All Posts

What is the fastest way to run a query to get an event count on a timechart per host? This is for Windows events, and I want to get a list of how many events each device is logging per month so that I can identify the increase/decrease. They are all ingested in one index. A query like this will take a while to run if run for about a year. Is there a faster way to get this data?

index=<index_name> | timechart count by Computer span=1mon

Thanks.
Can you confirm whether your original search returns > 0 events by running it in the search bar on the "Search" tab in AnomalyApp (or in Search & Reporting)?  This message may be shown because the search is returning 0 events.  We expect to have a fix for this, so our error message is more informative, in our next patch release of AnomalyApp.
What's the simplest regex that will match any character including newline? I want to be able to match all unknown content between two very specific capture groups. Thanks! Jonathan
Sorry, I left that out of my original reply. The number of results is in the result_count field. If the alert did anything, then the alert_actions field is not empty. If an alert fired (was triggered), it will be in the output of this command:

| rest splunk_server=local /servicesNS/-/-/alerts/fired_alerts | search title!="-"
Hi @gcusello , Thanks for getting back to me. Turns out the splunk user did not have access to the pihole.log, only to the pihole-FTL.log files. Splunk started to ingest both files after I changed the permissions. Thanks, Toma.
I'm using the rex command to parse a value out of the results of a transaction command. Is there an easy way to restrict the resulting capture from searching either the start or end block of the transaction? This would be much easier than doing it in the regex itself, since both blocks of text returned are very similar. Thanks! Jonathan
Unfortunately, we are in the same situation. I don't see an easy solution, but here are a few searches that can help. If anyone has a better solution, it would be great to hear.

(This will tell you if someone attempts to delete data w/o the permissions)

index=_internal orig_component="StreamingDeleteOperator" sourcetype=splunk_search_messages | stats count by app message _time | mvcombine message

(This will tell you when someone pipes the delete command into a search)

index=_audit "| delete" search!="'search index=_audit \"| delete\"'"

I have yet to see an audit log for successful deletion.

Always be careful when searching the delete term; as best practice you should only apply the "Can Delete" capability for the period it is needed, and the search results should always be tested before attempting to use.
I have event logs similar to this.

{Level: Information
MessageTemplate: Received Post Method for activity: {Activity}
Properties: {
  ActionId: 533b531b-3078-448f-a054-7f54240962af
  ActionName: Pcm.ActivityLog.ActivityReceiver.Controllers.v1.ActivitiesController.Post (Pcm.ActivityLog.ActivityReceiver)
  Activity: {"ClientId":"1126","TenantCode":"BL.Activities","ActivityType":"CreateCashTransactionType","Source":"Web Entry Form","SourcePath":null,"TenantContextId":"00-9b57deb074fd41df69f90226cb03f499-353e17ffab1a6d25-01","ActivityStatus":"COMPLETE","OriginCreationTimestamp":"2023-09-28T11:39:48.4840749+00:00","Data":{"traceId":"9b57deb074fd41df69f90226cb03f499","parentSpanId":"88558259300b25e5","pcm.user_id":2,"pcm.name":"Transaction_Type_2892023143936842"}}
  Application: ActivityLogActivityReceiver
  ConnectionId: 0HMU00KGAKUBJ
  CurrentCorrelationId: 95c2f966-1110-405b-ae9a-47a024343b6c
  Environment: AWS-OB-DEV5
  OriginCorrelationId: 95c2f966-1110-405b-ae9a-47a024343b6c
  ParentCorrelationId: 95c2f966-1110-405b-ae9a-47a024343b6c
  RequestId: 0HMU00KGAKUBJ:00000003
  RequestPath: /api/activitylog/v1/activities
  SourceContext: ActivityLog.ActivityReceiver.Controllers.v1.ActivitiesController
  TenantContextId: 00-9b57deb074fd41df69f90226cb03f499-353e17ffab1a6d25-01
  XRequestId: 3ba2946fa8cc0e5d5e3e82f27f566dd4
}
}

I want to create a table from Properties.Activity with some specific fields:

"ActivityType","Source","OriginCreationTimestamp"
"CreateCashTransactionType","Web Entry Form","2023-09-28T11:39:48.4840749+00:00"

