All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

All Posts

Hello @shai have you also tried using cron job? Yes we need to define modinput on the inputs.conf.spec to get that populated on UI. Can you also try with local/inputs.conf?  What version of splunk a... See more...
Hello @shai have you also tried using cron job? Yes we need to define modinput on the inputs.conf.spec to get that populated on UI. Can you also try with local/inputs.conf?  What version of splunk are  you running? I don't recall this must be an old known issue for windows. I recommend reaching out to support if your are stuck. If this Helps, Please Upvote.
Each Windows computer gathers security events pertaining to this particular computer. So domain controllers log in all activity that occurs on them - domain log ins, domain log outs and so on. Workst... See more...
Each Windows computer gathers security events pertaining to this particular computer. So domain controllers log in all activity that occurs on them - domain log ins, domain log outs and so on. Workstations log into their own Security Eventlog events which occur on them - like local log ins and log outs. So there is no way to get local events from those workstations by looking in the domain controllers' event logs. These are two separate things. You need to ingest Security eventlogs from those workstations. You can get them either by installing UF on each of them and ingest local eventlog from each of those workstations or by setting up a WEF collector and setting up a forwarding policy so that you gather logs centrally. And from this central collector you'd pull them with a UF. There are also additional ways but these are the only two reasonable ones.
Your line breaker will consume the matched data. You'd need to do a non-capturing group. But it's tricky since a line breaker here would need to match two different strings preceeded or followed by t... See more...
Your line breaker will consume the matched data. You'd need to do a non-capturing group. But it's tricky since a line breaker here would need to match two different strings preceeded or followed by two different things. It might be doable, but it's gonna be difficult and ugly. But there is another issue here of whic h@arunsoni should be aware of. If you even manage to break your events this way - one of your events will contain a timestamp, the other will not. One will be a valid (I assume) json, the other will be not. Your data will be inconsistent.
How about something like this to start with? index=_internal sourcetype=splunkd log_level=WARN host=sh* component=DispatchManager "QUEUED" | stats count by host  
Hi @arunsoni , You can try below props; [your_sourcetype] DATETIME_CONFIG=CURRENT SHOULD_LINEMERGE=false LINE_BREAKER=(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z\s\[\w+\]\s\w+\s)\{ TRUNCATE=20000 ... See more...
Hi @arunsoni , You can try below props; [your_sourcetype] DATETIME_CONFIG=CURRENT SHOULD_LINEMERGE=false LINE_BREAKER=(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z\s\[\w+\]\s\w+\s)\{ TRUNCATE=20000  
hello Dear i installed appdynamics platform recently and i want to instrument dotnet core application in docker, in all the other agent such as machine-agent i used secure credentials but for dotnet... See more...
hello Dear i installed appdynamics platform recently and i want to instrument dotnet core application in docker, in all the other agent such as machine-agent i used secure credentials but for dotnet core in containers i couldn't find any refrence for environment which i can set for in docker image, is ther any way i use secure credentials like java agent?
Hi @gcusello    What stanza should I insert in inputs .conf to monitor all the client accesses to the DC? and what do you mean by local events?
Hi @hazem , having the UF on the Domain Controller you can monitor all the accesses to the DC from the clients but not the local events from each server. To have local events, you have to install U... See more...
Hi @hazem , having the UF on the Domain Controller you can monitor all the accesses to the DC from the clients but not the local events from each server. To have local events, you have to install UF on each client. Ciao. Giuseppe
Hi @Nawab , it's normal: alert runs are distributed between the three Search Heads. Ciao. Giuseppe
Hi @hazem , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated
I want my customer to be able to set the "interval" and control how frequent the module runs. I started with this: default/inputs.conf   [app_name] interval = 43200   and it worked as a default... See more...
I want my customer to be able to set the "interval" and control how frequent the module runs. I started with this: default/inputs.conf   [app_name] interval = 43200   and it worked as a default fallback, but once I added it to inputs.conf.spec, things started to break [app_name://<name>] interval = <integer>   The value was ignored. I tried 30 for every 30 seconds and tracked logs. further more I had this log message in my server: Ignoring parameter "interval" for modular input "app_name" when scheduling the runtime for script="/opt/splunk/etc/apps/app_name/bin/script_name.py". This means potentially Splunk won't be restarting it in case it gets terminated.   What is the way to expose "interval" to end user? (Ideally in "more options" at the Add Input UI. )      
Hello, Below is my log file and I want to break as two log events in splunk using props.conf(regex)   2024-07-31T01:38:09.930Z [INFO] ContentGenerator {"recordType":"CGStats","statType":"global","... See more...
