Hey @lar06, I went through the documentation and it seems that the input is not properly configured and it needs the key to authenticate the request and fetch the data. You need to check on your envrironment if the input is enabled or disabled. From the looks of it, the input should be enabled. If you want to disregard the logs, consider disabling the input. If it needs to be enabled for data ingestion, I suggest reviewing the document and configure all the parameters properly. Document Guide - https://support.docusign.com/s/document-item?language=en_US&rsc_301&bundleId=gso1581445176035&topicId=hvj1633980712678.html&_LANG=enus   Thanks, Tejas.    --- If the above solution helps, an upvote is appreciated..!! ... View more

In addition to @kiran_panchavat, all the components support backward communication to n-3 Splunk versions in decreasing order of significance in architecture components. First tier is Management nodes like cluster manager, search head cluster deployer. Next would be components like Search Head, Indexer, and then comes the forwarders.  ... View more

@captaincool07, it would still be the same situation for the datamodel summaries also. Considering your RBAC situation, I would not use datamodel summaries if you want to restrict the access for indexes. You'll add a hell lot of workload on your systems for accelerating the summaries and keeping them intact.  If you want to just use tstats for faster query, it would be better to use index time field extractions for the new ingestion.  Thanks, Tejas. ... View more

Also, you can use concepts like base search and chained search to restrict the number of searches so that less number of searches will consume the resources. And try to optimize the search to get faster results. ... View more

Hey @meng, You can also check the latest status of your search head cluster using REST endpoint as mentioned here - https://help.splunk.com/en/splunk-enterprise/leverage-rest-apis/rest-api-reference/9.4/cluster-endpoints/cluster-endpoint-descriptions#get-38 It'll always fetch the latest information for your cluster. And as for getting inaccurate information from metadata, as @gcusello mentioned, open up a support case with Splunk. Thanks, Tejas.   ... View more

