According to the Splunk Stream for Cloud deployment architecture, you need a HEC token only if you are using a Independent Stream Forwarder (ISF). If the Stream Add-on for Stream Forwarders is installed on a universal or heavy forwarder, then the data is sent to the indexers via the Splunk2Splunk protocol. If you are receiving any logs from your server already, then your Splunk2Splunk data stream authentication is working. If you are using the add-on on the universal forwarder, then it does request stream configurations from the search head and will likely need to authenticate these requests. Are your internal logs showing status:401 errors connecting to the /streams/ endpoint of your Splunk cloud tenant? Ref: https://help.splunk.com/en/splunk-cloud-platform/collect-stream-data/install-and-configure-splunk-stream/8.1/splunk-stream-architecture/splunk-stream-for-cloud-deployment-architecture ... View more

From looking at the /default/props.conf file in the "CCX Unified Splunk Add-on for Trend Micro" app, it seems the main sourcetype is "trendmicro". It looks like logs with that sourcetype will be transformed into various other Trend Micro Apex sourcetypes, such as "trendmicro:apexone:content_security". ... View more

Is it impossible to switch the device to use syslog format instead of CEF? If you can switch, then the official Fortinet FortiGate Add-On for Splunk (https://splunkbase.splunk.com/app/2846) seems like a good fit. If you must stick to CEF format, then most likely you will have to try a "CEF Extraction" app like this one: https://splunkbase.splunk.com/app/487 (I have not used it myself so cannot vouch for its quality) ... View more

SOAR generates the vault_id by taking the SHA1 hash of the file, so if the files have the same content, they will have the same hash and therefore same vault_id. ... View more

This sounds like more of a Gemini question than a Splunk question, as the Splunk MCP server should work using the same MCP .json configuration and any arbitrary MCP Client that accepts the configuration.  E.g. here is a project to interface with Gemini, and it uses the mcp.json configuration file schema. I don't see any reason why this wouldn't work: https://gemini-cli.xyz/docs/en/tools/mcp-server ... View more

Is your prod environment using a different SSL certificate than your test and dev environments? I have had headaches when using a cert that worked fine on version 9.3.x, but suddenly the KVStore failed on version 9.4.x because it required the SSL certificate to have clientAuth capability to start the Kvstore. It may be worth checking that you are not using the same cert config in server.conf and web.conf. To solve this I used the default Splunk SSL cert in server.conf stanzas, but a custom cert in web.conf. If this is the problem on your prod server, you might be able to find internal logs indicating the use of your web cert to communicate with the kvstore by searching: index=_internal <yourcertfilename> ... View more

At least in SOAR 6.2+ (IIRC) it should be also possible to make a "Code" block that allows the direct addition of code to a playbook block without having to make and reference a custom function. I recall it having a dark blue block symbol. ... View more

I have a linux installation but it still lets me load https://127.0.0.1:8000/en-US/manager/search/manage_system_config/win_event_log_collections?entity=localhost even if it says "Operating system not supported for this page." Some questions: 1. Does your logged in user (divin) have privileges to add inputs and therefore access this page? Try it again with an administrative user just to rule out permission issues. 2. Are you able to load any other URLs like /en-GB/manager/manage_system_config , or does it still return 404 not found? ... View more

This is intended behavior, because the visual editor was not designed to interpret and handle custom code. The visual editor is for applying common configurations, but when you modify the code directly by yourself then you are assuming manual control and cannot rely on the visual editor unless you revert the custom code changes. Making a code block to refine output of another block should not prevent the previous block from being editable by the visual editor. ... View more

EDIT: I think PickleRick has the right approach. ... View more

When changing the sourcetype, please note that any knowledge objects (field extractions, calculated fields, etc) in the app that apply to the previous sourcetype will then no longer apply, unless you then modify them to apply to the new sourcetype. It is likely possible to configure the app using the webUI to make the /local/inputs.conf stanzas, which could then be edited to use a different sourcetype.  Another option would be to use transforms to change the sourcetype: You can put these config files in the local directory of the app (E.g. /opt/splunk/etc/apps/Splunk_TA_MS_Security/local) in the heavy forwarder where you installed the app, or append their contents to existing files of the same name in the local directory. props.conf # e.g. if you want to change ms365:defender:incident to "ms:new:sourcetype:value". Add more stanzas for each sourcetype to change. [ms365:defender:incident] TRANSFORMS-ChangeSourceType = ChangeSourceType   transforms.conf [ChangeSourceType] #custom regex can be set here to apply to matching events REGEX = .* FORMAT = sourcetype::"ms:new:sourcetype:value"   Ref: https://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides ... View more

