In Splunk Cloud - Settings, Server Settings, Email settings. Look for this section. Here's more information at Splunk's docs for PDF generation.
If now is no longer an option, there should be no reason to check for it! Try something like this:

<eval token="latest_Time">relative_time($time.latest$, $timedrop$)</eval>

Don't forget to change the default for the dropdown to something other than now.
There were a few errors, but this should work. Note I broke out the comparison_date calculation from the eval where you decide if they need to reset or not, to a) make it more clear and b) so you can see the dates/strings it's comparing with.

| makeresults format="CSV" data="date
2024-05-09T08:05:00
2024-02-09T08:05:00"
| eval epoch_lastLogonTimestamp_date = strptime(date, "%Y-%m-%dT%H:%M:%S")
| eval last_logon_total = strftime(epoch_lastLogonTimestamp_date, "%d/%m/%Y")
| eval comparison_date = relative_time(now(),"-61d@d")
| eval action = if(epoch_lastLogonTimestamp_date <= comparison_date, "reset password", "no change needed")

I think the biggest issue was that the epoch date is the only one you need. Do your math on it, work with it. If you need to see it in a more human readable version, you can convert it back at the end. In this case, 'last_logon_total' is simply unused after you build it.

Happy splunking, and if this helped karma would be appreciated! -Rich
How do you determine what the day is because in your example DT doesn't always equate to the date shown in _time?
Hello All, I have an LDAPsearch app installed in one of the on-prem Heavy Forwarders and I need to index the search output into an index we have created. Our IDX and SH are on Splunk Cloud. Would appreciate all the suggestions. Thanks in advance. Murali
gcusello, what I meant to do is this: using index=xta, I want to pull fma_id, Org_unify, description, AH tag and the ISO name. Using the fma_id that is pulled from xta (example: index=*OS-001*), report all indexes that have that fma_id as part of the string, then run a count on all hosts/systems that have the UF installed and are registered to that fma_id by type (Windows vs Linux). Then I have to check the available data sets to look for the host, by checking whether the hosts under the fma ID exist in AD, Defender, Big Fix, and Tenable and when they were last detected. Thanks a lot for your help on this matter.
I think we're missing some details to be able to provide *the answer* for you, but I can certainly point you in the right direction! You have a transaction, so you have duration for each transaction. So you'll want to sum those durations using stats, then do some division to get your uptime. Something like (pseudocode only):

... your base search here
| transaction ...
| stats sum(duration) as total_uptime [by something?]
| eval percent_uptime = total_uptime / (86400*7)

That's assuming a 1 week period and that your durations are in seconds (I'm pretty sure that's what pops out of transaction), so 86400 seconds per day times 7 days. Give that a try, and if you have any further problems or questions about this, reply back with a bit more information (like the search involved, a bit of the sample output from that search, etc.). Also if this helps, karma would be appreciated! Happy Splunking, Rich
This example using makeresults can show you a case statement:

| makeresults count=10
| eval _raw="message
success job,
processed job,
completed job,
failed job,"
| multikv forceheader=1
| eval status = case(
    like(message, "%success%") OR like(message, "%processed%") OR like(message, "%completed%"), "success",
    like(message, "%failed%") OR like(message, "%failure%"), "failure",
    true(), "other"
  )
| table _time, message, status
I have a status field with two string values, Dropped and Notdropped. If the value comes as Dropped, I want to show the background color as Green, and if the value comes as Notdropped the color should be green. How can I achieve this in a single card value in Splunk Studio?
Hello, if possible, I need help on getting a percentage of uptime for a transaction over time. I have a search created that creates a transaction; it's based on: startwith=Create endswith=Close keepevicted=true. The events are coming from OpsGenie for when an alert is created and closed. Is there any way to take the time from either between Create/Close or Close/Create for a one week timeframe to obtain the percentage? Thanks for all of the help, let me know if any more details are needed. Tom
Afternoon All, I'd like some help please with some SPL logic that I just can't crack. I have data on some users in our Active Directory system and I am trying to: create a new column with actions; identify those who have not logged in for more than 61 days and, if so, the action should return "reset password". Here's the part that I am having an issue with below. The first two lines are working as expected, returning last_logon_total as day, month, year. I have a new field I created called 'action' that I want to return a value in for those users who have not logged in for more than 61 days, but I can't get the SPL right.

