All Posts


I should have said to change to the Windows path, as the command I gave is for Linux.
Your Windows hosts should have an outputs.conf that sends to the HF only, if this is how you want your data flow architecture. (You don't need the 100_tenant_splunkcloud installed on the Windows UFs unless you want to send from them directly to Splunk Cloud; this is also a viable solution.) I'm starting to think you may have the 100_tenant_splunkcloud and configured outputs to the HF on the Windows hosts; you need to have one or the other for this setup. Run the btool outputs command on the Windows UF, let's see what that shows:

/opt/splunkforwarder/bin/splunk btool outputs list --debug
I'm looking for login attempts and the question is to identify new attempts from usernames that previously didn't try.

Day 1 = day count of new seen 3
bob
sam
steve

Day 2 = day count of new seen 2
sam  # because previously seen, exclude from count
tom
ralph
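The "first seen" logic the question describes, as an added worked example (it is not part of the post above and not SPL): each username counts as new only on the first day it appears, and is excluded on every later day even if it logs in again. The `timestamp user=... action=login` line format and the sample events are constructed for this example.

```python
"""First-seen login detection over constructed sample events.

Added example, not part of the original post: counts, per day, the
usernames that attempt to log in for the first time relative to every
earlier day. The log line format and sample events are constructed.
"""
from collections import OrderedDict
from datetime import datetime

# Constructed sample log lines: "<ISO timestamp> user=<name> action=login".
SAMPLE_LOG = """\
2024-01-01T08:01:00Z user=bob action=login
2024-01-01T09:15:00Z user=sam action=login
2024-01-01T09:16:00Z user=sam action=login
2024-01-01T17:40:00Z user=steve action=login
2024-01-02T07:59:00Z user=sam action=login
2024-01-02T10:05:00Z user=tom action=login
2024-01-02T11:30:00Z user=ralph action=login
2024-01-03T08:00:00Z user=bob action=login
"""


def parse_events(text):
    """Yield (day, user) pairs from the constructed log format, in file order."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        stamp = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ")
        kv = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
        if "user" in kv:
            yield stamp.date().isoformat(), kv["user"]


def first_seen_per_day(text):
    """Return an ordered mapping day -> sorted usernames first seen that day.

    A username is new on the first day it appears and excluded afterwards
    (the "sam" case in the post). Events are sorted by day first so an
    out-of-order file cannot make a previously seen user look new.
    """
    seen = set()
    result = OrderedDict()
    for day, user in sorted(parse_events(text), key=lambda e: e[0]):
        result.setdefault(day, [])
        if user not in seen:
            seen.add(user)
            result[day].append(user)
    for day in result:
        result[day].sort()
    return result


def new_user_counts(text):
    """Return {day: number of first-seen usernames}, the count the post asks for."""
    return {day: len(users) for day, users in first_seen_per_day(text).items()}


if __name__ == "__main__":
    for day, users in first_seen_per_day(SAMPLE_LOG).items():
        print(f"{day}  new={len(users)}  {' '.join(users)}")
```

Day 3 in the sample yields a count of 0 because bob was already seen on day 1. In SPL the same baseline is usually built with `stats min(_time) AS first_seen BY user`, then bucketing `first_seen` by day and counting.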
If there is an NLB in between UF/HF and the indexing tier, you don't have to worry, as DNS should return static IPs for the NLB. If there is no NLB in between UF/HF and the indexing tier and you are banking on DNS to return dynamic IPs, and your outputs.conf config is

server=<DNS alias for dynamic idx IPs>:<splunktcp port>

you must reduce dnsResolutionInterval in outputs.conf as low as possible. It decides how fast new dynamic IPs are picked up by the UF/HF.
/opt/splunk/etc/system/default/outputs.conf [rfs]
/opt/splunk/etc/system/default/outputs.conf batchSizeThresholdKB = 131072
/opt/splunk/etc/system/default/outputs.conf batchTimeout = 30
/opt/splunk/etc/system/default/outputs.conf compression = zstd
/opt/splunk/etc/system/default/outputs.conf compressionLevel = 3
/opt/splunk/etc/system/default/outputs.conf dropEventsOnUploadError = false
/opt/splunk/etc/system/default/outputs.conf format = json
/opt/splunk/etc/system/default/outputs.conf format.json.index_time_fields = true
/opt/splunk/etc/system/default/outputs.conf format.ndjson.index_time_fields = true
/opt/splunk/etc/system/default/outputs.conf partitionBy = legacy
/opt/splunk/etc/system/default/outputs.conf [syslog]
/opt/splunk/etc/system/default/outputs.conf maxEventSize = 1024
/opt/splunk/etc/system/default/outputs.conf priority = <13>
/opt/splunk/etc/system/default/outputs.conf type = udp
/opt/splunk/etc/apps/100_tenant_splunkcloud/local/outputs.conf [tcpout]
/opt/splunk/etc/system/default/outputs.conf ackTimeoutOnShutdown = 30
/opt/splunk/etc/system/default/outputs.conf autoLBFrequency = 30
/opt/splunk/etc/apps/100_tenant_splunkcloud/local/outputs.conf autoLBFrequencyIntervalOnGroupFailure = -1
/opt/splunk/etc/system/default/outputs.conf autoLBVolume = 0
/opt/splunk/etc/system/default/outputs.conf blockOnCloning = true
/opt/splunk/etc/system/default/outputs.conf blockWarnThreshold = 100
/opt/splunk/etc/apps/100_tenant_splunkcloud/local/outputs.conf channelReapInterval = 60000
/opt/splunk/etc/apps/100_tenant_splunkcloud/local/outputs.conf channelReapLowater = 10
/opt/splunk/etc/apps/100_tenant_splunkcloud/local/outputs.conf channelTTL = 300000
/opt/splunk/etc/system/default/outputs.conf cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES256-SHA384:ECDH-ECDSA-AES128-SHA256
/opt/splunk/etc/system/default/outputs.conf compressed = false
/opt/splunk/etc/system/default/outputs.conf connectionTTL = 0
/opt/splunk/etc/system/default/outputs.conf connectionTimeout = 20
/opt/splunk/etc/apps/100_tenant_splunkcloud/local/outputs.conf connectionsPerTarget = 0
/opt/splunk/etc/system/local/outputs.conf defaultGroup = splunkcloud_20231028_9aaa4b04216cd9a0a4dc1eb274307fd1
/opt/splunk/etc/system/default/outputs.conf disabled = false
/opt/splunk/etc/apps/100_tenant_splunkcloud/local/outputs.conf dnsResolutionInterval = 300
/opt/splunk/etc/system/default/outputs.conf dropClonedEventsOnQueueFull = 5
/opt/splunk/etc/system/default/outputs.conf dropEventsOnQueueFull = -1
/opt/splunk/etc/system/default/outputs.conf ecdhCurves = prime256v1, secp384r1, secp521r1
/opt/splunk/etc/system/default/outputs.conf enableOldS2SProtocol = false
/opt/splunk/etc/system/default/outputs.conf forceTimebasedAutoLB = false
/opt/splunk/etc/apps/SplunkForwarder/default/outputs.conf forwardedindex.0.whitelist = .*
/opt/splunk/etc/apps/SplunkForwarder/default/outputs.conf forwardedindex.1.blacklist = _.*
/opt/splunk/etc/apps/SplunkDeploymentServerConfig/default/outputs.conf forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry|_metrics|_metrics_rollup|_configtracker|_dsclient|_dsphonehome|_dsappevent)
/opt/splunk/etc/apps/SplunkForwarder/default/outputs.conf forwardedindex.filter.disable = false
/opt/splunk/etc/system/default/outputs.conf heartbeatFrequency = 30
/opt/splunk/etc/system/local/outputs.conf indexAndForward = 1
/opt/splunk/etc/system/default/outputs.conf maxConnectionsPerIndexer = 2
/opt/splunk/etc/system/default/outputs.conf maxFailuresPerInterval = 2
/opt/splunk/etc/apps/SplunkForwarder/default/outputs.conf maxQueueSize = 500KB
/opt/splunk/etc/apps/100_tenant_splunkcloud/local/outputs.conf negotiateNewProtocol = true
/opt/splunk/etc/apps/100_tenant_splunkcloud/local/outputs.conf polling_interval = 5
/opt/splunk/etc/system/default/outputs.conf readTimeout = 300
/opt/splunk/etc/system/default/outputs.conf secsInFailureInterval = 1
/opt/splunk/etc/system/default/outputs.conf sendCookedData = true
/opt/splunk/etc/apps/100_tenant_splunkcloud/local/outputs.conf socksResolveDNS = false
/opt/splunk/etc/apps/100_tenant_splunkcloud/local/outputs.conf sslPassword =
/opt/splunk/etc/system/default/outputs.conf sslQuietShutdown = false
/opt/splunk/etc/system/default/outputs.conf sslVersions = tls1.2
/opt/splunk/etc/system/default/outputs.conf tcpSendBufSz = 0
/opt/splunk/etc/system/local/outputs.conf useACK = true
/opt/splunk/etc/system/default/outputs.conf useClientSSLCompression = true
/opt/splunk/etc/system/default/outputs.conf writeTimeout = 300
/opt/splunk/etc/system/local/outputs.conf [tcpout:scs]
/opt/splunk/etc/system/local/outputs.conf autoLBFrequency = 120
/opt/splunk/etc/system/local/outputs.conf clientCert = $SPLUNK_HOME/etc/apps/100_tenant_splunkcloud/default/tenant_server.pem
/opt/splunk/etc/system/local/outputs.conf compressed = true
/opt/splunk/etc/system/local/outputs.conf disabled = 1
/opt/splunk/etc/system/local/outputs.conf server = tenant.forwarders.scs.splunk.com:9997
/opt/splunk/etc/system/local/outputs.conf sslAltNameToCheck = *.forwarders.scs.splunk.com
/opt/splunk/etc/system/local/outputs.conf sslVerifyServerCert = true
/opt/splunk/etc/system/local/outputs.conf useClientSSLCompression = false
/opt/splunk/etc/system/local/outputs.conf [tcpout:splunkcloud_]
/opt/splunk/etc/system/local/outputs.conf autoLBFrequency = 120
/opt/splunk/etc/system/local/outputs.conf clientCert = $SPLUNK_HOME/etc/apps/100_tenant_splunkcloud/default/tenant_server.pem
/opt/splunk/etc/system/local/outputs.conf compressed = false
/opt/splunk/etc/system/local/outputs.conf server = inputs1.tenant.splunkcloud.com:9997, inputs2.tenant.splunkcloud.com:9997, inputs3.tenant.splunkcloud.com:9997, inputs4.tenant.splunkcloud.com:9997, inputs5.tenant.splunkcloud.com:9997, inputs6.tenant.splunkcloud.com:9997, inputs7.tenant.splunkcloud.com:9997, inputs8.tenant.splunkcloud.com:9997, inputs9.tenant.splunkcloud.com:9997, inputs10.tenant.splunkcloud.com:9997, inputs11.tenant.splunkcloud.com:9997, inputs12.tenant.splunkcloud.com:9997, inputs13.tenant.splunkcloud.com:9997, inputs14.tenant.splunkcloud.com:9997, inputs15.tenant.splunkcloud.com:9997
/opt/splunk/etc/system/local/outputs.conf sslCommonNameToCheck = *.tenant.splunkcloud.com
/opt/splunk/etc/system/local/outputs.conf sslVerifyServerCert = true
/opt/splunk/etc/system/local/outputs.conf sslVerifyServerName = true
/opt/splunk/etc/system/local/outputs.conf useClientSSLCompression = true
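The btool listing above is the raw material for the question asked earlier in the thread (which output group is active, and which file each effective value comes from). The following is an added example, not code from the thread or from Splunk: it parses the `<file> [stanza]` / `<file> key = value` line format that `splunk btool outputs list --debug` prints, resolves the effective tcpout groups, and audits each active group's server-certificate verification. The `SAMPLE` text is a constructed excerpt in that format; `splunkcloud_EXAMPLE`, the `myorg_outputs` app, `hf_group` and `hf01.example.internal` are placeholders, and the Windows-style path shows why the file name is matched up to `.conf` rather than up to the first space.

```python
"""Resolve effective settings from `splunk btool outputs list --debug` output.

Added example, not from the original thread or from Splunk. Parses the
"<file> [stanza]" and "<file> key = value" lines, remembers which file
supplied every effective key, and audits the active tcpout groups.
SAMPLE is a constructed excerpt; group names and hosts are placeholders.
"""
import re

SAMPLE = r"""
/opt/splunk/etc/apps/100_tenant_splunkcloud/local/outputs.conf [tcpout]
/opt/splunk/etc/system/local/outputs.conf defaultGroup = splunkcloud_EXAMPLE
/opt/splunk/etc/apps/100_tenant_splunkcloud/local/outputs.conf dnsResolutionInterval = 300
/opt/splunk/etc/apps/100_tenant_splunkcloud/local/outputs.conf sslPassword =
/opt/splunk/etc/system/default/outputs.conf sslVersions = tls1.2
/opt/splunk/etc/system/local/outputs.conf useACK = true
/opt/splunk/etc/system/local/outputs.conf [tcpout:scs]
/opt/splunk/etc/system/local/outputs.conf disabled = 1
/opt/splunk/etc/system/local/outputs.conf server = tenant.forwarders.scs.splunk.com:9997
/opt/splunk/etc/system/local/outputs.conf sslVerifyServerCert = true
/opt/splunk/etc/system/local/outputs.conf [tcpout:splunkcloud_EXAMPLE]
/opt/splunk/etc/system/local/outputs.conf server = inputs1.tenant.splunkcloud.com:9997, inputs2.tenant.splunkcloud.com:9997
/opt/splunk/etc/system/local/outputs.conf sslVerifyServerCert = true
/opt/splunk/etc/system/local/outputs.conf sslVerifyServerName = true
C:\Program Files\SplunkUniversalForwarder\etc\apps\myorg_outputs\local\outputs.conf [tcpout:hf_group]
C:\Program Files\SplunkUniversalForwarder\etc\apps\myorg_outputs\local\outputs.conf server = hf01.example.internal:9997
C:\Program Files\SplunkUniversalForwarder\etc\apps\myorg_outputs\local\outputs.conf sslVerifyServerCert = false
"""

# The source file runs up to the first ".conf" followed by whitespace, so
# Windows paths containing spaces (see the earlier note in the thread) parse too.
LINE_RE = re.compile(
    r"^(?P<file>.+?\.conf)\s+(?:\[(?P<stanza>[^\]]+)\]|(?P<key>[^=\s]+)\s*=\s*(?P<value>.*))$"
)


def parse_btool_debug(text):
    """Return {stanza: {key: (value, source_file)}} in btool output order."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue  # blank or unrecognised line
        if m.group("stanza") is not None:
            current = m.group("stanza")
            stanzas.setdefault(current, {})
        elif current is not None:
            stanzas[current][m.group("key")] = (m.group("value").strip(), m.group("file"))
    return stanzas


def tcpout_groups(stanzas):
    """Names of tcpout:<group> stanzas whose effective 'disabled' is not 1/true."""
    active = []
    for name, keys in stanzas.items():
        if not name.startswith("tcpout:"):
            continue
        if keys.get("disabled", ("0", ""))[0].lower() not in ("1", "true"):
            active.append(name.split(":", 1)[1])
    return active


def audit_tcpout(stanzas):
    """Return findings for active groups: missing server= or unverified server cert.

    Group-level keys override the forwarder-wide [tcpout] stanza, so the
    effective value is looked up in the group first and [tcpout] second.
    """
    findings = []
    global_keys = stanzas.get("tcpout", {})
    for group in tcpout_groups(stanzas):
        keys = stanzas["tcpout:" + group]
        effective = dict(global_keys)
        effective.update(keys)
        verify, src = effective.get("sslVerifyServerCert", ("false", "<unset>"))
        if verify.lower() not in ("true", "1"):
            findings.append(
                f"{group}: sslVerifyServerCert={verify} (from {src}); server certificate is not verified")
        if "server" not in keys:
            findings.append(f"{group}: no server= target defined")
    return findings


if __name__ == "__main__":
    resolved = parse_btool_debug(SAMPLE)
    print("active groups:", tcpout_groups(resolved))
    print("defaultGroup:", resolved["tcpout"]["defaultGroup"])
    for finding in audit_tcpout(resolved):
        print("FINDING:", finding)
```

Feeding the real listing above into `parse_btool_debug` shows at a glance that the forwarder-wide `useACK` and `defaultGroup` come from `system/local`, while `sslVersions` is still the shipped default.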
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [MonitorNoHandle://$WINDIR\System32\Dns\dns.log]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf sourcetype = MSAD:NT6:DNS
/opt/splunk/etc/system/default/inputs.conf [SSL]
/opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864
/opt/splunk/etc/system/default/inputs.conf allowSslRenegotiation = true
/opt/splunk/etc/system/default/inputs.conf certLogMaxCacheEntries = 10000
/opt/splunk/etc/system/default/inputs.conf certLogRepeatFrequency = 1d
/opt/splunk/etc/system/default/inputs.conf cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
/opt/splunk/etc/system/default/inputs.conf ecdhCurves = prime256v1, secp384r1, secp521r1
/opt/splunk/etc/system/default/inputs.conf host = $decideOnStartup
/opt/splunk/etc/system/default/inputs.conf index = default
/opt/splunk/etc/system/default/inputs.conf logCertificateData = true
/opt/splunk/etc/system/default/inputs.conf sslQuietShutdown = false
/opt/splunk/etc/system/default/inputs.conf sslVersions = tls1.2
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf [WinEventLog://Application]
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf checkpointInterval = 5
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf current_only = 0
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf disabled = 0
host = $decideOnStartup
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf index = mx_windows
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf renderXml = true
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf start_from = oldest
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinEventLog://DFS Replication]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf renderXml = true
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinEventLog://DNS Server]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf renderXml = true
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinEventLog://Directory Service]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf renderXml = true
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinEventLog://File Replication Service]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf renderXml = true
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf [WinEventLog://ForwardedEvents]
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf checkpointInterval = 5
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf current_only = 0
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf disabled = 0
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf host = WinEventLogForwardHost
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf index = mx_windows
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf renderXml = true
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf start_from = oldest
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinEventLog://Key Management Service]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf renderXml = true
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf [WinEventLog://Security]
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf checkpointInterval = 5
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf current_only = 0
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf disabled = 0
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf evt_resolve_ad_obj = 1
host = $decideOnStartup
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf index = mx_windows
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf renderXml = true
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf start_from = oldest
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf [WinEventLog://System]
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf checkpointInterval = 5
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf current_only = 0
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf disabled = 0
host = $decideOnStartup
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf index = mx_windows
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf renderXml = true
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf start_from = oldest
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinHostMon://Computer]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 600
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = Computer
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinHostMon://Disk]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 600
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = Disk
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinHostMon://Driver]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 600
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = Driver
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinHostMon://NetworkAdapter]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 600
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = NetworkAdapter
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinHostMon://OperatingSystem]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 600
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = OperatingSystem
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinHostMon://Process]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 600
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = Process
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinHostMon://Processor]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 600
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = Processor
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinHostMon://Roles]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 600
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = Roles
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinHostMon://Service]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 600
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = Service
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinNetMon://inbound]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf direction = inbound
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinNetMon://outbound]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf direction = outbound
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinPrintMon://driver]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf baseline = 1
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 600
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = driver
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinPrintMon://port]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf baseline = 1
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 600
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = port
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinPrintMon://printer]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf baseline = 1
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 600
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = printer
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinRegMon://default]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf hive = .*
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf proc = .*
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = rename|set|delete|create
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinRegMon://hkcu_run]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf hive = \\REGISTRY\\USER\\.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf proc = .*
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = set|create|delete|rename
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinRegMon://hklm_run]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf hive = \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf proc = .*
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = set|create|delete|rename
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [admon://default]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf monitorSubtree = 1
/opt/splunk/etc/system/default/inputs.conf [batch:///opt/splunk/var/run/splunk/search_telemetry/*search_telemetry.json]
/opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864
/opt/splunk/etc/system/default/inputs.conf crcSalt = <SOURCE>
/opt/splunk/etc/system/default/inputs.conf host = $decideOnStartup
/opt/splunk/etc/system/default/inputs.conf index = _introspection
/opt/splunk/etc/system/default/inputs.conf log_on_completion = 0
/opt/splunk/etc/system/default/inputs.conf move_policy = sinkhole
/opt/splunk/etc/system/default/inputs.conf sourcetype = search_telemetry
/opt/splunk/etc/system/default/inputs.conf [batch:///opt/splunk/var/spool/splunk]
/opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864
/opt/splunk/etc/system/default/inputs.conf crcSalt = <SOURCE>
/opt/splunk/etc/system/default/inputs.conf host = $decideOnStartup
/opt/splunk/etc/system/default/inputs.conf index = default
/opt/splunk/etc/system/default/inputs.conf move_policy = sinkhole
/opt/splunk/etc/system/default/inputs.conf [batch:///opt/splunk/var/spool/splunk/...stash_hec]
/opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864
/opt/splunk/etc/system/default/inputs.conf crcSalt = <SOURCE>
/opt/splunk/etc/system/default/inputs.conf host = $decideOnStartup
/opt/splunk/etc/system/default/inputs.conf index = default
/opt/splunk/etc/system/default/inputs.conf move_policy = sinkhole
/opt/splunk/etc/system/default/inputs.conf sourcetype = stash_hec
/opt/splunk/etc/system/default/inputs.conf [batch:///opt/splunk/var/spool/splunk/...stash_new]
/opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864

(and many lines below)

/opt/splunk/etc/apps/launcher/local/inputs.conf [splunktcp://9997]
I have tried what @gcusello said, but it did not work. Now I suspect that maybe they are not sending anything to the HF, because when checking the connections with tcpdump on port 9997, I have seen that they are only with the Splunk tenant. Can they use the same port to receive and make connections to the indexers (9997) and to receive logs from the UF (9997)? Do you recommend any other test?
Can anyone help me with the URL to download Splunk AI, or the steps for how to use it?
Thanks for the reply @deepakc, but that didn't work for me.
Hello Splunkers!!

I want to configure an SSL certificate in Splunk so that my Splunk Web URL communicates over HTTPS. To obtain "privKeyPath" in web.conf I have used the below two commands:

splunk cmd openssl genrsa -aes256 -out SplunkPrivateKey.key 2048
splunk cmd openssl rsa -in SplunkPrivateKey.key -out splunk_key.key

To obtain "serverCert" in web.conf I have used the below command:

splunk cmd openssl x509 -in splunk.cer -out splunk.pem

Note: splunk.cer is with me (provided by the organization, so I am obtaining a self-signed certificate).

[settings]
enableSplunkWebSSL = 1
privKeyPath = D:\Splunk\etc\auth\mycert\splunk_key.key
serverCert = D:\Splunk\etc\auth\mycert\splunk.pem

I have used all the above commands and configured the certificate under the paths, but Splunk Web is still not working securely. Please suggest any other modification or alteration I need to do. Thanks in advance!!
Hi dataisbeautiful, this worked. Thanks.
Have a look at the transpose command and see the examples; this may work for you.

https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Transpose
Ciao @Jamietriplet, good for you, see you next time! Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated by all the contributors.
If Warningcount is high, then I would like to see if the target receiver/indexer is applying back-pressure. Check if queues are blocked on the target. If queues are not blocked, check on the target using netstat

netstat -an | grep <splunktcp port>

and see RECV Q, if it's high. If receiver queues are not blocked, but netstat shows RECV Q is full, then the receiver needs additional pipelines. If Warningcount is high because there was a rolling restart at the indexing tier, then set maxSendQSize to some 5% value of maxQueueSize. Example:

maxSendQSize=2000000
maxQueueSize=50MB

If using autoLBVolume, then have

maxQueueSize > 5 x autoLBVolume
autoLBVolume > maxSendQSize

Example:

maxQueueSize=50MB
autoLBVolume=5000000
maxSendQSize=2000000

maxSendQSize is the total outstanding raw size of events/chunks in the connection queue that needs to be sent to the TCP Send-Q. This happens generally when the TCP Send-Q is already full. autoLBVolume is the minimum total raw size of events/chunks to be sent to a connection.
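The three sizing rules in the reply above (maxSendQSize at about 5% of maxQueueSize, maxQueueSize above 5 x autoLBVolume, autoLBVolume above maxSendQSize), as an added checker that is not code from the reply or from Splunk. It parses the size spellings outputs.conf accepts for maxQueueSize (`50MB`, `500KB`, a bare byte count) and reports every rule the three values violate. The +/-50% band used to judge "some 5% value" is an assumption of this example; the sizes in the two examples above pass it, and the shipped default of `maxQueueSize = 500KB` seen in the btool listing earlier on this page does not.

```python
"""Check forwarder send-queue sizing against the rules in the reply above.

Added example, not from the original reply or from Splunk. Verifies
  maxSendQSize  ~ 5% of maxQueueSize       (band of +/-50% is assumed here),
  maxQueueSize  > 5 x autoLBVolume         (only when autoLBVolume is in use),
  autoLBVolume  > maxSendQSize.
maxSendQSize and autoLBVolume are byte counts; maxQueueSize may carry a
KB/MB/GB suffix.
"""
import re

_UNITS = {"": 1, "B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_size(value):
    """Convert a Splunk size string such as '50MB', '500KB' or '2000000' to bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*([KMG]?B)?\s*", str(value), re.IGNORECASE)
    if not m:
        raise ValueError(f"unparseable size (note: 'auto' is not supported here): {value!r}")
    return int(m.group(1)) * _UNITS[(m.group(2) or "").upper()]


def recommend_send_q_size(max_queue_size, ratio=0.05):
    """Return the maxSendQSize (bytes) that is exactly `ratio` of maxQueueSize."""
    return int(parse_size(max_queue_size) * ratio)


def check_queue_sizing(max_queue_size, max_send_q_size, auto_lb_volume=None,
                       send_q_ratio=0.05, tolerance=0.5):
    """Return a list of rule violations; an empty list means the sizing is consistent."""
    q = parse_size(max_queue_size)
    sq = parse_size(max_send_q_size)
    problems = []

    # Rule 1: maxSendQSize near 5% of maxQueueSize (tolerance band is an assumption).
    target = q * send_q_ratio
    if not (target * (1 - tolerance) <= sq <= target * (1 + tolerance)):
        problems.append(
            f"maxSendQSize={sq} bytes is not near {send_q_ratio:.0%} of maxQueueSize "
            f"(expected about {int(target)} bytes)")

    # Rules 2 and 3 only apply when volume-based load balancing is in use
    # (autoLBVolume = 0 is the shipped default and means 'not used').
    if auto_lb_volume is not None and parse_size(auto_lb_volume) > 0:
        lb = parse_size(auto_lb_volume)
        if q <= 5 * lb:
            problems.append(f"maxQueueSize={q} bytes must exceed 5 x autoLBVolume ({5 * lb} bytes)")
        if lb <= sq:
            problems.append(f"autoLBVolume={lb} bytes must exceed maxSendQSize ({sq} bytes)")
    return problems


if __name__ == "__main__":
    # The reply's own example values, followed by the shipped 500KB default.
    print("reply example:", check_queue_sizing("50MB", "2000000", "5000000") or "ok")
    print("default queue:", check_queue_sizing("500KB", "2000000"))
    print("5% of 50MB is", recommend_send_q_size("50MB"), "bytes")
```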
Thanks @gcusello 
Thanks for the reply. Can you tell me how I can do that?
Hi @Siddharthnegi, yes, it's unusual (usually logs are read by Universal or Heavy Forwarders), but it's possible. Remember that anyway it's a best practice to forward all SH logs to the Indexers, so for this reason it's possible. Ciao. Giuseppe
Can I monitor a file on a search head?
Hi team, I had upgraded from version 9.0.5 to 9.1.2 and the upgrade completed successfully, but the Splunk web page shows a "can't reach this page" window. I verified from the bin directory:

E:\splunk\bin>openssl s_client -connect simdoowwww:443
WARNING: can't open config file: ::::::/openssl.cnf
connect: No such file or directory
connect:errno=0

web.conf

[settings]
enableSplunkWebSSL = 1
privKeyPath =a $SPLUNK_HOME\etc\auth\custom\myServerPrivateKey.key
serverCert = $SPLUNK_HOME\etc\auth\custom\gddjkowww.ap.kinely.com.pem
httpport = 443

The above configuration is in the back-end system, but the page still shows "can't reach this page". Please help me with that.
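Both of the Splunk Web TLS questions above (the earlier one with the `D:\Splunk\etc\auth\mycert` key/cert pair and this one) come down to the same checks: is `enableSplunkWebSSL` on, do `privKeyPath` and `serverCert` resolve to files once `$SPLUNK_HOME` is expanded, are both files PEM rather than DER (the reason the earlier post converts `splunk.cer` with `openssl x509`), and is the private key free of a passphrase unless `sslPassword` is also set (the reason it re-exports the key with `openssl rsa`). The following is an added example, not code from either post or from Splunk: it reads a `[settings]` stanza and returns those findings. The web.conf text, the throwaway `$SPLUNK_HOME` tree and the PEM bodies are constructed placeholders, not real key material; a stray character in front of `$SPLUNK_HOME` in a path value surfaces as a "file not found" finding.

```python
"""Sanity-check the web.conf TLS settings discussed in the two posts above.

Added example, not from either post or from Splunk. Parses [settings],
expands $SPLUNK_HOME, and checks that privKeyPath / serverCert exist, are
PEM, and that the key is not passphrase-protected without sslPassword.
All files and PEM bodies below are constructed placeholders.
"""
import os
import tempfile

# Constructed PEM placeholders (not real key material).
PLAIN_KEY = b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"
ENC_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
           b"DEK-Info: AES-256-CBC,00\n\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")
PEM_CERT = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
DER_CERT = b"\x30\x82\x01\x00PLACEHOLDER"  # DER-style binary start, no PEM armour

WEB_CONF = """\
[settings]
enableSplunkWebSSL = 1
privKeyPath = $SPLUNK_HOME/etc/auth/mycert/splunk_key.key
serverCert = $SPLUNK_HOME/etc/auth/mycert/splunk.pem
httpport = 8443
"""


def parse_settings(text):
    """Return the key/value pairs of the [settings] stanza of a web.conf."""
    settings, in_settings = {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_settings = line == "[settings]"
            continue
        if in_settings and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def resolve_path(value, splunk_home):
    """Expand $SPLUNK_HOME; relative paths are taken relative to $SPLUNK_HOME."""
    path = value.replace("$SPLUNK_HOME", splunk_home).replace("\\", os.sep)
    return path if os.path.isabs(path) else os.path.join(splunk_home, path)


def check_web_ssl(conf_text, splunk_home):
    """Return a list of findings; an empty list means the TLS settings look usable."""
    s = parse_settings(conf_text)
    findings = []
    if s.get("enableSplunkWebSSL", "0").lower() not in ("1", "true"):
        findings.append("enableSplunkWebSSL is not enabled")
    for key, marker in (("privKeyPath", "PRIVATE KEY"), ("serverCert", "CERTIFICATE")):
        value = s.get(key)
        if not value:
            findings.append(f"{key} is not set")
            continue
        path = resolve_path(value, splunk_home)
        if not os.path.isfile(path):
            findings.append(f"{key}: file not found: {path}")
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if b"-----BEGIN" not in data or marker.encode() not in data:
            findings.append(f"{key}: {path} is not a PEM {marker.lower()} (DER .cer files must be converted)")
        elif key == "privKeyPath" and b"ENCRYPTED" in data and not s.get("sslPassword"):
            findings.append(f"{key}: private key is passphrase-protected and no sslPassword is set")
    return findings


def build_fixture(key_bytes, cert_bytes):
    """Create a throwaway $SPLUNK_HOME with etc/auth/mycert/{key,cert} and return its path."""
    home = tempfile.mkdtemp(prefix="splunk_home_")
    auth = os.path.join(home, "etc", "auth", "mycert")
    os.makedirs(auth)
    with open(os.path.join(auth, "splunk_key.key"), "wb") as fh:
        fh.write(key_bytes)
    with open(os.path.join(auth, "splunk.pem"), "wb") as fh:
        fh.write(cert_bytes)
    return home


if __name__ == "__main__":
    print("good pair:     ", check_web_ssl(WEB_CONF, build_fixture(PLAIN_KEY, PEM_CERT)) or "ok")
    print("encrypted key: ", check_web_ssl(WEB_CONF, build_fixture(ENC_KEY, PEM_CERT)))
    print("DER cert:      ", check_web_ssl(WEB_CONF, build_fixture(PLAIN_KEY, DER_CERT)))
```

The check does not prove that the key and certificate belong together; that still needs an `openssl` comparison of the two public keys on the host itself.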
Hi @Jamietriplet, sounds like _time is being read as a string, not as epoch time. Try this:

| eval _time = strptime(_time, "%Y-%m-%dT%H:%M:%S.%N")