Can you help me to write the query? I tried spath/mvexpand but was not able to find it.
Hi @samejgink! Since this question was from a few years ago, we recommend posting your question in a new thread to gain more visibility. Thanks!   - Kara D, Community Manager
Thanks. Is alert_actions the field that indicates an alert has generated a result? alert_actions!= If yes, if I want to count the alert actions, is it enough to do a stats count(alert_actions)?
To start with, I am very new to Splunk and I've been stumbling my way through this with varying degrees of success. We recently upgraded Splunk from 8.2 to 9.1.2. We noticed the new SSL requirements, but we have a self-signed cert and the website shows as not secure. We wanted to make sure everything was as secure as possible. We created an actual CA cert chain and redirected the web.conf to the cert along with the key. I had issues with this at first because we weren't using a passphrase on the cert creation, but we fixed that and it seems to accept it. Now the webpage seems to load, but it takes an incredibly long time. Once loaded, we should be able to log in with LDAP. That's no longer working. I tried the local admin and it thinks for a while and then goes to an "Oops. The server encountered an unexpected condition which prevented it from fulfilling the request. Click here to return to Splunk homepage." page. This is on the deploy server. I changed the server.conf to use the cert as well, though that doesn't appear to make a difference. I checked the openldap.conf and added the cert to that, but then the page wouldn't load anymore (doing a splunk restart between each change). I'm not sure which logs to even look at to find the problem. I have gone through the documentation to set up the TLS, which we want to do for interserver communication and for the webpage. The forwarders aren't necessary right now. Can anyone give me a clue what I might be doing wrong? EDIT: I did discover this error in the splunkd.log relating to my cert. The only post I've found so far says to combine the key and pem into a single file it can use.
message="error:0906D06C:PEM routines:PEM_read_bio:no start line

Here are my config files.

server.conf

[general]
serverName = servername.com [changed for privacy reason]
pass4SymmKey = [redacted]

[sslConfig]
# turns on TLS certificate host name validation
sslVerifyServerName = true
serverCert = /opt/splunk/etc/auth/servername.com.pem
#sslPassword = [redacted]
#SSL No longer valid option
# sslPassword = [redacted]
# turns on TLS certificate host name validation
cliVerifyServerName = true
sslPassword = [redacted]
# Reference the file that contains all root certificate authority certificates combined together
sslRootCAPath = /opt/splunk/etc/auth/servername.com.pem
sslCommonNameList = servername.com, servername

[pythonSslClientConfig]
#sslVerifyServerCert = true
#sslVerifyServerName = true

[lmpool:auto_generated_pool_download-trial]
description = auto_generated_pool_download-trial
quota = MAX
slaves = *
stack_id = download-trial

[lmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
quota = MAX
slaves = *
stack_id = forwarder

[lmpool:auto_generated_pool_free]
description = auto_generated_pool_free
quota = MAX
slaves = *
stack_id = free

[lmpool:auto_generated_pool_enterprise]
description = auto_generated_pool_enterprise
quota = MAX
slaves = *
stack_id = enterprise

[license]
active_group = Enterprise

[kvstore]
storageEngineMigration = true

web.conf

[settings]
enableSplunkWebSSL = true
privKeyPath = /opt/splunk/etc/auth/myprivate.key
serverCert = /opt/splunk/etc/auth/servername.com.pem
sslPassword = [redacted]

authentication.conf

[authentication]
authSettings = ldapserver.com
authType = LDAP

[roleMap_ldapserver.com]
admin = SplunkAdmins

[ldapserver.com]
SSLEnabled = 1
anonymous_referrals = 1
bindDN = CN=ServiceAccount,CN=AccountFolder,DC=SubOrg,DC=Org,DC=com
bindDNpassword = [redacted]
charset = utf8
emailAttribute = mail
enableRangeRetrieval = 0
groupBaseDN = OU=Groups,OU=Users & Computers,OU=MainFolder,DC=SubOrg,DC=Org,DC=com
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = ldapserver.SubOrg.Org.Com
nestedGroups = 0
network_timeout = 20
pagelimit = -1
port = 636
realNameAttribute = displayname
sizelimit = 1000
timelimit = 15
userBaseDN = OU=Users,OU=Users & Computers,OU=MainFolder,DC=SubOrg,DC=Org,DC= com
userNameAttribute = samaccountname

