Need to provide user upload lookup only on one particular app permission. Hi I need to assign permission to particular role/User so that they can upload there CSV lookup files to only that perticular app, not to any other apps. Can anyone help me with it. ... View more

I want to get the date when the Splunk admin credential got changed, is there any way to get it? ... View more

Want to add a text box on a dashboard  e.g--> search |table field1 field2 field3 Here I want to put a textbox on field3 on the pannel it self so that it can be filter with the field3 value.   ... View more

How to limit on uploading of CSV lookup by size. Hi, I want to restrict the upload of lookup files with a certain size, like let's say a user with some role has permission of uploading a lookup file, but I want to filter it in that role so that the user can able to upload or create a CSV lookup file but with 5MB not more than that. ... View more

Needs to blacklist certain syslogs messages from the forwarder level. We have raw syslogs as below: 2023-03-27T00:00:00+00:00 10.10.33.15 Mar 27 2023 00:00:00.028 UTC : %UC_Test-4-DeviceTransientConnection: %[ConnectingPort=2000][DeviceName=AN004A1328478011][IPAddress=10.152.157.107][DeviceType=30027][Reason=3][Protocol=SCCP][IPAddrAttributes=2][UNKNOWN_PARAMNAME:LastSignalReceived=StationRegister][UNKNOWN_PARAMNAME:StationState=wait_register][AppID=Siso CallManager][ClusterID=c6801ccm][NodeID=c6801011ccm007]: A device attempted to register but did not complete registration 0.0.3.1 0 0 2023-03-27T00:00:00+00:00 10.10.33.15 Mar 27 2023 00:00:00.144 UTC : %UC_Test-4-DeviceTransientConnection: %[ConnectingPort=2000][DeviceName=ANF000673BC20003][IPAddress=10.70.56.248][DeviceType=30027][Reason=3][Protocol=SCCP][IPAddrAttributes=2][UNKNOWN_PARAMNAME:LastSignalReceived=StationRegister][UNKNOWN_PARAMNAME:StationState=wait_register][AppID=Siso CallManager][ClusterID=c6801ccm][NodeID=c6801011ccm007]: A device attempted to register but did not complete registration 0.0.3.1 0 0 2023-03-27T00:00:00+00:00 10.10.33.15 Mar 27 2023 00:00:00.147 UTC : %UC_Test-4-DeviceTransientConnection: %[ConnectingPort=2000][DeviceName=AN00A13274B800D][IPAddress=10.108.2.248][DeviceType=30027][Reason=3][Protocol=SCCP][IPAddrAttributes=2][UNKNOWN_PARAMNAME:LastSignalReceived=StationRegister][UNKNOWN_PARAMNAME:StationState=wait_register][AppID=Siso CallManager][ClusterID=c6801ccm][NodeID=c6801011ccm007]: A device attempted to register but did not complete registration 0.0.3.1 0 I need to filter the data before pushing it to the Splunk indexer, with respect to UC_Test-4-DeviceTransientConnection and Reason=3 which means I don't want to push the data which have UC_Test-4-DeviceTransientConnection and Reason=3. I have tried blacklisting it in inputs.conf blacklist = ^.*UC_Test-4-DeviceTransientConnection.*\[Reason=3\].*$ above isn't working then I have tried with props.conf and transforms.conf like below [testsys] TRUNCATE = 0 TRANSFORMS-NULL = setnull [setnull] REGEX = ^.*UC_Test-4-DeviceTransientConnection.*\[Reason=3\].*$ DEST_KEY = queue FORMAT = nullQueue But unfortunately, it's still not filtering. ... View more

I want to disable the feature of save as, user can able to search but shouldn't be able to save it as a dashboard or report or any knowledge object.   ... View more

Hi, I have a search head cluster of 3 members and I have a scheduled search which is basically doing an output CSV at the end, but my query is to is there a way I can run the scheduled search in only one node, not in all the nodes? ... View more

