This sounds like more of a Gemini question than a Splunk question, as the Splunk MCP server should work using the same MCP .json configuration and any arbitrary MCP Client that accepts the configuration.  E.g. here is a project to interface with Gemini, and it uses the mcp.json configuration file schema. I don't see any reason why this wouldn't work: https://gemini-cli.xyz/docs/en/tools/mcp-server ... View more

Is your prod environment using a different SSL certificate than your test and dev environments? I have had headaches when using a cert that worked fine on version 9.3.x, but suddenly the KVStore failed on version 9.4.x because it required the SSL certificate to have clientAuth capability to start the Kvstore. It may be worth checking that you are not using the same cert config in server.conf and web.conf. To solve this I used the default Splunk SSL cert in server.conf stanzas, but a custom cert in web.conf. If this is the problem on your prod server, you might be able to find internal logs indicating the use of your web cert to communicate with the kvstore by searching: index=_internal <yourcertfilename> ... View more

At least in SOAR 6.2+ (IIRC) it should be also possible to make a "Code" block that allows the direct addition of code to a playbook block without having to make and reference a custom function. I recall it having a dark blue block symbol. ... View more

I have a linux installation but it still lets me load https://127.0.0.1:8000/en-US/manager/search/manage_system_config/win_event_log_collections?entity=localhost even if it says "Operating system not supported for this page." Some questions: 1. Does your logged in user (divin) have privileges to add inputs and therefore access this page? Try it again with an administrative user just to rule out permission issues. 2. Are you able to load any other URLs like /en-GB/manager/manage_system_config , or does it still return 404 not found? ... View more

This is intended behavior, because the visual editor was not designed to interpret and handle custom code. The visual editor is for applying common configurations, but when you modify the code directly by yourself then you are assuming manual control and cannot rely on the visual editor unless you revert the custom code changes. Making a code block to refine output of another block should not prevent the previous block from being editable by the visual editor. ... View more

EDIT: I think PickleRick has the right approach. ... View more

When changing the sourcetype, please note that any knowledge objects (field extractions, calculated fields, etc) in the app that apply to the previous sourcetype will then no longer apply, unless you then modify them to apply to the new sourcetype. It is likely possible to configure the app using the webUI to make the /local/inputs.conf stanzas, which could then be edited to use a different sourcetype.  Another option would be to use transforms to change the sourcetype: You can put these config files in the local directory of the app (E.g. /opt/splunk/etc/apps/Splunk_TA_MS_Security/local) in the heavy forwarder where you installed the app, or append their contents to existing files of the same name in the local directory. props.conf # e.g. if you want to change ms365:defender:incident to "ms:new:sourcetype:value". Add more stanzas for each sourcetype to change. [ms365:defender:incident] TRANSFORMS-ChangeSourceType = ChangeSourceType   transforms.conf [ChangeSourceType] #custom regex can be set here to apply to matching events REGEX = .* FORMAT = sourcetype::"ms:new:sourcetype:value"   Ref: https://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides ... View more

In the playbook, there is a "End" block created automatically along with the "Start" block. If you click on the "End" block, you can set outputs for the playbook which can be used by other playbooks that include the playbook using a playbook block. ... View more

That's very strange, as cacheEntriesLimit should disable the cache, thus forcing all clients to re-load static assets. Can you confirm that the setting is used, using btool? ... View more

Are you using SOAR? If so, are you running the playbook from the container view? ... View more

Can you confirm that the app indeed has a default/app.conf file, and that it does not contain files or folders outside its app folder named "hashicorpvault", and that its file permissions are in the expected state? ... View more

I don't think it is possible to constrain a dataset to "only intake 1 event containing each value of EventId and then exclude the rest of the events with the same EventId value." This would require the dataset to check against a list of already-included EventId values for every new event it intakes. It would be better to do this in another way. Ideally you could change the events themselves so that they only have one event per EventID, but there are other tricks you could try, like making a search that makes summary-indexed events once per EventID while excluding all EventIDs that already exist in the destination index. Then you could set the datamodel+dataset to include events from the index of summary-indexed events. ... View more

It seems that you are not using {0} in your query input. Also can you post the sanitized code for the code block and the full entry for the data path of the 0 input? ... View more

As the error message describes, you are trying to delete a playbook from a read-only repository. If you are importing it directly from the Splunk security content github repo, then you cannot delete the playbook and would be better off removing the repo in your Source Control settings. If it is cloned to a repo you control, then you need to uncheck the "read only" setting for that repo. ... View more