ldap.conf

# See ldap.conf(5) for details
# This file should be world readable but not world writable.
ssl start_tls
TLS_REQCERT demand
TLS_CACERT /opt/splunk/etc/auth/ldapserver.pem
# The following provides modern TLS configuration that guarantees forward-
# secrecy and efficiency. This configuration drops support for old operating
# systems (Windows Server 2008 R2 and earlier).
# To add support for Windows Server 2008 R2 set TLS_PROTOCOL_MIN to 3.1 and
# add these ciphers to TLS_CIPHER_SUITE:
# ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:
# ECDHE-RSA-AES128-SHA
# TLS_PROTOCOL_MIN: 3.1 for TLSv1.0, 3.2 for TLSv1.1, 3.3 for TLSv1.2.
TLS_PROTOCOL_MIN 3.3
TLS_CIPHER_SUITE ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256>
#TLS_CACERT absolute path to trusted certificate of LDAP server. For example /opt/splunk/etc/openldap/certs/mycertificate.pem
#TLS_CACERTDIR absolute path to directory that contains trusted certificates of LDAP server. For example /opt/splunk/etc/openldap/certs
Hi @Sujal Kumar.Mitra, Do you mean Enterprise Console?
This was a bug in the current ES version. They will be fixing it in the next update.
Start with this query and modify as necessary to suit your requirements. Note that, by default, the _internal index only has 30 days of data, so there may be no "by month".

index=_internal source=*scheduler.log* savedsearch_name=* sourcetype=scheduler alert_actions!=""
I need to compare the values of 2 fields from the Splunk data with the field values from the lookup, find the values missing from the Splunk data, and output those missing field-value pairs. For example:

index=test sourcetype=splunk_test_data
fields: field1, field2

lookup: test_data.csv
fields: field1, field2

The output should show the values missing from the Splunk data. Any help would be appreciated. Thanks
My query returns multiple rows, one for each environment that meets a certain condition. I would like to trigger an alert for each row (environment) that meets the condition. Is there a way to do this in Splunk?
Hello there. I have IIS logs being ingested into Splunk. The sourcetype is currently set to "iis:test".

props.conf:

[iis:test]
TZ = UTC
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TRANSFORMS-8_AssignToIndex = setindex_dev, setindex_qa, setindex_stage, setindex_prod

transforms.conf:

[setindex_dev]
SOURCE_KEY = MetaData:Host
REGEX = (?i)^host::web-dev-2\d{1}.*$
DEST_KEY = _MetaData:Index
FORMAT = wf_dev_i

[setindex_qa]
SOURCE_KEY = MetaData:Host
REGEX = (?i)^host::web-qa-2\d{1}.*$
DEST_KEY = _MetaData:Index
FORMAT = wf_qa_i

[setindex_stage]
SOURCE_KEY = MetaData:Host
REGEX = (?i)^host::web-stg-2\d{1}.*$
DEST_KEY = _MetaData:Index
FORMAT = wf_stage_i

[setindex_prod]
SOURCE_KEY = MetaData:Host
REGEX = (?i)^host::web-2\d{1}.*$
DEST_KEY = _MetaData:Index
FORMAT = wf_prod_i

This should send the events coming from the host web-dev-20 to the wf_dev_i index. Instead, they go to the main index. I have the same configuration set for other sources and it works fine. What am I missing here? Thank you, Claudio
So, the result of our troubleshooting was that all of the hundreds of crash events we were seeing related to winevtlog or perfmon were not crashes happening, but re-attempts at sending past crashes to Microsoft, and failing, because these were on an air-gapped subset of the estate. The clue was, apart from ceasing the activity by clearing all the WER folder, that Report_Id just kept repeating ...

sourcetype="WinEventLog:Application" AppCrash | regex Message=".*(?<splunk>splunk[-\w]+)" | timechart span=30m dc(Report_Id)

This search showed a constant value of 12 across several days. Then we found there is a GPO that tells servers to log AppCrash events, but not send them to Microsoft.
Hi @hiersdd, are you working by GUI or conf files? By GUI it isn't possible to configure two inputs with the same protocol and port. If you need to configure more inputs using the same protocol and port but having different sources, you have to do this only by conf file. Ciao. Giuseppe
Did you ever get a resolution to this?