@karthi2809  one advice here, don't post your org-specific queries as is. Obfuscate content to its maximum before posting in any public forum. ... View more

Simplifying the way to approach it with a regex... | rex field=_raw "Message received:\s\{(?P<check>.*?)\,\"previous" | where like(check,"%assetcard%") The idea is to get values before the word "previous" and check that string with the one you want to meet your search criteria. ... View more

hi @AL3Z  Have you checked everything is clear on the Splunk licensing front? ... View more

Hi @frodelauka  One way to do it based on the events you shared is as below. | makeresults | eval log="MessageReceiver:96 - Message received: {\"name\":\"screenView\",\"screenName\":\"assetcard\",\"previous\":{\"name\":\"screenView\",\"screenName\":\"homeScreen\",\"subscreenName\":\"STB.TOP.HOME\"\r\nMessageReceiver:96 - Message received: {\"name\":\"screenView\",\"screenName\":\"homeScreen\",\"previous\":{\"name\":\"screenView\",\"screenName\":\"assetcard\"" | makemv log delim="\r\n" | mvexpand log | eval check_msg_rxd=trim(replace(replace(mvindex(split(mvindex(split(log,",\"previous"),0),"received:"),-1),"\"",""),"\{","")) | where like(check_msg_rxd,"%assetcard")   If the reply helps, a Karma upvote would be appreciated. ... View more

Hi @Prathyusha891  A quick search on stackoverflow yields this. Try the steps mentioned in here to resolve the pycrypto dependency. https://stackoverflow.com/questions/50080459/failed-installing-pycrypto-with-pip    If the reply helps, a Karma upvote would be appreciated. ... View more

hi @LearningGuy  I believe it's due to the collect commands used for scheduled summary indexing. More on this can be found here. https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/Knowledge/Configuresummaryindexes#Other_configuration_files_affected_by_summary_indexing  https://docs.splunk.com/Documentation/Splunk/9.2.0/SearchReference/Collect If the reply helps, a Karma upvote would be appreciated. ... View more

hi @Chiranjeev  The default configuration in web datamodel for dest field is evaluated. if(isnull(dest) OR dest="" OR dest="-","unknown",dest) So you'll need to either update this eval statement in the data model to fit your case or map correct field for dest field. If the reply helps, a Karma vote would be appreciated.  ... View more

Hi @sairajkiran  Try checking the values from the job inspector for your event/search. Not sure if it will fulfil your needs. The field you can use is search_id -- in _introspection and _audit indexes For _internal, you'll need to extract this value from job which looks something like this search/search/jobs/1710936732.74/control so the search_id field value is 1710936732.74  If the reply helps, a Karma vote would be appreciated. ... View more

Hi @LearningGuy  Not sure if I understand your requirement correctly. But below maybe something you can use. <form version="1.1"> <label>Dropdown-token-condition</label> <fieldset submitButton="false" autoRun="true"> <input type="dropdown" token="token_week_or_day" searchWhenChanged="true"> <label>Week Or Day</label> <choice value="w">Week</choice> <choice value="d">Day</choice> </input> <input type="dropdown" token="token_day" searchWhenChanged="true"> <label>Day Number</label> <choice value="0">Sunday</choice> <choice value="1">Monday</choice> <choice value="2">Tuesday</choice> <choice value="3">Wednesday</choice> <choice value="4">Thursday</choice> <choice value="5">Friday</choice> <choice value="6">Saturday</choice> </input> </fieldset> <row> <panel> <table> <search> <query>| makeresults | eval selected_week_or_day_option="$token_week_or_day$" | eval selected_day=$token_day$ | table _time selected_week_or_day_option selected_day date_day | eval day_no_each_timestamp=strftime(_time,"%w") | eval day_in_week = if(selected_week_or_day_option="w", $token_day$, "*")</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> </form>   If the reply helps, a Karma vote would be appreciated. ... View more

Then you should check this troubleshooting guide... https://docs.splunk.com/Documentation/Splunk/9.2.0/Admin/TroubleshootKVstore ... View more

