All Posts


This example using makeresults can show you a case statement:

| makeresults count=10
| eval _raw="message success job, processed job, completed job, failed job,"
| multikv forceheader=1
| eval status = case(
    like(message, "%success%") OR like(message, "%processed%") OR like(message, "%completed%"), "success",
    like(message, "%failed%") OR like(message, "%failure%"), "failure",
    true(), "other"
  )
| table _time, message, status
I have a status field with two string values, Dropped and Notdropped. If the value comes as Dropped, I want to show the background color as Green, and if the value comes as Notdropped the color should be green. How can I achieve this in a single value card in Splunk Studio?
Hello, if possible, I need help on getting a percentage of uptime for a transaction over time. I have a search created that creates a transaction; it's based on:

startswith=Create endswith=Close keepevicted=true

The events are coming from OpsGenie for when an alert is created and closed. Is there any way to take the time from either between Create/Close or Close/Create for a one-week timeframe to obtain the percentage? Thanks for all of the help; let me know if any more details are needed. Tom
Afternoon all, I'd like some help please with some SPL logic that I just can't crack. I have data on some users in our Active Directory system and I am trying to: create a new column with actions; identify those who have not logged in for more than 61 days, and if so the action should return "reset password". Here's the part that I am having an issue with below. The first two lines are working as expected, returning last_logon_total as day, month, year. I have a new field I created called 'action' that I want to return a value in for those users who have not logged in for more than 61 days, but I can't get the SPL right.

| eval epoch_lastLogonTimestamp_date = strptime(lastLogonTimestamp, "%Y-%m-%dT%H:%M:%S")
| eval last_logon_total = strftime(epoch_lastLogonTimestamp_date, "%d/%m/%Y")
| eval action = if(last_logon_total = relative_time(), "-61d@d", "reset password")

Any ideas? Thanks, Paula
The mvjoin line was only one way I tried to add all the hosts together to get it to look like (host1,host2,host3); they are not coming in on the description. I am having difficulty getting any of the results side by side, separated by a comma. That is why I am on here. I have looked through so much documentation and cannot get my results for the hosts to go into one event that looks like (host1, host2, host3). You stated to use a foreach command. I am not quite sure how that would look to get it to put the hosts in one event side by side.
The information you seek is available on Splunkbase at https://splunkbase.splunk.com/app/7245. Splunk AI Assistance is in preview, so you must request access before you can download it. Details are on the Splunkbase page.
Hi all, I have a field in my data called 'message', which contains information about the status of the file. I'd like to categorize files as either success or failure files based on the content of the field. For example, if the message contains multiple values like (success, processed, completed) then I want to label the corresponding file as success; if it contains (failed, failure) I want to label it as a failure file. How do I implement this using an SPL query? I tried the query below but I am not getting it properly.

index=mulesoft environment=DEV applicationName="Test"
| stats values(content.FileName) as Filename1 values(content.ErrorMsg) as errormsg values(content.Error) as error values(message) as message values(priority) as priority min(timestamp) AS Logon_Time, max(timestamp) AS Logoff_Time BY correlationId
| eval SuccessFileName=case(match(message, "File put Succesfully*|Successfully created file data*|Archive file processed successfully*|Summary of all Batch*|processed successfully for file name*|SUCCESS") AND not match(priority,"ERROR|WARN"),FileName1,1=1,null())
| eval FailureFileName=case(match(message,"Failed to process file:"),FileName1,1=1,null())
| table SuccessFileName FailureFileName Response correlationId
I should have said change to the Windows path, as the command I gave is for Linux.
Your Windows hosts should have an outputs.conf that sends to the HF only, if this is how you want your data flow architecture. (You don't need the 100_tenant_splunkcloud installed on the Windows UFs unless you want to send from them directly to Splunk Cloud; this is also a viable solution.) I'm starting to think you may have the 100_tenant_splunkcloud and configured outputs to the HF on the Windows hosts; you need to have one or the other for this setup. Run the btool outputs command on the Windows UF, let's see what that shows:

/opt/splunkforwarder/bin/splunk btool outputs list --debug
I'm looking for login attempts and the question is to identify new attempts from usernames that previously didn't try.