| eval epoch_lastLogonTimestamp_date = strptime(lastLogonTimestamp, "%Y-%m-%dT%H:%M:%S")
| eval last_logon_total = strftime(epoch_lastLogonTimestamp_date, "%d/%m/%Y")
| eval action = if(last_logon_total = relative_time(), "-61d@d", "reset password")

Any ideas? Thanks, Paula
The mvjoin line was only one way I tried to add all the hosts together to get it to look like (host1,host2,host3); they are not coming in on the description. I am having difficulty getting any of the results side by side, separated by a comma. That is why I am on here. I have looked through so much documentation and cannot get my results for the hosts to go into one event that looks like (host1, host2, host3). You stated to use a foreach command. I am not quite sure how that would look to get it to put the hosts in one event side by side.
The information you seek is available on splunkbase at https://splunkbase.splunk.com/app/7245.  Splunk AI Assistance is in preview so you must request access before you can download it.  Details are on the splunkbase page.
Hi All, I have a field in my data called 'message', which contains information about the status of the field. I'd like to categorize files as either success or failure files based on the content of the field. For example, if the message contains multiple values like (success, processed, completed) then I want to label the corresponding file as success; if it contains something like (failed, failure) I want to label it as a failure file. How do I implement this using an SPL query? Below is the query I tried, but I am not getting it properly.

index=mulesoft environment=DEV applicationName="Test"
| stats values(content.FileName) as Filename1 values(content.ErrorMsg) as errormsg values(content.Error) as error values(message) as message values(priority) as priority min(timestamp) AS Logon_Time, max(timestamp) AS Logoff_Time BY correlationId
| eval SuccessFileName=case(match(message, "File put Succesfully*|Successfully created file data*|Archive file processed successfully*|Summary of all Batch*|processed successfully for file name*|SUCCESS") AND not match(priority,"ERROR|WARN"),FileName1,1=1,null())
| eval FailureFileName=case(match(message,"Failed to process file:"),FileName1,1=1,null())
| table SuccessFileName FailureFileName Response correlationId
I should have said change to windows path as the command I gave is for Linux 
Your Windows hosts should have an outputs.conf that sends to the HF only, if this is how you want your data flow architecture. (You don't need the 100_tenant_splunkcloud installed on the Windows UFs unless you want to send from them directly to Splunk Cloud; this is also a viable solution.) I'm starting to think you may have the 100_tenant_splunkcloud and configured outputs to the HF on the Windows hosts; you need to have one or the other for this setup. Run the btool outputs command on the Windows UF, let's see what that shows:

/opt/splunkforwarder/bin/splunk btool outputs list --debug
I'm looking for login attempts and the question is to identify new attempts from usernames that previously didn't try.

Day 1 = day count of new seen 3
bob
sam
steve

Day 2 = day count of new seen 2
sam   # because previously seen, exclude from count
tom
ralph
If there is an NLB between UF/HF and the indexing tier, you don't have to worry, as DNS should return static IPs for the NLB. If there is no NLB between UF/HF and the indexing tier and you are banking on DNS to return dynamic IPs, and your outputs.conf config is something like

