4.1/Admin/CLICommands  ... View more