Day 1 = day count of new seen 3
bob
sam
steve
Day 2 = day count of new seen 2
sam  # because previously seen, exclude from count
tom
ralph
If there is an NLB in between the UF/HF and the indexing tier, you don't have to worry, as DNS should return static IPs for the NLB. If there is no NLB in between the UF/HF and the indexing tier and you are banking on DNS to return dynamic IPs, and your outputs.conf config is something like

server=<DNS alias for dynamic idx IPs>:<splunktcp port>

you must reduce dnsResolutionInterval in outputs.conf to as low as possible. It decides how fast new dynamic IPs are picked up by the UF/HF.
/opt/splunk/etc/system/default/outputs.conf [rfs]
/opt/splunk/etc/system/default/outputs.conf batchSizeThresholdKB = 131072
/opt/splunk/etc/system/default/outputs.conf batchTimeout = 30
/opt/splunk/etc/system/default/outputs.conf compression = zstd
/opt/splunk/etc/system/default/outputs.conf compressionLevel = 3
/opt/splunk/etc/system/default/outputs.conf dropEventsOnUploadError = false
/opt/splunk/etc/system/default/outputs.conf format = json
/opt/splunk/etc/system/default/outputs.conf format.json.index_time_fields = true
/opt/splunk/etc/system/default/outputs.conf format.ndjson.index_time_fields = true
/opt/splunk/etc/system/default/outputs.conf partitionBy = legacy
/opt/splunk/etc/system/default/outputs.conf [syslog]
/opt/splunk/etc/system/default/outputs.conf maxEventSize = 1024
/opt/splunk/etc/system/default/outputs.conf priority = <13>
/opt/splunk/etc/system/default/outputs.conf type = udp
/opt/splunk/etc/apps/100_tenant_splunkcloud/local/outputs.conf [tcpout]
/opt/splunk/etc/system/default/outputs.conf ackTimeoutOnShutdown = 30
/opt/splunk/etc/system/default/outputs.conf autoLBFrequency = 30
/opt/splunk/etc/apps/100_tenant_splunkcloud/local/outputs.conf autoLBFrequencyIntervalOnGroupFailure = -1
/opt/splunk/etc/system/default/outputs.conf autoLBVolume = 0
/opt/splunk/etc/system/default/outputs.conf blockOnCloning = true
/opt/splunk/etc/system/default/outputs.conf blockWarnThreshold = 100
/opt/splunk/etc/apps/100_tenant_splunkcloud/local/outputs.conf channelReapInterval = 60000
/opt/splunk/etc/apps/100_tenant_splunkcloud/local/outputs.conf channelReapLowater = 10
/opt/splunk/etc/apps/100_tenant_splunkcloud/local/outputs.conf channelTTL = 300000
/opt/splunk/etc/system/default/outputs.conf cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES256-SHA384:ECDH-ECDSA-AES128-SHA256
/opt/splunk/etc/system/default/outputs.conf compressed = false
/opt/splunk/etc/system/default/outputs.conf connectionTTL = 0
/opt/splunk/etc/system/default/outputs.conf connectionTimeout = 20
/opt/splunk/etc/apps/100_tenant_splunkcloud/local/outputs.conf connectionsPerTarget = 0
/opt/splunk/etc/system/local/outputs.conf defaultGroup = splunkcloud_20231028_9aaa4b04216cd9a0a4dc1eb274307fd1
/opt/splunk/etc/system/default/outputs.conf disabled = false
/opt/splunk/etc/apps/100_tenant_splunkcloud/local/outputs.conf dnsResolutionInterval = 300
/opt/splunk/etc/system/default/outputs.conf dropClonedEventsOnQueueFull = 5
/opt/splunk/etc/system/default/outputs.conf dropEventsOnQueueFull = -1
/opt/splunk/etc/system/default/outputs.conf ecdhCurves = prime256v1, secp384r1, secp521r1
/opt/splunk/etc/system/default/outputs.conf enableOldS2SProtocol = false
/opt/splunk/etc/system/default/outputs.conf forceTimebasedAutoLB = false
/opt/splunk/etc/apps/SplunkForwarder/default/outputs.conf forwardedindex.0.whitelist = .*
/opt/splunk/etc/apps/SplunkForwarder/default/outputs.conf forwardedindex.1.blacklist = _.*
/opt/splunk/etc/apps/SplunkDeploymentServerConfig/default/outputs.conf forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry|_metrics|_metrics_rollup|_configtracker|_dsclient|_dsphonehome|_dsappevent)
/opt/splunk/etc/apps/SplunkForwarder/default/outputs.conf forwardedindex.filter.disable = false
/opt/splunk/etc/system/default/outputs.conf heartbeatFrequency = 30
/opt/splunk/etc/system/local/outputs.conf indexAndForward = 1
/opt/splunk/etc/system/default/outputs.conf maxConnectionsPerIndexer = 2
/opt/splunk/etc/system/default/outputs.conf maxFailuresPerInterval = 2
/opt/splunk/etc/apps/SplunkForwarder/default/outputs.conf maxQueueSize = 500KB
/opt/splunk/etc/apps/100_tenant_splunkcloud/local/outputs.conf negotiateNewProtocol = true
/opt/splunk/etc/apps/100_tenant_splunkcloud/local/outputs.conf polling_interval = 5
/opt/splunk/etc/system/default/outputs.conf readTimeout = 300
/opt/splunk/etc/system/default/outputs.conf secsInFailureInterval = 1
/opt/splunk/etc/system/default/outputs.conf sendCookedData = true
/opt/splunk/etc/apps/100_tenant_splunkcloud/local/outputs.conf socksResolveDNS = false
/opt/splunk/etc/apps/100_tenant_splunkcloud/local/outputs.conf sslPassword = 
/opt/splunk/etc/system/default/outputs.conf sslQuietShutdown = false
/opt/splunk/etc/system/default/outputs.conf sslVersions = tls1.2
/opt/splunk/etc/system/default/outputs.conf tcpSendBufSz = 0
/opt/splunk/etc/system/local/outputs.conf useACK = true
/opt/splunk/etc/system/default/outputs.conf useClientSSLCompression = true
/opt/splunk/etc/system/default/outputs.conf writeTimeout = 300
/opt/splunk/etc/system/local/outputs.conf [tcpout:scs]
/opt/splunk/etc/system/local/outputs.conf autoLBFrequency = 120
/opt/splunk/etc/system/local/outputs.conf clientCert = $SPLUNK_HOME/etc/apps/100_tenant_splunkcloud/default/tenant_server.pem
/opt/splunk/etc/system/local/outputs.conf compressed = true
/opt/splunk/etc/system/local/outputs.conf disabled = 1
/opt/splunk/etc/system/local/outputs.conf server = tenant.forwarders.scs.splunk.com:9997
