@addOnGuy - I don't know if its very clear from your description what exactly that you are building.   But here is the document for helper functions - https://docs.splunk.com/Documentation/AddonBuilder/4.5.0/UserGuide/PythonHelperFunctions   If you are building Custom Alert Action with Add-on Builder then this should help - https://docs.splunk.com/Documentation/AddonBuilder/4.5.0/UserGuide/CreateAlertActions    I hope this helps!! ... View more

@splunker2k24 - You can use this App. App not supported meaning that App is not supported by Splunk Support. But App is still valid and developed by "Splunk Works". And this App is one of the widely used App so you should be good with it.   I hope this helps!!!  ... View more

@salohiddin - You need higher precedence starting with Alphabetical order for Global Precendece of Splunk. * Doc Reference - https://docs.splunk.com/Documentation/Splunk/9.4.2/Admin/Wheretofindtheconfigurationfiles    So, create the App named AAA_disable_windows_security_input App and put the inputs.conf in the local folder and deploy.   I hope this helps!!! ... View more

@Alan_Chan - Here is what got to understand: * You are using SOAR on 8443 port. * You are trying to connect SOAR from Splunk ES as per this - https://help.splunk.com/en/splunk-soar/soar-on-premises/administer-soar-on-premises/6.4.1/introduction-to-splunk-soar-on-premises/pair-splunk-soar-on-premises-with-splunk-enterprise-security-on-premises   If this is the case and if: * you are entering the IP & credentials correct * and there is no connectivity issue.   Then it is most likely SSL certificate validation issue. And your error also suggests the same thing.   You can follow the document to fix it - https://help.splunk.com/en/splunk-soar/soar-on-premises/administer-soar-on-premises/6.4.1/manage-splunk-soar-on-premises-certificate-store/update-or-renew-ssl-certificates-for-nginx-rabbitmq-or-consul#f311597b_e8dd_40f2_9844_a62f90ffc64c__Updating_the_SSL_certificates * Please kindly understand SSL certificates well before you apply this on Production to avoid any issues.   I hope this helps!!! Kindly upvote if it does!!! ... View more

@mwmw  - Does @tej57 answered your question?? If that does, kindly please accept the answer by clicking on "Accept as Answer". ... View more

@sarit_s6 - That one requires Javascript to be written to remove "All" option. Reference - https://community.splunk.com/t5/Dashboards-Visualizations/Remove-quot-All-quot-from-Multiselect-Input-in-Dashboard/m-p/301375   OR you can opt for complex XML editing suggested in this reference - https://community.splunk.com/t5/Dashboards-Visualizations/Remove-ALL-from-multi-select-input-once-any-value-is-selected/m-p/711199   I hope this helps!!! Kindly upvote if it does!!! ... View more

@Macedovin - Great that you join the Splunk community here. And I'm glad that you were able to resolve the issue you had and even updated that details here.   It would be amazing if you can answer your own question here with the details that you added in your question instead currently (UPDATE). So that future Splunk community users can clearly see your question & answer and can get help from it. Once you add your answer, also please mart it as "Accepted".   Community Moderator, Vatsal ... View more

@Alan_Chan - Are you sure your Splunk port is 8443??   ... View more

@vader13 - You did not included the reference which mention supported and not supported. Also, I'm not sure what you are referring to with HTTPOUT.   ... View more

@msatish - As mentioned by @dionrivera you can use SC4S CEF for parsing.   But if you want to parse the already ingested CEF formatted data in Splunk then you can use this App's custom search command to do that. https://splunkbase.splunk.com/app/7701   ... View more

@msatish- Yes you can always define your own sourcetype & your own custom index that you want any data to fall into.   But as @livehybrid is asking you can need to figure-out how you are collecting the data & which format of the logs so you can figure-out from which config file & where you can apply the new sourcetype & index. And you also need to put props.conf configuration (Parsing, Timestamp extraction, Field Extraction, etc.) for your custom sourcetype.   And make sure index is created on your indexers before you start pushing the data into your custom index.   I hope this helps!!! ... View more

Then I think definitely it something related to Log4j configuration or on Spark/Java side in which I have 0 experience, so I'm sorry I won't be able to help you, but I hope someone else in the community will be able to help. ... View more

@livehybrid- This curl tool sounds useful. And @Zoe_  you just need to add | outputlookup <your-lookup-name> at the end of @livehybrid 's query. ... View more

@livehybrid  json_array_to_mv - that's sounds interesting.  🙂 ... View more

@Andre_- FYI, I haven't tried these config on my side so may need to read about them on spec file & Splunk docs. Also, I'm not sure how metrics based queries will be used for role based restriction.   # props.conf.example [em_metrics] METRICS_PROTOCOL = statsd STATSD-DIM-TRANSFORMS = user, queue, app_id, state # transforms.conf.example [statsd-dims:user] REGEX = (\Quser:\E(?<user>.*?)[\Q,\E\Q]\E])   I hope this helps!!! Kindly upvote if it does!!! ... View more

@davidco- Did you check connectivity from Spark server to Splunk service on splunk HEC port? * via telnet or curl     ... View more

@gn694- I don't think there is any direct way or internal logs you can use this for this what you need. Unless you can see the difference in data in terms of fields indexed OR you check on the source side.   ... View more

@marisstella- Kindly please accept the answer @isoutamo if that help you resolve/understand your query by clicking on "Accept as Solution" so future Splunk Community users will get benefited from your question as well. ... View more

@ramuzzini- Glad to hear that you are able to resolve the issue. Please kindly click on my answer with "Accept as Solution" so that future Splunk users can get benefited from it as they see it solution that worked for you. ... View more

@KKuser- I don't know if it would be possible to get the first request, rest of the requests mostly available by default on latest Enterprise Securities default dashboards. You can get the queries for the reports from these default Enterprise Security dashboards.   I hope this helps!!! ... View more

@romedawg- Great to hear that you fixed the issue and thank you for writing up your solution on Splunk community. Kindly accept your answer (your last msg here) by clicking on "Accept as Solution" so future Splunk Community users will also get benefited from your answer. ... View more

@ahmsid- ML toolkit is additional tool. You can use to write more rules. No relation with your current stuff.   I hope this helps!!! Kindly upvote if it does!!! ... View more