All Posts
@nopera The props.conf configuration is specific to the sourcetype MSExchange:2013:MessageTracking. Please ensure that the corresponding add-on is installed on your heavy forwarder to enable proper parsing of the data.

    [MSExchange:2013:MessageTracking]
    CHARSET = UTF-8
    SHOULD_LINEMERGE = false
    CHECK_FOR_HEADER = false
    REPORT-fields = msexchange2013msgtrack-fields, msgtrack-extract-psender, msgtrack-psender, msgtrack-sender, msgtrack-recipients, msgtrack-recipient
    TRANSFORMS-comments = ignore-comments
    FIELDALIAS-server_hostname_as_dest = server_hostname AS dest
    FIELDALIAS-host_as_dvc = host AS dvc
    EVAL-src=coalesce(original_client_ip,cs_ip)
    EVAL-product = "Exchange"
    EVAL-vendor = "Microsoft"
    EVAL-sender = coalesce(PurportedSender,sender)
    EVAL-src_user = coalesce(PurportedSender,sender)
    EVAL-sender_username = coalesce(psender_username,sender_username)
    EVAL-sender_domain = coalesce(psender_domain,sender_domain)
    LOOKUP-event_id_to_action = event_id_to_action_lookup event_id OUTPUT action
    TIME_PREFIX = ^\d\d
    MAX_TIMESTAMP_LOOKAHEAD = 24
    TIME_FORMAT = %y-%m-%dT%H:%M:%S.%QZ
@nopera You have to install this add-on https://splunkbase.splunk.com/app/3225 and match the exact sourcetype for the parsing. Example:

    [monitor://C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking]
    whitelist=\.log$|\.LOG$
    time_before_close = 0
    sourcetype=MSExchange:2013:MessageTracking
    queue=parsingQueue
    index=msexchange
    disabled=false
This is a new installation. So, no, no Windows Security events onboarded in the past. Thank you.
I appreciate the help, but this is not what I'm looking to do. I want to create the new fields so they could be used for searching. I already have a field using the mvzip command. Thanks again.
@tsocyberoperati  Has this forwarder ever successfully onboarded Windows Security events into Splunk in the past?    
Hi, Could you help me retrieve message-tracking logs from our on-premises Exchange server? I added the following lines to inputs.conf, but the data still isn't being parsed. I guess something is missing or incorrect. I'm also unsure how to set up the Exchange add-on and haven't found clear documentation. Any guidance would be greatly appreciated.

    [monitor://C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking\]
    disabled = false
    sourcetype = exchange_messagetracking
    index = exchange
    host_segment = 4

    [monitor://C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking\*.log]
    disabled = false
    sourcetype = exchange_messagetracking
    index = exchange
Hello All, We have a Splunk Universal Forwarder 9.4.0 (then 9.4.3) installed on a Windows 2022 box to which we don't have direct access. We have deployed some apps and the forwarder manages to send us its splunkd.log and some other monitor inputs, but we are not able to get the WinEvents (Application/System/Security) using the specific stanzas. The host is more hardened than usual, but the Admins managed to configure what they believe are the EventLog permissions, to no avail. Something like this has never happened to us. We tried updating the agent version and configuring the installation both with LOCAL System permissions and Virtual Account permissions, but still no success. We don't see any relevant internal info regarding some problem with Permissions or EventLog access.

- Is there any event we should look for in the Windows logs or UFW logs to understand this problem?
- Is there anything we can activate in the UFW to get more info about this limitation?

Thank you
I have a field called key. key has multiple values that are also dynamic. I have another field called values, that is also multivalued and dynamic. The values in "values" line up with the values in "key". Example:

    key             values
    AdditionalInfo  user has removed device with id alpha_numeric_field" in area "alpha_numeric_field" for user "alpha_numeric_field".
    DeviceID        alpha_numeric_field
    DeviceType      mobile_device
    OS              Windows

Thanks in advance and I hope this makes sense. I want to create a new field using the values from the field "key" and have the values be the values from "values". The outcome would be:

    AdditionalInfo  user has removed device with id alpha_numeric_field" in area "alpha_numeric_field" for user "alpha_numeric_field".
    DeviceID        alpha_numeric_field
    DeviceType      mobile_device
    OS              Windows
Hello folks, thanks for all of the feedback!! When I tried the offered suggestion, I got results that included Started and Success, but I still didn't get results from Blocked.

    index=security action IN ("Blocked", "Started", "Success")

The Splunk for Unix and Linux add-on will not load. I get an error stating the system it is trying to load does not run on either of the OSes. It makes sense that I don't have the proper Add-on loaded, but I am unable to figure out which it is. I appreciate all of your help, folks. I am trying to learn this tool and am in training. This is not a job-related query. I do not want to waste your time. Thanks again!
Hello @EdgarF, The link you have shared ends up in a 404. I assume that's because Splunk might have intended to release it earlier, but it seems to have been pushed back. Currently, there's no option such as a custom button. However, you can work with icons as custom buttons and use drilldown links for interaction if it satisfies your use case. Thanks, Tejas.
I want to show the hyperlink in the error message instead of showing the actual link. How do I achieve it? I'm using the Splunk UCC framework in the configuration page.
Hey @moriteza, I've seen this happen generally when there's a large deployment and the DS is unable to handle the load. I've come across one of the apps that we have developed, which is quite fast and makes it easy to manage the deployment clients - https://splunkbase.splunk.com/app/7731. Please give it a try and let us know the feedback. Thanks, Tejas.

