All Posts

Hello, thanks for the reply, I will try coalesce(). In my case "create additional indexed fields" improves search speed without giving a headache to non-regular Splunk users. Apart from the storage, are there any other drawbacks to consider?
Hi, here it is explained how to emulate SQL joins in SPL: https://community.splunk.com/t5/Splunk-Search/What-is-the-relation-between-the-Splunk-inner-left-join-and-the/m-p/391290/highlight/true#M113950 There are also several .conf presentations on how to join datasets without the join command, e.g. https://conf.splunk.com/files/2019/slides/FNC2751.pdf r. Ismo
As Ismo said - make sure which license you have. By default Splunk installs with a trial license which has most of the features (apart from clustering-related ones, as far as I remember) and which is valid for 60 days. After that time you have the option to either use your installation with a Splunk Free license (which is limited - it doesn't contain the ability to create multiple users, doesn't run scheduled searches, doesn't have forwarder management...) or to provide a purchased commercial license/dev license/any other license. So if you open your Splunk web interface and it doesn't let you provide a user/password to log in, and your web interface doesn't contain the whole "Users and authentication" section, you're most probably using the Free license, not the Trial one. You can check which license you have by going to Settings -> System/Licensing.
How about this:
| makeresults
| eval Properties.appHdr = "{ \"fr\": { \"fiId\": { \"finInstnId\": { \"bicfi\": \"BNPAGB22PBG\" } } }, \"to\": { \"fiId\": { \"finInstnId\": { \"bicfi\": \"SICVFRPPEII\" } } }, \"bizMsgIdr\": \"res1caf3c2ac2b3b6d180ff0001aa7eefab\", \"msgDefIdr\": \"seev.047.001.02\", \"creDt\": \"2024-01-11T21:03:56.000Z\" }"
| fields - _time ```Generate test event```
| spath input=Properties.appHdr
| table bizMsgIdr *
Hi, can someone help to explain how we can use Not-exists in Splunk? An example is attached below for which I need to use this function in Splunk.
1) Search1 generates a set of results.
2) Search2 also generates a set of results.
There is a common field between the 2 searches. I want to add a search in Splunk as below:
Results of Search1 (Not exists (results of Search2)) common field = Field1
Search1:
`eoc_stp_events_indexes` host=p* OR host=azure_srt_prd_0001
| table timestampOfReception, messageOriginIdentifier, messageType, status, messageBusinessIdentifier, originPlatform, direction, sourcePlatform, currentPlatform, targetPlatform, senderIdentifier, receiverIdentifier, currentPlatform
Search2:
(index=events_prod_srt_shareholders_esa OR index=eoc_srt) seev.047 Name="Created Disclosure Response Status Advice Accepted"
| table messageBusinessIdentifier
Field1: messageBusinessIdentifier
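One way to express "results of Search1 where the common field does NOT EXIST in Search2" in SPL, added here as an editorial example and not code posted by anyone in the thread: Search2 runs as a subsearch, its distinct messageBusinessIdentifier values are formatted into an OR list, and NOT in front of the subsearch excludes every Search1 event whose messageBusinessIdentifier appears in that list. The macro, index names and field list are taken from the question as written; the parentheses around the two host terms are an assumption about the intended precedence, since "a OR b NOT c" in Splunk binds as "a OR (b AND NOT c)".

```spl
`eoc_stp_events_indexes` (host=p* OR host=azure_srt_prd_0001)
    NOT [ search (index=events_prod_srt_shareholders_esa OR index=eoc_srt) seev.047
                 Name="Created Disclosure Response Status Advice Accepted"
          | stats count BY messageBusinessIdentifier
          | fields - count ``` distinct values only; format turns them into an OR clause ```
          | format ]
| table timestampOfReception, messageOriginIdentifier, messageType, status,
        messageBusinessIdentifier, originPlatform, direction, sourcePlatform,
        currentPlatform, targetPlatform, senderIdentifier, receiverIdentifier
```

Two checks before relying on this in a scheduled search: the subsearch must return messageBusinessIdentifier as a search-time field in Search1's events, and subsearches are capped by default at 10,000 results and 60 seconds, after which the exclusion list is silently truncated and events that should have been excluded come back. If Search2 can exceed those limits, run both searches as one combined base search, tag each event with which side it came from, then `stats count(eval(side="s2")) AS in_s2 ... BY messageBusinessIdentifier | where in_s2=0`, which has no subsearch limit.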
Hi, are you sure that you have a Trial license and not a Free license? Splunk Free doesn't contain a user license (Auth). There is only a system user for internal use but no real user like admin. The Splunk Enterprise Trial license (valid for 60d after installation) has (at least one) user license (the Auth option in the lic file). Based on the documentation, it has all features allowed as a normal license has, except it's just for a single-instance, standalone version (e.g. no LM or any cluster features).
<features>
  <feature>Auth</feature>
  <feature>FwdData</feature>
  <feature>RcvData</feature>
  <feature>LocalSearch</feature>
  <feature>DistSearch</feature>
  <feature>RcvSearch</feature>
  <feature>ScheduledSearch</feature>
  <feature>Alerting</feature>
  <feature>DeployClient</feature>
  <feature>DeployServer</feature>
  <feature>SplunkWeb</feature>
  <feature>SigningProcessor</feature>
  <feature>SyslogOutputProcessor</feature>
  <feature>AllowDuplicateKeys</feature>
</features>
See more about those licenses at https://docs.splunk.com/Documentation/Splunk/9.1.2/Admin/TypesofSplunklicenses r. Ismo
Hi, will disabling the app (ES Content Updates) affect the functionality of Enterprise Security? Thanks, Regards
Both of these options are not working and Splunk is not able to extract the bizMsgIdr from the field Properties.appHdr. Can you please provide some other way to extract this text?
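When spath returns nothing for a field that looks like JSON, the usual causes are that the field does not contain what you think it does (the JSON is escaped a second time, truncated, or wrapped in other text), or that the dotted field name was not quoted where eval needs it. The search below is an added editorial example, not code from the earlier reply or from the asker; it builds a constructed test event (same structure as the reply above, shortened), reports what the field actually holds, tries spath with an explicit path, and falls back to a regex that also works on escaped or truncated JSON. Run it against real events by replacing the first two lines with the original search.

```spl
| makeresults ``` constructed test event for this example, not real data ```
| eval Properties.appHdr = "{ \"fr\": { \"fiId\": { \"finInstnId\": { \"bicfi\": \"BNPAGB22PBG\" } } }, \"bizMsgIdr\": \"res1caf3c2ac2b3b6d180ff0001aa7eefab\", \"msgDefIdr\": \"seev.047.001.02\" }"
| eval hdr_len = len('Properties.appHdr'),
       starts_with_brace = if(match('Properties.appHdr', "^\s*\{"), "yes", "no")
| spath input=Properties.appHdr path=bizMsgIdr output=bizMsgIdr_spath
| rex field=Properties.appHdr "\"bizMsgIdr\"\s*:\s*\"(?<bizMsgIdr_rex>[^\"]+)\""
| eval bizMsgIdr = coalesce(bizMsgIdr_spath, bizMsgIdr_rex)
| table hdr_len starts_with_brace bizMsgIdr_spath bizMsgIdr_rex bizMsgIdr
```

Reading the result: if hdr_len is empty the field is not there at search time under that name (check the field sidebar for a differently named or `Properties{}.appHdr`-style field); if starts_with_brace is "no" the value is not plain JSON and spath will never parse it, but the rex fallback will still pull the identifier out as long as the `"bizMsgIdr": "..."` pair is present as text. Note the single quotes around 'Properties.appHdr' inside eval functions: without them eval reads the dot as an operator.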
I also tried it using the CLI, with splunk add user -password -role -auth, but I got an error there also: "WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details. Requires license feature='Auth'". How can I solve the problem?
Hello, I want to add a user to Splunk. I have a free license trial, and there is no "USER" or "ADD USER" on my interface on Splunk Enterprise. How else can I do that?
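The replies in this thread all come down to one question: does the active license carry the Auth feature? Settings -> System/Licensing shows it in the UI, and the search below reads the same information from the licenser REST endpoint, which is useful when the web UI is the thing that is not behaving. This is an added editorial example, not a command anyone in the thread posted; the field names (label, type, status, expiration_time, features) are those the /services/licenser/licenses endpoint returns as far as I know them, and has_auth is a name chosen here.

```spl
| rest /services/licenser/licenses splunk_server=local ``` field names assumed from the licenser endpoint ```
| eval has_auth = if(isnotnull(mvfind(features, "^Auth$")), "yes", "no"),
       expires  = strftime(expiration_time, "%Y-%m-%d")
| table label type status expires has_auth features
```

A row with status VALID, has_auth "no" and a Free-type label is the situation described above: the CLI error "Requires license feature='Auth'" is then expected, and no amount of user management will fix it until an Enterprise Trial or purchased license is applied. The same list is available from the shell with `splunk list licenses`.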
Hi, I'm not sure if I understood your question correctly ;-( As long as you have your license in one LM and you can connect all search peers (even from several indexer clusters) to this same LM, it's ok. But you cannot install the same license file into several LMs. If that is needed then you need to ask Splunk support to split that license into several license files and delete the original. r. Ismo
Hi, as @PickleRick already said, you must have a plan and test it before doing it with a production server! Here are some old posts which tell how you could do it. But if/when you have already done it, these are just for next time. Some of those also discuss what was done wrongly and how it could be fixed. But as said, it's really hard to guess what the issue is without seeing your environment. I also prefer to use rpm instead of tar on RH systems.
https://community.splunk.com/t5/Installation/How-to-migrate-indexes-to-new-indexer-instance/m-p/528064/highlight/true
https://community.splunk.com/t5/Installation/What-are-the-steps-for-Splunk-enterprise-migration-physical-to/m-p/648565/highlight/true
r. Ismo
Hi, that "earliest=-1w@w" is correct to get all events from 1 week back, starting from the first day of that week. Based on that you should get the events you want. Have you looked in _internal to see whether this report hasn't run, or is it just your email system which cannot manage it due to the amount of events, or something else? BUT you have this "stats count by user _time" which calculates how many times a user existed at a particular time, which can be e.g. a millisecond. That could lead you to count every event separately, which probably is not what you are looking for? Maybe you want those events on e.g. a daily basis (add "|bin span=1d _time" before stats)? r. Ismo
Hi, getting an exact retention time for e.g. 1y in Splunk could be almost mission impossible. There are several parameters that define when Splunk removes those buckets which have all events older than your defined retention time! You must understand that when Splunk calculates retention, in reality it's for all events in a bucket! It's not event based, as the smallest storage unit is a bucket, not an event. Practically this means that Splunk can remove a bucket when all events in that bucket are older than your defined retention. In your case, you have quite a low event volume, which means that you could have one bucket which contains events from several months (max 15GB divided by 30MB, divided by the number of hot buckets for that index). Usually you have several (default is 3) active hot buckets (per search peer) at the same time, where Splunk can write new events. The default for keeping a bucket as hot is 90d, or until it becomes full, or when you restart Splunk. There are also some other parameters which could affect this! Here are some links where you can learn more about how this actually works:
https://conf.splunk.com/files/2017/slides/splunk-data-life-cycle-determining-when-and-where-to-roll-data.pdf
https://docs.splunk.com/Documentation/Splunk/9.1.2/Indexer/Bucketsandclusters
https://community.splunk.com/t5/Splunk-Search/How-can-I-find-the-data-retention-and-indexers-involved/m-p/645365/highlight/true
https://community.splunk.com/t5/Getting-Data-In/Indexes-configuration/m-p/564276
https://community.splunk.com/t5/Splunk-Enterprise/Splunk-shows-only-9-months-270-days-data-How-do-I-increase-the/m-p/624944#M14863
https://community.splunk.com/t5/Getting-Data-In/What-counts-for-Splunk-retention-time-if-events-come-in-with-a/td-p/601655
r. Ismo
Hi @jbates58, first, on the server containing the indexes, don't use the main index, but create a custom index (e.g. firewalls), then for this new index define the retention you want (one year). Then assign the new index name to the inputs that you should have on your Forwarders. At least, when you ingest more logs, you should monitor your index to understand whether the size you configured is correct or whether you need to enlarge it. Ciao. Giuseppe
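The two replies above make the same point from different angles: retention is decided per bucket, and a bucket is only frozen once its newest event is older than frozenTimePeriodInSecs (31536000 for one year). The search below, an added editorial example rather than anything posted in the thread, shows how to see that for yourself with dbinspect: each bucket's oldest and newest event, how many days it spans, and when it becomes eligible to be frozen under a one-year setting. The index name firewalls follows the suggestion above, and the 31536000 value is an assumption that frozenTimePeriodInSecs has been set to one year for that index.

```spl
| dbinspect index=firewalls ``` index name and the 1y freeze period are assumptions for this example ```
| eval oldest       = strftime(startEpoch, "%Y-%m-%d"),
       newest       = strftime(endEpoch, "%Y-%m-%d"),
       span_days    = round((endEpoch - startEpoch) / 86400, 1),
       freeze_after = strftime(endEpoch + 31536000, "%Y-%m-%d")
| table bucketId state oldest newest span_days freeze_after sizeOnDiskMB eventCount
| sort state, startEpoch
```

A hot bucket whose span_days runs into the hundreds is the case the first reply describes: low volume keeps the bucket open for up to 90 days (maxHotSpanSecs) and its events all stay until the newest one ages out, so the oldest data can survive well past the nominal year. If that matters, shortening maxHotSpanSecs for that index in indexes.conf makes buckets roll more often and brings real retention closer to the configured value, at the cost of more, smaller buckets.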
Ok. To put it bluntly - if you don't want to put any effort into it and want it done, pay someone to do it for you - Splunk Professional Services or your local friendly Splunk Partner. I don't think you understand what this community is. It's not "someone at Splunk". This is a forum where volunteers, not affiliated with Splunk as a company, choose to give their time and effort to _help_ other people, not to do someone else's job for free.
Hi @Siddharthnegi, you have to identify the add-on where the lookup is defined and disable this automatic lookup in props.conf. This is one of the reasons why I don't use automatic lookups. Ciao. Giuseppe
AdLdapConnector :Saving state: { "app_version": "2.2.1" }
{
  "identifier": "set_password",
  "result_data": [
    {
      "data": [
        {"user_dn": "cn=uba,ou=sec-user,dc=seclab,dc=lab", "samaccountname": "uba", "set": false}
      ],
      "extra_data": [],
      "summary": {"set": false},
      "status": "failed",
      "message": "unwillingToPerform: Make sure account in asset has permissions to Set\n Password and password meets complexity requirements",
      "parameter": {"use_samaccountname": true, "user": "uba", "password": "ubapass", "confirm_password": "ubapass"},
      "context": {}
    }
  ],
  "result_summary": {"total_objects": 1, "total_objects_successful": 0},
  "status": "failed",
  "message": "1 action failed",
  "exception_occured": false,
  "action_cancelled": false
}
Traceback (most recent call last):
  File "/opt/phantom/apps/adldap_*.py", line 32, in <module>
    raise Exception("Action Failed")
Exception: Action Failed
Please help to get results.
Hi All, I need to display the results the same as below:
|chart count over API by StatusCode
API  200  300  400  400  total
---  ---  ---  ---  ---  -----
but I need to display more fields behind API, like host and method as well:
API  host  method  200  300  400  total
---  ----  ------  ---  ---  ---  -----
Please help to get the results.
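chart can only split rows by one field, so the usual way to keep host and method alongside API is to build one composite row key, chart over that, and split the key back into columns afterwards. The search below is an added editorial example (no one in the thread posted it): the first lines build a small constructed sample of six requests with makeresults, and everything from the `eval key=` line on is the part to paste after a real search that already yields API, host, method and StatusCode. The "|" separator and the field name key are choices made here; pick another separator if host or API values can contain "|".

```spl
| makeresults count=6 ``` constructed sample data for this example, not real events ```
| streamstats count AS n
| eval API        = if(n <= 3, "/v1/login", "/v1/orders"),
       host       = if(n % 2 = 0, "web01", "web02"),
       method     = if(n <= 3, "POST", "GET"),
       StatusCode = case(n=1, 200, n=2, 200, n=3, 400, n=4, 200, n=5, 300, n=6, 400)
| fields - n
| eval key = API . "|" . host . "|" . method
| chart count OVER key BY StatusCode
| addtotals fieldname=total
| rex field=key "^(?<API>[^|]*)\|(?<host>[^|]*)\|(?<method>.*)$"
| fields - key
| table API host method *
```

On the sample this yields one row per API/host/method combination with a column per status code (200, 300, 400), zeros where a combination never produced that code, and a total column summed by addtotals before the key is split, so the text columns are never added into the total. If the status code columns should appear in a fixed order regardless of which codes occur, list them explicitly in the final table instead of using the wildcard.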