@SN1 - I would suggest first reviewing the error logs inside Splunk's splunkd.log file for ERRORs to see the root cause behind this error, since the error is generic and does not tell the exact reason. But as @livehybrid mentioned, this is the most common cause that most people are seeing after upgrading Splunk to some of the recent Splunk versions (10.0 or 10.1). ... View more

Hello @erlingen , The developer has not dropped its contact details for the App on Splunkbase. Also, as you mentioned no link to source code repo.  But you can download the App from Splunkbase, extract the file, and look at the source code inside the bin folder of the App if you want. Though Splunkbase's App license do not state whether you can modify the code and use it or not. Though you can definitely not redistribute it.   I hope this helps!!! ... View more

Hello@splunkreal  I think you are looking at the wrong tool. Splunk MLTK is wrong App to get help write AI generated SPL queries.   Use native Splunk assistant now, or use this App - https://splunkbase.splunk.com/app/7245   I hope this helps!!! ... View more

Hello @javier_oshiro ,   Local Splunk account users need to go through a special URL when SAML/SSO/Duo is configured in Splunk. https://<FQDN>:<port>/en-US/account/login?loginType=splunk   This will take you to regular Splunk login page, where users including local admin can login.   I hope this helps!!! Kindly upvote and accept the answer if it does!!! ... View more

Hello @AceX ,   As per Segura Documentation, they have native integration to Splunk - https://docs.senhasegura.io/docs/about-auditing-and-logs (Though I was not able to find the details about it.) But as you mentioned there is no Splunkbase Add-on that does CIM mapping. So you need to build your CIM mapping.   As per what I see in the documentation of Segura, I think need need to do map the logs from it with following CIM data models: Change - Node add/remove, Config changes, Elastic scaling, etc https://help.splunk.com/en/splunk-cloud-platform/common-information-model/6.0/data-models/change  Authentication - user logins, sessions, etc https://help.splunk.com/en/splunk-cloud-platform/common-information-model/6.0/data-models/authentication  Endpoint (not sure about this) https://help.splunk.com/en/splunk-cloud-platform/common-information-model/6.0/data-models/endpoint    I hope this helps!!! Kindly upvote if it does!! ... View more

Hello @ASierra ,   I don't see it in known issue of Splunk. Maybe if you are still having this issue in production, raise Splunk support case to get it fixed.   I hope this helps!! ... View more

@arthy-velusamy - I think large part of your question is the script, but I don't think you have issue with the script, as what you are describing you seems to be having issue with ingest processor. Paste details about what Splunk instance this script is sending data to. Mention details about your Splunk environment topology and architecture and from where data is flowing where. Include details about your ingest processor pipelines.   And this way someone from Splunk Community will guide you to appropriate path.   I hope this helps!!! ... View more

Hello @nongingerale I don't have much experience but what I can see is: phantom.collect2 with a playbook_output datapath works for static visual playbook blocks, not dynamic calls from custom code in a loop. With a dynamic name, the datapath can't be resolved the way SOAR's data engine expects.   Maybe you can try to handle it in python code, something like this: (code not tested) def my_callback(action=None, success=None, container=None, results=None, handle=None, **kwargs): phantom.debug("my_callback() called") for result in results: run_id = result.get('playbook_run_id') if not run_id: continue # Hit SOAR's internal REST API — no auth token needed when called from within a playbook response = phantom.requests.get( f'/rest/playbook_run/{run_id}', verify=False ) if response.status_code != 200: phantom.error(f"Failed to get playbook run {run_id}: {response.status_code}") continue run_data = response.json() raw_outputs = run_data.get('outputs') # list of JSON-encoded strings if not raw_outputs: phantom.debug(f"No outputs for run {run_id} — is the subplaybook an input playbook with defined outputs?") continue for raw in raw_outputs: output = json.loads(raw) search_results = output.get('search_results_data') # your output name phantom.debug(f"Got search_results_data: {search_results}")   References: https://docs.splunk.com/Documentation/Phantom/4.10.7/PlaybookAPI/SessionAPI https://help.splunk.com/en/splunk-soar/soar-cloud/rest-api-reference/run-playbook-endpoints/rest-run-playbook   I hope this helps!!!       ... View more