The HTTP Event Collector won't do load balancing itself, so you will need to set up a load balancer in front of the indexers. One way you could set up the HEC token is to take a Splunk server with a web interface (probably not the indexers), go to Settings->Data inputs->HTTP Event Collector, then click the "New Token" button. Go through the menu specifying your desired input name, sourcetype, index, etc. This will generate an inputs.conf stanza for the HTTP input. You can then open the inputs.conf file and copy this stanza to each of your indexers to ensure they have the same token. (Remaining instructions assume your indexers are running Linux) For me, the inputs.conf file was generated in /opt/splunk/etc/apps/launcher/local, because I went to the HTTP Event Collector web interface from the main Splunk Enterprise screen. The stanza will look like this: (with different values, of course) [http://inputname] disabled = 0 host = yourhostname index = main indexes = main source = inputsourcetype token = fe2cfed6-664a-4d75-a79d-41dc0548b9de Of course, you should change the host value for each indexer or remove the host line so that the host value is decided on startup. Then, create a new file on each indexer at: /opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf Containing this text: [http] disabled = 0 This will enable the HTTP event collector on the indexers. You can check that the HTTP event listener is opening the port on the indexer by using netstat: netstat -apn | grep 8088 ... View more

Assuming that you are able to edit the inputs.conf file, and that you have a definite value for env, service, and custom for each input stanza, then you could add meta tags to the input stanzas: _meta = env::<env value> service::<service value> custom::<custom value> I don't know if this works the same way with OTEL collectors. ... View more

When you don't include the UID, are there any differences in the field values? What pattern do you see in how it adds artifacts to containers? E.g. are there specific fields which determine the container that the artifact gets added to, or does it add artifacts to the most recently created container? Depending on how you would like it to behave, you could throttle the creation of new artifacts by using a outputlookup and NOT [|inputlookup] commands in your saved search used to forward events to SOAR, then use a time field to make sure the artifacts+containers are different. ... View more

This usually means that something in your playbook is referencing a term that does not exist, like a misnamed block or a nonexistent datapath. If you are certain that the error originates from this Splunk app block, then you could try setting all of the inputs to be formatted text (as you did with the query input) so that SOAR does not think it could be a datapath. ... View more

Could you elaborate on the dashboard you are using? Is it a custom dashboard that sends HTTP requests to SOAR to create new containers and artifacts, or are you using the Event Forwarding settings of the Splunk App for SOAR Export?   If you are using the Event Forwarding settings, then check which field has the checkbox to group, as this will cause results with the same grouping field to be added to the same container in SOAR. ... View more

thambisetty has a great search for this at: https://community.splunk.com/t5/Splunk-Search/How-to-find-dashboards-not-in-use-by-the-amount-of-days/m-p/418629 Here it is, modified for your use case (find dashboards not viewed in the last 60 days) | rest /servicesNS/-/-/data/ui/views splunk_server=local f=id f=updated f=eai:acl ``` Produces all views that are present in local searchhead ``` | table id,updated,eai:acl.removable, eai:acl.app ```eai:acl.removable tells whether the dashboard can be deleted or not. removable=1 means can be deleted. removable=0 means could be system dashboard``` | rename eai:acl.* as * | rex field=id ".*\/(?<dashboard>.*)$" | table app dashboard updated removable | join type=left dashboard app [ search index=_audit earliest=-60d ```Change this earliest= value if you want a different value than 60 days``` action=search provenance="UI:Dashboard:*" sourcetype=audittrail savedsearch_name!="" | stats earliest(_time) as earliest_time latest(_time) as latest_time by app provenance | rex field=provenance ".*\:(?<dashboard>.*)$" | table earliest_time latest_time app dashboard ```produces dashboards that are used in timerange given in earliest/global time range```] | where removable=1 ``` condition to return only dashboards that are not viewed ``` | stats values(dashboard) as dashboard by app ... View more

In addition to the other answers, you may also want to check that your forwarder is not having permission problems in reading the Security wineventlog. If you install the unprivileged windows forwarder and do not add the SplunkForwarder virtual user to the "Event Log Readers" group, then it may fail to subscribe to the Security event log channel. Search: (assuming that your forwarder IS sending internal logs, but not windows event logs) index=_internal host=<host> errorCode=5 "unable to subscribe to Windows Event Log"   ... View more

Depending on whether you want to do this directly in Splunk, and what modules you have installed in your Splunk Enterprise deployment, it may be practical to schedule a scripted input which sends a HTTP request to the download page, searches for the <span class="version">9.4.1</span> text, then extracts the value in the middle. You can then set up a scheduled alert if the version does not match your current version which can be retrieved using "| rest services/server/info". ... View more