server=<DNS alias for dynamic idx IPs>:<splunktcp port>

you must reduce dnsResolutionInterval in outputs.conf to as low as possible. It decides how fast new dynamic IPs are picked up by the UF/HF.
/opt/splunk/etc/system/default/outputs.conf [rfs]
/opt/splunk/etc/system/default/outputs.conf batchSizeThresholdKB = 131072
/opt/splunk/etc/system/default/outputs.conf batchTimeout = 30
/opt/splunk/etc/system/default/outputs.conf compression = zstd
/opt/splunk/etc/system/default/outputs.conf compressionLevel = 3
/opt/splunk/etc/system/default/outputs.conf dropEventsOnUploadError = false
/opt/splunk/etc/system/default/outputs.conf format = json
/opt/splunk/etc/system/default/outputs.conf format.json.index_time_fields = true
/opt/splunk/etc/system/default/outputs.conf format.ndjson.index_time_fields = true
/opt/splunk/etc/system/default/outputs.conf partitionBy = legacy
/opt/splunk/etc/system/default/outputs.conf [syslog]
/opt/splunk/etc/system/default/outputs.conf maxEventSize = 1024
/opt/splunk/etc/system/default/outputs.conf priority = <13>
/opt/splunk/etc/system/default/outputs.conf type = udp
/opt/splunk/etc/apps/100_tenant_splunkcloud/local/outputs.conf [tcpout]
/opt/splunk/etc/system/default/outputs.conf ackTimeoutOnShutdown = 30
/opt/splunk/etc/system/default/outputs.conf autoLBFrequency = 30
/opt/splunk/etc/apps/100_tenant_splunkcloud/local/outputs.conf autoLBFrequencyIntervalOnGroupFailure = -1
/opt/splunk/etc/system/default/outputs.conf autoLBVolume = 0
/opt/splunk/etc/system/default/outputs.conf blockOnCloning = true
/opt/splunk/etc/system/default/outputs.conf blockWarnThreshold = 100
/opt/splunk/etc/apps/100_tenant_splunkcloud/local/outputs.conf channelReapInterval = 60000
/opt/splunk/etc/apps/100_tenant_splunkcloud/local/outputs.conf channelReapLowater = 10
/opt/splunk/etc/apps/100_tenant_splunkcloud/local/outputs.conf channelTTL = 300000
/opt/splunk/etc/system/default/outputs.conf cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES256-SHA384:ECDH-ECDSA-AES128-SHA256
/opt/splunk/etc/system/default/outputs.conf compressed = false
/opt/splunk/etc/system/default/outputs.conf connectionTTL = 0
/opt/splunk/etc/system/default/outputs.conf connectionTimeout = 20
/opt/splunk/etc/apps/100_tenant_splunkcloud/local/outputs.conf connectionsPerTarget = 0
/opt/splunk/etc/system/local/outputs.conf defaultGroup = splunkcloud_20231028_9aaa4b04216cd9a0a4dc1eb274307fd1
/opt/splunk/etc/system/default/outputs.conf disabled = false
/opt/splunk/etc/apps/100_tenant_splunkcloud/local/outputs.conf dnsResolutionInterval = 300
/opt/splunk/etc/system/default/outputs.conf dropClonedEventsOnQueueFull = 5
/opt/splunk/etc/system/default/outputs.conf dropEventsOnQueueFull = -1
/opt/splunk/etc/system/default/outputs.conf ecdhCurves = prime256v1, secp384r1, secp521r1
/opt/splunk/etc/system/default/outputs.conf enableOldS2SProtocol = false
/opt/splunk/etc/system/default/outputs.conf forceTimebasedAutoLB = false
/opt/splunk/etc/apps/SplunkForwarder/default/outputs.conf forwardedindex.0.whitelist = .*
/opt/splunk/etc/apps/SplunkForwarder/default/outputs.conf forwardedindex.1.blacklist = _.*
/opt/splunk/etc/apps/SplunkDeploymentServerConfig/default/outputs.conf forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry|_metrics|_metrics_rollup|_configtracker|_dsclient|_dsphonehome|_dsappevent)
/opt/splunk/etc/apps/SplunkForwarder/default/outputs.conf forwardedindex.filter.disable = false
/opt/splunk/etc/system/default/outputs.conf heartbeatFrequency = 30
/opt/splunk/etc/system/local/outputs.conf indexAndForward = 1
/opt/splunk/etc/system/default/outputs.conf maxConnectionsPerIndexer = 2
/opt/splunk/etc/system/default/outputs.conf maxFailuresPerInterval = 2
/opt/splunk/etc/apps/SplunkForwarder/default/outputs.conf maxQueueSize = 500KB
/opt/splunk/etc/apps/100_tenant_splunkcloud/local/outputs.conf negotiateNewProtocol = true
/opt/splunk/etc/apps/100_tenant_splunkcloud/local/outputs.conf polling_interval = 5
/opt/splunk/etc/system/default/outputs.conf readTimeout = 300
/opt/splunk/etc/system/default/outputs.conf secsInFailureInterval = 1
/opt/splunk/etc/system/default/outputs.conf sendCookedData = true
/opt/splunk/etc/apps/100_tenant_splunkcloud/local/outputs.conf socksResolveDNS = false
/opt/splunk/etc/apps/100_tenant_splunkcloud/local/outputs.conf sslPassword =
/opt/splunk/etc/system/default/outputs.conf sslQuietShutdown = false
/opt/splunk/etc/system/default/outputs.conf sslVersions = tls1.2
/opt/splunk/etc/system/default/outputs.conf tcpSendBufSz = 0
/opt/splunk/etc/system/local/outputs.conf useACK = true
/opt/splunk/etc/system/default/outputs.conf useClientSSLCompression = true
/opt/splunk/etc/system/default/outputs.conf writeTimeout = 300
/opt/splunk/etc/system/local/outputs.conf [tcpout:scs]
/opt/splunk/etc/system/local/outputs.conf autoLBFrequency = 120
/opt/splunk/etc/system/local/outputs.conf clientCert = $SPLUNK_HOME/etc/apps/100_tenant_splunkcloud/default/tenant_server.pem
/opt/splunk/etc/system/local/outputs.conf compressed = true
/opt/splunk/etc/system/local/outputs.conf disabled = 1
/opt/splunk/etc/system/local/outputs.conf server = tenant.forwarders.scs.splunk.com:9997
/opt/splunk/etc/system/local/outputs.conf sslAltNameToCheck = *.forwarders.scs.splunk.com
/opt/splunk/etc/system/local/outputs.conf sslVerifyServerCert = true
/opt/splunk/etc/system/local/outputs.conf useClientSSLCompression = false
/opt/splunk/etc/system/local/outputs.conf [tcpout:splunkcloud_]
