I was afraid of that.  Makes it hard for me because I don't have access to the source side of things for most things coming into HEC. ... View more

@kapenta  To adjust the map to see only a portion of it, such as just the USA you need to edit the Latitude, Longitude, and Zoom settings for the map. You can set these in Format Visualization, on the General page. The following settings work for me for the continental USA: - Latitude: 38.62 - Longitude: -93.91 - Zoom: 4 I was not happy with my attempts to show all 50 states since (including Alaska and Hawaii) because of the excess empty/irrelevant space (oceans and Canada) shown. Alternatively, when editing the dashboard, you can zoom in and out and move the map around and if you are satisfied with how you have got it looking, you can save these settings by going to Format Visualization and on the General page click on Populate with current map settings. (Refer to the attached map-usa.jpg file to see the settings I mentioned.) ... View more

I will sum up what I learned about this from @Brett's session titled "PLA1163C - Perfecting Perfmon and Other Metrics" at .Conf 2023 below.  .conf Online | .conf23 | Splunk When mode is set to multikv, Splunk combines all of the counters and instances for an object into one event on disk.  It does this to be more efficient and save disk space. When searching, Splunk will automatically convert this one event on disk to separate events for each instance (it does this for events based on their PerfmonMk prefixed source or sourcetype.) To test this out yourself, you can temporarily set the source and sourcetype for a Perfmon stanza in multikv mode to something like test, and Splunk will not conert it into separate events by instance. The screen shot below shows an example where I set the source and sourcetype to "test" on the UF (so Splunk would not break it up and you can actually see the headers in the single tab-separated event containing all of the instances in addition to the collection and category fields). ... View more

I'm seeing the same issue.  Did you ever get this figured out? ... View more

I just spent a while dealing with this, so wanted to share what I did to resolve the issue in case it will be useful for anyone else. Scenario: I updated the DB Connect app, after which Java 8 was no longer supported.  After this when accessing the DB Connect app I got the following errors: Cannot communicate with task server, please check your settings. DBX Server is not available, please make sure it is started and listening on 9996 port or consult documentation for details. I installed JDK 17.0.7, then went into DB Connect - Configuration - Settings where I updated the value of JRE Installation Path (JAVA_HOME). When saving it, I got the error Failed to restart task server.  Restarting Splunk did not help. After a couple of hours of troubleshooting, and it not really behaving any differently, I wondered what if it is trying to use the old JRE still?  So I renamed the old JRE directory from /usr/lib/jre1.8.0_151 to /usr/lib/jre1.8.0_151_z to guarantee it could not find it and then splunkd.log then had a helpful entry after restarting: ERROR ModularInputs [1677 MainThread] - <stderr> Introspecting scheme=server: /opt/splunk/etc/apps/splunk_app_db_connect/linux_x86_64/bin/server.sh: line 33: /usr/lib/jre1.8.0_151/bin/java: No such file or directory host = splunk-ifw-p02.austin.utexas.edu source = /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd ... so it was still trying to use the older JRE (in fact, that was the original JRE I installed for DB Connect, I had since then already installed a newer JRE a couple of years ago that I *thought* it was using) To find out where this old JRE was being specified, I ran grep -rnw '/opt/splunk/etc/apps/splunk_app_db_connect' -e 'jre1.8.0_151' Which returned one file: /opt/splunk/etc/apps/splunk_app_db_connect/linux_x86_64/bin/customized.java.path   After updating the content of customized.java.path and restarting Splunk, DB Connect was working again. Searching for files containing jdk-17.0.7 returned 7 files in total..... it looks like the Settings page in DB Connect is updating all of them except for the one I had to edit. I suppose adding $JAVA_HOME would have worked as well, I was trying to get it to work without doing that since it had worked fine in the past without it set: this way there is one less place to have to go (outside of Splunk itself) to update it in the future when the JDK has to be updated again, and also not knowing if any (non-Splunk) updates or other processes in the future may change it in /etc/profile ... View more

