Is this TA hosted somewhere so we could have a better picture of what the complete python code looks like?  ... View more

Depending on how you set your authorization, you might end up with different permissions in the roles in each SH (e.g access to indexes). Check you roles to see what are the allowed indexes in each SH for the roles you have. ... View more

Since September 2021, Splunk does not include python 2. so you need to update your code if its not compatible with python 3. https://www.splunk.com/en_us/blog/platform/removing-python-2-from-new-splunk-cloud-and-splunk-enterprise-releases-starting-september-2021.html  ... View more

I dont think there is a connector for that purpose. If you want to follow the "develop your own solution" route i would recommend building a connector for SOAR instead of a function in the visual editor. IMO its more flexible on what you can do (e.g. include external libs) and its easily reusable and you can add multiple assets to use in the PBs. Also, the new app wizard makes it easier to get started and you have tons of "examples" if you look in the SOAR connector GitHub account.  ... View more

With the splunk_TA_windows you can index logs regarding windows update from the machines where you have a forwarder installed. With that you can check the packages that are installed in each machine. I dont think you can check which patches are missing unless you already have them installed somewhere. With these logs, you can also check for problems with windows update (check splunk lantern). ... View more

Splunk APM is part of the Observability Cloud and is available as a SaaS offering only. https://www.splunk.com/en_us/products/pricing/observability.html ... View more

You can use the grouping you explained with some splunk commands to accomplish that. | windbag | eval group = if(lang="Euro","groupA","groupB") | timechart count by group  This is just an example with random data that you can try in your environment . You can change your grouping conditions in the if statement to your field1=your unique value. ... View more

You can use id that can be referenced by the css. Check this example dashboard (you can just copy/paste in to a new dashboard 😞 <dashboard version="1.1"> <label>css test</label> <row> <panel> <html> <style> #mycss table tr{ font-size:150% !important; font-weight: bold; width:150px !important; border: 1px solid black !important; text-align: right !important; background-color: #FF00FF !important; } </style></html> </panel> </row> <row> <panel> <table id="mycss"> <search> <query>index=_internal sourcetype IN (splunkd, splunk_python)| timechart span=1h count by sourcetype | table _time splunkd * | fillnull value=0 splunkd splunk_python mongod</query> <earliest>-4h@m</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> </table> </panel> <panel> <table> <search> <query>index=_internal sourcetype IN (splunkd, splunk_python)| timechart span=1h count by sourcetype | table _time splunkd * | fillnull value=0 splunkd splunk_python mongod</query> <earliest>-4h@m</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> </table> </panel> </row> </dashboard> Note that I added the mycss id to the css and to one of the tables. ... View more

You can create a stanza in props.conf with: [host::<host>] TZ=<TZ>   ... View more

Check the roles assigned to the user in question. ... View more

Just place a text input in the dashboard and use normal dashboard tokens. Then you can make your search something like this: | mycustomcommand path=$path_token$   ... View more

How are you indexing the data? UF with a monitor stanza in the syslog server? If that's te case the logs would be there. If not, do you have some rules that might change or discard the logs you are looking for? If, as I believe given the %Port_Security, you are running cisco devices use this: https://splunkbase.splunk.com/app/1467 The final source type should not be syslog but something like cisco:ios. Avoid using syslog as a final source type since the logs will be different fro device to device and it will make a mess to build proper extractions since they will apply to everything with math source type. ... View more

It seems that you might have some hidden characters in your original data. Open the file with e.g. VS Code and enable the the render control characters in the settings to check if there are hidden characters there. ... View more

Check the splunk dev portal. Its has some examples on custom commands. https://dev.splunk.com/enterprise/docs/devtools/customsearchcommands/ Also Splunk's git has some other examples for custom commands here: https://github.com/splunk/splunk-app-examples/blob/master/custom_search_commands/python/generatingsearchcommands_app/bin/generatingcsc.py In this example you can replace the count with a path to do something along the lines of: | mycustomcommand path="D:/Temp/temp.txt" ... View more

Hi Matheo  Can you post the mongod.log and splunkd.log? As a side note, you should read the docs before upgrading Splunk. https://docs.splunk.com/Documentation/Splunk/9.0.4/Installation/HowtoupgradeSplunk v8.0.x should be upgraded to v8.1.x or V8.2.x before going to v9.0.x   ... View more

Have you tried to index the xml version of those event? ... View more

Depending what you are trying to see I would say you could use either a sankey or a parallel coordinates custom viz. Sankey https://splunkbase.splunk.com/app/3112 Parallel Coordinates https://splunkbase.splunk.com/app/3137 ... View more

There are no issues with either approaches. Depending on what data you are indexing you would probably need to have UFs/HFs on-prem to collect and forward data to you azure instances. Either way, since you are moving splunk to a new platform I would suggest you to take a look at Splunk's validated architectures for the best architecture that fists your org needs. With just 1 indexer you run the risk of having downtime on search and indexing in case of maintenance.  https://www.splunk.com/pdfs/technical-briefs/splunk-validated-architectures.pdf ... View more

You use an account that has admin privileges. Usually you create one during the installation. Older versions used to have a default account (user:admin and pass:changeme) nowadays you just create one. If you forgot you can use these solutions to reset the password: https://community.splunk.com/t5/Security/How-to-Reset-the-Admin-password/m-p/10622 ... View more

The following docs page has a list of the default hex codes for charts, although I believe that they are not update, at least not in the v9.x docs. https://docs.splunk.com/Documentation/Splunk/8.2.2/Viz/ChartConfigurationReference   *Default value for charting.seriesColors: [0x1e93c6, 0xf2b827, 0xd6563c, 0x6a5c9e, 0x31a35f, 0xed8440, 0x3863a0, 0xa2cc3e, 0xcc5068, 0x73427f, 0x11a88b, 0xea9600, 0x0e776d, 0xffb380, 0xaa3977, 0x91af27, 0x4453aa, 0x99712b, 0x553577, 0x97bc71, 0xd35c2d, 0x314d5b, 0x99962b, 0x844539, 0x00b290, 0xe2c188, 0xa34a41, 0x44416d, 0xe29847, 0x8c8910, 0x0b416d, 0x774772, 0x3d9988, 0xbdbd5e, 0x5f7396, 0x844539] ... View more