All Posts
>>> This is my first post here to ask for help
Welcome to the Splunk Community. Here you can find that almost 90% of everybody's Splunk issues get solved, and your issue is definitely one inside that 90%.

>>> How can I extract trace_id, event, program_run_sec, and status from the log section automatically by setting up a sourcetype? Is it doable?
It is very much doable. As updated by bowesmana, you just need to update one or two config files, that's all. We will guide you on this task step by step; please give us more details on which stage/step you are currently at.

As you are a new member, I thought I'd tell you: upvotes/karma points are appreciated by everyone. Kindly help those who help you with your karma points, thanks.
You have lots of unnecessary fieldformat statements. I would suggest

    index=Prod123 methodType='WITHDRAW' currency='GBP' jurisdiction=UK transactionAmount>=3
    | search transactionAmount=*
    | bin span=20s _time
    | stats list(transactionAmount) as Total, list(currency) as currency, dc(customerId) as Users by _time
    | where Users>=2
    | eval diff=tonumber(mvindex(Total, 0)) - tonumber(mvindex(Total, 1))
    | sort - _time

You don't need list(_time) as Time because it will contain the same values as your split-by _time field, as you are binning _time. You don't need fieldformat for _time, as that is how _time is already displayed.
>>> Yes, I have identified the dashboards and updated those by removing the get_tenable_sourcetype, but I am still seeing these errors.
Did you select the correct time picker? (I mean, if you edited just within the last 30 mins, search the internal logs only for the last 20 or 25 mins.) Is it a production system? Do you have any weekly service restarts?

Upvotes/karma points are appreciated by everybody, thanks.
Settings ---> All Configurations. Select App (all) and Owner (any), enter the lookup name in the text box, search for it, and let us know what happens, thanks.
Splunk does not support regex patterns in lookups, ONLY wildcards, i.e. *, so your escaped . characters and \ characters should not be in the lookup. Your pattern is a bit odd in that it has C:\\Windows\\system32\\cmd\.exe*C:\\P... where the * in that, if it is a regex, is saying you need to repeat the preceding 'e' character 0 or more times. If your process field contains C:\Windows\system32\cmd.exe ... then that should be the entry in the lookup, and in the lookup entry you add * characters where you want to match any characters in the data. That * wildcarding is all that is supported in lookups.
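The difference the answer above describes, as an added example that is not part of the original thread: a small Python emulation of a "*-only" wildcard match, so you can check what a lookup entry will and will not match before putting it in the lookup file. The process values are constructed samples, and the emulation is my own approximation of the wildcard rule stated in the answer, not Splunk's lookup engine itself.

```python
import re

# Constructed sample process values, not data from the thread.
PROCESSES = [
    r"C:\Windows\system32\cmd.exe /c whoami",
    r"C:\Windows\system32\cmdXexe /c whoami",
    r"C:\Program Files\Git\bin\git.exe status",
]


def wildcard_to_regex(pattern):
    """Emulate a '*'-only wildcard: split on '*', escape every other
    character so it is matched literally, join with '.*' and anchor
    both ends. A '.' or '\\' in the pattern therefore matches itself."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def wildcard_matches(pattern, values):
    """Values a lookup entry would match under wildcard semantics."""
    rx = wildcard_to_regex(pattern)
    return [v for v in values if rx.search(v)]


def regex_matches(pattern, values):
    """What the same entry would match if it were read as a regex.
    Lookups do not do this; shown only to make the difference visible."""
    rx = re.compile(pattern)
    return [v for v in values if rx.search(v)]


if __name__ == "__main__":
    plain = r"C:\Windows\system32\cmd.exe*"
    escaped = r"C:\\Windows\\system32\\cmd\.exe*"
    # Plain entry with a trailing '*' matches the cmd.exe line only.
    print(wildcard_matches(plain, PROCESSES))
    # Regex-escaped entry matches nothing: '\\' and '\.' are taken literally.
    print(wildcard_matches(escaped, PROCESSES))
    # Read as a regex the escaped entry would match, which is why it looks right.
    print(regex_matches(escaped, PROCESSES))
```

The takeaway is the one in the answer: write the lookup entry as the literal path you expect in the data, with * only where you want to match arbitrary characters, and leave out the regex escaping.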
Thanks @inventsekar. I tried but no luck. Can you help me with the query to find out the search query/report/alert/dashboard where this lookup is used? Maybe I am doing it wrong; please help me with the query.
Thanks for your response @inventsekar. Yes, I have identified the dashboards and updated those by removing the get_tenable_sourcetype, but I am still seeing these errors. I have updated those from the GUI.
You want to create a transforms entry that has something along the lines of

    trace_id=\\\\\"(?<trace_id>\w+)\\\\\" event=\\\\\"(?<event>[^\\\\\"]*)\\\\\" program_run_sec=(?<program_run_sec>[\d\.]*) status=\\\\\"(?<status>\w+)

using the source field log, which must have already been extracted. Then create a field extraction using that transforms entry against the sourcetype for this data. Then you will get the 4 fields wanted automatically in your data.
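A way to check a regex like the one above before committing it to transforms.conf, as an added example that is not part of the original thread. The sample event is constructed: a container-style JSON line whose log field holds the application text, which is an assumption about the poster's data. The example runs the extraction twice, once on the decoded log field (quotes are plain) and once on the raw event (every quote is still escaped as \"), because the amount of backslash escaping the regex needs depends on which of those two strings it is applied to. Python only understands the (?P<name>...) form for named groups; Splunk's PCRE accepts the (?<name>...) form used in the answer.

```python
import json
import re
from typing import Optional

# Constructed sample event, not data from the thread: a JSON wrapper whose
# "log" field carries the application log line with escaped quotes.
RAW_EVENT = (
    '{"log":"2023-10-03T23:48:50Z INFO trace_id=\\"a1b2c3d4\\" '
    'event=\\"order placed\\" program_run_sec=1.25 status=\\"OK\\"\\n",'
    '"stream":"stdout"}'
)

# Regex for the already-extracted log field: once the JSON layer is decoded
# the quotes are plain, so the pattern matches a bare ".
LOG_FIELD_RE = re.compile(
    r'trace_id="(?P<trace_id>\w+)"\s+'
    r'event="(?P<event>[^"]*)"\s+'
    r'program_run_sec=(?P<program_run_sec>[\d.]+)\s+'
    r'status="(?P<status>\w+)"'
)

# The same extraction against the raw, still-escaped event: each quote is
# preceded by a backslash, so the pattern matches \" instead of ", and the
# event value is read up to the next backslash or quote.
RAW_RE = re.compile(
    r'trace_id=\\"(?P<trace_id>\w+)\\"\s+'
    r'event=\\"(?P<event>[^\\"]*)\\"\s+'
    r'program_run_sec=(?P<program_run_sec>[\d.]+)\s+'
    r'status=\\"(?P<status>\w+)\\"'
)


def extract_from_log_field(raw_event: str) -> Optional[dict]:
    """Decode the JSON wrapper first, then run the regex on the log field.
    This mirrors a transform whose source is the already-extracted log field."""
    log = json.loads(raw_event)["log"]
    m = LOG_FIELD_RE.search(log)
    return m.groupdict() if m else None


def extract_from_raw(raw_event: str) -> Optional[dict]:
    """Run the escaped-quote regex directly on the raw event text.
    This mirrors a transform applied to _raw before any JSON decoding."""
    m = RAW_RE.search(raw_event)
    return m.groupdict() if m else None


if __name__ == "__main__":
    print(extract_from_log_field(RAW_EVENT))
    print(extract_from_raw(RAW_EVENT))
```

Whichever string you target, wire it up the same way in Splunk: the regex goes in a transforms.conf stanza (with SOURCE_KEY set to the log field if you are extracting from that field rather than from _raw) and the stanza is referenced from the sourcetype in props.conf via a REPORT-<name> setting. If the local test only matches with the escaped form, the transform needs the escaped form too.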
Hi all... Splunk newbie learning videos, for absolute beginners: https://www.youtube.com/@SiemNewbies101/playlists I have created around 30 small videos on rex in particular. Please check the playlist, thanks.
I believe the app supports urifield as well as uri=, so just make

    | eval uri="https://api.shodan.io/shodan/host/".clientIP."?key=APIKEY" | curl urifield=uri...
Hi @yuanliu, it's working excellently. Thank you for your assistance.
Here's a couple of ways of getting a list of Windows services and the status of these services into Splunk:

Windows Host Monitoring

In the inputs.conf file add a stanza like this:

    [WinHostMon://Service]
    interval = 600
    disabled = 0
    type = Service
    index = windows

This will collect a list of services, and their status, every 10 minutes, from the system running the Splunk Forwarder. More documentation here: https://docs.splunk.com/Documentation/Splunk/9.1.1/Admin/Inputsconf#Windows_Host_Monitoring

WMI

Create a wmi.conf file and add the following stanza:

    [WMI:WindowsServiceState]
    interval = 600
    wql = select Name, DisplayName, Description, State from Win32_Service
    disabled = 0
    index = windows

This will collect the same data as the previous example, however it's more customisable: for example, you can use WMI to narrow down to collecting data on only specific services, or even to query a remote server. More documentation here: https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Wmiconf
Hi @Roy_9... same as that other macro issue... you should try to find out which search query/report/alert/dashboard is using that lookup's name and update that. Let us know if you are unable to find that search query/report/alert/dashboard, thanks.
>>> Around when was the ServiceNow and Splunk integration done? Recent or long back?
Long back.

>>> The ServiceNow tickets auto-cut (incident creation) was working fine previously?
Yes, it was working fine.

>>> Did you do any upgrades recently? (on SH, indexers, the apps, etc.)
No recent upgrades.
So, you have the macro 'get_tenable_index', and some search queries are using the macro 'get_tenable_sourcetype'. So, please try to find out the search query/report/alert/dashboard which is using the macro 'get_tenable_sourcetype' and edit/update that one. That should help you remove all these internal errors.
One problem is that the CM does not manage indexes. It manages indexers (search peers), buckets, and apps. To disable an index you need to modify indexes.conf in an app in $SPLUNK_HOME/etc/cluster/apps and then apply the cluster bundle. There is a REST endpoint for applying the bundle (cluster/manager/control/default/apply). There is also a REST endpoint for installing and updating apps (apps/local), but it can't touch the etc/cluster/apps directory.
Hello, I am seeing the below error in the internal logs. I am on a Splunk on-premise clustered environment.

    10-03-2023 23:48:50.697 +0000 ERROR SearchParser [110001 TcpChannelThread] - The search specifies a macro 'get_tenable_sourcetype' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.

How do I get rid of this error from our internal logs? I have checked under Macros and All configurations and I don't see this macro. But inside TA-tenable/local/macros.conf I see only

    [get_tenable_index]
    definition = (index=abc)
    iseval = 0

Please help me with your thoughts. Thanks
Hello, I am seeing the below error in the internal logs.

    The lookup table XYZ does not exist or not available

I have checked in Lookup table files, Lookup definitions, and Automatic lookups but didn't find this lookup. How do I get rid of this error? Any suggestions please. Thanks
Hi @vishwa... Around when was the ServiceNow and Splunk integration done? Recent or long back? The ServiceNow tickets auto-cut (incident creation) was working fine previously? Did you do any upgrades recently? (on SH, indexers, the apps, etc.)
Hi @inventsekar, I attempted to include a wildcard entry in transforms.conf, but unfortunately it did not yield any successful results. It appears that Splunk lookup only accommodates wildcards at the start and end of a string and does not function when the wildcard is placed within the string. Example below where it is working:

    * webex.com
    office*

Example below where it is not working:

    abc*def*ghi*