I've never seen action=ui.view as a thing, but it would be great to have.  As an alternative, try this query index=_audit action=search info=granted provenance=UI:Dashboard*   ... View more

@livehybrid 's advice is good.  IMO, the hardest part of integrating Git with Splunk is keeping your users and admins from making changes in the Splunk UI.  Changes made in the UI override those made in apps so it's critical to make sure all changes go through Git. ... View more

Generally speaking, apps and add-ons by the same(-ish) name go together.  Installing one without the other most likely will lead to disappointment. Apps typically provide dashboards and other user interface objects, whereas add-ons provide the product integrations.  The docs for the Cisco Secure Access App does not mention this dependency so perhaps it's not the case here.  There are a couple of things you can check: Verify the app is able to connect to your Cisco Secure Access server.  See Make a Secure Access API Request Verify your data is where the app expects to find it.  See https://developer.cisco.com/docs/cloud-security/cisco-cloud-security-app-for-splunk/#splunk-indexes   ... View more

Try my revised regex.  It should extract the desired text, assuming there are no embedded spaces. ... View more

If the intent is to skip the word following "Process" then this should do it. description\": \"Process \S+ (?<uicgroup>[^\S]+) ... View more

I've never heard of active-active as a Splunk-recommended architecture for Deployment Servers.  DS Clusters is the support architecture for DS redundancy. ... View more

ODS is correct - active-active is not a thing for deployment servers.  If you need DS redundancy, consider creating a Deployment Server Cluster.  See https://help.splunk.com/en/splunk-enterprise/administer/update-your-deployment/9.4/configure-the-deployment-system/implement-a-deployment-server-cluster for details. ... View more

The splunkbase page for that app says to contact the developers at support@wiz.io ... View more

Depending on the size of the lookup file, the map command may do the job. | inputlookup id.csv | eval search_start=strptime(time,) | map search="index=id ID_index=$ID$ starttime>$search_start$ timeformat=\"%m.%d.%Y\" | stats count as cnt by $ID$ | where cnt>$limit$ | | eval msg="limit outreached" | table $ID$ cnt $limit$" ... View more

When the query ends with stats count, it will always return one result.  Therefore,  Number of Results > 0 will always trigger the alert.  Add a where command to the alert so it only returns results if there are consecutive errors. index=your_logs "error" | bin _time span=1m | stats count as error_count by _time | streamstats window=2 current=t count(error_count) as consecutive_error_minutes | where consecutive_error_minutes >= 2 | stats count as alert_trigger | where alert_trigger > 0 That said, I have doubts about the methodology used.  The current query will trigger if two consecutive errors are detected, but what if they're different errors?  Does it matter?  I would think that two different errors would not be considered "persistence". ... View more

Have you tried this filter? JournalFilter = NOT MESSAGE~"apparmor=ALLOW" If that doesn't work then you can use props and transforms or Ingest Actions to drop the unwanted events in HF or indexer.  Props and transforms work only in the first full instance (HF or indexer) that the data passes through; Ingest Actions work in any full instance. ... View more

SPL files are just renamed tgz files.  There's no need to do anything.  Just install the file as-is. ... View more

Have you tried cloning the XML dashboard to Dashboard Studio?  Splunk will do the conversion for you. ... View more

The best way to get clarification on a Documentation page is to submit feedback on the page.  Click the "Share feedback" button at the bottom of the page. ... View more

We need more information. Are not getting any logs or just some of them?  If some, are you getting the internal logs for the forwarder that is supposed to be sending them? Please share the inputs.conf stanza for the missing logs. ... View more

Splunk 10.0.x is not the latest version.  Try 10.2.x. ... View more

Questions like this should be directed to someone at Cribl. ... View more

Splunk has not supported SSL 2.0 or 3.0 for some time now.  It only supports TLS 1.0, 1.1, and 1.2 with 1.2 being the recommended version.  I'm curious about how Tenable was able to connect using an unsupported protocol. Splunk 9.1.x is no longer supported so no fixes are forthcoming for that version.  A supported version may contain a fix, but it's hard to know without a CVE number. You may find mention of a fix at http://advisory.splunk.com ... View more

Yes, the upgrader has to run as root to do its work, but the end result should be the UF running as the specified non-root user.  If that is not happening then it's a problem that should be reported using one of the methods previously mentioned. ... View more

If you can't submit a case then submit it as an RFE at https://ideas.splunk.com ... View more

I suggest you submit a case to Splunk Support.  The upgrader should not assume the UF runs as root.  Running as root is a Bad Practice. ... View more

Use the splunk offline --enforce-counts command to take down each indexer one at a time.  Splunk will handle moving data as necessary.  Make sure the RF/SF is met and all indexes are searchable before moving on to the next indexer. ... View more

It looks like you researched it well.  I like your plan. Yes, you will need an on-prem DS to manage your UFs unless you have a separate tool (like Ansible) for that. Replacing Cribl with Edge Processor is worth looking into as it may save you some money.  EP cannot yet do everything Cribl can, however.  I agree with putting EP nodes close to the data sources. I have not used EP for syslog so I can't comment on that.  I found SC4S to be a good syslog solution, but it's been a few years since I've used it. ... View more