@harshal_chakran @suresh401    One of our salesforce security guys found a workaround that involves modifying a few python scripts under the lib folder. There are two methods, long polling and web sockets. Long polling was applicable to us so we just fixed that. Some information on the usage of proxy settings in aiohttp can be found here: Advanced Client Usage — aiohttp 3.9.3 documentation The fixes can be applied to the TA-sfdc-streaming-api pack and below is what we modified to successfully subscribe via a proxy.   1. Modify /opt/splunk/etc/apps/TA-sfdc-streaming-api/lib/aiocometd/transports/long_polling.py search for one instance of "session.post" and add  ,proxy="http://<proxyip>:<port>" 2. Modify /opt/splunk/etc/apps/TA-sfdc-streaming-api/lib/aiosfstream/auth.py search for two instances of "session.post" and add ,proxy="http://<proxyip>:<port>"     Hope this helps!   ... View more

FYI, for those seeking a workaround:   One of our salesforce security guys found a workaround that involves modifying a few python scripts under the lib folder.  There are two methods, long polling and web sockets. Long polling was applicable to us so we just fixed that. Some information on the usage of proxy settings in aiohttp can be found here: Advanced Client Usage — aiohttp 3.9.3 documentation The fixes can be applied to the TA-sfdc-streaming-api pack and below is what we modified to successfully subscribe via a proxy.   1. Modify /opt/splunk/etc/apps/TA-sfdc-streaming-api/lib/aiocometd/transports/long_polling.py search for one instance of "session.post" and add  ,proxy="http://<proxyip>:<port>" 2. Modify /opt/splunk/etc/apps/TA-sfdc-streaming-api/lib/aiosfstream/auth.py search for two instances of "session.post" and add ,proxy="http://<proxyip>:<port>"     Hope this helps!   ... View more

@yeahnah    One of our salesforce security guys found a workaround that involves modifying a few python scripts under the lib folder. There are two methods, long polling and web sockets. Long polling was applicable to us so we just fixed that. Some information on the usage of proxy settings in aiohttp can be found here: Advanced Client Usage — aiohttp 3.9.3 documentation The fixes can be applied to the TA-sfdc-streaming-api pack and below is what we modified to successfully subscribe via a proxy.   1. Modify /opt/splunk/etc/apps/TA-sfdc-streaming-api/lib/aiocometd/transports/long_polling.py search for one instance of "session.post" and add  ,proxy="http://<proxyip>:<port>" 2. Modify /opt/splunk/etc/apps/TA-sfdc-streaming-api/lib/aiosfstream/auth.py search for two instances of "session.post" and add ,proxy="http://<proxyip>:<port>"     Hope this helps!   ... View more

@mdsnmss wrote: We recently upgraded our test environment from 6.4.2 to 6.5.2 and upon attempting to deploy a new search head cluster bundle (shcluster-bundle), we are getting the following error: Error while deploying apps to first member: Error while fetching apps baseline on target=<shcluster-captain>: Error in JSON response: Unexpected EOF The only thing that I believe has recently changed in the bundle was adding some database drivers to Splunk DB Connect to be deployed to the cluster. Any ideas what might be causing the unexpected end of file error? I also got this error when upgrading from 9.0.0 to 9.0.2. The problem however for me was as simple as restarting each search head. My apply bundle command was always referencing 8089. ... View more

I guess Splunk don't support Splunk or Splunk Works developed apps now. ... View more

I can confirm this was affecting version 2.0.1 and 2.0.0 and appeared to break around 7/Sept/2022 for us. Modifying the following two files resolved the issue (grep "microsoft_trace_url =" /opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/*.py) OR /opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace_oauth.py /opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace.py Changing the URL (to include a backslash) from https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter to https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?\$filter Will lodge a splunk support ticket now. Cheers ... View more

Thanks @jconger  The update is working well. My only issue was getting server 500 from reports.office365.com when stipulating a 30 day window to sync. I was able to get it going by not specifying a start date/time. ... View more

@jconger Hi , are there any further updates on this? Thanks ... View more

Thanks for the reply c.boggs. I have just updated to 8.0.3. Admittedly I haven't used script stanza's before so unsure what to expect or if it affected our 7.3.1.1 fleet. All the scripts run flawlessly through a PowerShell CLI, but not all function when executed by Splunk. Sysmon doesnt seem to generate many Process Creation events so at least that is one consolation. Pipeline execution details for command line: start-sleep -m 200 . Context Information: DetailSequence=1 DetailTotal=1 SequenceNumber=570469 UserId=DOMAIN\SYSTEM HostName=ConsoleHost HostVersion=5.1.14409.1018 HostId=9db3f578-72c9-4efe-8ec5-2987f958b4a0 HostApplication=powershell.exe -command & {get-content C:\WINDOWS\TEMP\\input78ad6966241a2009.tmp | C:\Program` Files\SplunkUniversalForwarder\bin\splunk-powershell.ps1 C:\Program` Files\SplunkUniversalForwarder 78ad6966241a2009} EngineVersion=5.1.14409.1018 RunspaceId=91737811-5a9e-430a-9462-cdb540f6e006 PipelineId=1 ScriptName= CommandLine= start-sleep -m 200 Details: CommandInvocation(Start-Sleep): "Start-Sleep" ParameterBinding(Start-Sleep): name="Milliseconds"; value="200" ... View more

Did you solve this issue? ... View more