Hello everyone ,   I need to onboard a huge amount of logs which the 90% of them is unnecessary . My goal is to ingest only some keywords like "Login Failed", "User Login " etc . I have seen other articles  explaining how you can filter events by exclusion using NullQueue . But that doesn't fit in my case because I only know which event I want to ingest using particular keywords.  I am looking forward for a hint on how can I procced on that if it's possible .  Thank you all 

As mentioned in the subject, help me with the keyboard shortcut to format html and xml code in dashboard source code editor. For example, I want below code to be formatted to the code as shown in "To" section: <dashboard version="1.1"> <label>Test Dashboard</label> <row> <panel> <html> <h1> <b>Some bold text</b> </h1> </html> </panel> </row> </dashboard>   To: <dashboard version="1.1"> <label>Test Dashboard</label> <row> <panel> <html> <h1> <b>Some bold text</b> </h1> </html> </panel> </row> </dashboard>   I tried using Ctrl+Shift+F but it is only formatting the XML code in the dashboard source code editor and html code in the dashboard source code editor is not getting formatted and remaining as is.

Hi Splunkers,   i already done configuration of HF and install uf credentials. but i can't see the logs of palo alto in Splunk Cloud    for HF   Inputs.conf [udp://5000] index = xxxxx_pan disabled = false sourcetype = pan_log   but HF and Splunk Cloud instance have communicating.    please help me 

Hi All, I've been exploring various documentation and tutorials, but I'd love to hear from those who have hands-on experience. What are the best practices and recommended steps for configuring Kubernetes logs to seamlessly integrate with Splunk Enterprise? Are there any specific considerations or challenges I should be aware of during the setup process? Thanks in advance for sharing your expertise!

Hi Mentors, I have searched in youtube, external sources to check for usecase creation. i could see by using splunk essential we could create the usecase but i am new to the splunk and know about only the basics of splunk like fields and commands etc. i have asked even literally everyone treated me in a bad way when i ask them to teach me how to create the usecase even my team leader is also not ready to teach me but he got learned in the institution 5 years back. i dont have any friends who has knowledge in splunk.  I beg u please any one please teach me how to create the usecase in splunk and what is the basic of creating the usecase. i need this ......i am a first graduate from my family and i cannot afford huge amount of fees to learn splunk. Any mentors please help me i want to learn splunk and i want to teach the same to my team members in a simple in which way they could understand....... Please help me Mentors....

We are looking into Splunk Cloud as a solution, instead of our regular Splunk Enterprise (On Premise) Setup. To be able to test the feasibility of sending data from external sources (Jira Cloud, Redmine) , I wanted to install our own Custom App for testing. Unfortunately, there is no current way for us to do that in the Free Trial I have. We simply want to test if we can index data from Jira Cloud to Splunk Cloud, without having to use a Heavy Forwarder or Universal Forwarder. Ways to replicate: Splunk Cloud Login > Manage Apps > No button for uploading a custom app / add-on. Questions:  1. Is there a way to directly install Custom Apps / Add-ons (that are originally built for Splunk Enterprise), in Splunk Cloud? We were thinking about compatibility issues, and if the apps would work the same way.  2. Is there a way to gauge whether or not the quantity of data that we want to send from external sources, would require us to install a Heavy / Universal Forwarder? (We are trying to avoid additional costs by taking Splunk Cloud, so we were wondering if we could do without them)  

Hi all, I have read through the splunk documentation for session timeout here, but these seems to be for splunk overall. Configure user session timeouts - Splunk Documentation However I am not able to make the user timeout to be user or role specific. Is there any solution for that? I read in one of the posts previously that someone is able to perform such role-specific wise which also works for me if it can be done: Session timeout for a Single username (not group) ... - Splunk Community However there wasn't much information on how he/she was able to do so. The main intent for me is to set admin users / normal users the usual timeout eg 1 hour, and dashboard accounts to not be logged out on the other hand. Any possible advice, as it seems to be doable.

How to correlate index with dbxquery with condition or interation? See the sample below.   Thank you for your help. index=company CompanyID CompanyName Revenue A CompanyA 3,000,000 B CompanyB 2,000,000 C CompanyC 1,000,000 |  dbxquery query="select * from employee where companyID in (A,B,C)" OR  Iteration: |  dbxquery query="select * from employee where companyID ='A' |  dbxquery query="select * from employee where companyID ='B' |  dbxquery query="select * from employee where companyID ='B' CompanyID EmployeeName EmployeeEmail A EmployeeA1 empA1@email.com A EmployeeA2 empA2@email.com A EmployeeA3 empA2@email.com B EmployeeB1 empB1@email.com B EmployeeB2 empB2@email.com B EmployeeB3 empB3@email.com C EmployeeC1 empC1@email.com C EmployeeC2 empC2@email.com C EmployeeC3 empC3@email.com Expected result: CompanyID CompanyName Revenue EmployeeName EmployeeEmail A CompanyA 3,000,000 EmployeeA1 empA1@email.com A CompanyA 3,000,000 EmployeeA2 empA2@email.com A CompanyA 3,000,000 EmployeeA3 empA2@email.com B CompanyB 2,000,000 EmployeeB1 empB1@email.com B CompanyB 2,000,000 EmployeeB2 empB2@email.com B CompanyB 2,000,000 EmployeeB3 empB3@email.com C CompanyC 1,000,000 EmployeeC1 empC1@email.com C CompanyC 1,000,000 EmployeeC2 empC2@email.com C CompanyC 1,000,000 EmployeeC3 empC3@email.com OR  CompanyID CompanyName Revenue EmployeeName EmployeeEmail A CompanyA 3,000,000 EmployeeA1, EmployeeA2, EmployeeA3 empA1@email.com, empA2@email.com, empA2@email.com B CompanyB 2,000,000 EmployeeB1, EmployeeB2, EmployeeB3 empB1@email.com, empB2@email.com, empB3@email.com C CompanyC 1,000,000 EmployeeC1, EmployeeC2, EmployeeC3 empC1@email.com, empC2@email.com, empC3@email.com