Hello @herguzav, Not sure if you came across the following link. But I also recently faced the same issue and seems that this is a known issue from Splunk.  As mentioned in the following knowledge article, it is going to get fixed in upcoming patch releases - https://splunk.my.site.com/customer/s/article/Alert-search-SPL-not-editable-in-Edit-Alert-modal-from-Settings-Searches-Reports-and-Alerts   Thanks, Tejas.   --- If the above solution helps, an upvote is appreciated..!!  ... View more

Hey @ankit86, Can you please elaborate more on what permissions you gave to the user? Was it read/write permissions from the Manage Apps page? If so, that wouldn't help the user to view the configuration page of the Add-on. In order to launch and configure the TA, it is mandatory to have the sc_admin role. However, if you need to restrict the users from getting sc_admin role, you can consider creating a new role with edit_local_apps, install_apps, admin_all_object, rest_properties_get, rest_properties_set, rest_apps_management, rest_apps_view capabilities. This should help the user to configure and edit the add-ons as per the organization requirement.   Thanks, Tejas. --- If the above solution helps, an upvote is appreciated..!!  ... View more

We are not yet on 10.x.x. So, we'll wait till the upgrade. Thanks for the help. ... View more

Hello @RookieSplunker, Yes, your understanding is correct and you'll need to clean the dispatch directory job manually. I discovered following from the Splunk Doc - https://help.splunk.com/en/splunk-enterprise/search/search-manual/9.4/manage-jobs/dispatch-directory-and-search-artifacts#ariaid-title4 Thanks, Tejas. --- If the above solution is helpful, an upvote is appreciated..!!   ... View more

Hey @nunz10 / @klowke_svbz , I do not understand the need to extract all the fields at INDEXED TIME for JSON data. The AUTO_KV_JSON parameter is true by default which means it'll automatically extract all the fields at search time. Unless there's a specific use case, I would not suggest to go for INDEXED_EXTRACTIONS = json.  And yes, changing the KV_MODE will extract the fields twice at search time. Once because of AUTO_KV_JSON and the other time because of KV_MODE setting. Also, if KV_MODE is set to JSON, you'll not be able to disable the AUTO_KV_JSON. Following is the document - https://docs.splunk.com/Documentation/Splunk/latest/Admin/propsconf#:~:text=pattern.%0A*%20Default%3A%201000-,AUTO_KV_JSON,-%3D%20%3Cboolean%3E%0A*%20Used%20only Thanks, Tejas. --- If the above solution helps, an upvote is appreciated..!! ... View more

Hey @bellb, You'll need to install and configure inputs for Splunk Add-on for Office 365 (#4055) to be able to collect the data. I found one of the community links for power platform where a user was able to successfully integrate power platform with Splunk - https://community.powerplatform.com/forums/thread/details/?threadid=aa044430-445e-48dc-ab79-7f30abdcdf08   Thanks, Tejas. --- If the above solution is helpful, an upvote is appreciated..!!  ... View more

This suggests that timestamp extraction and parsing is not working. Just search for index and sourcetype and give first 10 logs and that should be enough for defining the parsers if the source log format does not change. If there are multiple sources and different formats of the logs, will need logs for each of the pattern.  Also, it is suggestible to have only one single log format for one source. So, check if the logs are following a unified pattern throughout. Thanks, Tejas. ... View more

Hey @cmeo-bcit, If the add-on you're currently facing challenges with is https://splunkbase.splunk.com/app/3185, feel free to raise a Support Case to get the answer. The TA development team might have some reason for enabling INDEXED_EXTRACTIONS. Thanks, Tejas.  ... View more

Hey @ww9rivers, Can you share a couple of logs that you receive with masking sensitive information? If the TA parsing doesn't work, we can always customize the parsing parameters as per the log pattern we receive. I'm not sure if the issue is being faced by multiple customers, but if you can provide the logs, we can define the necessary parameters for parsing the data efficiently. Thanks, Tejas.  ... View more

Hey @DataWrangler, I have assisted customers set up the Splunk App for Chargeback and they've mentioned that they were able to distribute the costs as per their requirement within the different business units/orgs. You need to make sure that you enter the right proportion in the lookup while configuring the business units. I do agree that a one time setup is a complicated process, but it does eventually help with the task. Thanks, Tejas.  ... View more

