Hi @woodcock this is old topic however just want to know if pushing addon from deployer using encrypted credentials in new local/passwords.conf (previously encrypted by clustered search head) is different in term of behavior   than configuring addon on search head (web UI) and letting SHC replicating passwords.conf? ... View more

I encountered the very same error. I was following this guide: https://www.splunk.com/en_us/blog/tips-and-tricks/write-your-own-search-language.html What I noticed was that this guide is from 2008. Newer version of Splunk already have a built-in "shape" command. This one is defined in etc/system/default/searchbnf.conf:   [shape-command] syntax = shape <field> (maxvalues=<int>)? (maxresolution=<int>)? shortdesc = Produces a symbolic 'shape' attribute describing the shape of a numeric multivalued field. Apparently, the built-in shape command takes precedence over your custom shape command when running a search. So I suggest rename your "shape" command to "shape2" or something else. ... View more

@irsysintegration, push it using $Splunk_Home/bin/splunk apply shcluster-bundle -target https://<Search Head Host>:8089 . ... View more

Thanks @jawaharas, just so happens I'm fault finding the TheHive add-on too ... View more

Hey @irsyintegration, which add-on are you referring to? ... View more

The default correlation would show in threat activity dashboard as well as would generate a notable event provided the correlation search is enabled and configured. There is a bit of housekeeping that is performed to prepare the data. I would take a look at the threat gen saved searches within ES, specifically Threat - Source And Destination Matches - Threat Gen and take a look at the search interval and also the search to ensure it runs. You can also look at the threat activity data model data and see what is in there as this is where the correlation search looks. ... View more

Getting same issue . how to upload the custom app on splunk cloud. ... View more

But new code should use v2. ... View more