/opt/splunk/etc/system/local/outputs.conf autoLBFrequency = 120
/opt/splunk/etc/system/local/outputs.conf clientCert = $SPLUNK_HOME/etc/apps/100_tenant_splunkcloud/default/tenant_server.pem
/opt/splunk/etc/system/local/outputs.conf compressed = false
/opt/splunk/etc/system/local/outputs.conf server = inputs1.tenant.splunkcloud.com:9997, inputs2.tenant.splunkcloud.com:9997, inputs3.tenant.splunkcloud.com:9997, inputs4.tenant.splunkcloud.com:9997, inputs5.tenant.splunkcloud.com:9997, inputs6.tenant.splunkcloud.com:9997, inputs7.tenant.splunkcloud.com:9997, inputs8.tenant.splunkcloud.com:9997, inputs9.tenant.splunkcloud.com:9997, inputs10.tenant.splunkcloud.com:9997, inputs11.tenant.splunkcloud.com:9997, inputs12.tenant.splunkcloud.com:9997, inputs13.tenant.splunkcloud.com:9997, inputs14.tenant.splunkcloud.com:9997, inputs15.tenant.splunkcloud.com:9997
/opt/splunk/etc/system/local/outputs.conf sslCommonNameToCheck = *.tenant.splunkcloud.com
/opt/splunk/etc/system/local/outputs.conf sslVerifyServerCert = true
/opt/splunk/etc/system/local/outputs.conf sslVerifyServerName = true
/opt/splunk/etc/system/local/outputs.conf useClientSSLCompression = true
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [MonitorNoHandle://$WINDIR\System32\Dns\dns.log]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf sourcetype = MSAD:NT6:DNS
/opt/splunk/etc/system/default/inputs.conf [SSL]
/opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864
/opt/splunk/etc/system/default/inputs.conf allowSslRenegotiation = true
/opt/splunk/etc/system/default/inputs.conf certLogMaxCacheEntries = 10000
/opt/splunk/etc/system/default/inputs.conf certLogRepeatFrequency = 1d
/opt/splunk/etc/system/default/inputs.conf cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
/opt/splunk/etc/system/default/inputs.conf ecdhCurves = prime256v1, secp384r1, secp521r1
/opt/splunk/etc/system/default/inputs.conf host = $decideOnStartup
/opt/splunk/etc/system/default/inputs.conf index = default
/opt/splunk/etc/system/default/inputs.conf logCertificateData = true
/opt/splunk/etc/system/default/inputs.conf sslQuietShutdown = false
/opt/splunk/etc/system/default/inputs.conf sslVersions = tls1.2
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf [WinEventLog://Application]
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf checkpointInterval = 5
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf current_only = 0
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf disabled = 0
host = $decideOnStartup
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf index = mx_windows
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf renderXml = true
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf start_from = oldest
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinEventLog://DFS Replication]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf renderXml = true
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinEventLog://DNS Server]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf renderXml = true
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinEventLog://Directory Service]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf renderXml = true
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinEventLog://File Replication Service]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf renderXml = true
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf [WinEventLog://ForwardedEvents]
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf checkpointInterval = 5
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf current_only = 0
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf disabled = 0
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf host = WinEventLogForwardHost
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf index = mx_windows
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf renderXml = true
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf start_from = oldest
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinEventLog://Key Management Service]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf renderXml = true
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf [WinEventLog://Security]
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf checkpointInterval = 5
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf current_only = 0
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf disabled = 0
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf evt_resolve_ad_obj = 1
host = $decideOnStartup
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf index = mx_windows
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf renderXml = true
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf start_from = oldest
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf [WinEventLog://System]
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf checkpointInterval = 5
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf current_only = 0
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf disabled = 0
host = $decideOnStartup
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf index = mx_windows
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf renderXml = true
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf start_from = oldest
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinHostMon://Computer]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 600