@splunkyj  You do this for the service account that SQL Server runs as. ... View more

@jaxjohnny2000 Set a service principal name on the user in Active Directory that SQL Server is running as. For example, if you are trying to connect to the following with DBConnect: sqlserver1.fqdn.com Add the following service principal name to the user / service account in AD: MSSQLSvc/sqlserver1.fqdn.com:1433   You can do this in the Active Directory Users and Computers console (on the user's Properties - Attribute Editor tab - set the servicePrincipalName attribute) or by using the setspn command. Depending on your permissions in AD you may be able to do this yourself or you may need to get someone to do this for you. ... View more

I had the same issue (tooltip gets stuck on the first country I mouse over) and found your post while looking into the problem.   Knowing it wasn't something I did (I'm still learning my way around Dashboard Studio) I went on to work on something else.  I just went back to my dashboard an hour later (I had left the dashboard up, I did not reload it just now), and the tooltip is now working as expected (changing for each country I mouse over.)  Looks like it just takes some time to work properly... We are still on Splunk 8.2.6, so maybe it has been fixed in a later version of Splunk... ... View more

For anyone else that may come across this posting, I was able to resolve the issue in my case by setting the MSSQLSvc SPN on the service account used by SQL Server. ... View more

Did you ever figure this out?  I am running into the same problem connecting to a MS SQL server. ... View more

The slow searches are only with this new data source.  Other searches run fine. I do not manage the SHC, so do not have details on the system specs - but every other search of other indexed data is fine, so it is not a problem with the SHC infrastructure. I am searching indexed events, there is no lookup involved. ... View more

Did you ever get this problem resolved? I just encountered the same issue on Server 2016. ... View more

From watching the recording of your presentation I understand how using the default certificates can lead to authentication issues because of the root CA certificate being the same with every instance of Splunk. If I do am not concerned with authentication, but want to ensure everything is encrypted, are the default certificates ok to use? Or would using our private CA (with one certificate shared used on all Universal Forwarders) provide some added benefit in terms of data encryption over the default certificates? ... View more

I was intending to make everything global (this app's purpose is to curate global objects among different groups using Splunk - most will be field extractions but there may be a few other types of objects.) In order to get the field extraction working I had already tried adding the following to default.meta: [props] export=system (It is just an inline field extraction, so there is no transforms.conf in the app) I am curious about your last statement "will be global (other than ones specifically set to a lower sharing level)" The field extraction I am testing is not configured as global itself, I am trying to make it global along with everything else in the app without explicitly setting each object as global. If I am understanding things correctly, with this config in place, none of the field extractions effectively have a "lower sharing level" / should be not global (private or shared only within the app.) ... View more

I gave it a try just now but that did not get it working. I added it to the app's metadata.local and restarted Splunk. The extracted field still only shows up in the app it was created in. ... View more

OK, thankx for the confirmation. I have updated the query so it now creates a new field without the TZ specified (which is OK in my case, as everything (Oracle servers, Splunk servers) are in the same time zone. For anyone else who might have this problem reading this.... I modified the query for the orcle:audit:unified template from SELECT * FROM ( SELECT CAST((event_timestamp at TIME zone 'UTC') AS TIMESTAMP) EVENT_TIMESTAMP_UTC,u.* FROM UNIFIED_AUDIT_TRAIL u) WHERE EVENT_TIMESTAMP_UTC > ? ORDER BY EVENT_TIMESTAMP_UTC ASC to SELECT * FROM ( SELECT CAST((event_timestamp at TIME zone 'UTC') AS TIMESTAMP) EVENT_TIMESTAMP_UTC,CAST((event_timestamp) AS TIMESTAMP) EVENT_TIMESTAMP_2,u.* FROM UNIFIED_AUDIT_TRAIL u) WHERE EVENT_TIMESTAMP_UTC > ? ORDER BY EVENT_TIMESTAMP_UTC ASC And set the Timestamp field to EVENT_TIMESTAMP_2. ... View more