Hello @ParsaIsHash , I don't know how well you understand CIM of Splunk, but just to take you through this so you understand. CIM has DataModels that represents the formats and fields of the data, and it tells what should be field names in the data. So that being said CIM needs to be compatible with ES Detections/Correlation-Searches that you are having. So as far as your Correlation searches are not using deprecated Datamodels or fields that has been removed from data-model you should be ok. Since these check for all your correlation searches may take quite sometime, you can Splunk support if they have compatibility matrix. But also ask compatibility matrix for ES Content Update App if you are using correlation searches from there.   I hope this helps!!! ... View more

Hello @akai , The issue is $name$ inside the macro is no longer a token its more of a macro parameter. In order to fix you need to pass $name$ as a macro argument from the saved search itself. Define your macro to accept the search name as an argument — e.g., my_macro(1) with argument search_name. And macro definition would be something like this: [my_macro(1)] args = search_name definition = eval search_name=$search_name|s$   Then you can call the macro like this: ..... | `my_macro($name$)` | table search_name I hope this helps!!! ... View more

@artkhod - I don't think it has been documented anywhere in Splunk Docs that accelerated report supports SPL2. FYI, I also didn't find its documented anywhere that it does not support as well.   Maybe if you need it as a feature you can submit it as an idea to https://ideas.splunk.com     ... View more

@shoaibalimir - You can enable in your $SPLUNK_HOME/etc/system/local/web.conf config file. https://help.splunk.com/en/splunk-enterprise/administer/admin-manual/10.2/configuration-file-reference/10.2.0-configuration-file-reference/web.conf dashboard_html_allow_embeddable_content = <boolean> * Whether or not to allow <embed> and <iframe> HTML elements in dashboards. * If set to "true", <embed> and <iframe> HTML elements in dashboards will not be removed and can lead to a potential security risk. * If set to the default value of "false", <embed> and <iframe> HTML elements will be stripped from the dashboard HTML. * Default: false   Some related options in web.conf dashboard_html_wrap_embed = <boolean> * Whether or not to wrap <embed> HTML elements in dashboards with an <iframe>. * If set to "false", <embed> HTML elements in dashboards will not be wrapped, leading to a potential security risk. * If set to "true", <embed> HTML elements will be wrapped by an <iframe sandbox> element to help mitigate potential security risks. * Default: true dashboard_html_allow_iframes = <boolean> * Whether or not to allow iframes from HTML elements in dashboards. * If "false", iframes from HTML elements in dashboards will be removed to prevent potential attacks. * Default: true dashboard_html_allowed_domains = <comma-separated list> * A list of allowed domains for inline iframe element source ('<iframe src="<URL>">') attributes in dashboards. * If the domain for an <iframe> src attribute is not an allowed domain, the Simple XML dashboard adds the 'sandbox' attribute to the <iframe>, which further restricts the content within the <iframe> by treating it as coming from a unique origin. Simple XML dashboards will allow <iframe> src attributes by default if the src is the same hostname and port number as the Splunk Web server's hostname and port number. * You can specify these domains as a hostname or an IPV4 address or an IPV6 address. * You can configure a hostname as a full name or with a wildcard to allow for any subdomains. For example, *.example.com would allow for any subdomain of example.com as well as example.com itself. * You can specify an IPV4 address as an exact address or: * You can use an asterisk to specify a wildcard (Example: 192.168.1.*). Asterisks allow for any address within that byte segment. * You can use a dash to specify a range of addresses (Example: 192.168.1.1-99). Dashes will only match IP addresses within that range. * You can specify an IPV6 address either as an exact address or with a subnet mask. If you specify a subnet mask, any IPV6 address within the subnet will be an allowed domain. * You can specify a port number for any of the domains. If you do, the '<iframe src>' must match the port number as well. * Additional configuration examples: * Hostname: docs.splunk.com, *.splunk.com * IPV4: 127.0.0.1, 127.0.0.*, 127.0-10.0.*, 127.0.0.1:8000 * IPV6: ::1, [::1]:8000, 2001:db8:abcd:12::, 2001:db8::/32 * Default: not set   I hope this helps!!! ... View more