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = Computer
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinHostMon://Disk]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 600
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = Disk
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinHostMon://Driver]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 600
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = Driver
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinHostMon://NetworkAdapter]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 600
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = NetworkAdapter
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinHostMon://OperatingSystem]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 600
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = OperatingSystem
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinHostMon://Process]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 600
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = Process
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinHostMon://Processor]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 600
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = Processor
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinHostMon://Roles]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 600
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = Roles
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinHostMon://Service]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 600
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = Service
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinNetMon://inbound]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf direction = inbound
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinNetMon://outbound]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf direction = outbound
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinPrintMon://driver]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf baseline = 1
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 600
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = driver
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinPrintMon://port]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf baseline = 1
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 600
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = port
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinPrintMon://printer]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf baseline = 1
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 600
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = printer
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinRegMon://default]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf hive = .*
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf proc = .*
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = rename|set|delete|create
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinRegMon://hkcu_run]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf hive = \\REGISTRY\\USER\\.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf proc = .*
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = set|create|delete|rename
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinRegMon://hklm_run]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf hive = \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf proc = .*
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = set|create|delete|rename
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [admon://default]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf monitorSubtree = 1
/opt/splunk/etc/system/default/inputs.conf [batch:///opt/splunk/var/run/splunk/search_telemetry/*search_telemetry.json]
/opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864
/opt/splunk/etc/system/default/inputs.conf crcSalt = <SOURCE>
/opt/splunk/etc/system/default/inputs.conf host = $decideOnStartup
/opt/splunk/etc/system/default/inputs.conf index = _introspection
/opt/splunk/etc/system/default/inputs.conf log_on_completion = 0
/opt/splunk/etc/system/default/inputs.conf move_policy = sinkhole
/opt/splunk/etc/system/default/inputs.conf sourcetype = search_telemetry
/opt/splunk/etc/system/default/inputs.conf [batch:///opt/splunk/var/spool/splunk]
/opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864
/opt/splunk/etc/system/default/inputs.conf crcSalt = <SOURCE>
/opt/splunk/etc/system/default/inputs.conf host = $decideOnStartup
/opt/splunk/etc/system/default/inputs.conf index = default
/opt/splunk/etc/system/default/inputs.conf move_policy = sinkhole
/opt/splunk/etc/system/default/inputs.conf [batch:///opt/splunk/var/spool/splunk/...stash_hec]
/opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864
/opt/splunk/etc/system/default/inputs.conf crcSalt = <SOURCE>
/opt/splunk/etc/system/default/inputs.conf host = $decideOnStartup
/opt/splunk/etc/system/default/inputs.conf index = default
/opt/splunk/etc/system/default/inputs.conf move_policy = sinkhole
/opt/splunk/etc/system/default/inputs.conf sourcetype = stash_hec
/opt/splunk/etc/system/default/inputs.conf [batch:///opt/splunk/var/spool/splunk/...stash_new]
/opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864

... and many lines below ...

/opt/splunk/etc/apps/launcher/local/inputs.conf [splunktcp://9997]