Activity Feed
- Karma Re: Base search not returning results for catdadof3. Monday
- Posted Re: Changing server IP from 127.0.0.1 to 192.168.0.100 on Splunk Enterprise. Monday
- Posted Re: Splunk icons for deployment document on Deployment Architecture. Monday
- Got Karma for Re: Splunk AI Assistant. Monday
- Got Karma for Re: Base search not returning results. Friday
- Posted Re: Base search not returning results on Splunk Search. Friday
- Posted Re: Base search not returning results on Splunk Search. Friday
- Posted Re: splunk api slowness on Splunk Dev. 3 weeks ago
- Karma Re: Splunk Forwarder $xmlregex for lar06. 3 weeks ago
- Posted Re: AppInspect fail to validate an add-on new version .. ERROR: Found AArch64-incompatible binary file on Splunk Cloud Platform. 3 weeks ago
- Karma Re: Extract json fields for yuanliu. 3 weeks ago
- Posted Re: Splunk App for Lookup File Editing - Status (Old) on All Apps and Add-ons. 3 weeks ago
- Posted Re: SplunkForwarder monitoring issue for /opt/log/<file name> on Splunk Enterprise. 3 weeks ago
- Posted Re: Microsoft Cloud Services Add-On Error: In handler 'passwords': cannot parse secret JSON: Unexpected EOF on All Apps and Add-ons. a month ago
- Posted Re: How to create Alert in Cloud version of Splunk on Splunk Cloud Platform. a month ago
- Posted Re: Syslog fundamentals on Training + Certification Discussions. a month ago
- Posted Re: AppInspect fail to validate an add-on new version .. ERROR: Found AArch64-incompatible binary file on Splunk Cloud Platform. a month ago
- Posted Re: Splunk App for Lookup File Editing - Status (Old) on All Apps and Add-ons. a month ago
- Posted Re: The external search command 'chatgpt' did not return events in descending time order, as expected. on Monitoring Splunk. a month ago
- Karma Re: Unable to use nullqueue properly for a Storage Account input for richgalloway. a month ago
Monday
How did you get your Splunk Enterprise to run on only 127.0.0.1:8000? By default Splunk should be exposed on other interfaces. If you try accessing your Splunk Enterprise instance using the IP address of your Splunk server as seen on your local network (I assume 192.168.0.112?), does it load?
Monday
This docs page contains a link to a Transparent PNG of icons you can use to draw your deployment architecture. https://docs.splunk.com/Documentation/Splunk/9.4.1/InheritedDeployment/Diagramyourdeployment
Friday
Does it work if you use any other command in the query? E.g. just "| stats count" Also what version of Splunk are you using, out of curiosity?
Friday
1 Karma
I copied your dashboard into my test instance and modified the base search to find events, and it worked. As a test, could you try saving your full search as a dashboard panel for a new dashboard, then editing the source of that new dashboard to move the first half of the search into a base query?
3 weeks ago
Are you using the API to dispatch and retrieve the results of a search? If so, does the search take roughly the same amount of time on its own?
3 weeks ago
That is odd. I don't know how AppInspect works internally so I could not say for sure it is an issue with AppInspect. Are you able to find any mention of these files with text searches? It is indeed very strange that it would complain about these files after they are deleted and replaced.
3 weeks ago
Excellent. Always good to give it a restart to refresh everything.
3 weeks ago
I recommend checking the internal logs for the forwarder. It may contain error messages that indicate why /opt/log/ is not logging. You can use various keywords:

index=_internal host=<forwardername> log_level=ERROR /opt/log/
a month ago
If you need a quick patch then it may be possible to edit the password handler code, but as this app is Splunk supported, you could submit a support ticket for it.
a month ago
Are you able to check if your user has a role with the schedule_search capability?
a month ago
You could give https://syslog-ng.github.io/admin-guide/050_The_configuration_file/001_Configuration_syntax.html a shot, for understanding how the configuration file syntax works.
a month ago
It seems to be unhappy that the file "linux_x86_64/bin/lib/_cffi_backend.cpython-39-x86_64-linux-gnu.so" is built for AMD64, not AArch64. Are you able to install and use "_cffi_backend.cpython-39-aarch64-linux-gnu.so" instead?
a month ago
You are likely viewing the old status dashboard (lookup_editor_status.xml) that has been superseded. Try going to the Status page in the Health dropdown and it will bring you to the updated status dashboard (status.xml).
a month ago
Which app are you using to implement this command, and are you able to connect to chatGPT from your Splunk machine? Perhaps the command timed out.
a month ago
Is the search a newly formed search or an edited Report? There should be an option for "Alert" when you make a new search and press "Save As", even in cloud.
a month ago
Which Syslog system are you using? There are likely docs available online for it.
a month ago
Perhaps this method could work if the number of unique Names is not too high:

<yoursearch>
| eval mvs = mvzip('DeviceProperties{}.Name','DeviceProperties{}.Value',"=")
| rex field=mvs "^Id=(?<Id>.*)"
| rex field=mvs "^DisplayName=(?<DisplayName>.*)"
| rex field=mvs "^OS=(?<OS>.*)"
| rex field=mvs "^BrowserType=(?<BrowserType>.*)"
| rex field=mvs "^TrustType=(?<TrustType>.*)"
| rex field=mvs "^SessionId=(?<SessionId>.*)"
02-19-2025
11:14 AM
I think this "admin_all_objects" privilege is needed by the app to access the client secret stored in the app, which is used to authenticate the advanced hunting requests. There is another app (https://splunkbase.splunk.com/app/6463) which appears to do the same thing albeit with a differently named command "defkqlg". It says in the Details tab that you can use the "edit_storage_passwords" capability instead of "admin_all_objects" if your Splunk Enterprise version is later than 9.1.0. It might also be possible to use edit_storage_passwords privilege instead on the MS Defender Advanced Hunting app, but it would need to be tested.
01-25-2025
12:58 PM
Can you increment the checkpoint number by one before saving it using the helper functions in the add-on builder? This should prevent it from getting the last event multiple times when there are no new events after the last checkpoint.
01-11-2025
11:07 PM
In what format are you adding that link? If it is using <A> tags, or you can otherwise control the attributes of the link, then you can add a target="_blank" to it to make it open a new tab by default.

<a href="linktowebsite.com" target="_blank">Link</a>
01-03-2025
02:10 PM
I don't have Splunk running on a Windows machine so I can't comment on whether those files are necessary or not, but if you find that your Splunk installation is working well without those files and then you would like to just disable the warning, then you can remove the related lines in the manifest file in your Splunk directory to disable the integrity checking on them.
01-03-2025
01:00 PM
According to the readme.md file, to configure it: "On your Splunk instance navigate to `/app/KeycloakAPI_nxtp` to perform the configuration." I would assume this takes place after you install the app on your instance. Then you should be able to go to https://yoursplunk:8000/<locale>/app/KeycloakAPI_nxtp and there may be a setup page.
01-03-2025
12:45 PM
Splunk will store the indexed data until the end of the retention period in the index. You cannot tell Splunk to just store the latest copy from inputs.conf. You can, however, use searches to return only the latest indexed event. By default, events will be returned in reverse chronological order. So if your list of certificates is in a single event, then you may be able to filter to only the latest one by using "head 1":

index=test_event source=/applications/hs_cert/cert/log/cert_monitor.log
| head 1
| rex field=_raw "(?<Severity>[^\|]+)\|(?<Hostname>[^\|]+)\|(?<CertIssuer>[^\|]+)\|(?<FilePath>[^\|]+)\|(?<Status>[^\|]+)\|(?<ExpiryDate>[^\|]+)"
| multikv forceheader=1
| table Severity Hostname CertIssuer FilePath Status ExpiryDate

If this is not the case, then perhaps you could post a sanitized screenshot of your events to give us a better idea of how they appear in your search interface.
01-03-2025
12:16 PM
1 Karma
Maybe something like this:

index=analise Task.TaskStatus="Concluído" Task.DbrfMaterial{}.SolutionCode="410 TROCA DO MOD/PLACA/PECA" State IN ("*") CustomerName IN ("*") ItemCode IN ("*")
| spath path=Task.DbrfMaterial{} output=DbrfMaterial
| mvexpand DbrfMaterial
| table TaskNo DbrfMaterial
| spath input=DbrfMaterial
| table TaskNo EngineeringCode ItemDescription ItemQty SolutionCode

How exactly would you like your table to look?