I want to extract as below using universal forwarder props.conf           Whatever data I have before: should be the field name and after : would be the value eg- for Class field value is Catalyst 9500 "class": "Catalyst 9500", "var_actionname": "Logstash - Chain", "var_alertid": "4000", "var_app_sys_id": "", "var_assetfloor": "0", "var_assetlocation": "", "var_assetmake": "mycompany Systems", "var_assetmodel": "Catalyst 9500", "var_assetpanel": "", "var_assetplate": "", "var_assetpunch": "", "var_assetrack": "", "var_assetroom": "", "var_assetserial": "", "var_assetshelf": "", "var_assettag": "", "var_assetzone": "", "var_autopolicyname": "Chain Active Events", "var_autopolicynote": "", "var_categoryid": "8", "var_categoryname": "Network.Switches", "var_classid": "6659", "var_classname": "Catalyst 9500", "var_classtype": "mycompany Systems", "var_clearuser": "", "var_collector": "csit2apacdca06", "var_composite_criticality": 3, "var_composite_id": "0", "var_device_back_link": "https://123.121.12.13//index.?exec=registry&act=registry_device_management#devmgt_search.did=4526", "var_deviceid": "4526", "var_duty_pager": "", "var_esp_class_name": "", "var_event_back_link": "https://123.121.12.13//index.?exec=device_events&did=4526&etype=12708", "var_event_guid": "EEBC704A15AFBB55FA19EF7D50A93993", "var_eventcategory": "", "var_eventcounter": "1", "var_evententityid": "4526", "var_evententityname": "ccntrx4-cn-bb-gw2.mycompany.com", "var_evententitytype": "1", "var_eventfirstoccurtime": "2022-09-22 22:32:05", "var_eventid": "10784243", "var_eventindexid": ".1199", "var_eventlastoccurtime": "2022-09-22 22:32:05", "var_eventmessage": "mycompany: Temperature problem. Currently, Temperature (TenGigabitEthernet1/0/40 Module Temperature Sensor) status: unavailable", "var_eventpolicy": "mycompany: Temperature Unavailable", "var_eventpolicycause": "<strong><!--StartFragment-->Description</strong><br>mycompany network device is reporting an &quot;unavailable&quot; status on temperature. Meaning that the agent presently can not report the temperature&apos;s sensor value.<br><br><strong>Probable Cause</strong><br><ul class=\"fr-tag\"><li class=\"fr-tag\">The sensor could have a hard failure (disconnected wire).</li><li class=\"fr-tag\">The sensor could have a soft failure such as out-of-range, jitter, or wildly fluctuating readings.</li></ul><br><strong>Resolution</strong><br>Manually check functioning of fan and replace if necessary.<!--EndFragment-->", "var_eventpolicyexternalid": "", "var_eventpolicyid": "12708", "var_eventseverity_deprecated": "2", "var_eventseveritylevel": "3", "var_eventseveritytext": "MAJOR", "var_eventsourceid": "4", "var_eventsourcename": "Dynamic", "var_eventstate": "Active", "var_eventstateful": "1", "var_eventsubentityid": "0", "var_eventsubentityname": ".1199", "var_eventsubentitytype": "0", "var_eventticketid": "", "var_eventtimeactive": "2022-09-22 22:32:05", "var_eventtimedeleted": "None", "var_eventurllink": "https://123.121.12.13//index.?exec=events&q_type=aid&q_arg=10784243&q_sev=1&q_sort=0&q_oper=0", "var_eventusercleared": "", "var_eventusernote": "", "var_ipaddress": "10.79.194.32", "var_orgbillingid": "", "var_orgcrmid": "ff7ac89f1b5f8d94d73aec22b24bcbe9", "var_orgid": "2", "var_orgimpacted": "", "var_orgname": "mycompany IT", "var_parentid": "", "var_parentname": "", "var_priority": "", "var_resultvalue": "unavailable", "var_rootid": "", "var_rootname": "", "var_slsystemname": "", "var_super_organization": "unknown", "var_support_group": "", "var_sysid": "fd19769ddb00c3ccdaeaf9551d961908", "var_threshold": "", "var_ticketemailsubject": "2", "var_ticketid": "0", "var_username": "", "external_id": "ScienceLogic_", "manager": "SCIENCELOGIC__ASSURED", "signature": "ccntrx4-cn-bb-gw2.mycompany.com::Catalyst 9500::.1199", "source": "ccntrx4-cn-bb-gw2.mycompany.com", "source_id": "1234"            I will attach the example of the log file that needs to be pushed with extracted fields, in the comment section         ... View more