@SplunkExplorer- Just to be clear SSL offers compression but during the data transit only. So Let's say If you are sending SSL compressed data from UF to HF. As soon as HF receives the data it unencrypt & uncompress it. Now if you apply the SSL compression again between HF to IDX then only HF will compress the data & forward it to IDX.   I hope this helps!!! Kindly upvote if it does!!! ... View more

@Joei- I'm not sure if there is any direct connector for Splunk which updates lookup in Splunk. But here is an alternative you can try if you are a developer or someone in your team is a developer and can create a custom Python playbook in SOAR.   Splunk offers rest-endpoint to update the lookup which can be leveraged in Python SOAR Playbook to update the lookup. https://docs.splunk.com/Documentation/Splunk/9.4.0/RESTREF/RESTknowledge#data.2Flookup-table-files.2F.7Bname.7D   I hope this helps!!! Kindly upvote if it does!!! ... View more

@SHEBHADAYANA  - Can you please share the details on what you configured exactly and what alert did you receive??   ... View more

@secure- Probably custom command from this App might help. https://splunkbase.splunk.com/app/4297   Kindly upvote if it helps!!! ... View more

@Wiessiet- Thanks for posting your findings on Splunk community.   Though I have a suggestion for you. If you already have a solution to the problem. What I would do is post a question and post a reply to your question & accept your answer. This way other people see that question as resolved & available with solution straightaway.   I hope this make sense!! ... View more

@Anit_Mathew- If it is Splunk ES default dashboard without any change in it and if it is still giving you error you can raise Splunk support ticket for it.   ... View more

@mpc7zh- Downgrading never works the same way as Upgrade. Will the commands work?? -> Yes, maybe. But it will break functionalities and stuff. Soar may not work properly. It may even create issues when you upgrade it in the future as well.   Maybe Splunk support might be able to help you with this. You can raise a support ticket for it.   But my question to you is, why do you need to downgrade in the first place?? Because a lot of time, usually thing that you need to do might be possible even without downgrading the soar.   I hope this helps!!! Kindly upvote if it does!!! ... View more

@JagsP- I don't see this App on the Splunkbase. Where did you get this App?? ( The reason I'm asking is because the error is coming from the Python code within this App.)   I hope this helps!!! ... View more

@cybersunny- Can you please post part of the dashboard XML which includes this mailto?? ( You can hide any sensitive information.)   ... View more

@NithinR- You can try and send them email to support@splunk.com   I hope this helps!!! Kindly upvote if it does!!! ... View more

@ryanaa- I think question better suitable for Machine Learning community. ... View more

@joe2- I would like to clarify few points and I think you will get the idea on how you can do something like that: Your query-1 is not working, because it seems you are using the old query, that macro from old query does not exist anymore it seems. The new query is based on firewall data. Here - https://research.splunk.com/network/1ff9eb9a-7d72-4993-a55e-59a839e607f1/ But because this is dependent on firewall traffic data, it only works when you have firewall between those two machines. It could be traditional firewall or AWS firewall or anything. For your query-2, again you are looking for source=firewall* data. And windows data contain contain that sourcetype that's why you are seeing no results.   Summary: If you have the traffic monitoring device in-between those two machines, use the traffic logs to detect it. https://research.splunk.com/network/1ff9eb9a-7d72-4993-a55e-59a839e607f1/ https://research.splunk.com/network/3141a041-4f57-4277-9faa-9305ca1f8e5b/ But you don't then the only option is to have something on the Windows Victim device that logs all traffic to the machine, and use that traffic logs to build the query.   I hope this helps!!! Kindly upvote if it does!!! ... View more

@darling- Its public release App now, I don't think there should be any restriction on which Cloud stack you can install. But for better clarity maybe you can contact Splunk support for Cloud & they should resolve your confusion.   I hope this helps!!! ... View more

@davedeluxe- There is no direct way to run Python script from Splunk dashboard. But you can use one of the two ways below to Run Python script from a dashboard button. Python Custom Command Create Javascript to initiate the Splunk search with this custom command in it. Python Custom Rest Endpoint Create Javascript to make a rest call to the custom rest endpoint created by you.   And in both case you can use Javascript to pass whatever data you need to pass-along the way. And you can put your custom python script within custom python command code or custom rest endpoint code. And you will find number of examples online for both custom command & custom rest endpoint. This is one is old blog about custom rest endpoint for reference - https://community.splunk.com/t5/Dashboards-Visualizations/Can-I-call-a-Python-script-from-a-dashboard-and-output-its/m-p/398088   I hope this helps!!! Kindly upvote if it does!!!! ... View more

@saiiman- This SOAR document clearly describes current limitations with community license. https://docs.splunk.com/Documentation/SOARonprem/latest/Admin/License 100 licensed actions per day 1 tenant 5 cases in the New or Open states   I hope this helps!!! Kindly upvote & accept the answer if it does!!! ... View more

@silverKi- As @richgalloway mentioned it is not possible to do it for particular role or user. But you can disable risky for particular command or for all commands. Reference document - https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards   I hope this helps!!! ... View more

@uthornander_spl- Kindly please accept your own answer, so future Splunk Community users gets benefited from it. ... View more

@Sathish28- Few things I want to take your attention: The error you are seeing is not related to the login issue you are having at all.   For the Login Issue: Are you trying LDAP credential? Login first with Admin Splunk native account. Then fix the LDAP related issue. Check Splunk internal logs & LDAP configuration page. Is it Splunk native authentication? Then you might need to reset the creds.   For Mongod related errors you are seeing in the logs. As suggested by @splunkreal  please check the Splunk's internal logs to find the details on why mongodb service unable to start.   I hope this helps!!! Kindly upvote if it does!!! ... View more

@AShwin1119- I think its the same question here I have answered - https://community.splunk.com/t5/Monitoring-Splunk/indexer-cluster-to-SH-cluster-replication-issue/m-p/709746/highlight/true#M10687   I think you are not forwarding the SH data to Indexers. * Which is compulsory when you are using SHC. * And best-practice in all SHs. https://docs.splunk.com/Documentation/Splunk/9.4.0/DistSearch/Forwardsearchheaddata   I hope this helps!!! Kindly upvote if it does!!!! ... View more

@CrossWordKnower- When you say earliest=-8h@h , latest becomes now as you are not providing it. So number of results differ even when you run the search again manually, because your search will search new events coming in every time.   Try using static values of earliest & latest, for example earliest=01/22/2025:00:00:00 latest=01/23/2025:00:00:00 And in this scenario it should gave exactly the same count, regardless of its manual search or alert or when ever you search the search,   I hope this is understandable. Kindly upvote if it helps!!! ... View more

@welcomerrr- As described by @PickleRick , you cannot create a function for stats command, but you can create the whole new custom command which might be implementing the functionality in Python.   But most of the requirements that you might have should be able to fulfilled with existing stats command function. Kindly please describe exact use-case and community should be able to help you write query without writing custom command or function.   ... View more

@karn- As @dolezelk answered your question, if that sounds okay, then kindly accept the answer by clicking to "Accept as Solution" so future community users get help from it as well.   Community Moderator, Vatsal ... View more

@AShwin1119- I think you are not forwarding the SH data to Indexers. * Which is compulsory when you are using SHC. * And best-practice in all SHs. https://docs.splunk.com/Documentation/Splunk/9.4.0/DistSearch/Forwardsearchheaddata   I hope this helps!! Please upvote if it helps!!! ... View more

@pipehitter- Please accept my answer if it helped you with your question by clicking on "Accept as Solution". ... View more