@whitecat001  The best starting point is to view the KV store events from the Monitoring console. Then look for events that correspond to any issues and build alerts based on it. Below is a sample query you can use to view health status of KV Stores. Alert on health_info -> red |rest /services/server/info |eval a=now() |eval time=strftime(a,"%Y-%m-%d %H:%M:%S") |table time host kvStoreStatus author health_info isForwarding server_roles |sort host  If the reply helps, a karma upvote would be appreciated. ... View more

Use AWS Direct Connect to send data from on prem infra to AWS. It is the most reliable,secure and efficient way of doing it.  From there feed the data to Splunk as deemed fit. ... View more

Hi @asncari  I just started going through this Splunk UI Toolkit and was able to resolve the issue using the following method. There needs to be an update made in the webpack config. My setup: node -v  v21.7.1 npm -v 10.5.0 yarn -v  1.22.22 Do the following 1. Install querystring-es3 and querystring using npm npm i querystring-es3 npm i querystring 2. Update the webpack.config.js file (MyTodoList\packages\react-to-do-list\webpack.config.js) const path = require('path'); const { merge: webpackMerge } = require('webpack-merge'); const baseComponentConfig = require('@splunk/webpack-configs/component.config').default; module.exports = webpackMerge(baseComponentConfig, { entry: { ReactToDoList: path.join(__dirname, 'src/ReactToDoList.jsx'), }, output: { path: path.join(__dirname), }, resolve: { fallback: { querystring: require.resolve('querystring-es3'), }, }, });   3. Now re-run the setup steps and let it build successfully and re-link any modules and then head into the react-to-do-list and execute the yarn start:demo command your build should be successful and if you navigate to localhost:8080 you should be able to see the react app. Note: I had a socket error ERR_SOCKET_BAD_PORT NaN exception for port 8080. I updated the build.js file to enforce use of 8080 (/packages/react-to-do-list/bin/build.js)   demo: () => shell.exec('.\\node_modules\\.bin\\webpack serve --config .\\demo\\webpack.standalone.config.js --port 8080'),   If the reply helps, karma would be appreciated.   ... View more

Like @meetmshah mentioned create a new tag or field in the notable that defines which team will work in it. Once in place create a filter in incident review dashboard with that team tag or field and let the respective teams select and work on those filtered incidents. ... View more

I usually encounter this issue when there’s an issue with the KV store. Fixing the issue of KV store resolves this. I also clean-up my browsers cache to ensure nothing browser really is causing the issue. ... View more

hi @prabbala  Some links to get you started. https://lantern.splunk.com/?title=Security%2FUse_Cases%2FThreat_Hunting%2FUsing_the_MITRE_ATT%26CK_framework_in_Splunk_Enterprise_Security   https://lantern.splunk.com/?title=Security%2FUse_Cases%2FThreat_Hunting%2FAssessing_and_expanding_MITRE_ATT%26CK_coverage_in_Splunk_Enterprise_Security ... View more

hi @Tao_Zeng  One way of doing it is like this. | makeresults | eval TEST="\n User-Agent: iOS/16.4.1 iPhone\n P-Access-Network-Info: 3GPP-NR-TDD;utran-cell-id-3gpp=4600101200e020432103\n Security-Verify: ipsec-3gpp;alg=hmac-md5-96;ealg=null;mod=trans;port-c=9950;port-s=9900;prot=esp;spi-c=2155781586;spi-s=4286488018\n" | makemv TEST delim="\n" | rex field=TEST "P-Access-Network-Info:\s+(?P<access_network_info>.*)" ... View more

Hi @Renunaren  Check your teammates access to the data you are referring to in those panels. Give them the query used in those panels and see if they get any results back. Lastly, check the roles and capabilities assigned to your teammates. ... View more

hi @kitkit321  Use the metadata command to get the details. |metadata type=sourcetypes index=my_index ... View more