Hey @pinksqtuason, I think you're using snowincidentalert command or the action while configuring the alert. Instead, can you confirm if you've tried creating event using the snowevent command in the SPL itself?  You can find the reference here - https://splunk.github.io/splunk-add-on-for-servicenow/Commandsandscripts/ The document mentions you'll need Event Management Plugin. Please check and confirm if it works for you. By default, the alerting mechanism will create a servicenow incident only. Thanks, Tejas. --- If the above solution helps, an upvote is appreciated..!!  ... View more

Hey @dtaylor, You can create static shift  times from the date field. You're already extracting closed date, and using strptime, identify the epoch time and then in increments of 8 hours, you can create the other shifts. Once we have the shift, using the case or if condition, assign the shift in which the task was closed. And once the shift is assigned, you can then do a stats by shift. | inputlookup shift_tickets.csv | eval closed_date = strptime(closed,"%a, %d %b %Y %T %Z"), _time = strptime(occurred,"%a, %d %b %Y %T %Z") | addinfo | where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity") | eval shift_time_1=relative_time(closed_date, -24h@d) | eval shift_time_1st=shift_time_1+86400+23500 | eval_shift_time_2nd=shift_time_1st+28800 | eval shift_time_3rd=shift_time_2nd+28800 | eval closed_ticket_shift=case(closed_date>shift_time_1st AND closed_date<shift_time_2nd, "1", closed_date>shift_time_2nd AND closed_date<shift_time_3rd, "2", closed_date>shift_time_3rd, "3") | stats count by closed_ticket_shift Let me know how this works for you and we can check further with the help of sample data.    Thanks, Tejas. --- If the above solution helps, an upvote is appreciated..!! ... View more

You can also go for configuring the Chargeback App for Splunk. It was created for the same intended purpose. The configuration is quite complex at the initial stage, but once you setup the lookup files it needs, you'll get a clear view of how much of the fund is consumed by which part of the project/team/business etc. ... View more

Hey @tdavison76, You can use the following regex in your rex command.  | rex field=InterfaceDocument "MessageType\\"\:\\\"(?<message_type>[\w\_\d]+)\\\",\\\"OrgId\\\"\:\\\"(?<org_id>[\w\d\_]+)\\\""  You can play around regex here - https://regex101.com/r/auuJ8u/1 For now, I've only captured alphabets, numbers, and underscores (_). If there are any other special characters that are part of either MessageType or OrgId, feel free to add them within the square brackets in the capturing group. Thanks, Tejas.   --- If the above solution helps, an upvote is appreciated..!! ... View more

Hey @GSNRMUVW, Did you check the mongod.log? It would indicate some message as an error for terminating the KVStore process. Can you paste the last few lines from the log and mask the sensitive data? Thanks, Tejas.  ... View more

Hey @DataWrangler, I do agree to the document to not increase the squash_threshold. However, if you want host based utilization, you can check metrics.log with group=per_host_thruput and then sum up the values of kb and group it by series. The series field will contain the host values for group=per_host_thruput. index=_internal source=*var/log/splunk/metrics.log* group=per_host_thruput | eval gb = round(kb/1024/1024,2) | timechart sum(gb) as total_ingestion by series I haven't tried experimenting the value of squash_threshold.  Thanks, Tejas. --- If the above solution helps, an upvote is appreciated..!!   ... View more

Hey @AsmaF2025, You can go through the following documents before you upgrade the Splunk Environment -  1. Read First before Upgrade -  https://help.splunk.com/en/splunk-enterprise/get-started/install-and-upgrade/9.0/upgrade-or-migrate-splunk-enterprise/about-upgrading-to-9.0-read-this-first 2. Order of Upgrade - https://docs.splunk.com/images/d/d3/Splunk_upgrade_order_of_ops.pdf   Thanks, Tejas.   --- If the above solution helps, an upvote is appreciated..!!   ... View more

Hey @eholz1, I came across a previous community answer to get the theme of the dashboard on the basis of token - https://community.splunk.com/t5/Dashboards-Visualizations/Is-there-a-simple-way-to-get-the-current-dashboard-theme-in-a/m-p/511268. Once the background REST call is made, you can define conditional token for your table panel to set the color based on the theme_tok value. Thanks, Tejas.   --- If the above solution is helpful, an upvote is appreciated..!!  ... View more