@spl_explorer - AOB is no longer used. I recommend moving to UCC. UCC Framework - https://splunk.github.io/addonfactory-ucc-generator/  You should be able to create a new Add-on with UCC and migrate most of your code to UCC created Add-on.  FYI, AOB internally uses the UCC framework anyway.   If you are a developer, I recommend using this GitHub Action - https://splunk-app-action.readthedocs.io/en/latest/. This Action will help with the following stuff about UCC Always keep libraries up to date Generate a new build directly from GitHub workflow Automatically check Splunk App Inspects when you make changes to the App from GitHub workflow, and also allow a manual check option This Action would work in your Private and public Repo as well. This action should work even for your non-UCC-based Add-ons and Apps, to help with build generation and App-inspect checks directly from GitHub.   I hope this helps!!! Kindly upvote if this helps!!! ... View more

@donaldwayne1976 - Ideally it should be part of message trace data.  https://splunkbase.splunk.com/app/4055 (Office 365 Add-on) has input for Message Trace data. (Though I'm not sure if that has what you need, but that might be your best bet)   If this does not work, you can build a custom App to fetch the data you need as far as Microsoft provides necessary API to get the data you need.   I hope this helps!!! ... View more

This could be related to perpetual license, it might not follow the rules defined in the Doc, which I guess is for a regular Splunk license. But you can still reach out to Splunk support and ask for a reset key. ... View more

That's right, if you have the  sc_admin role on Splunk, you should be able to read the logs: index=_internal source=*splunkd.log* index=_internal source=*ta_rapid7_insightvm_insightvm_asset_import*   If you are not a Splunk admin, then ask a Splunk Admin in your team.   ... View more

Right,   If you have full control of the sender and you can modify the sender to send the data along with the correct time value as a request parameter called "time" with services/collector/event endpoint. OR If you don't have any control over which parameter gets sent, you can change the endpoint to use services/collector/raw and then write props.conf to extract the timestamp correctly.   ... View more

@kn450 - If all events are reaching meaning, there are no connectivity issues. As the events are reaching after 8 minutes, which means it cannot also be a latency issue, as 8 minutes is too long for any default timeout settings.   So the only thing I could see is a "timestamp" (_time) of the event, which may differ from when the event arrives in Splunk. This usually refers to when the event occurs on the source system. Everything in Splunk uses this timestamp.   I hope this helps!!! ... View more

@ringo227 - Only way currently available on Splunkbase to collect the email logs is with Office 365 Add-on. https://splunk.github.io/splunk-add-on-for-microsoft-office-365/ConfigureMessageTraceInput/ https://splunkbase.splunk.com/app/4055    I hope this helps!!! ... View more

@TheBravoSierra - It should delete the App from SH members as well with your steps. Only one thing document which could affect it is that when App is disabled, SHC member will not remove the App.  ... View more

@MakszimM - Look at your outputs.conf as I mentioned in my answer. This is the issue I think you are having. ... View more

@NullZero - Splunk Docs are the proof: When you are using distributed environment, indexer's knowledge objects will not be used https://help.splunk.com/en/splunk-enterprise/administer/distributed-search/9.2/knowledge-bundle-replication/what-search-heads-send-to-search-peers https://help.splunk.com/en/splunk-enterprise/administer/distributed-search/9.2/knowledge-bundle-replication/knowledge-bundle-replication-overview  KVstore are generally not by default replicated to Indexers But if replicate=true is set for KVstore lookups then also, the replication happen from Search Head to Indexer in a CSV formatted files inside the knowledge bundle https://splunk.my.site.com/customer/s/article/indexer-name-Could-not-load-lookup-LOOKUP-automatic-lookup-name  https://splunk.my.site.com/customer/s/article/KV-Store-lookups-occupying-4-5-Gigs-of-bundle-size    And regarding lets say if you have some data from the past inside KVstore lookups, which might need to recover in the future, you can always re-enable the kvstore and get it back.   I hope this helps!!! ... View more

@dm1 - This App should help. IPInfo App for Splunk - https://splunkbase.splunk.com/app/4070   Kindly upvote and accept the answer if this help !! ... View more