--- If the above solution helps, an upvote is appreciated..!!
Hello @Nawab, You might want to raise this as a new feature on ideas.splunk.com  Thanks, Tejas. 
Hey @AsmaF2025, Try using another name for the time token instead of global_time. And use the new name as a token to be passed to the other dashboard. I believe there's a conflict since both of the dashboards have global_time present as a token already. Let us know if it works or not and we can troubleshoot further. Thanks, Tejas.

--- If the above solution helps, an upvote is appreciated.
Hi, For a week now, the service "splunk-otel-collector" has not started.

    Jul 21 14:00:22 svx-jsp-121i systemd[1]: Started Splunk OpenTelemetry Collector.
    Jul 21 14:00:22 svx-jsp-121i otelcol[4083324]: 2025/07/21 14:00:22 settings.go:483: Set config to /etc/otel/collector/agent_config.yaml
    Jul 21 14:00:22 svx-jsp-121i otelcol[4083324]: 2025/07/21 14:00:22 settings.go:539: Set memory limit to 460 MiB
    Jul 21 14:00:22 svx-jsp-121i otelcol[4083324]: 2025/07/21 14:00:22 settings.go:524: Set soft memory limit set to 460 MiB
    Jul 21 14:00:22 svx-jsp-121i otelcol[4083324]: 2025/07/21 14:00:22 settings.go:373: Set garbage collection target percentage (GOGC) to 400
    Jul 21 14:00:22 svx-jsp-121i otelcol[4083324]: 2025/07/21 14:00:22 settings.go:414: set "SPLUNK_LISTEN_INTERFACE" to "127.0.0.1"
    Jul 21 14:00:22 svx-jsp-121i otelcol[4083324]: 2025-07-21T14:00:22.250+0200#011warn#011envprovider@v1.35.0/provider.go:61#011Configuration references unset environment variable#011{"name": "SPLUNK_GATEWAY_URL"}
    Jul 21 14:00:22 svx-jsp-121i otelcol[4083324]: Error: failed to get config: cannot unmarshal the configuration: decoding failed due to the following error(s):
    Jul 21 14:00:22 svx-jsp-121i otelcol[4083324]: 'service.telemetry.metrics' decoding failed due to the following error(s):
    Jul 21 14:00:22 svx-jsp-121i otelcol[4083324]: '' has invalid keys: address
    Jul 21 14:00:22 svx-jsp-121i otelcol[4083324]: 2025/07/21 14:00:22 main.go:92: application run finished with error: failed to get config: cannot unmarshal the configuration: decoding failed due to the following error(s):
    Jul 21 14:00:22 svx-jsp-121i otelcol[4083324]: 'service.telemetry.metrics' decoding failed due to the following error(s):
    Jul 21 14:00:22 svx-jsp-121i otelcol[4083324]: '' has invalid keys: address
    Jul 21 14:00:22 svx-jsp-121i systemd[1]: splunk-otel-collector.service: Main process exited, code=exited, status=1/FAILURE
    Jul 21 14:00:22 svx-jsp-121i systemd[1]: splunk-otel-collector.service: Failed with result 'exit-code'.
    Jul 21 14:00:22 svx-jsp-121i systemd[1]: splunk-otel-collector.service: Service RestartSec=100ms expired, scheduling restart.
    Jul 21 14:00:22 svx-jsp-121i systemd[1]: splunk-otel-collector.service: Scheduled restart job, restart counter is at 5.
    Jul 21 14:00:22 svx-jsp-121i systemd[1]: Stopped Splunk OpenTelemetry Collector.
    Jul 21 14:00:22 svx-jsp-121i systemd[1]: splunk-otel-collector.service: Start request repeated too quickly.
    Jul 21 14:00:22 svx-jsp-121i systemd[1]: splunk-otel-collector.service: Failed with result 'exit-code'.
    Jul 21 14:00:22 svx-jsp-121i systemd[1]: Failed to start Splunk OpenTelemetry Collector.

I need help. Regards, Olivier
Thank you for the answers, but I cannot make curl work on my Windows machine, so I created a PowerShell script instead, which works as it is supposed to. I'm also looking forward to the option to run a Test via just one API call, which would obviously make the Post Deployment Checks for our CI/CD pipeline easier. I also opened a ticket with support and am talking to them about that. Let's wait and see when Splunk can implement that in the Observability API. Thanks for the answers, Best regards
Hello All, I require guidance on passing the default Global time token from one Studio dashboard to another Studio dashboard. Both dashboards have the same default global time token, no changes made, and the token is used across the data sources of the respective panels. I use the custom URL below under drilldown to pass the token to the other dashboard:

    https://asdfghjkl:8000/en-US/app/app_name/dashboard_name?form.global_time.earliest=$global_time.earliest$&form.global_time.latest=$global_time.latest$

On the redirecting page, below is my input; on redirect it always loads the dashboard as per the default value declared on the redirecting dashboard.

    {
        "type": "input.timerange",
        "options": {
            "token": "global_time",
            "defaultValue": "0,"
        },
        "title": "Global Time Range"
    }

Kindly advise: the time range I select on the main dashboard should be the same one I'm passing to the sub-dashboard also.
https://help.splunk.com/en/splunk-enterprise/administer/manage-and-update-deployment-servers/staging-draft/configure-the-deployment-system/upgrade-pre-9.2-deployment-servers
This is the issue: when you connect Splunk with AD, Splunk will not store authentication logs locally, and you will not be able to find them in Settings or in the logs. I have a different SIEM where I can see everything locally, as the users are local, not through AD.