Hey @Karthikeya, What @ITWhisperer mentioned is correct. I have currently modified that source code of the dashboard to open the same search in a new tab based on the clicked selection. Paste the following code in your dashboard and it should work as per your requirement.  <form version="1.1" theme="light"> <label>Akamai WAF Dashboard</label> <search id="base_search"> <query>index="waf_app_*" sourcetype=akamai_waf |fields * |search attackData.configId=$configid$ source=$source$ </query> <earliest>$time.earliest$</earliest> <latest>$time.latest$</latest> </search> <description></description> <fieldset submitButton="false" autoRun="true"> <input type="dropdown" token="configid" searchWhenChanged="true"> <label>Security Configuration ID</label> <choice value="*">All</choice> <fieldForLabel>attackData.configId</fieldForLabel> <fieldForValue>attackData.configId</fieldForValue> <search> <query>index="waf_app_*" sourcetype=akamai_waf source=$source$ | stats count by attackData.configId</query> <earliest>-5m</earliest> <latest>now</latest> </search> <default>*</default> <initialValue>*</initialValue> </input> <input type="dropdown" token="source" searchWhenChanged="true"> <label>Service Name</label> <choice value="*">All</choice> <fieldForLabel>source</fieldForLabel> <fieldForValue>source</fieldForValue> <search> <query>index="waf_app_*" sourcetype=akamai_waf attackData.configId=$configid$ |stats count by source</query> <earliest>-5m@m</earliest> <latest>now</latest> </search> <default>*</default> <initialValue>*</initialValue> </input> <input type="time" token="time"> <label>Select Time Range</label> <default> <earliest>-5m</earliest> <latest>now</latest> </default> </input> </fieldset> <row> <panel> <title>Top 10 Attack Rule IDs</title> <chart> <search base="base_search"> <query> | top limit=10 attackData.rules{}.id | rename attackData.rules{}.id as "Rule ID"</query> </search> <option name="charting.chart">bar</option> <option name="charting.chart.stackMode">default</option> <option name="charting.drilldown">all</option> <option name="refresh.display">progressbar</option> </chart> </panel> <panel> <title>Top 10 Attack Rule Tags</title> <chart> <search base="base_search"> <query> |stats count by attackData.rules{}.tag |sort - count |head 10</query> </search> <option name="charting.chart">pie</option> <option name="charting.chart.stackMode">default</option> <option name="charting.drilldown">all</option> <option name="refresh.display">progressbar</option> </chart> </panel> </row> <row> <panel> <title>Rule Messages</title> <table> <search base="base_search"> <query>| stats count by attackData.rules{}.message |sort - count |head 10</query> </search> <option name="dataOverlayMode">heatmap</option> <option name="drilldown">cell</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">false</option> <option name="wrap">true</option> </table> </panel> <panel> <title>Rule Action by Count</title> <chart> <search base="base_search"> <query> | stats count by attackData.rules{}.action |sort - count</query> </search> <option name="charting.chart">column</option> <option name="charting.chart.showDataLabels">minmax</option> <option name="charting.chart.sliceCollapsingThreshold">0.05</option> <option name="charting.chart.stackMode">stacked</option> <option name="charting.drilldown">all</option> <option name="charting.layout.splitSeries">0</option> <option name="refresh.display">progressbar</option> <drilldown> <set token="clicked_value">$click.value2$</set> <link target="_blank">search?q=index%3D%22waf_app_*%22%20sourcetype%3Dakamai_waf%20%7Cfields%20*%20|search%20attackData.configId%3D$configid$%20source%3D$source$%20%7C%20stats%20count%20by%20attackData.rules%7B%7D.action%20|sort%20-%20count%0A%7C%20search%20attackData.rules%7B%7D.action%3D%22$clicked_value$%22&amp;earliest=$time.earliest$&amp;latest=$time.latest$</link> </drilldown> </chart> </panel> </row> <row> <panel> <title>Rule IDs Trend (5 min)</title> <chart> <search base="base_search"> <query> | timechart count(attackData.rules{}.id) span=5min</query> </search> <option name="charting.chart">line</option> <option name="charting.drilldown">all</option> <option name="refresh.display">progressbar</option> </chart> </panel> </row> <row> <panel> <title>Status Code Trend</title> <chart> <search base="base_search"> <query> | stats count by httpMessage.status</query> </search> <option name="charting.chart">pie</option> <option name="charting.chart.showDataLabels">none</option> <option name="charting.chart.sliceCollapsingThreshold">0</option> <option name="charting.chart.stackMode">stacked</option> <option name="charting.drilldown">all</option> <option name="charting.layout.splitSeries">0</option> <option name="refresh.display">progressbar</option> </chart> </panel> <panel> <title>Top 10 IP Addresses</title> <chart> <search base="base_search"> <query> | stats count by attackData.clientIP |sort - count |head 10</query> </search> <option name="charting.chart">bar</option> <option name="charting.chart.stackMode">stacked</option> <option name="charting.drilldown">all</option> <option name="charting.layout.splitSeries">0</option> <option name="refresh.display">progressbar</option> </chart> </panel> </row> <row> <panel> <title>Top 10 HTTP Path Details</title> <chart> <search base="base_search"> <query> | stats count by httpMessage.path |sort - count |head 10</query> </search> <option name="charting.chart">bar</option> <option name="charting.chart.showDataLabels">all</option> <option name="charting.chart.stackMode">default</option> <option name="charting.drilldown">all</option> <option name="refresh.display">progressbar</option> </chart> </panel> <panel> <title>HTTP Method Count</title> <chart> <search base="base_search"> <query> | stats count by httpMessage.method |sort - count </query> </search> <option name="charting.chart">column</option> <option name="charting.chart.showDataLabels">all</option> <option name="charting.chart.sliceCollapsingThreshold">0</option> <option name="charting.chart.stackMode">default</option> <option name="charting.drilldown">all</option> </chart> </panel> </row> </form>   Thanks, Tejas.   --- If the above solution helps, an upvote is appreciated..!! ... View more

