It seems the CiscoSecurityCloud app isn’t correctly parsing fields from your Cisco FTD syslog data—likely due to a misconfiguration in props/transforms or a format mismatch. A good starting point is to check the syslog.conf or your app's props.conf and transforms.conf files to ensure the correct TIME_FORMAT, field extractions, and source types are in place. If you're working with a Windows/macOS GUI, you might also consider using an APK file editor (like APKTool, JADX, or APK Editor Pro)—not for Splunk specifically, but as a familiar toolset to browse configurations or reverse-engineer similar structured files and gain insight into file layout or logic flow. ... View more

Interesting discussion! It looks like you're exploring the details of this Splunk app/add-on—perhaps review its structure, manifest, or resource files? If anyone wants to dig deeper into its inner workings, you could use an APK file editor like APKTool, JADX, or APK Editor Pro to unpack and inspect its components. It’s a handy way to audit how the app is built or modify its behavior. ... View more

If you're encountering the error command="sendemail", [Errno -2] Name or service not known in Splunk, it typically indicates a DNS resolution issue where the SMTP server's hostname cannot be resolved. Here's how to troubleshoot and resolve this: 1. Verify SMTP Server Hostname Ensure that the SMTP server hostname specified in your Splunk configuration is correct. This should be a fully qualified domain name (FQDN) that can be resolved by your system's DNS. For example: smtp.example.com Avoid using IP addresses directly in the configuration, as they may not be resolvable in all contexts. 2. Check DNS Resolution From the Splunk instance, test if the SMTP server's hostname can be resolved: nslookup smtp.example.com If this command fails, it indicates a DNS issue. Ensure that your Splunk server has proper DNS settings and can reach the DNS server. 3. Test SMTP Server Connectivity Verify that your Splunk instance can reach the SMTP server on the required port (typically port 25, 465, or 587): telnet smtp.example.com 25 If the connection is refused or times out, check your firewall settings and ensure that the SMTP server is accessible from your Splunk instance. 4. Configure SMTP Settings in Splunk Ensure that your SMTP settings are correctly configured in Splunk: Navigate to Settings > Server settings > Email settings. Enter the correct SMTP server hostname and port. Provide authentication details if required (username and password). Specify the sender email address. 5. Check for Firewall or Proxy Issues If your Splunk instance is behind a firewall or proxy, ensure that it allows outbound connections to the SMTP server on the necessary ports. You may need to configure proxy settings in Splunk if applicable. 6. Review Splunk Logs Check Splunk's internal logs for more detailed error messages: $SPLUNK_HOME/var/log/splunk/splunkd.log Look for entries related to the sendemail command to identify any additional issues. 7. Restart Splunk After making changes to the configuration, restart Splunk to apply the new settings: $SPLUNK_HOME/bin/splunk restart By following these steps, you should be able to resolve the [Errno -2] Name or service not known error and successfully send emails from Splunk. If the issue persists, consider reaching out to your network administrator to ensure proper DNS and network configurations. ... View more

This error usually isn’t about your credentials but rather a DNS or endpoint resolution issue — Splunk Cloud may not be able to reach the Event Hub namespace you’ve configured, which is why it throws the [Errno -2] Name or service not known error. Since the same credentials work in FortiSIEM, double-check that the Event Hub FQDN/namespace in your Splunk Add-on settings is correct, ensure that it includes the full suffix (like *.servicebus.windows.net), and confirm with Splunk Support that the necessary outbound connectivity to Azure Event Hubs is allowed from your Splunk Cloud stack (sometimes a firewall or network restriction on Splunk Cloud’s side blocks the connection). Updating the namespace field and verifying network egress is usually the fix. ... View more

added. Thanks it solved my issue ... View more

I had the same question Thanks  ... View more