In the playbook, there is a "End" block created automatically along with the "Start" block. If you click on the "End" block, you can set outputs for the playbook which can be used by other playbooks that include the playbook using a playbook block. ... View more

That's very strange, as cacheEntriesLimit should disable the cache, thus forcing all clients to re-load static assets. Can you confirm that the setting is used, using btool? ... View more

Are you using SOAR? If so, are you running the playbook from the container view? ... View more

Can you confirm that the app indeed has a default/app.conf file, and that it does not contain files or folders outside its app folder named "hashicorpvault", and that its file permissions are in the expected state? ... View more

I don't think it is possible to constrain a dataset to "only intake 1 event containing each value of EventId and then exclude the rest of the events with the same EventId value." This would require the dataset to check against a list of already-included EventId values for every new event it intakes. It would be better to do this in another way. Ideally you could change the events themselves so that they only have one event per EventID, but there are other tricks you could try, like making a search that makes summary-indexed events once per EventID while excluding all EventIDs that already exist in the destination index. Then you could set the datamodel+dataset to include events from the index of summary-indexed events. ... View more

It seems that you are not using {0} in your query input. Also can you post the sanitized code for the code block and the full entry for the data path of the 0 input? ... View more

As the error message describes, you are trying to delete a playbook from a read-only repository. If you are importing it directly from the Splunk security content github repo, then you cannot delete the playbook and would be better off removing the repo in your Source Control settings. If it is cloned to a repo you control, then you need to uncheck the "read only" setting for that repo. ... View more

The HTTP Event Collector won't do load balancing itself, so you will need to set up a load balancer in front of the indexers. One way you could set up the HEC token is to take a Splunk server with a web interface (probably not the indexers), go to Settings->Data inputs->HTTP Event Collector, then click the "New Token" button. Go through the menu specifying your desired input name, sourcetype, index, etc. This will generate an inputs.conf stanza for the HTTP input. You can then open the inputs.conf file and copy this stanza to each of your indexers to ensure they have the same token. (Remaining instructions assume your indexers are running Linux) For me, the inputs.conf file was generated in /opt/splunk/etc/apps/launcher/local, because I went to the HTTP Event Collector web interface from the main Splunk Enterprise screen. The stanza will look like this: (with different values, of course) [http://inputname] disabled = 0 host = yourhostname index = main indexes = main source = inputsourcetype token = fe2cfed6-664a-4d75-a79d-41dc0548b9de Of course, you should change the host value for each indexer or remove the host line so that the host value is decided on startup. Then, create a new file on each indexer at: /opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf Containing this text: [http] disabled = 0 This will enable the HTTP event collector on the indexers. You can check that the HTTP event listener is opening the port on the indexer by using netstat: netstat -apn | grep 8088 ... View more

Assuming that you are able to edit the inputs.conf file, and that you have a definite value for env, service, and custom for each input stanza, then you could add meta tags to the input stanzas: _meta = env::<env value> service::<service value> custom::<custom value> I don't know if this works the same way with OTEL collectors. ... View more

When you don't include the UID, are there any differences in the field values? What pattern do you see in how it adds artifacts to containers? E.g. are there specific fields which determine the container that the artifact gets added to, or does it add artifacts to the most recently created container? Depending on how you would like it to behave, you could throttle the creation of new artifacts by using a outputlookup and NOT [|inputlookup] commands in your saved search used to forward events to SOAR, then use a time field to make sure the artifacts+containers are different. ... View more

This usually means that something in your playbook is referencing a term that does not exist, like a misnamed block or a nonexistent datapath. If you are certain that the error originates from this Splunk app block, then you could try setting all of the inputs to be formatted text (as you did with the query input) so that SOAR does not think it could be a datapath. ... View more