Hi All, I am trying to import azure.keyvault through Splunk script input, but i am getting the following error - ImportError: No module named azure.keyvault. Initially i indexed events via visual studio code editor, where i installed azure.keyvault using command -pip install azure-keyvault. Now i am trying to run the python code as Splunk script input and getting the error - no module found I copied the azure SDK for python folders from python(which i installed) sitepackages and placed it under splunk_home/python2.7/Lib/sitepackages/ and restarted Splunk, but still it didnt work Myscript inculdes below lines from azure.keyvault import KeyVaultClient, KeyVaultAuthentication from azure.common.credentials import ServicePrincipalCredentials Please provide ur inputs ... View more

Hi Team, I am having field called expirationdatetime in my event and its format is 2019-06-21T06:08:40.220082Z. My requirement is to get the count of users whose request going to expire in next 2 days. Built a search - index="XXX" sourcetype="RRR" expirationdatetime=now+2d When i hit the above expression, i didnt get any events. Help on this ... View more

I am new to Splunk addon builder. I am using splunk addon builder to build an addon that feeds the REST API response as input to Splunk enterprise. For this i am using Python modular input method. Since REST API modular input one of the data collection input doesnt supports Oauth2.0 we are using python modular input to get the REST API response Before i feed the response to splunk enterprise, tried feeding some sample data using the below syntax def collect_events(helper, ew): event=helper.new_event(data="123",index="new_index",sourcetype="new_sourcetyp e) ew.write_event(event) pass I am able to print the output in console, but when i search for index="new_index" in search bar, its returing 0 events Please let me know what i am missing here ... View more

Hi Team, I have downloaded and configured the Splunk add-on for Okta and enabaled the saved searches for okta.i configured the data input as Events and users and saved the setting. as per the document they asked me hit the sourcetype=okta:im. when hit this in search bar i didnt get any results. And then i installed Splunk app for okta and tried setting the index as okta. Created a new in put using splunk add-on for okta and directed to this index. When i tried hitting index=okta in Splunk app for okta i dint get any result. Please help me on this should i need to open any firewall between okta and splunk.? ... View more

Hi Team, I have two dashboards - dashboard-1 and dashboard-2. In Dashboard-1, i have a text input field with a value populated from the events and a link which takes the user to next dashboard I need to pass the dashboard-1 text input called errorid value to the dashboard-2 text input field. When the user clicks the link in the dashboard-1 ie. http://www.google.com?form.errorid=$errorid$.where $errorid$ is the dashboard-1 text input value so that when the user navigates to dashboard-2 the text input field called errorid will be populated with the value from the link. Kindly help me to resolve this issue. ... View more

Hi Team, I have a field called errorid in my log, where errorid=x1234 and i have a solution field and its value is a link. On linking the link the user is navigated to Splunk dashboard. The dashboard contains a input text box Please let me know how to prepopulate errorid text box with the value(x1234) from the event? Please help us ... View more

Hi Team, Using SplunkDB connect we get data from database to indexer(App A), both splunkdb connect and App A are deployed in the same indexer. All the DB queries are saved under Splunk_Home\etc\apps\APP A\local\db_inputs.conf not in Splunk_Home\etc\apps\splunkdb_connect\local\db_inputs.conf . Only database connection and identity details are stored in splunkDB connect App. In App A if we query DB data we are able to get the DB data and we prepared statistical data using that DB data in App A. Now we package App A and deploy that in new environment no db data are coming in new environment as App A contains only the queries and DB connection details are present in splunkdb connect app The question here is how to move the splunkdb connect app from old environment to new environment? ... View more

Hi team, I am trying to install Splunk 6.6 in windows 2008 R2 in the following path d:/programfiles/splunk. I selected the customized path to configure the following path d:/programfiles/splunk. Splunk installation starts, but installation setup wizard exits with following error "Splunk Enterprise Setup Wizard ended prematurely" and all the files are rolled back. But i am able to install Splunk successfully in C drive in a different server Also tried with CMI, but no luck. Please help me on this. Thanks ... View more