If the alerts are shared in an app, they will be in the savedsearches.conf in the app. If they are private alerts, they will be in your user directory in splunk. When in doubt, you can take a unique string from the alert like its name (if it has a unique name) and then run 'grep -r "<name>"' in the /opt/splunk/ directory to find where the alert's configuration file is. ... View more

If you make a new dashboard and then add this one choropleth panel, without adding anything else, then does the new dashboard and its single panel load without complaint?  ... View more

If you are running Splunk on-prem, you can edit the alert webhooks using the filesystem. Search for your alert name in /opt/splunk/etc/apps/<appnameorall>/local/savedsearches.conf , then replace the webhook lines using your favorite text editor. ... View more

One thing you could do is save your search as an alert that triggers rapidly, which uses a different recipient email value that is supplied by a lookup table and iterates using another lookup table containing the email addresses that have already received an email. MAIN SEARCH: <yoursearch> | search [| inputlookup list_all_emails.csv | table action | search NOT [| inputlookup done_sending_email.csv | table action | dedup action] | head 1] | outputlookup done_sending_email.csv append=true You can generate the done_sending_email csv with this search: | makeresults | eval action = "randomfillervaluethatisnotanemail" | outputlookup done_sending_email.csv And generate the list_all_emails.csv with this search: <yoursearch> | dedup action | table action | outputlookup list_all_emails.csv Once the 2 lookup tables are generated, run the main search a few times to see if it iterates through the results for the first few users. If it works, then regenerate the done_sending_email.csv lookup and then save the main search it as an alert. In the Alert settings, scroll down to "When Triggered", then set the To: field to be $result.action$, and then set the rest of the "send email" options to your preference. Set the cron schedule to be something rapid like * * * * * or */5 * * * *, then save the alert. You can then wait as your alert sends a different email to a different user on each execution, containing only the results relevant to them.  Once the done_sending_email.csv and list_all_emails.csv lookup tables are almost the same size, (done_sending_email.csv will be +1 bigger if it has the filler value) then the emails are all sent out. You can then disable the alert, or you can empty the done_sending_email.csv file if you'd like to send another wave of emails. ... View more

Can you test connecting on port 8089 of your Splunk server to ensure that it is not blocked by a firewall or something? The timeout sounds like a connection or firewall problem. ... View more

You could make a transforms config which tells Splunk to extract the host field from the log:   # props.conf [yoursourcetype] TRANSFORMS-anynameyouwant = arbitrarytransformname # transforms.conf [arbitrarytransformname] DEST_KEY = MetaData:Host REGEX = ^[^,]*,([^,]+) FORMAT = host::$1   Once this config is applied to your indexing tier, it will set the host based on the second column in your logs. The default timestamp finder should also find the _time value from your logs in the first column, unless you are setting a sourcetype that bypasses the regular timestamp extraction. You might also try putting the logs to import into a file on the splunk machine using the cli and then making an inputs.conf to index it. You should be able to set the sourcetype either from the inputs.conf stanza or in the webUI when uploading the logs. ... View more

There is no objective "best approach" for IaC setup for Splunk Enterprise. I would recommend choosing the one which your engineers are most familiar with, and the one where the pricing structure best fits into your budget. ... View more

Could you try clearing your browser cache, and telling us which version of Splunk you are using? Also if you remake this panel in a fresh new dashboard, does it make the same error?  ... View more

No you shouldn't need to enter it every time as an input. You can make custom add-on settings which are not username/password and then these will be set once on app configuration and can be re-used for inputs.     ... View more

You may have better results by un-checking the "Global account settings" in Add-on setup parameters in the Add-On Builder and then adding your own Add-on Setup Components like a Text field for Client ID and a Password field for Client Secret, rather than attempting to re-name the account username and password. ... View more

I can't see any obvious issue with your code. What happens if you include debug log statements that output the report_id value, and then the resulting URL? Assuming logging mode is set to debug: helper.log_debug(f"Report ID is: {report_id}") url = f"https://example_url/{report_id}/download" helper.log_debug(f"URL is: {url}") headers = { "accept": "application/json", "Authorization": f"Bearer {jwt_token}", }   ... View more

Any reason why it has to be a filter and not a decision block? Do you want it to only match on one condition and ignore the other condition? ... View more