Hello, Below is my log file and I want to break as two log events in splunk using props.conf(regex)   2024-07-31T01:38:09.930Z [INFO] ContentGenerator {"recordType":"CGStats","statType":"global","workFlow":"","front":{"hlsMaster":{"requests":0,"responses":0,"responseMCHit":0,"responseAwaitingDecision":0,"msecSum":"0","msecBins":{"5000":0,"15000":0,"above":0,"50":0,"100":0,"500":0,"1000":0},"errors":0,"codes":{"404":0,"200":0},"codeCategory":{"6":0,"0":0}},"hlsVariant":{"requests":10,"responses":10,"responseMCHit":0,"responseAwaitingDecision":0,"msecSum":"1208","msecBins":{"50":8,"100":0,"500":2,"1000":0,"5000":0,"15000":0,"above":0},"errors":0,"codes":{"404":0,"504":0,"200":10},"codeCategory":{"19":0,"0":10,"5":0}},"dashMPD":{"requests":0,"responses":0,"responseMCHit":0,"responseAwaitingDecision":0,"msecSum":"0","msecBins":{"500":0,"1000":0,"5000":0,"15000":0,"above":0,"50":0,"100":0},"errors":0,"codes":{"200":0},"codeCategory":{}}},"back":{"origin":{"hlsMaster":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"500":0,"1000":0,"5000":0,"15000":0,"above":0,"50":0,"100":0},"errors":0,"codes":{"404":0,"200":0}},"hlsVariant":{"requests":12,"requestCacheCount":12,"responses":12,"response**bleep**":0,"responsesMiss":12,"responsesHeld":0,"msecSum":"201","msecBins":{"500":0,"1000":0,"5000":0,"15000":0,"above":0,"50":12,"100":0},"errors":0,"codes":{"504":0,"200":12,"404":0}},"dashMPD":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"500":0,"1000":0,"5000":0,"15000":0,"above":0,"50":0,"100":0},"errors":0,"codes":{"200":0}}},"advert":{"hlsMaster":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0},"errors":0,"codes":{"200":0,"404":0}},"hlsVariant":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0},"errors":0,"codes":{"200":0}},"dashMPD":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0},"errors":0,"codes":{"200":0}}},"altcon":{"hlsMaster":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0},"errors":0,"codes":{"200":0}},"hlsVariant":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0},"errors":0,"codes":{"200":0}},"dashMPD":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0},"errors":0,"codes":{"200":0}}}},"decision":{"hls":{"ads":{"markers":0,"opportunities":0,"opportunityDrops":{"8":0,"0":0,"3":0,"4":0,"5":0},"requests":0,"responses":0,"msecSum":"0","msecBins":{"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0},"admux":{"responses":0,"timeouts":0,"msecSum":"0","msecBins":{"500":0,"1000":0,"5000":0,"15000":0,"above":0,"50":0,"100":0}},"placedPerOp":{"0":0,"2":0,"3":0},"placements":0,"opAborts":0,"spliceDrops":0,"spliceFails":0,"spliceStarts":0,"spliceEnds":0,"spliceTrims":0,"spliceAborts":0,"preDecision":{"added":0,"request":0,"response":0,"consumed":0,"timeouts":0,"dropped":0}},"acds":{"markers":0,"opportunities":0,"opportunityDrops":{},"requests":0,"responses":0,"msecSum":"0","msecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0},"altconmux":{"responses":0,"timeouts":0,"msecSum":"0","msecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0}},"placedPerOp":{},"placements":0,"opAborts":0,"spliceDrops":0,"spliceFails":0,"spliceStarts":0,"spliceEnds":0,"spliceTrims":0,"spliceAborts":0}},"dash":{"ads":{"markers":0,"opportunities":0,"opportunityDrops":{},"requests":0,"responses":0,"msecSum":"0","msecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0},"admux":{"responses":0,"timeouts":0,"msecSum":"0","msecBins":{"5000":0,"15000":0,"above":0,"50":0,"100":0,"500":0,"1000":0}},"placedPerOp":{},"placements":0,"opAborts":0,"spliceDrops":0,"spliceFails":0,"spliceStarts":0,"spliceEnds":0,"spliceTrims":0,"spliceAborts":0,"preDecision":{"added":0,"request":0,"response":0,"consumed":0,"timeouts":0,"dropped":0}},"acds":{"markers":0,"opportunities