@NoSpaces Yes, the behavior you're observing with CLONE_SOURCETYPE is expected. When you use CLONE_SOURCETYPE in Splunk, it creates a duplicate of every event that matches the props.conf stanza, regardless of the REGEX specified in the corresponding transforms.conf stanza. The REGEX is applied to the cloned event, not to determine whether an event should be cloned in the first place. This means that all events are cloned, and then the REGEX is used to modify or route the cloned events as specified.

https://community.splunk.com/t5/Getting-Data-In/Priority-precedence-in-props-conf/m-p/669047
https://community.splunk.com/t5/Getting-Data-In/Can-I-use-CLONE-SOURCETYPE-to-send-events-to-multiple-indexes/td-p/300277

To clone only the events matching the REGEX to the new sourcetype and redirect them to the general index, while keeping all original events in the original index under the original sourcetype, you need to filter events before cloning. Unfortunately, Splunk’s CLONE_SOURCETYPE doesn’t natively support filtering during cloning.

You can use two transforms: one to filter out events that don’t match the REGEX and send them to nullQueue (discarding them from cloning), and another to clone and redirect the matching events.

Events matching FIREWALL-PKTLOG: are cloned and routed to the general index. The same matching events are dropped from the original index using nullQueue.
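As an added illustration (not from the original post; the stanza names drop_all_clones and keep_firewall_clones are assumed), here is the two-transform idea written out so that the filtering happens on the cloned sourcetype rather than on the original: every event is cloned, and a nullQueue/indexQueue pair on the clone's own props stanza keeps only the FIREWALL-PKTLOG: copies, so the original index stays complete. This assumes the clone is re-processed through the props stanza of its new sourcetype, and relies on transforms in one TRANSFORMS- list running in order, so the last matching one sets the queue.

```ini
# props.conf (added example, stanza names assumed)
[vsi_file_esxi-syslog]
# Clone every event of the original sourcetype; the original is untouched.
TRANSFORMS-route_events = general_file_esxi-syslog_re0

[general_re_esxi-syslog]
# Applies to the clones only: first drop everything, then re-admit
# the FIREWALL-PKTLOG: events. Order matters, the later transform wins.
TRANSFORMS-filter_clone = drop_all_clones, keep_firewall_clones

# transforms.conf (added example, stanza names assumed)
[general_file_esxi-syslog_re0]
CLONE_SOURCETYPE = general_re_esxi-syslog
# REGEX here does not gate cloning; it only has to match for
# DEST_KEY/FORMAT to set the index on the clone, so match anything.
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = general
WRITE_META = true

[drop_all_clones]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[keep_firewall_clones]
REGEX = FIREWALL-PKTLOG:
DEST_KEY = queue
FORMAT = indexQueue
```

After a restart of the indexers, the general index should contain only FIREWALL-PKTLOG: events under sourcetype general_re_esxi-syslog, while the original index is unchanged.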
Hi all, I’ve recently encountered several challenges since migrating to Splunk Mission Control (MS) and would appreciate any guidance or insights.

Summary of Issues: We had a dashboard set up to pull all the data needed for our monthly report. Since switching to MS, all those dashboards are broken with errors like: "Could not find object id="*. I recreated the dashboard with new searches, which initially worked fine and allowed report creation. However, when revisiting the new dashboard, most searches now fail or return no results within the expected time frame, despite previously working and being used in the latest report. Several items such as charts for "top hosts (consolidated)" and "top hosts" that were available under Security Domain > Network > Exec View are now missing post-migration.

Search Aborts and Resource Issues: One major problem is searches being aborted with SVC errors. After contacting the customer, workload restrictions on my account were lifted, but searches still fail due to resource usage. Even limiting searches to a single day results in failures, and this has become quite frustrating.

Example Problem with Macros and Searches: The macro sim_licensing_summary_base appears to be missing since moving to MS, and even the customer cannot locate it. The following search, intended to replicate the macro’s function, returns incomplete results after 2025-04-10 without any errors in the job manager:

(host=*.*splunk*.* NOT host=sh*.*splunk*.* index=_telemetry source=*license_usage_summary.log* type="RolloverSummary")
| bin _time span=1d
| stats latest(b) AS b by slave, pool, _time
| timechart span=1d sum(b) AS "volume" fixedrange=true
| eval GB=round((volume / 1073741824),3)
| fields - b, volume
| stats avg/max(GB)

Additional Notes: We’ve also noticed missing dashboards and objects that were previously part of Enterprise Security views. Searches aborting due to resource limits remain an issue despite workload adjustments.
Has anyone else experienced similar problems after switching to Mission Control? Any advice on troubleshooting these dashboard errors, missing macros, or search aborts would be greatly appreciated.  
For some reason, I needed to share some data from an index with a different set of permissions. After a bit of research, I found that the CLONE_SOURCETYPE option could help me with this. I created the required settings in props.conf and transforms.conf, and then pushed them to the IDXC layer. At first glance, everything seemed fine, but then I discovered that CLONE_SOURCETYPE clones all events from the original sourcetype and redirects only a few to the new one. Is that the intended behavior, or did I make serious mistakes in the configuration? I expected to see only the events matching the REGEX in the original index.

props.conf
[vsi_file_esxi-syslog]
LINE_BREAKER = (\n)
MAX_TIMESTAMP_LOOKAHEAD = 24
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = false
BREAK_ONLY_BEFORE = \d{1,3}
TIME_PREFIX = ^<\d{1,3}>
TRANSFORMS-remove_trash = vsi_file_esxi-syslog_rt0, vsi_file_esxi-syslog_ke0
TRANSFORMS-route_events = general_file_esxi-syslog_re0

transforms.conf
[general_file_esxi-syslog_re0]
CLONE_SOURCETYPE = general_re_esxi-syslog
REGEX = FIREWALL-PKTLOG:
DEST_KEY = _MetaData:Index
FORMAT = general
WRITE_META = true
Sure. We have some Azure Functions running C# or Java code, and therefore we have some custom log statements. They go into the Event Hub and then to Splunk, but Splunk has a problem with the format that comes from the Event Hub (nested JSONs), even though the log messages are Microsoft standard...
The first thing would be to verify whether the scheduled searches were run in the first place. If they were and triggered alert actions, you should verify whether the emails were correctly sent (Ismo already provided links to other similar threads). Then you'll know where to start troubleshooting - if it's a Splunk issue because the mails weren't sent or if you need to search on the receiving end why they weren't delivered.
It is expected. By default Splunk sends all data to all output groups. You'd need to fiddle with event routing which can be tricky since UF normally doesn't do transforms.
Can you explain in a few words what exactly you are trying to do?
Have you looked in Splunk's internal logs to see whether those alerts have been working and have tried to send emails? There are some links to old answers on how you could try to figure this out:

Solved: Splunk stopped sending Email for alerts and report... - Splunk Community
How to troubleshoot why I'm not getting email aler... - Splunk Community
Re: Where are the failures of sendemail logged in? - Splunk Community
Sendemail not working - Splunk Community

After you have checked those, and if you can't find an answer there and it's still an issue, please show what you have in your logs about those sendemail parts. Quite often the situation is that Splunk has sent those alerts, but they have vanished somewhere else.
Hi @sreddem, I suppose that you know that Cisco CDR Reporting and Analytics is a commercial app; in other words, you have to pay for it! Anyway, on the Splunkbase site (https://splunkbase.splunk.com/app/669) you can find all the instructions to install and configure it. In addition, you can find additional information at https://community.cisco.com/t5/unified-communications-infrastructure/sending-cucm-system-logs-to-syslog-splunk/td-p/4162264

Ciao.
Giuseppe
This same information is stated in some other places in MS documentation too. Basically, (almost) all logs have some delay when you try to get them via Azure's own functionality. But if you install a UF, then you get them immediately.
I know this thread is old, but this information may still help. As specified in the Microsoft Learn portal, "Microsoft doesn't guarantee a specific time after an event occurs for the corresponding audit record to be returned in the results of an audit log search. For core services (such as Exchange, SharePoint, OneDrive, and Teams), audit record availability is typically 60 to 90 minutes after an event occurs. For other services, audit record availability might be longer. However, some issues that are unavoidable (such as a server outage) might occur outside of the audit service that delays the availability of audit records. For this reason, Microsoft doesn't commit to a specific time."
Hello @Nawab, did you find an answer?
Hi Team, Greetings!! This is Srinivasa. Could you please provide documents on how to configure and install Splunk with Unified Applications (CUCM) on-prem?
Can you share the support mail address or any contacts? I have tried to raise a ticket with support, but it failed.
Did you find a solution @rallapallisagar ?
Someone got a solution? 
We followed the following documentation: https://docs.splunk.com/Documentation/ES/8.0.40/Install/UpgradetoNewVersion There it is mentioned that you need to update the "Splunk_TA_ForIndexer" app.

During our upgrade, the required indexes were deployed on one single search head in the cluster and we had to "move them" to our index cluster. We did it by our internal procedures. I am not aware of any clear documentation on what exactly you have to do if you have this issue too.
Hi @aravind There isn't a suppression list which customers can access; however, if you log a support ticket they are able to check the PostMark mail server logs to see if any emails bounced. This could help confirm:
a) if the alert actually fired correctly
b) that the email was accepted by the mail relay
c) if the relay had any issue sending on to the final destination.

At a previous customer we had a number of issues with the customer's email server detecting some of the Splunk Cloud alerts as spam and silently bouncing them. You can contact Support via https://www.splunk.com/support

Did this answer help you? If so, please consider: adding karma to show it was useful; marking it as the solution if it resolved your issue; commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
Hi, we are experiencing a critical issue where several scheduled alerts/reports are not being received by the intended recipients. This issue affects both individual mailboxes and distribution lists. Initially, only a few users reported missing alerts. However, it has now escalated, with all members of the distribution lists no longer receiving several key reports. Only a few support team members continue to receive alerts in their personal mailboxes, suggesting inconsistent delivery. Also, just checking, is there any suppression list blocking
Hi @livehybrid, thanks a lot for your quick response; the solution worked nicely.

Regards,
AKM