I recommend coding your modular input. You can use the page number as a checkpoint, then index a page and increment or decrement the checkpoint. Set an interval so that your input gets a page every X seconds, then has a condition to stop when the checkpoint gets to the end.  ... View more

My test machine is also on Splunk version 9.3.1. Could you post sanitized snippets of your JS or dashboard source code? It's hard to see where the issue lies without seeing the full picture. ... View more

Could you try this regex: (?s)EventCode=4688.*Token Elevation Type: (%%1936|%%1938|TokenElevationTypeDefault|TokenElevationTypeLimited) And also post your (sanitized) props.conf and transforms.conf if it does not work? ... View more

Infrastructure as code? Does that mean you are terminating the indexers rather than shutting them off, upgrading, then turning them on again? ... View more

In Regex 1, you seem to have .* backwards (*.) in two instances, where the one near the end is particularly problematic, so if you have: (%%1936|TokenElevationTypeDefault|TokenElevationTypeLimited)*. Then it will match strings like %%1936, 0 or more times, so it will match events which don't include %%1936 or the other strings.  Try removing the *. near the end. Also I recommend testing the regex on a site like regex101.com to make sure your regex is working before you put it in your splunk config. ... View more

I would be interested if you find a "clean" way to make it work. I've had a scenario like this where the filter blocks would not work with artifact-less containers, yet I needed filters to handle the containers with and without artifacts. My solution was to add a dummy artifact at the start of the playbook and then delete it near the end. ... View more

That looks like a Palo Alto Networks sourcetype. This documentation implies that these sourcetypes were used in a Palo Alto Networks app that is out of date, but has links for upgrading to the new app: https://pan.dev/splunk/docs/tune-or-reduce-firewall-logs/ I would expect that at least one of the Palo Alto Apps would include a dashboard and field extractions for pan:* sourcetypes. ... View more

Splunkflix   ...just kidding. There is not a successor available for Splunk TV, but many people are asking for it to be brought back or succeeded by a new version. If you add your votes to it on Splunk Ideas, then it is more likely that the Splunk company will work on it. https://ideas.splunk.com/ideas/EID-I-1913 ... View more

Does the time range picker need to be a time range picker? You could set it up as a dropdown with 2 options: 24h and 1month, then make 2 panels in your dashboard which each depend on a token to be set when the dropdown option is selected. Then set the panels to have searches whose <earliest> time is -24h and -1mon respectively. Only one panel will display at a time.   <form version="1.1" theme="dark"> <label>2 Time Picker Dashboard</label> <fieldset submitButton="false"> <input type="dropdown" token="field1"> <label>timerange</label> <choice value="1">24h</choice> <choice value="2">1month</choice> <change> <eval token="dp1">if($value$="1",true(),null())</eval> <eval token="dp2">if($value$="2",true(),null())</eval> </change> <default>1</default> <initialValue>1</initialValue> </input> </fieldset> <row depends="$dp1$"> <panel> <table> <search> <query>search index=* | head 5</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </table> </panel> </row> <row depends="$dp2$"> <panel> <table> <search> <query>search index=* | head 10</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </table> </panel> </row> </form>   ... View more

You can gently tell the indexers to go offline using "/opt/splunk/bin/splunk offline" . They will stop indexing, roll hot buckets to warm and upload them to remote storage, then you can bring them up again and they will rejoin the cluster. Ref: https://docs.splunk.com/Documentation/Splunk/9.3.1/Indexer/Takeapeeroffline ... View more

Are you able to use the ID of the div containing the text input to apply the border style? E.g. my test input has id=input1_11212 , so using: #input1_11212 { border: 2px solid #f6685e !important; } Results in a red border:   ... View more

They seem to correspond to different Carbon Black products: https://splunkbase.splunk.com/app/5775 - Carbon Black App Control (formerly Bit9) https://splunkbase.splunk.com/app/5774 - Carbon Black defense https://splunkbase.splunk.com/app/5947 - Carbon Black Response https://splunkbase.splunk.com/app/6732 - VMware Carbon Black Cloud Which Carbon Black product are you using? If you have a contact with your Carbon Black license then perhaps you can ask them which is the most appropriate SOAR connector for your Carbon Black products. Or you could try your API keys on each product and see which one succeeds in its actions. ... View more