/opt/splunk/etc/system/local/outputs.conf sslAltNameToCheck = *.forwarders.scs.splunk.com
/opt/splunk/etc/system/local/outputs.conf sslVerifyServerCert = true
/opt/splunk/etc/system/local/outputs.conf useClientSSLCompression = false
/opt/splunk/etc/system/local/outputs.conf [tcpout:splunkcloud_]
/opt/splunk/etc/system/local/outputs.conf autoLBFrequency = 120
/opt/splunk/etc/system/local/outputs.conf clientCert = $SPLUNK_HOME/etc/apps/100_tenant_splunkcloud/default/tenant_server.pem
/opt/splunk/etc/system/local/outputs.conf compressed = false
/opt/splunk/etc/system/local/outputs.conf server = inputs1.tenant.splunkcloud.com:9997, inputs2.tenant.splunkcloud.com:9997, inputs3.tenant.splunkcloud.com:9997, inputs4.tenant.splunkcloud.com:9997, inputs5.tenant.splunkcloud.com:9997, inputs6.tenant.splunkcloud.com:9997, inputs7.tenant.splunkcloud.com:9997, inputs8.tenant.splunkcloud.com:9997, inputs9.tenant.splunkcloud.com:9997, inputs10.tenant.splunkcloud.com:9997, inputs11.tenant.splunkcloud.com:9997, inputs12.tenant.splunkcloud.com:9997, inputs13.tenant.splunkcloud.com:9997, inputs14.tenant.splunkcloud.com:9997, inputs15.tenant.splunkcloud.com:9997
/opt/splunk/etc/system/local/outputs.conf sslCommonNameToCheck = *.tenant.splunkcloud.com
/opt/splunk/etc/system/local/outputs.conf sslVerifyServerCert = true
/opt/splunk/etc/system/local/outputs.conf sslVerifyServerName = true
/opt/splunk/etc/system/local/outputs.conf useClientSSLCompression = true
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [MonitorNoHandle://$WINDIR\System32\Dns\dns.log]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf sourcetype = MSAD:NT6:DNS
/opt/splunk/etc/system/default/inputs.conf [SSL]
/opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864
/opt/splunk/etc/system/default/inputs.conf allowSslRenegotiation = true
/opt/splunk/etc/system/default/inputs.conf certLogMaxCacheEntries = 10000
/opt/splunk/etc/system/default/inputs.conf certLogRepeatFrequency = 1d
/opt/splunk/etc/system/default/inputs.conf cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
/opt/splunk/etc/system/default/inputs.conf ecdhCurves = prime256v1, secp384r1, secp521r1
/opt/splunk/etc/system/default/inputs.conf host = $decideOnStartup
/opt/splunk/etc/system/default/inputs.conf index = default
/opt/splunk/etc/system/default/inputs.conf logCertificateData = true
/opt/splunk/etc/system/default/inputs.conf sslQuietShutdown = false
/opt/splunk/etc/system/default/inputs.conf sslVersions = tls1.2
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf [WinEventLog://Application]
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf checkpointInterval = 5
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf current_only = 0
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf disabled = 0
host = $decideOnStartup
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf index = mx_windows
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf renderXml = true
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf start_from = oldest
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinEventLog://DFS Replication]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf renderXml = true
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinEventLog://DNS Server]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf renderXml = true
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinEventLog://Directory Service]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf renderXml = true
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinEventLog://File Replication Service]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf renderXml = true
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf [WinEventLog://ForwardedEvents]
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf checkpointInterval = 5
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf current_only = 0
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf disabled = 0
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf host = WinEventLogForwardHost
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf index = mx_windows
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf renderXml = true
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf start_from = oldest
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinEventLog://Key Management Service]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf renderXml = true
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf [WinEventLog://Security]
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf checkpointInterval = 5
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf current_only = 0
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf disabled = 0
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf evt_resolve_ad_obj = 1
host = $decideOnStartup
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf index = mx_windows
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf renderXml = true
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf start_from = oldest
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf [WinEventLog://System]
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf checkpointInterval = 5
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf current_only = 0
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf disabled = 0
host = $decideOnStartup
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf index = mx_windows
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf renderXml = true
/opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf start_from = oldest
