@msatish- Yes you can always define your own sourcetype & your own custom index that you want any data to fall into.   But as @livehybrid is asking you can need to figure-out how you are collecting the data & which format of the logs so you can figure-out from which config file & where you can apply the new sourcetype & index. And you also need to put props.conf configuration (Parsing, Timestamp extraction, Field Extraction, etc.) for your custom sourcetype.   And make sure index is created on your indexers before you start pushing the data into your custom index.   I hope this helps!!! ... View more

Then I think definitely it something related to Log4j configuration or on Spark/Java side in which I have 0 experience, so I'm sorry I won't be able to help you, but I hope someone else in the community will be able to help. ... View more

@livehybrid- This curl tool sounds useful. And @Zoe_  you just need to add | outputlookup <your-lookup-name> at the end of @livehybrid 's query. ... View more

@livehybrid  json_array_to_mv - that's sounds interesting.  🙂 ... View more

@Andre_- FYI, I haven't tried these config on my side so may need to read about them on spec file & Splunk docs. Also, I'm not sure how metrics based queries will be used for role based restriction.   # props.conf.example [em_metrics] METRICS_PROTOCOL = statsd STATSD-DIM-TRANSFORMS = user, queue, app_id, state # transforms.conf.example [statsd-dims:user] REGEX = (\Quser:\E(?<user>.*?)[\Q,\E\Q]\E])   I hope this helps!!! Kindly upvote if it does!!! ... View more

@davidco- Did you check connectivity from Spark server to Splunk service on splunk HEC port? * via telnet or curl     ... View more

@gn694- I don't think there is any direct way or internal logs you can use this for this what you need. Unless you can see the difference in data in terms of fields indexed OR you check on the source side.   ... View more

@marisstella- Kindly please accept the answer @isoutamo if that help you resolve/understand your query by clicking on "Accept as Solution" so future Splunk Community users will get benefited from your question as well. ... View more

@ramuzzini- Glad to hear that you are able to resolve the issue. Please kindly click on my answer with "Accept as Solution" so that future Splunk users can get benefited from it as they see it solution that worked for you. ... View more

@KKuser- I don't know if it would be possible to get the first request, rest of the requests mostly available by default on latest Enterprise Securities default dashboards. You can get the queries for the reports from these default Enterprise Security dashboards.   I hope this helps!!! ... View more

@romedawg- Great to hear that you fixed the issue and thank you for writing up your solution on Splunk community. Kindly accept your answer (your last msg here) by clicking on "Accept as Solution" so future Splunk Community users will also get benefited from your answer. ... View more

@ahmsid- ML toolkit is additional tool. You can use to write more rules. No relation with your current stuff.   I hope this helps!!! Kindly upvote if it does!!! ... View more

@splunklearner- If your Splunk cannot reach and collect the Akamai logs directly that means your Splunk machine don't have direct internet connectivity and it needs to use some kind of proxy. Regardless of whether its a sidecar proxy or whatever, you can just ask the team for the proxy details & configure inside the Add-on configuration for the Add-on to use it to reach to the right destination.   ... View more

@romedawg- I'm not 100% if your configuration is correct or not. But I would suggest you to go through this two articles as it suggest something regarding what you are having, and I personally faced KVstore issue regarding SSL certificate. https://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/MeetSplunk https://docs.splunk.com/Documentation/Splunk/9.4.1/Admin/MigrateKVstore   ... View more

@maixuany- Can you please refactor your question please?? Not sure where you have question here. ... View more

@scottmkirkland- In your latest query you can just drop all millisecond zeros with the help of substr. Example: | eval secondsToAtScene = tonumber(substr(secondsToAtScene, 1, len(secondsToAtScene)-7)) This will just remove last 7 characters which will remove milliseconds part from it. And you can apply this to any fields the same way.   ... View more

|geostats values(Good) as Good values(Resetting) as Resetting values(Starting) as Starting values(Unknown) as Unknown values(Faulty) as Faulty latfield=lat longfield=lon * How would you put values on Map visualization? ... View more

@SplunkExplorer- Just to be clear SSL offers compression but during the data transit only. So Let's say If you are sending SSL compressed data from UF to HF. As soon as HF receives the data it unencrypt & uncompress it. Now if you apply the SSL compression again between HF to IDX then only HF will compress the data & forward it to IDX.   I hope this helps!!! Kindly upvote if it does!!! ... View more

@Joei- I'm not sure if there is any direct connector for Splunk which updates lookup in Splunk. But here is an alternative you can try if you are a developer or someone in your team is a developer and can create a custom Python playbook in SOAR.   Splunk offers rest-endpoint to update the lookup which can be leveraged in Python SOAR Playbook to update the lookup. https://docs.splunk.com/Documentation/Splunk/9.4.0/RESTREF/RESTknowledge#data.2Flookup-table-files.2F.7Bname.7D   I hope this helps!!! Kindly upvote if it does!!! ... View more

@SHEBHADAYANA  - Can you please share the details on what you configured exactly and what alert did you receive??   ... View more

@secure- Probably custom command from this App might help. https://splunkbase.splunk.com/app/4297   Kindly upvote if it helps!!! ... View more

@Wiessiet- Thanks for posting your findings on Splunk community.   Though I have a suggestion for you. If you already have a solution to the problem. What I would do is post a question and post a reply to your question & accept your answer. This way other people see that question as resolved & available with solution straightaway.   I hope this make sense!! ... View more

@Anit_Mathew- If it is Splunk ES default dashboard without any change in it and if it is still giving you error you can raise Splunk support ticket for it.   ... View more