We have setup one alert which should trigger for every 1 hour When we run the alert query it is showing up the results but we did not received mail There is no diff in index and event time In scheduler logs it is showing status as success but i don't see python logs and alert did not get fired   What could be the issue for not receiving the mail from alert.

Dear Support, I have 2 indexes (indexA,  indexB) and one receiving server with 2 different ports (10.10.10.10:xx, 10.10.10.10:yy). I need my indexer to forward indexA to 10.10.10.10:xx and indexB to 10.10.10.10:yy. What is best way to achieve it? I did two different apps with outputs, props, transforms and it does not work. I tried one app with LB and it does not work either. Example of outputs.conf: [tcpout] defaultGroup = group1, group2 [tcpout:group1] server = 10.10.10.10:xx forwardedindex. = ??? [tcpout:group2] server = 10.10.10.10:yy forwardedindex. = ???   Is it a good way to do it? How should forwardedindexes config look like ? What about props and transforms?   I would appreciate any help.   thanks pawel

I have use case to use the ML feature to detect  the  anamoly in comm sent from each ID. I was trying to get the same from predict function, but there is multiple ID's and I can't set an alert/report individually for all ID's. How I can use the same, Please help. Query which I am trying: index=indexhc source=hcdriver sourcetype="assembly" appname="marketing" ID IN (abc,xyz,qtr,jyk,klo,mno,ghr)  | timechart span=1d count as commSent by ID | predict commSent as predicted_commSent algorithm=LLP holdback=0 future_timespan=24 | eval anamoly_score=if(isnull(predicted_commSent),0,abs(commSent - predicted_commSent)) |table _time,ID,commSent,predicted_commSent,anamoly_score Above query is not giving any output,it seems predict command doesnot work with multiple columns. Please suggest.

Hi. I've tried to get Splunk to understand syslog messages coming from a Cisco Mobility Express setup. Mobility Express (ME) is the built-in controller solution into, in this setup, 3 AP3802I access points running 8.10.171.0 I have been successful at getting and displaying data from a C2960L-8PS switch running IOS 15. But not from any access point (AP). I've setup syslogging from the ME directly to a single instance Splunk demo lab running on Ubuntu with rsyslog. I can see data being logged into /data/syslog/192.168.40.20/ -rw-r--r-- 1 syslog syslog 9690 Sep 4 15:54 20230904-15.log -rw-r--r-- 1 syslog syslog 41100 Sep 4 16:58 20230904-16.log -rw-r--r-- 1 syslog syslog 9192 Sep 4 17:53 20230904-17.log Example of syslog messages are: 2023-08-29T05:48:04.090627+00:00 <133>SampleSite: *emWeb: Aug 29 07:48:03.431: %AAA-5-AAA_AUTH_ADMIN_USER: aaa.c:3334 Authentication succeeded for admin user 'example' on 100.40.168.192 2023-09-04T17:01:52.684140+02:00 <44>SampleSite: *apfMsConnTask_0: Sep 04 17:01 :52.495: %APF-4-PROC_ACTION_FAILED: apf_80211k.c:825 Could not process 802.11 Ac tion. Received RM 11K Action frame through incorrect AP from mobile station. Mob ile:1A:4A:FA:F9:BA:C6. 2023-09-04T17:01:52.718781+02:00 <44>SampleSite: *Dot1x_NW_MsgTask_0: Sep 04 17 :01:52.530: %LOG-4-Q_IND: apf_80211k.c:825 Could not process 802.11 Action. Rece ived RM 11K Action frame through incorrect AP from mobile station. Mobile:1A:4A: FA:F9:BA:C6. I've installed TA-cisco_ios from Splunkbase. In the top of my etc/apps/search/local/inputs.conf I've added: [monitor:///data/syslog/udp/192.168.40.20] disabled = false host = ciscome.example.net sourcetype = cisco:wlc #sourcetype = cisco:ap index = default For switches cisco:ios works fine, but I cannot get cisco:wlc or cisco:ap to process data it seems. Has anyone used Cisco Mobility Express with Splunk and gotten anything usefull out of the logs? Am I doing it right? Thanks for any tips.