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinHostMon://Computer]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 600
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = Computer
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinHostMon://Disk]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 600
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = Disk
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinHostMon://Driver]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 600
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = Driver
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinHostMon://NetworkAdapter]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 600
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = NetworkAdapter
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinHostMon://OperatingSystem]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 600
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = OperatingSystem
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinHostMon://Process]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 600
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = Process
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinHostMon://Processor]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 600
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = Processor
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinHostMon://Roles]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 600
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = Roles
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinHostMon://Service]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 600
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = Service
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinNetMon://inbound]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf direction = inbound
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinNetMon://outbound]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf direction = outbound
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinPrintMon://driver]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf baseline = 1
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 600
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = driver
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinPrintMon://port]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf baseline = 1
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 600
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = port
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinPrintMon://printer]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf baseline = 1
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 600
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = printer
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinRegMon://default]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf hive = .*
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf proc = .*
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = rename|set|delete|create
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinRegMon://hkcu_run]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf hive = \\REGISTRY\\USER\\.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf proc = .*
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = set|create|delete|rename
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinRegMon://hklm_run]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf hive = \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf proc = .*
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = set|create|delete|rename
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [admon://default]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
host = $decideOnStartup
index = default
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf monitorSubtree = 1
/opt/splunk/etc/system/default/inputs.conf [batch:///opt/splunk/var/run/splunk/search_telemetry/*search_telemetry.json]
/opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864
/opt/splunk/etc/system/default/inputs.conf crcSalt = <SOURCE>
/opt/splunk/etc/system/default/inputs.conf host = $decideOnStartup
/opt/splunk/etc/system/default/inputs.conf index = _introspection
/opt/splunk/etc/system/default/inputs.conf log_on_completion = 0
/opt/splunk/etc/system/default/inputs.conf move_policy = sinkhole
/opt/splunk/etc/system/default/inputs.conf sourcetype = search_telemetry
/opt/splunk/etc/system/default/inputs.conf [batch:///opt/splunk/var/spool/splunk]
/opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864
/opt/splunk/etc/system/default/inputs.conf crcSalt = <SOURCE>
/opt/splunk/etc/system/default/inputs.conf host = $decideOnStartup
/opt/splunk/etc/system/default/inputs.conf index = default
/opt/splunk/etc/system/default/inputs.conf move_policy = sinkhole
/opt/splunk/etc/system/default/inputs.conf [batch:///opt/splunk/var/spool/splunk/...stash_hec]
/opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864
/opt/splunk/etc/system/default/inputs.conf crcSalt = <SOURCE>
/opt/splunk/etc/system/default/inputs.conf host = $decideOnStartup
/opt/splunk/etc/system/default/inputs.conf index = default
/opt/splunk/etc/system/default/inputs.conf move_policy = sinkhole
/opt/splunk/etc/system/default/inputs.conf sourcetype = stash_hec
/opt/splunk/etc/system/default/inputs.conf [batch:///opt/splunk/var/spool/splunk/...stash_new]
/opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864