Hey @atme, It would be complex if you try to extract all of these fields at index time. The computational load would also increase. I would prefer going for search time extractions. However, if you still wish to extract fields at index time,  it would be great if you can share what you've configured till now in props and transforms. Since the _raw event varies in number of fields also,  we need to define a regex based pattern or key-value pair to extract the fields. Thanks, Tejas. ... View more

Hey @luispulido, As the warning suggests, it is possible that Drilldown might not function properly for Dashboard Studio. However, upon checking Splunkbase, it seems it can work well with Classic Dashboard. If you can switch your dashboard back to Classic, I suppose you'll be able to have fully functional visualization. And you can then utilize the tokens as per the use case as well.    Thanks, Tejas. --- If the above solution helps, an upvote is appreciated..!! ... View more

Hey @DanielPriceUK @dmoberg , I think the feature is not into production yet as confirmed by Elizabeth Li on the following community page - https://community.splunk.com/t5/Dashboards-Visualizations/Dashboard-Studio-How-to-hide-export-and-full-screen-that-come-up/m-p/688222. You can also try the workaround provided in the same post. I haven't tried it....you can test it out.   Thanks, Tejas. ... View more

Hello @hettervik, From the scenario, it seems that collect is the only way to achieve your use case. You'll have to try filtering out the events you don't need and better optimize the SPL search and use the collect command so that you do not miss the required events. However, if you want to migrate the buckets, I've found one of the older community posts that might help you - https://community.splunk.com/t5/Installation/Is-it-possible-to-migrate-indexed-buckets-to-a-different-index/td-p/91085. But I would be quite cautious while trying this approach. Haven't tried it myself. But copying the buckets might bring unwanted data to the new index. You can test it out with one of the smaller buckets and test if you achieve the desired result or not. IMO, collect is the best way to move forward. You can use the following SPL query to keep the original parsing configuration index = old_index | <<filter out the events required>> | fields host source sourcetype _time _raw | collect index=new_index output_format=hec   Thanks, Tejas.   --- If the above solution helps, an upvote is appreciated.!!   ... View more

Hey @SN1, What @PickleRick said is correct. You'll be receiving the latest result only since you're using dedup. However, since it is an expensive command, you can use transforming command like stats as well to fetch the latest results. Your query should look something like below:   index=endpoint_defender source="AdvancedHunting-DeviceInfo" | search (DeviceType=Workstation OR DeviceType= Server) AND DeviceName="bie-n1690.emea.duerr.int" | search SensorHealthState = "active" OR SensorHealthState = "Inactive" OR SensorHealthState = "Misconfigured" OR SensorHealthState = "Impaired communications" OR SensorHealthState = "No sensor data" | rex field=DeviceDynamicTags "\"(?<code>(?!/LINUX)[A-Z]+)\"" | rex field=Timestamp "(?<timeval>\d{4}-\d{2}-\d{2})" | rex field=DeviceName "^(?<Hostname>[^.]+)" | rename code as 3-Letter-Code | lookup lkp-GlobalIpRange.csv 3-Letter-Code OUTPUTNEW "Company Code" | lookup lkp-GlobalIpRange.csv 3-Letter-Code OUTPUT "Company Code" as 4LetCode | lookup lkp-GlobalIpRange.csv 3-Letter-Code OUTPUT Region as Region | eval Region=mvindex('Region',0) , "4LetCode"=mvindex('4LetCode',0) | rename "3-Letter-Code" as CC | stats latest(SensorHealthState) as latest_SensorHealthState by DeviceName Region ... The latest function will always fetch the latest value of the field passed as an argument on the basis of time. You can add the fields that you want to group the results in the by clause. Hope this helps you optimize your query.   Thanks, Tejas.   --- If the above solution helps, an upvote is appreciated..!! ... View more

Hello @km, I don't think there's any need for resolving the #Concern 1 using web.conf and point the management port of the search head. Since the TA is not functioning as of now, I would suggest to uninstall the TA from HF and directly hit the server/info endpoint on the HF itself. Does that result into 200? If not, there's your problem and there can be different reasons for not getting successful connection. Maybe your splunkd process is terminated and in dangling situation or maybe different other reasons.  Please check the local connection first after reverting the web.conf change and let us know the output and we can troubleshoot further. Thanks, Tejas. ... View more