Hey @Karthikeya, The other data is coming because of improper drilldown configuration. Can you share the dashboard source code here? Make sure to share it in code block for better visibility.  Thanks, Tejas.  ... View more

Hello @Karthikeya, Can you share a screenshot of how the dashboard looks right now and how it should look ideally? I believe you can use spath command to separate out each rules from the attackData and use mvexpand. But to provide more context, I'll need some more information. Thanks, Tejas.  ... View more

Hello @mwmw, I can see on Splunkbase that the JAMF Pro add-on for Splunk is now cloud compatible. The latest version was released on June only. Thanks, Tejas.  ... View more

Hey @lgsh, Was this solved? If not, following is the reason for the behavior you are facing. geo_countries lookup does not have any field named latitude or longitude if you are using the built-in lookup. Following are the fields in the lookup table:   You'll need to extract the latitude and longitude fields from the geom field and use mvexpand to list record for all the coordinates for the same country as a separate event. You'll then be able to match the latitude and longitude fields from the events with those of the lookup and populate the Country. Hope this helps with your use case. Thanks, Tejas.   --- If the solution helps, an upvote is appreciated..!! ... View more

Hey @Samiul59, I believe you are looking at the wrong place once the workflow action is set up. You should be able to see your workflow action label as per the following screenshot:   You may also want to review the permission and scope of the app where you are trying to search the action and where it has been defined. Thanks, Tejas.   --- If the above solution helps, an upvote is appreciated..!!   ... View more

Hello @Satyams14, If you plan to stream WAF logs to Eventhubs and wish to use Splunk Supported Add-on, you can also consider using Splunk Add-on for Microsoft Cloudservices (#3110 - https://splunkbase.splunk.com/app/3110). It is a supported add-on and can fetch logs directly from the eventhub. Thanks, Tejas.   --- If the above solution helps, an upvote is appreciated..!!  ... View more

Hey @vnetrebko, One of the approach that I can think of considering your scenario is to use REST endpoints to fetch the information. You can run a search that would do an inputlookup to both the lookup tables and then export the search job result and access the data. Also, whenever a search is run from the search head that references the lookup table, the lookup is migrated to the search peers (indexers) as part of the search bundle. All the information for running the search via REST API and getting the output exports are documented here - https://help.splunk.com/en/splunk-enterprise/leverage-rest-apis/rest-api-tutorials/9.4/rest-api-tutorials/creating-searches-using-the-rest-api Thanks, Tejas.   --- If the above solution helps, an upvote is appreciated..!! ... View more

Hello @Namo, There can be multiple reasons for KVStore failure. What version of Splunk did you upgrade from? Also, did you check the expiry of the certificate used by kvstore? Setting enabledSplunkdSSL to false will disconnect secure communication internally throughout the Splunk deployment wherever management port is being used.  Thanks, Tejas.  ... View more

Hello @Jasmine, Is this resolved? ... View more

Hey @rishabhpatel20, I believe it is the html and css styling that's blocking your headers. If there's no particular need to add CSS, I would suggest you to remove it since you'll be able to add all those 4 panels in the same row by just drag and drop using the double ellipses line at the top of your panel. Thanks, Tejas. ... View more

Hey @ND1, Whatever @sainag_splunk mentioned  is all correct. Additionally, you'll also need to validate if the events that should cause the notable event to be created are present in the actual index events/datamodel summaries or not. Also, validate the trigger condition to see if the events are present, do they qualify for the correlation search to trigger the notable creation or not. Thanks, Tejas. ... View more

Hey @rishabhpatel20, Can you share the dashboard source code here to understand why the headers are not visible? Also, a clear screenshot from dashboard that shows the header is missing. The second screenshot displays fields like Hot Ports, and Trans/Hour. If those are not the headers, what are you expecting? Thanks, Tejas. ... View more