and many lines below

/opt/splunk/etc/apps/launcher/local/inputs.conf [splunktcp://9997]
I have tried what @gcusello said, but it did not work. Now I suspect that maybe they are not sending anything to the HF, because checking the connections with tcpdump on port 9997, I have seen that they are only with the Splunk tenant. Can they use the same port to make connections to the indexers (9997) and to receive logs from the UFs (9997)? Do you recommend any other test?
Can anyone help me by providing the URL to download Splunk AI, or the steps for how to use it?
Thanks for the reply @deepakc, but that didn't work for me.
Hello Splunkers!! I want to configure an SSL certificate in Splunk so that my Splunk Web URL communicates over HTTPS. To obtain the "privKeyPath" in web.conf I have used the two commands below.

splunk cmd openssl genrsa -aes256 -out SplunkPrivateKey.key 2048
splunk cmd openssl rsa -in SplunkPrivateKey.key -out splunk_key.key

To obtain the "serverCert" in web.conf I have used the commands below.

splunk cmd openssl x509 -in splunk.cer -out splunk.pem

Note: splunk.cer is with me (provided by my organization, so I am obtaining a self-signed certificate).

[settings]
enableSplunkWebSSL = 1
privKeyPath = D:\Splunk\etc\auth\mycert\splunk_key.key
serverCert = D:\Splunk\etc\auth\mycert\splunk.pem

I have used all the above commands and configured the certificate under the paths, but Splunk Web is still not working securely. Please suggest any other modification or alteration I need to make. Thanks in advance!!
Hi dataisbeautiful, this worked. Thanks
Have a look at the transpose command; see the examples, this may work for you.

https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Transpose
Ciao @Jamietriplet, good for you, see you next time! Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated by all the contributors.