Were you able to resolve? http code 500 is "indicates a problem within the web server itself, such as misconfigurations, errors in the website's code, issues with database connections, or insufficient server resources."  Are able to access python.log or splunkd.log? It look like your having issue with the traffic or auth issue.  Also indicate the *.conf configuration file is missing. ... View more

Just documenting a mental note for myself and others navigating CAC enablement: After working through the options, things are much clearer now. There are multiple paths to integrate CAC authentication, each with trade-offs: SAML via CAC – This is the most straightforward and scalable option. It requires F5 configuration as a SAML Service Provider and integrates cleanly with enterprise IdPs like Microsoft Entra ID. It simplifies certificate validation and user mapping. LDAP/AD via CAC – Also requires F5, but involves deeper complexity: LDAP schema alignment, altsecid mapping, and certificate parsing. It’s more effort-intensive and better suited for legacy environments. Header-Based SSO via F5 + LDAP – F5 handles CAC auth and injects headers based on LDAP attributes. Useful for apps that don’t support SAML or OAuth directly. Direct Smart Card Logon to Windows Domain – Enables CAC-based workstation or domain logon. Requires registry tweaks and trusted CA enforcement. Best for tightly controlled on-prem environments. Hybrid Models – Some environments combine SAML for web apps and LDAP for legacy systems, using F5 to bridge both. This adds flexibility but increases configuration overhead. If you're starting fresh or aiming for simplicity, SAML via CAC is the cleanest and most future-proof path, especially in environments already using F5 and federated identity. Hope this helps others exploring CAC integration—especially in Zero Trust-aligned architectures. ... View more

I don't see the attachment.  Have you looked at the index = _internal for log_level IN (WARN, ERROR) ... View more

Wow!  I've encountered the same.  Thanks for posting. ... View more

So, there is two ways to do this CAC authentication.   SAML or LDAP trusted methods.  Before, I thought PKI was just one option but, SAML open up another option. I hope this helps:  Configure single sign-on with SAML - Splunk Documentation ... View more

Here are the latest props.conf setting at 9.2.1 on the universal forwarder:  (json file parsing works g8 with this option) EVENT_BREAKER_ENABLE = <boolean> EVENT_BREAKER = <regular expression> LB_CHUNK_BREAKER = <regular expression> force_local_processing = <boolean>  * new * Forces a universal forwarder to process all data tagged with this sourcetype locally before forwarding it to the indexers. * Data with this sourcetype is processed by the linebreaker, aggerator, and the regexreplacement processors in addition to the existing utf8 processor. * Note that switching this property potentially increases the cpu and memory consumption of the forwarder. * Applicable only on a universal forwarder. * Default: false ... View more

Additional idea on this thought is based on baseline of probing network.  You can use this information to assign a risk base alert.  Just a thought...  ... View more

It appears the problem still around.  I am upgrading to 7.3.1 and still getting the error.  I had to use the CLI option to upgrade.  ... View more

Here are the setting that you can enable on the log.conf to get more detail logging.  $splunk_install_dir$/etc/log.conf category.X509=DEBUG category.UiAuth=DEBUG Post the error message here or call support.  ... View more

Yes.  src is on the by clause, how do you display on the graph above the report & then table of the search results on the bottom for save report? Or Am I not asking the question correctly? ... View more

Here is the SPL index=$masked$_oracle src!=$masked$* dest=$masked$* ACTION_NAME IN ("*CREATE*","*ALTER*","*DROP*","*EXECUTE*") AND SQL_TEXT IN ("*CREATE TABLE*","*DROP TABLE*","*ALTER TABLE*","*TRUNCATE TABLE*","*CREATE FUNCTION*","*ALTER FUNCTION*","*DROP FUNCTION*","*CREATE PACKAGE BODY*","*ALTER PACKAGE BODY*","*DROP PACKAGE BODY*","*CREATE PACKAGE*","*ALTER PACKAGE*","*DROP PACKAGE*") | stats values(user) as user values(ACTION_NAME) as dbSQLCommand, values(CLIENT_PROGRAM_NAME) as dbdlient dc(CLIENT_PROGRAM_NAME) as App_Making_chage_count dc(ACTION_NAME) as distinctSQLCommandsPerformed earliest(_time) as mostRecentTime by src, dest, SQL_TEXT | convert ctime(mostRecentTime) | sort - mostRecentTime  Here is the .conf action.keyindicator.invert = 0 action.makestreams.param.verbose = 0 action.nbtstat.param.verbose = 0 action.notable.param.verbose = 0 action.nslookup.param.verbose = 0 action.ping.param.verbose = 0 action.risk.forceCsvResults = 1 action.risk.param.verbose = 0 action.send2uba.param.verbose = 0 action.threat_add.param.verbose = 0 action.webhook.enable_allowlist = 0 alert.track = 0 auto_summarize = 1 auto_summarize.dispatch.earliest_time = -3mon@d cron_schedule = 0 1 * * 1 description = ```SRB Update: adjusted ACTION_NAME & SQL_TEXT Search Analyst-JYS : A/U-2024/01/10 : R/A-2024/01/12```\ dispatch.latest_time = now display.general.type = statistics display.page.search.mode = fast display.page.search.tab = statistics enableSched = 1 request.ui_dispatch_view = search search = index=$masked$_oracle src!=$masked$* dest=$masked$* ACTION_NAME IN ("*CREATE*","*ALTER*","*DROP*","*EXECUTE*") AND SQL_TEXT IN ("*CREATE TABLE*","*DROP TABLE*","*ALTER TABLE*","*TRUNCATE TABLE*","*CREATE FUNCTION*","*ALTER FUNCTION*","*DROP FUNCTION*","*CREATE PACKAGE BODY*","*ALTER PACKAGE BODY*","*DROP PACKAGE BODY*","*CREATE PACKAGE*","*ALTER PACKAGE*","*DROP PACKAGE*")\ | stats values(user) as user values(ACTION_NAME) as dbSQLCommand, values(CLIENT_PROGRAM_NAME) as dbdlient dc(CLIENT_PROGRAM_NAME) as App_Making_chage_count dc(ACTION_NAME) as distinctSQLCommandsPerformed earliest(_time) as mostRecentTime by src, dest, SQL_TEXT\ | convert ctime(mostRecentTime) \ | sort - mostRecentTime  I don't see any where the visualization is set.  could you rephase "The x-axis of a chart is usually the first field / column in the result events used for the chart. Check your search query to ensure that the fields are in the correct order."  I don't get it because there is no chart command or setting in the report. ... View more

Monitor Windows data with PowerShell scripts - Splunk Documentation   Here is the update link to docs. ... View more

where able to find anything or build anything?  ... View more

@Stefanie  We configure everything has documented.  I've gotten the cac prompt, pin prompt.  Login with LDAP password but, no pass thru.  Do I need to enable token authentication or is there something on the LDAP that allow CAC login?  Should I login with CAC without any prompting?  We get prompted by the LDAP put the password in.  When we type the password.  We're login.  ... View more

Is this the answer to fixing the issue? ... View more

how do you validate that the setting is working?  do you use BTOOL? ... View more

index = _internal component=Shutdown | stats earliest(_time) as etime latest(_time) as ltime by host | convert timeformat="%Y/%m/%d %T" ctime(etime) ctime(ltime) The SPL above work on version 9.x ... View more

I started having the issue after upgrade 9.0.3.  Did you ever resolve? ... View more

where able to fix? ... View more

Studio is better, correct?  About spent some time learning but, don't wanted to be waste of time. ... View more