Do you use the Splunk Add-on for JIRA on a Splunk Enterprise instance or in your Splunk Cloud env? Have you verified the network connectivity? ... View more

1. Choose a custom index that exists for the input 2. Check this index and verify if data flow in 3. If not, check the internal logs of the instance where the addon is configured ... View more

So the UF is not phoning home  successfully and not popping up in the Clients tab on the DeploymentServer? Change your deploymentclient.conf on your UF stanza as below: [target-broker:deploymentServer] targetUri = https://10.128.0.5:8089   ... View more

How to you verified that the parameter was not updated? Have you checked the changed indexes.conf on a peer node? If not, please check it and execute $SPLUNK_HOME/bin/splunk btool indexes list main --debug to check the parameter and its app location. It’s possible that another indexes.conf file takes precedence over your modified configuration. ... View more

Check out on your splunk instance the Dashboard Example Hub. There you will find a bunch of examples how to visualize your data. http://<your_splunk_url>:8000/en-GB/app/splunk-dashboard-studio/example-hub-nav-visualizations#Single%20Value Example Source definition: { "type": "splunk.singlevalue", "dataSources": { "primary": "ds_search1" }, "options": {}, "context": {}, }   ... View more

Please provide sample data to help you with the search query ... View more

If the owner of the scheduled and embedded report is deleted in Splunk the report is not executed anymore until the report is reassigned to a user who has all required capabilities to run and embed the report. And I'm pretty sure that the link for the embedding must be recreated.   To prevent this behavior, you could create a technical (local) user. ... View more

Please validate your data. Based on your screenshots, it seems that when error code 404 occurs, the field message.incomingRequest.lob does not exist in these events. ... View more

Add message.incomingRequest.lob=* to your base search to filter for events that contain the field message.incomingRequest.lob index="uhcportals-prod-logs" sourcetype=kubernetes container_name="myuhc-sso" logger="com.uhg.myuhc.log.SplunkLog" message.ssoType="Inbound" "message.incomingRequest.lob"=* | chart count by "message.backendCalls{}.responseCode", "message.incomingRequest.lob"   ... View more

Please try: index=<yourindex> sid=* |eval Guest=if(sid=22,BOT,Others) | bin _time span=1d | eventstats count as totalevents by _time | eventstats count as guest_count by Guest | eval percentage=round((guest_count/totalevents)*100,2) | eval final_field = guest_count. "(" .percentage. " %)" | eval time=strftime(_time, "%Y-%m-%d") | chart values(final_field) over Guest by time     ... View more

You have events where Field message.incomingRequest.lob does not exist but field message.backendCalls{}.responseCode exists in these kind of events. That's why the "NULL" value is set. ... View more

Please share the search so far and some sample data then we might be able to help you with the search query. ... View more

Have you checked the logs of the Otel Collector? Could you please define a separate pipeline for the statsd metrics like: service: pipelines: metrics/statsd: receivers: - statsd exporters: - signalfx ... View more

Have you verified that you use a token with the API permission or a session token to use the API? ... View more

Unfortunately for browser tests you can only use the global variables to fill any fields on a web page with the "Fill in Field" action .  Feel free to create an idea as a feature enhancement request at https://ideas.splunk.com/ ... View more

The documentation is not correct. You have to create two separate certificate files because the Splunk Web certificate must not contain the private key. web certificate format: -----BEGIN CERTIFICATE----- ... (certificate for your server)... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... (the intermediate certificate)... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... (the root certificate for the CA)... -----END CERTIFICATE----- server certificate format: -----BEGIN CERTIFICATE----- ... (certificate for your server)... -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- ...<Server Private Key – Passphrase protected> -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- ... (certificate for your server)... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... (the intermediate certificate)... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... (the certificate authority certificate)... -----END CERTIFICATE----- Check out: Configure and install certificates in Splunk Enterprise for Splunk Log Observer Connect - Splunk Documentation Final configuration must look like: web.conf [settings] enableSplunkWebSSL = true privKeyPath = /opt/splunk/etc/auth/mycerts/mySplunkWebPrivateKey.key serverCert = /opt/splunk/etc/auth/mycerts/mySplunkWebCertificate.pem sslPassword = <priv_key_passwd> server.conf [sslConfig] serverCert = /opt/splunk/etc/auth/sloccerts/myFinalCert.pem requireClientCert = false sslPassword = <priv_key_passwd>   ... View more

Have you already checked followings docs? Troubleshoot the Splunk OpenTelemetry Collector — Splunk Observability Cloud documentation ... View more

Parameter DEPTH_LIMIT must be set in transforms.conf  DEPTH_LIMIT = <integer> * Only set in transforms.conf for REPORT and TRANSFORMS field extractions. For EXTRACT type field extractions, set this in props.conf. * Optional. Limits the amount of resources that are spent by PCRE when running patterns that do not match. * Use this to limit the depth of nested backtracking in an internal PCRE function, match(). If set too low, PCRE might fail to correctly match a pattern. * Default: 1000 transforms.conf - Splunk Documentation ... View more

Remove the collect command in your search query. The enabled summary indexing is enough to fill the summary index. ... View more

Ah okay, then I would execute it in following order: 1. Do the fresh installation 2. copy all custom apps and their configuration files to %SplunkHome/etc/apps/ from your source 3. start splunk ... View more

What is the reason for the planned the migration? For me it sounds like more that you just wanna install a new Universal forwarder on a different server to collect the logs. Usually you have all specific configuration like inputs.conf and outputs.conf on your deployment server and in case of setting up a new UF you only add it to a existing or new serverclass to rollout the configuration files. I would do a fresh installation on the new server, configure the local configurations (e.g. deploymentclient.conf) and then distribute all other configurations via the Deployment Server. Regarding the installation routine I recommend to take a look into the documentation Install a Windows universal forwarder - Splunk Documentation There is also a silent installation on command line described. ... View more

Okay, and I guess the data is pulled via the tenable API, right? Could you try: transforms.conf [tenable_remove_logs] REGEX = (?m)(ABCSCAN) DEST_KEY = queue FORMAT = nullQueue  If it is not working I would increase the depth_limit for testing. ... View more

Where you have applied these settings? On an indexer or on a Heavy Forwarder? ... View more