Hi @apomona  You can add a search clause in your query that maps to the token "teaminfra". Something like this   | inputlookup append=t vulnevolution.csv | search Team="$teaminfra$" | xyseries Date Team "nbvuln" | makecontinuous         <form version="1.1"> <label>Learning Splunk</label> <fieldset submitButton="false"></fieldset> <row> <panel> <title>Test Token</title> <input type="dropdown" token="teaminfra" searchWhenChanged="true"> <label>Infra Team</label> <choice value="*">All Teams</choice> <default>*</default> <fieldForLabel>Team</fieldForLabel> <fieldForValue>Team</fieldForValue> <search> <query>| inputlookup append=t vulnevolution.csv | stats dc(Team) by Team</query> <earliest>0</earliest> <latest></latest> </search> </input> <chart> <search> <query>| inputlookup append=t vulnevolution.csv | search Team="$teaminfra$" | xyseries Date Team "nbvuln" | makecontinuous</query> <earliest>0</earliest> <latest></latest> <sampleRatio>1</sampleRatio> </search> <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option> <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option> <option name="charting.axisTitleX.visibility">visible</option> <option name="charting.axisTitleY.visibility">visible</option> <option name="charting.axisTitleY2.visibility">visible</option> <option name="charting.axisX.abbreviation">none</option> <option name="charting.axisX.scale">linear</option> <option name="charting.axisY.abbreviation">none</option> <option name="charting.axisY.scale">linear</option> <option name="charting.axisY2.abbreviation">none</option> <option name="charting.axisY2.enabled">0</option> <option name="charting.axisY2.scale">inherit</option> <option name="charting.chart">line</option> <option name="charting.chart.bubbleMaximumSize">50</option> <option name="charting.chart.bubbleMinimumSize">10</option> <option name="charting.chart.bubbleSizeBy">area</option> <option name="charting.chart.nullValueMode">connect</option> <option name="charting.chart.showDataLabels">none</option> <option name="charting.chart.sliceCollapsingThreshold">0.01</option> <option name="charting.chart.stackMode">default</option> <option name="charting.chart.style">shiny</option> <option name="charting.drilldown">none</option> <option name="charting.layout.splitSeries">0</option> <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option> <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option> <option name="charting.legend.mode">standard</option> <option name="charting.legend.placement">right</option> <option name="charting.lineWidth">2</option> <option name="refresh.display">progressbar</option> <option name="trellis.enabled">0</option> <option name="trellis.scales.shared">1</option> <option name="trellis.size">medium</option> </chart> </panel> </row> </form>   ~ If the reply helps, an upvote would be appreciated. ... View more

Hi @dmuley  If using EKS from AWS then you can use Splunk Connect for Kubernetes  https://www.splunk.com/en_us/blog/partners/splunk-connect-for-kubernetes-on-eks.html You can also send logs from the Master node by installing Splunk Universal Forwarder and configuring /var/log or any other log path as per your need. https://www.splunk.com/en_us/blog/learn/splunk-universal-forwarder.html https://docs.splunk.com/Documentation/Splunk/9.0.4/Forwarding/Typesofforwarders For application specific events, you can use Splunk HTTP Event Collector (HEC) to send custom events to Splunk. https://docs.splunk.com/Documentation/Splunk/9.0.4/Data/UsetheHTTPEventCollector  Be sure to check the correct Splunk version documentation for configuration and implementation. ~ If the reply helps, an upvote would be appreciated. ... View more

@M_L_A  One way i think you can do this is by updating the alert and using |addinfo This will give you the SID of the search,  create a field of type url and append this sid value to it and share this url field to the destination. Example: <YOUR SEARCH> | addinfo    info_sid = 1680763667.414 you build a field or make this as part of the message to make search url http://localhost:8000/en-US/app/search/search?sid=1680763667.414 ~ If the reply helps an upvote would be appreciated. ... View more

@vincentgoh98 @akarivaratharaj  One of the ways I handled this for my Slack notifications from Splunk was to create a field with the required columns and then mvcombine them as a single field value and use this field in the alert.  It will list down items in your slack.  You can try something like this. | makeresults count=20 | eval rand =(random() % 20)+2 | eval field_a="A-"+rand | eval field_b="B-"+rand | stats count by field_a field_b | eval field_ab_count=field_a+" , "+field_b+" , "+count | fields field_ab_count | mvcombine field_ab_count     ~ If the reply helps, an upvote would be appreciated  ... View more