Are you using SOAR? If so, are you running the playbook from the container view? ... View more

Can you confirm that the app indeed has a default/app.conf file, and that it does not contain files or folders outside its app folder named "hashicorpvault", and that its file permissions are in the expected state? ... View more

Are you sure you used the full second command of "sudo apt-get install vim"? If so, what messages or errors did it return? ... View more

I don't think it is possible to constrain a dataset to "only intake 1 event containing each value of EventId and then exclude the rest of the events with the same EventId value." This would require the dataset to check against a list of already-included EventId values for every new event it intakes. It would be better to do this in another way. Ideally you could change the events themselves so that they only have one event per EventID, but there are other tricks you could try, like making a search that makes summary-indexed events once per EventID while excluding all EventIDs that already exist in the destination index. Then you could set the datamodel+dataset to include events from the index of summary-indexed events. ... View more

It seems that you are not using {0} in your query input. Also can you post the sanitized code for the code block and the full entry for the data path of the 0 input? ... View more

As the error message describes, you are trying to delete a playbook from a read-only repository. If you are importing it directly from the Splunk security content github repo, then you cannot delete the playbook and would be better off removing the repo in your Source Control settings. If it is cloned to a repo you control, then you need to uncheck the "read only" setting for that repo. ... View more

The HTTP Event Collector won't do load balancing itself, so you will need to set up a load balancer in front of the indexers. One way you could set up the HEC token is to take a Splunk server with a web interface (probably not the indexers), go to Settings->Data inputs->HTTP Event Collector, then click the "New Token" button. Go through the menu specifying your desired input name, sourcetype, index, etc. This will generate an inputs.conf stanza for the HTTP input. You can then open the inputs.conf file and copy this stanza to each of your indexers to ensure they have the same token. (Remaining instructions assume your indexers are running Linux) For me, the inputs.conf file was generated in /opt/splunk/etc/apps/launcher/local, because I went to the HTTP Event Collector web interface from the main Splunk Enterprise screen. The stanza will look like this: (with different values, of course) [http://inputname] disabled = 0 host = yourhostname index = main indexes = main source = inputsourcetype token = fe2cfed6-664a-4d75-a79d-41dc0548b9de Of course, you should change the host value for each indexer or remove the host line so that the host value is decided on startup. Then, create a new file on each indexer at: /opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf Containing this text: [http] disabled = 0 This will enable the HTTP event collector on the indexers. You can check that the HTTP event listener is opening the port on the indexer by using netstat: netstat -apn | grep 8088 ... View more

Assuming that you are able to edit the inputs.conf file, and that you have a definite value for env, service, and custom for each input stanza, then you could add meta tags to the input stanzas: _meta = env::<env value> service::<service value> custom::<custom value> I don't know if this works the same way with OTEL collectors. ... View more

When you don't include the UID, are there any differences in the field values? What pattern do you see in how it adds artifacts to containers? E.g. are there specific fields which determine the container that the artifact gets added to, or does it add artifacts to the most recently created container? Depending on how you would like it to behave, you could throttle the creation of new artifacts by using a outputlookup and NOT [|inputlookup] commands in your saved search used to forward events to SOAR, then use a time field to make sure the artifacts+containers are different. ... View more

This usually means that something in your playbook is referencing a term that does not exist, like a misnamed block or a nonexistent datapath. If you are certain that the error originates from this Splunk app block, then you could try setting all of the inputs to be formatted text (as you did with the query input) so that SOAR does not think it could be a datapath. ... View more

Could you elaborate on the dashboard you are using? Is it a custom dashboard that sends HTTP requests to SOAR to create new containers and artifacts, or are you using the Event Forwarding settings of the Splunk App for SOAR Export?   If you are using the Event Forwarding settings, then check which field has the checkbox to group, as this will cause results with the same grouping field to be added to the same container in SOAR. ... View more

thambisetty has a great search for this at: https://community.splunk.com/t5/Splunk-Search/How-to-find-dashboards-not-in-use-by-the-amount-of-days/m-p/418629 Here it is, modified for your use case (find dashboards not viewed in the last 60 days) | rest /servicesNS/-/-/data/ui/views splunk_server=local f=id f=updated f=eai:acl ``` Produces all views that are present in local searchhead ``` | table id,updated,eai:acl.removable, eai:acl.app ```eai:acl.removable tells whether the dashboard can be deleted or not. removable=1 means can be deleted. removable=0 means could be system dashboard``` | rename eai:acl.* as * | rex field=id ".*\/(?<dashboard>.*)$" | table app dashboard updated removable | join type=left dashboard app [ search index=_audit earliest=-60d ```Change this earliest= value if you want a different value than 60 days``` action=search provenance="UI:Dashboard:*" sourcetype=audittrail savedsearch_name!="" | stats earliest(_time) as earliest_time latest(_time) as latest_time by app provenance | rex field=provenance ".*\:(?<dashboard>.*)$" | table earliest_time latest_time app dashboard ```produces dashboards that are used in timerange given in earliest/global time range```] | where removable=1 ``` condition to return only dashboards that are not viewed ``` | stats values(dashboard) as dashboard by app ... View more