":0,"opportunityDrops":{},"requests":0,"responses":0,"msecSum":"0","msecBins":{"5000":0,"15000":0,"above":0,"50":0,"100":0,"500":0,"1000":0},"altconmux":{"responses":0,"timeouts":0,"msecSum":"0","msecBins":{"500":0,"1000":0,"5000":0,"15000":0,"above":0,"50":0,"100":0}},"placedPerOp":{},"placements":0,"opAborts":0,"spliceDrops":0,"spliceFails":0,"spliceStarts":0,"spliceEnds":0,"spliceTrims":0,"spliceAborts":0}}},"session":{"hls":{"requests":0,"responses":0,"restoreRequests":0,"restoreResponses":0,"errors":0,"codes":{"0":0},"restoreErrors":0,"restoreCodes":{"1":0},"msecSum":"0","msecBins":{"5000":0,"15000":0,"above":0,"50":0,"100":0,"500":0,"1000":0},"restoreMsecSum":"0","restoreMsecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0},"reconfig":0,"reserveLimit":0},"dash":{"requests":0,"responses":0,"restoreRequests":0,"restoreResponses":0,"errors":0,"codes":{},"restoreErrors":0,"restoreCodes":{},"msecSum":"0","msecBins":{"500":0,"1000":0,"5000":0,"15000":0,"above":0,"50":0,"100":0},"restoreMsecSum":"0","restoreMsecBins":{"500":0,"1000":0,"5000":0,"15000":0,"above":0,"50":0,"100":0},"reconfig":0,"reserveLimit":0}},"timestamp":{"statsResetTime":1207442342,"nsTimestamp":2984280751}} 2024-07-31T01:38:09.931Z [INFO] ContentGenerator {"recordType":"CGHealth","ContentGenerator":{"KnownSessions":1,"WaitingForResponse":0,"PendingDeleteSessions":0,"UnderRecovery":0,"jobQueue":0,"JobsEnqueued":5221688,"JobsDequeued":5221688,"AllocatedSessions":1,"CGStatsSessions":1,"HPIReqs":8,"ManifestCacheObjs":83,"SavedState":29159,"HlsCount":1,"DashCount":0,"HpiReq":346395,"HpiCancel":0,"GitRef":"41d2f857114d10689016ff5074144a580b1ba544","Status":200},"DecisionQueue":{"adReqQueue":{"queuedJobs":658,"dequeuedJobs":658,"lowExceeded":0,"highExceeded":0,"maxQueueDepth":1,"deadline":0,"lowCount":0,"highCount":0,"outstanding":0,"lowWater":250,"highWater":500},"boReqQueue":{"queuedJobs":0,"dequeuedJobs":0,"lowExceeded":0,"highExceeded":0,"maxQueueDepth":0,"deadline":0,"lowCount":0,"highCount":0,"outstanding":0,"lowWater":250,"highWater":500}},"MQMessages":{"Messages":{"1511":2,"1508":22,"1514":352,"704":359,"706":6,"1044":658,"709":372,"9":4693470}}} 2024-07-31T01:39:09.058Z [INFO] ContentGenerator {"recordType":"CGStats","statType":"global","workFlow":"","front":{"hlsMaster":{"requests":0,"responses":0,"responseMCHit":0,"responseAwaitingDecision":0,"msecSum":"0","msecBins":{"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0},"errors":0,"codes":{"200":0,"404":0},"codeCategory":{"0":0,"6":0}},"hlsVariant":{"requests":10,"responses":10,"responseMCHit":0,"responseAwaitingDecision":0,"msecSum":"1305","msecBins":{"500":0,"1000":2,"5000":0,"15000":0,"above":0,"50":8,"100":0},"errors":0,"codes":{"504":0,"200":10,"404":0},"codeCategory":{"5":0,"19":0,"0":10}},"dashMPD":{"requests":0,"responses":0,"responseMCHit":0,"responseAwaitingDecision":0,"msecSum":"0","msecBins":{"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0},"errors":0,"codes":{"200":0},"codeCategory":{}}},"back":{"origin":{"hlsMaster":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0},"errors":0,"codes":{"404":0,"200":0}},"hlsVariant":{"requests":12,"requestCacheCount":12,"responses":12,"response**bleep**":0,"responsesMiss":12,"responsesHeld":0,"msecSum":"287","msecBins":{"50":12,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0},"errors":0,"codes":{"504":0,"200":12,"404":0}},"dashMPD":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0},"errors":0,"codes":{"200":0}}},"advert":{"hlsMaster":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0},"errors":0,"codes":{"404":0,"200":0}},"hlsVariant":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"5000":0,"15000":0,"above":0,"50":0,"100":0,"500":0,"1000":0},"errors":0