Hello @gabriele_chini, Can you provide the code you use for generating the token and do you save it in kvstore? How long does the token stay active and do you regenerate the token if it has already been expired? Thanks, Tejas.  ... View more

Hey @danielbb, While creating architecture diagrams, I used to go for config file icon only for any of the conf files  i.e. props, transforms, server, etc. Yes, for inputs there are multiple icons supported i.e. monitor input, API input, etc.  I haven't come across any specific stencils for props/transforms. Thanks, Tejas.  ... View more

Hello @NanSplk01, If it is only the actions field that you're interested in the subsearch, you don't need to perform all of the other operations. But since you're using splunk_server=* in the second search, here's something that might help you. | rest /servicesNS/-/-/saved/searches | search title=kafka* | rename dispatch.earliest_time AS "frequency", title AS "title", eai:acl.app AS "app", next_scheduled_time AS "nextRunTime", search AS "query", updated AS "lastUpdated", action.email.to AS "emailTo", action.email.cc AS "emailCC", action.email.subject AS "emailSubject", alert.severity AS "SEV" | eval severity=case(SEV == "5", "Critical-5", SEV == "4", "High-4",SEV == "3", "Warning-3",SEV == "2", "Low-2",SEV == "1", "Info-1") | eval identifierDate=now() | convert ctime(identifierDate) AS identifierDate | table identifierDate title lastUpdated, nextRunTime, emailTo, query, severity, emailTo | fillnull value="" | sort -lastUpdated | join type=left title [ | rest "/servicesNS/-/-/saved/searches" timeout=300 splunk_server=* | search disabled=0 AND title="kafka*" | fields title actions splunk_server | stats values(actions) as actions by title splunk_server]   Let me know if this helps your use case. Thanks, Tejas.   --- If the solution works, an upvote is appreciated..!! ... View more

Hello @eriktb, Did you try making DIRECT as a static and default value for the dependent dropdown. You can keep the makeresults section as it is to have different values populated based on the environment selection. However, if I understood the request properly, you need the DIRECT value selected by default for any of the environment. And, the case statement also ensures that for any of the environment value, DIRECT is one of the choice for the dependent dropdown.  Also, when I used your source code in my lab environment, it shows DIRECT as the selected value no matter what the environment dropdown selection is. Check the following screenshots for your reference: I'm on Splunk v9.3.2. Let me know if you meant something else and we can think about it.   Thanks, Tejas. ... View more

Hey @ilhwan, I believe as of now Splunk Support will only be able to provide you with the roadmap on when they plan to add support for Infoblox NIOS 9.0.3. Also, the last version was published in 2022 and since they haven't planned a release, I doubt it's going to be anytime soon. However, you can publish the request on ideas.splunk.com and have it voted on high number to get their traction and probably develop a new release supporting newer version of Infoblox.  Additionally, if the timeline is far away for the support and you have a use case, you can opt for developing a custom TA. If you enjoy scripting, you can definitely create new add-on using Splunk Add-on Builder and UCC framework.  Thanks, Tejas. --- If the solution helps your use case, an upvote is appreciated..!!  ... View more

Hello @_joe, If it is mentioned on the Splunkbase, then the TA would be compatible with the Splunk version. However, we will need more info on the ERROR log that you're receiving to understand why the input won't run.  Check if you can enable the DEBUG logging and what ERROR does the python script log and we can take it from there. Thanks, Tejas. ... View more

Hey @uagraw01, I understand that you might not have liked the solution. But it wasn't chatgpt based. If you would have read correctly, I mentioned that I used it as a solution and it worked perfectly in my scenario. Community is for helping every member and that's what I tried honestly. If you would have tried the solution, you could have observed how it would help you with the situation.   Anyways, I hope you get the solution that you need outside of ChatGPT. Happy Splunking >. Thanks, Tejas. ... View more