Hi, if you are sending logs from on-prem Panorama consoles to Splunk and using the Palo Alto add-on, the logs will go to pan:traffic. However, if you are sending logs from the Strata console via HEC, the logs will be in JSON format and the right sourcetype to use is pan:firewall_cloud.
Hi, to resolve the issue, find the HF in your environment, then go to the Splunk Web home screen. Click on Splunk Add-on for Microsoft Office 365 in the left navigation banner. Click on the Inputs tab; there will be enable and disable options. First disable the inputs, then enable them again. This has nothing to do with the https://splunkbase.splunk.com/app/1739 Splunk app; the log collection happens with the help of the add-on.
Hi @incoghnito_1, try the SPL below:

index="dynatrace_hp" "agentVersion.major"="*" "agentVersion.minor"="*" esxiHostName="*" | stats values(agentVersion.minor) by esxiHostName
Hi @VijaySrrie, I have given a sample config below. You can try it like that.

props.conf
[mentionsourcetype]
TRANSFORMS-acctmasking = mask-acctcode

transforms.conf
[mask-acctcode]
REGEX = (.*DetectedValues{}.Value=\d+).*
DEST_KEY = _raw
FORMAT = $1-XXXX
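A props.conf/transforms.conf pair like the one above rewrites _raw at parse time, and an index-time mask is irreversible, so it is worth checking the REGEX/FORMAT pairing offline before it reaches an indexer. The Python below is an added example, not code from the post: it mimics Splunk's documented REGEX/FORMAT behaviour with DEST_KEY = _raw (on a match the whole event is replaced by FORMAT, with $1..$n expanding to the capture groups) and runs a masking stanza of my own over a few lines. The stanza name, the acct= field and the sample events are constructed for illustration and are not from the original post. One point the simulation makes visible: whatever a capture group contains is copied into the output verbatim, so the digits to be hidden have to sit outside every group.

```python
import re

# Constructed sample events for illustration (not from the original post):
# key=value application log lines carrying an account code after "acct=".
SAMPLE_EVENTS = [
    "2024-01-01T10:00:00Z user=alice action=lookup acct=1234567890 status=ok",
    "2024-01-01T10:00:05Z user=bob action=lookup acct=9876543210 status=denied",
    "2024-01-01T10:00:09Z user=carol action=login status=ok",
]

# Mirrors a transforms.conf stanza (assumed names, not the post's config):
#   [mask-acct-lastfour]
#   REGEX    = (?m)^(.*\bacct=)\d+(\d{4})(.*)$
#   FORMAT   = $1XXXXXX$2$3
#   DEST_KEY = _raw
# Only the last four digits of the account code survive: the digits to mask are
# consumed by the bare \d+ OUTSIDE any capture group, so FORMAT never sees them.
MASK_ACCT_LASTFOUR = {
    "REGEX": r"(?m)^(.*\bacct=)\d+(\d{4})(.*)$",
    "FORMAT": r"$1XXXXXX$2$3",
}


def apply_transform(regex, fmt, raw):
    """Mimic Splunk's index-time REGEX/FORMAT rewrite with DEST_KEY = _raw.

    Splunk matches REGEX anywhere in the event and, on a match, replaces the
    entire _raw with FORMAT, where $1..$n expand to the capture groups. Events
    that do not match pass through unchanged. The ^(.*) ... (.*)$ anchors in
    the stanza exist so that nothing outside the match is dropped.
    """
    m = re.search(regex, raw)
    if m is None:
        return raw

    def expand(tok):
        group = m.group(int(tok.group(1)))
        return group if group is not None else ""

    return re.sub(r"\$(\d+)", expand, fmt)


def mask_events(events, stanza=MASK_ACCT_LASTFOUR):
    """Apply one masking stanza to a batch of raw events, in order."""
    return [apply_transform(stanza["REGEX"], stanza["FORMAT"], e) for e in events]


def leaked_account_codes(events, masked):
    """Cross-check: return any full account code still present after masking."""
    codes = {m.group(1) for e in events for m in re.finditer(r"\bacct=(\d+)", e)}
    joined = "\n".join(masked)
    return sorted(c for c in codes if c in joined)


if __name__ == "__main__":
    masked = mask_events(SAMPLE_EVENTS)
    for before, after in zip(SAMPLE_EVENTS, masked):
        print(f"{before}\n -> {after}")
    print("leaked:", leaked_account_codes(SAMPLE_EVENTS, masked))
```

The stanza has to live on the heavy forwarder or indexer that parses the data, since a universal forwarder does not apply props/transforms rewrites, and a check like leaked_account_codes is worth keeping as a regression test whenever the log format changes.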
The config only helps to process multiple events at a time and send logs in real time without much delay. If any use cases are configured to monitor those events, then you can monitor the logs in real time.
Hi @PickleRick, in order to process the events faster you can try increasing the pipelines in the UF, but this will consume more resources on the UF server end.

cd %SPLUNK_HOME%\etc\system\local

[general]
parallelIngestionPipelines = 2

https://docs.splunk.com/Documentation/Forwarder/8.2.3/Forwarder/Configureaforwardertohandlemultiplepipelinesets
Hi @Prakash23, you can remove the data from the summary index using the delete command. Add the | delete command to the end of the search string and run it again, for example:

index=summary "exception message logs" | delete

Note: to use the delete command, your role needs an additional capability, "can_delete". The delete command will not remove data from the index, but the data is no longer searchable. Instead, identify the reports which are sending duplicate logs to the summary index, and use the dedup command to control it. If this answer helps you, then upvote it.
The workaround solution is to edit the HTML file and pass the internal values with special characters. Path to edit: /opt/splunk/etc/app_name/default/ui/nav/alerts/custom_alert.html

<option value="4-Minor/Localized">4-Minor/Localized</option>
Hi, I am trying to build an alert action where I have a drop-down with fixed values. But when I am passing the data to the internal value, I am getting an error like "Internal Value can only contain alphanumeric characters and underscores." How to resolve this issue? Can anyone help?

Internal Value: 4-Minor/Localized
Hi @Knightrider1234, try the changes below to resolve the issue.

1) Change the thruput value in limits.conf (/opt/splunk/etc/system/local/limits.conf):
[thruput]
maxKBps = 0

2) Increase the pipelines; make the change in /opt/splunk/etc/system/local/server.conf:
[general]
parallelIngestionPipelines = 2

3) Increase the parsing queue size in /opt/splunk/etc/system/local/server.conf:
[queue=parsingQueue]
maxSize = 64MB

After making the changes, restart the Splunk server.
Hi @johan, I have observed a few things after installing and testing the Splunk Add-on for BMC Remedy with ITSI. Below is the list of my findings. The TA can be installed and used for ticket creation, and all the functionalities are working fine. The assignee group will be taken by default by the Splunk TA; there is no control over the assignee group. This is because the Splunk TA WSDL Action (parameter) is using PROCESS_EVENT for ticket creation, whereas it is supposed to use Action as CREAT_INCIDENT for ticket creation. The CI information is not processed by the TA correctly, so we can't control the assignee group. In order to proceed, you need to create a custom add-on by using Splunk Add-on Builder. Create a separate WSDL and username and password in order to access Remedy, and develop a script to pass the payload in XML format to Remedy. Before passing the payload, test the payload in SoapUI.
Hi @Azeemering, in the new Azure add-on version, the interface and settings have changed. So if you are trying with the old local config like passwords.conf and ta_ms_aad_settings.conf, it will not work in the new version. Try to do a fresh config and erase all the old configs.
Hi @Marius732, the best way to test the custom alert action is through the Splunk Add-on Builder. I usually create the custom alert action and test the code with the help of the Add-on Builder, and if there is an issue with the code you will be able to find it out while testing. https://splunkbase.splunk.com/app/2962/
Hi @Marius732, it is not a Splunk error, it is your script error; it is saying the pycurl module is unable to identify the Curl attribute.

c = pycurl.Curl()
AttributeError: module 'pycurl' has no attribute 'Curl'
Hi @Marius732, try to create one add-on for the custom alert action, and download the pycurl module package and place it inside the add-on: <Addon name>/bin/<Addon Name>/ (place the pycurl module package here). Then place the custom alert action script inside <Addon name>/bin/custom_alert_script.py and see if it works or not.
Hi @anandhalagaras1, yes, remove the Splunkforwarder package and keep only the Splunk package. In Linux, any Splunk command should be run with (./) as a prefix, whereas in Windows you can run the Splunk commands without (./) as a prefix.
Hi @nc_lks, to resolve this issue, first take the data and ingest it in Splunk through the Add Data option, then go to advanced settings and select the charset and try all the encodings; one will definitely work.
Hi @Noorzai, since ITSI is a premium app, the download option will not be available for everyone. If your company buys the ITSI premium app, then you can request Splunk to provide access for downloading the package. Then the download option will be available to you.
Hi @pavanbmishra, can you try with the eval below and see the result?

EVAL-XYZ = case(src=="AAA", "field1", src=="BBB", "field2", src=="CCC", "field3")

And also make sure you are able to see the mentioned src field values in the case.
Hi @pavanbmishra, did you verify the local.meta of your app's folder? And also, after placing the props.conf on the search head, can you quickly restart and check, if it is a single instance? For a distributed search head cluster no restart is required. Is only the eval not working, and all the other fields working fine?