In addition to the other answers, you may also want to check that your forwarder is not having permission problems in reading the Security wineventlog. If you install the unprivileged windows forwarder and do not add the SplunkForwarder virtual user to the "Event Log Readers" group, then it may fail to subscribe to the Security event log channel. Search: (assuming that your forwarder IS sending internal logs, but not windows event logs) index=_internal host=<host> errorCode=5 "unable to subscribe to Windows Event Log"   ... View more

Depending on whether you want to do this directly in Splunk, and what modules you have installed in your Splunk Enterprise deployment, it may be practical to schedule a scripted input which sends a HTTP request to the download page, searches for the <span class="version">9.4.1</span> text, then extracts the value in the middle. You can then set up a scheduled alert if the version does not match your current version which can be retrieved using "| rest services/server/info". ... View more

You could do the same thing to the MaxExecutionTime by adding 2 more rows in the search: ... | eval colorCode2 = if(MaxExecutionTime > Treshold, "#D94E17", "#55C169") ... | eval MaxExecutionTime = mvappend(MaxExecutionTime,colorCode) ...  And another format section: <format type="color" field="MaxExecutionTime"> <colorPalette type="expression">mvindex(value,1)</colorPalette> </format> So now it reads: <row> <panel> <html depends="$hidecsspanel$"> <style> #ColoredTable table tbody td div.multivalue-subcell[data-mv-index="1"]{ display: none; } </style> </html> <title>TEST XRT Execution Dashboard</title> <table id="ColoredTable"> <search> <query>index="aws_app_corp-it_xrt" sourcetype="xrt_log" "OK/INFO - 1012550 - Total Calc Elapsed Time" | rex field=source "(?&lt;Datetime&gt;\d{8}_\d{6})_usr@(?&lt;Username&gt;[\w\.]+)_ses@\d+_\d+_MAXL#(?&lt;TemplateName&gt;\d+)_apd@(?&lt;ScriptName&gt;[\w]+)_obj#(?&lt;ObjectID&gt;[^.]+)\.msh\.log" | rex "Total Calc Elapsed Time\s*:\s*\[(?&lt;calc_time&gt;\d+\.\d+)\]\s*seconds" | stats avg(calc_time) as AverageExecutionTime max(calc_time) as MaxExecutionTime by ScriptName, ObjectID, TemplateName | eval AverageExecutionTime = round(AverageExecutionTime, 0) | lookup script_tresholds ObjectID ScriptName MaxLTemplate as "TemplateName" OUTPUT Threshold AS "Treshold" | eval colorCode = if(AverageExecutionTime > Treshold, "#D94E17", "#55C169") | eval colorCode2 = if(MaxExecutionTime > Treshold, "#D94E17", "#55C169") | table ScriptName, AverageExecutionTime, MaxExecutionTime, Treshold, ObjectID, TemplateName, colorCode | search $ScriptName$ $ObjectID$ | sort - AverageExecutionTime | eval AverageExecutionTime = mvappend(AverageExecutionTime,colorCode) | eval MaxExecutionTime = mvappend(MaxExecutionTime,colorCode) | fields - colorCode</query> <earliest>$earliest$</earliest> <latest>$latest$</latest> </search> <option name="refresh.display">progressbar</option> <format type="color" field="AverageExecutionTime"> <colorPalette type="expression">mvindex(value,1)</colorPalette> </format> <format type="color" field="MaxExecutionTime"> <colorPalette type="expression">mvindex(value,1)</colorPalette> </format> </table> </panel> </row> ... View more

How did you get your Splunk Enterprise to run on only 127.0.0.1:8000? By default Splunk should be exposed on other interfaces. If you try accessing your Splunk Enterprise instance using the IP address of your Splunk server as seen on your local network (I assume 192.168.0.112?), does it load? ... View more

This docs page contains a link to a Transparent PNG of icons you can use to draw your deployment architecture. https://docs.splunk.com/Documentation/Splunk/9.4.1/InheritedDeployment/Diagramyourdeployment ... View more

Does it work if you use any other command in the query? E.g. just "| stats count"   Also what version of Splunk are you using, out of curiosity? ... View more

I copied your dashboard into my test instance and modified the base search to find events, and it worked.   As a test, could you try saving your full search as a dashboard panel for a new dashboard, then editing the source of that new dashboard to move the first half of the search into a base query? ... View more

Are you using the API to dispatch and retrieve the results of a search? If so, does the search take roughly the same amount of time on its own? ... View more

That is odd. I don't know how AppInspect works internally so I could not say for sure it is an issue with AppInspect. Are you able to find any mention of these files with text searches? It is indeed very strange that it would complain about these files after they are deleted and replaced. ... View more

Excellent. Always good to give it a restart to refresh everything. ... View more

I recommend checking the internal logs for the forwarder. It may contain error messages that indicate why /opt/log/ is not logging. You can use various keywords: index=_internal host=<forwardername> log_level=ERROR /opt/log/ ... View more