,"codes":{"200":0}},"dashMPD":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0},"errors":0,"codes":{"200":0}}},"altcon":{"hlsMaster":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0},"errors":0,"codes":{"200":0}},"hlsVariant":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0},"errors":0,"codes":{"200":0}},"dashMPD":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"500":0,"1000":0,"5000":0,"15000":0,"above":0,"50":0,"100":0},"errors":0,"codes":{"200":0}}}},"decision":{"hls":{"ads":{"markers":0,"opportunities":0,"opportunityDrops":{"8":0,"0":0,"3":0,"4":0,"5":0},"requests":0,"responses":0,"msecSum":"0","msecBins":{"500":0,"1000":0,"5000":0,"15000":0,"above":0,"50":0,"100":0},"admux":{"responses":0,"timeouts":0,"msecSum":"0","msecBins":{"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0}},"placedPerOp":{"0":0,"2":0,"3":0},"placements":0,"opAborts":0,"spliceDrops":0,"spliceFails":0,"spliceStarts":0,"spliceEnds":0,"spliceTrims":0,"spliceAborts":0,"preDecision":{"added":0,"request":0,"response":0,"consumed":0,"timeouts":0,"dropped":0}},"acds":{"markers":0,"opportunities":0,"opportunityDrops":{},"requests":0,"responses":0,"msecSum":"0","msecBins":{"500":0,"1000":0,"5000":0,"15000":0,"above":0,"50":0,"100":0},"altconmux":{"responses":0,"timeouts":0,"msecSum":"0","msecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0}},"placedPerOp":{},"placements":0,"opAborts":0,"spliceDrops":0,"spliceFails":0,"spliceStarts":0,"spliceEnds":0,"spliceTrims":0,"spliceAborts":0}},"dash":{"ads":{"markers":0,"opportunities":0,"opportunityDrops":{},"requests":0,"responses":0,"msecSum":"0","msecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0},"admux":{"responses":0,"timeouts":0,"msecSum":"0","msecBins":{"15000":0,"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0}},"placedPerOp":{},"placements":0,"opAborts":0,"spliceDrops":0,"spliceFails":0,"spliceStarts":0,"spliceEnds":0,"spliceTrims":0,"spliceAborts":0,"preDecision":{"added":0,"request":0,"response":0,"consumed":0,"timeouts":0,"dropped":0}},"acds":{"markers":0,"opportunities":0,"opportunityDrops":{},"requests":0,"responses":0,"msecSum":"0","msecBins":{"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0},"altconmux":{"responses":0,"timeouts":0,"msecSum":"0","msecBins":{"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0}},"placedPerOp":{},"placements":0,"opAborts":0,"spliceDrops":0,"spliceFails":0,"spliceStarts":0,"spliceEnds":0,"spliceTrims":0,"spliceAborts":0}}},"session":{"hls":{"requests":0,"responses":0,"restoreRequests":0,"restoreResponses":0,"errors":0,"codes":{"0":0},"restoreErrors":0,"restoreCodes":{"1":0},"msecSum":"0","msecBins":{"15000":0,"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0},"restoreMsecSum":"0","restoreMsecBins":{"5000":0,"15000":0,"above":0,"50":0,"100":0,"500":0,"1000":0},"reconfig":0,"reserveLimit":0},"dash":{"requests":0,"responses":0,"restoreRequests":0,"restoreResponses":0,"errors":0,"codes":{},"restoreErrors":0,"restoreCodes":{},"msecSum":"0","msecBins":{"500":0,"1000":0,"5000":0,"15000":0,"above":0,"50":0,"100":0},"restoreMsecSum":"0","restoreMsecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0},"reconfig":0,"reserveLimit":0}},"timestamp":{"statsResetTime":1207442342,"nsTimestamp":1982904320}}2024-07-31T01:38:09.930Z [INFO] ContentGenerator {"recordType":"CGStats","statType":"global","workFlow":"","front":{"hlsMaster":{"requests":0,"responses":0,"responseMCHit":0,"responseAwaitingDecision":0,"msecSum":"0","msecBins":{"5000":0,"15000":0,"above":0,"50":0,"100":0,"500":0,"1000":0},"errors":0,"codes":{"404":0,"200":0},"codeCategory":{"6":0,"0":0}},"hlsVariant":{"requests":10,"responses":10,"responseMCHit":0,"responseAwaitingDecision":0,"msecSum":"1208","msecBins":{"50":8,"100":0,"500":2,"1000":0,"5000":0,"15000":0,"above":0},"errors":0,"codes":{"404":0,"504":0,"200":10},"codeCategory":{"19":0,"0":10,"5":0}},"dashMPD":{"requests":0,"responses":0,"responseMCHit":0,"responseAwaitingDecision":0,"msecSum":"0","msecBins":{"500":0,"1000":0,"5000":0,"15000":0,"above":0,"50":0,"100":0},"errors":0,"codes":{"200":0},"codeCategory":{}}},"back":{"origin":{"hlsMaster":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"500":0,"1000":0,"5000":0,"15000":0,"above":0,"50":0,"100":0},"errors":0,"codes":{"404":0,"200":0}},"hlsVariant":{"requests":12,"requestCacheCount":12,"responses":12,"response**bleep**":0,"responsesMiss":12,"responsesHeld":0,"msecSum":"201","msecBins":{"500":0,"1000":0,"5000":0,"15000":0,"above":0,"50":12,"100":0},"errors":0,"codes":{"504":0,"200":12,"404":0}},"dashMPD":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"500":0,"1000":0,"5000":0,"15000":0,"above":0,"50":0,"100":0},"errors":0,"codes":{"200":0}}},"advert":{"hlsMaster":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0},"errors":0,"codes":{"200":0,"404":0}},"hlsVariant":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0},"errors":0,"codes":{"200":0}},"dashMPD":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0},"errors":0,"codes":{"200":0}}},"altcon":{"hlsMaster":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0},"errors":0,"codes":{"200":0}},"hlsVariant":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0},"errors":0,"codes":{"200":0}},"dashMPD":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0},"errors":0,"codes":{"200":0}}}},"decision":{"hls":{"ads":{"markers":0,"opportunities":0,"opportunityDrops":{"8":0,"0":0,"3":0,"4":0,"5":0},"requests":0,"responses":0,"msecSum":"0","msecBins":{"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0},"admux":{"responses":0,"timeouts":0,"msecSum":"0","msecBins":{"500":0,"1000":0,"5000":0,"15000":0,"above":0,"50":0,"100":0}},"placedPerOp":{"0":0,"2":0,"3":0},"placements":0,"opAborts":0,"spliceDrops":0,"spliceFails":0,"spliceStarts":0,"spliceEnds":0,"spliceTrims":0,"spliceAborts":0,"preDecision":{"added":0,"request":0,"response":0,"consumed":0,"timeouts":0,"dropped":0}},"acds":{"markers":0,"opportunities":0,"opportunityDrops":{},"requests":0,"responses":0,"msecSum":"0","msecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0},"altconmux":{"responses":0,"timeouts":0,"msecSum":"0","msecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0}},"placedPerOp":{},"placements":0,"opAborts":0,"spliceDrops":0,"spliceFails":0,"spliceStarts":0,"spliceEnds":0,"spliceTrims":0,"spliceAborts":0}},"dash":{"ads":{"markers":0,"opportunities":0,"opportunityDrops":{},"requests":0,"responses":0,"msecSum":"0","msecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0},"admux":{"responses":0,"timeouts":0,"msecSum":"0","msecBins":{"5000":0,"15000":0,"above":0,"50":0,"100":0,"500":0,"1000":0}},"placedPerOp":{},"placements":0,"opAborts":0,"spliceDrops":0,"spliceFails":0,"spliceStarts":0,"spliceEnds":0,"spliceTrims":0,"spliceAborts":0,"preDecision":{"added":0,"request":0,"response":0,"consumed":0,"timeouts":0,"dropped":0}},"acds":{"markers":0,"opportunities":0,"opportunityDrops":{},"requests":0,"responses":0,"msecSum":"0","msecBins":{"5000":0,"15000":0,"above":0,"50":0,"100":0,"500":0,"1000":0},"altconmux":{"responses":0,"timeouts":0,"msecSum":"0","msecBins":{"500":0,"1000":0,"5000":0,"15000":0,"above":0,"50":0,"100":0}},"placedPerOp":{},"placements":0,"opAborts":0,"spliceDrops":0,"spliceFails":0,"spliceStarts":0,"spliceEnds":0,"spliceTrims":0,"spliceAborts":0}}},"session":{"hls":{"requests":0,"responses":0,"restoreRequests":0,"restoreResponses":0,"errors":0,"codes":{"0":0},"restoreErrors":0,"restoreCodes":{"1":0},"msecSum":"0","msecBins":{"5000":0,"15000":0,"above":0,"50":0,"100":0,"500":0,"1000":0},"restoreMsecSum":"0","restoreMsecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0},"reconfig":0,"reserveLimit":0},"dash":{"requests":0,"responses":0,"restoreRequests":0,"restoreResponses":0,"errors":0,"codes":{},"restoreErrors":0,"restoreCodes":{},"msecSum":"0","msecBins":{"500":0,"1000":0,"5000":0,"15000":0,"above":0,"50":0,"100":0},"restoreMsecSum":"0","restoreMsecBins":{"500":0,"1000":0,"5000":0,"15000":0,"above":0,"50":0,"100":0},"reconfig":0,"reserveLimit":0}},"timestamp":{"statsResetTime":1207442342,"nsTimestamp":2984280751}} 2024-07-31T01:38:09.931Z [INFO] ContentGenerator {"recordType":"CGHealth","ContentGenerator":{"KnownSessions":1,"WaitingForResponse":0,"PendingDeleteSessions":0,"UnderRecovery":0,"jobQueue":0,"JobsEnqueued":5221688,"JobsDequeued":5221688,"AllocatedSessions":1,"CGStatsSessions":1,"HPIReqs":8,"ManifestCacheObjs":83,"SavedState":29159,"HlsCount":1,"DashCount":0,"HpiReq":346395,"HpiCancel":0,"GitRef":"41d2f857114d10689016ff5074144a580b1ba544","Status":200},"DecisionQueue":{"adReqQueue":{"queuedJobs":658,"dequeuedJobs":658,"lowExceeded":0,"highExceeded":0,"maxQueueDepth":1,"deadline":0,"lowCount":0,"highCount":0,"outstanding":0,"lowWater":250,"highWater":500},"boReqQueue":{"queuedJobs":0,"dequeuedJobs":0,"lowExceeded":0,"highExceeded":0,"maxQueueDepth":0,"deadline":0,"lowCount":0,"highCount":0,"outstanding":0,"lowWater":250,"highWater":500}},"MQMessages":{"Messages":{"1511":2,"1508":22,"1514":352,"704":359,"706":6,"1044":658,"709":372,"9":4693470}}} 2024-07-31T01:39:09.058Z [INFO] ContentGenerator {"recordType":"CGStats","statType":"global","workFlow":"","front":{"hlsMaster":{"requests":0,"responses":0,"responseMCHit":0,"responseAwaitingDecision":0,"msecSum":"0","msecBins":{"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0},"errors":0,"codes":{"200":0,"404":0},"codeCategory":{"0":0,"6":0}},"hlsVariant":{"requests":10,"responses":10,"responseMCHit":0,"responseAwaitingDecision":0,"msecSum":"1305","msecBins":{"500":0,"1000":2,"5000":0,"15000":0,"above":0,"50":8,"100":0},"errors":0,"codes":{"504":0,"200":10,"404":0},"codeCategory":{"5":0,"19":0,"0":10}},"dashMPD":{"requests":0,"responses":0,"responseMCHit":0,"responseAwaitingDecision":0,"msecSum":"0","msecBins":{"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0},"errors":0,"codes":{"200":0},"codeCategory":{}}},"back":{"origin":{"hlsMaster":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0},"errors":0,"codes":{"404":0,"200":0}},"hlsVariant":{"requests":12,"requestCacheCount":12,"responses":12,"response**bleep**":0,"responsesMiss":12,"responsesHeld":0,"msecSum":"287","msecBins":{"50":12,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0},"errors":0,"codes":{"504":0,"200":12,"404":0}},"dashMPD":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0},"errors":0,"codes":{"200":0}}},"advert":{"hlsMaster":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0},"errors":0,"codes":{"404":0,"200":0}},"hlsVariant":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"5000":0,"15000":0,"above":0,"50":0,"100":0,"500":0,"1000":0},"errors":0,"codes":{"200":0}},"dashMPD":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0},"errors":0,"codes":{"200":0}}},"altcon":{"hlsMaster":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0},"errors":0,"codes":{"200":0}},"hlsVariant":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0},"errors":0,"codes":{"200":0}},"dashMPD":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"500":0,"1000":0,"5000":0,"15000":0,"above":0,"50":0,"100":0},"errors":0,"codes":{"200":0}}}},"decision":{"hls":{"ads":{"markers":0,"opportunities":0,"opportunityDrops":{"8":0,"0":0,"3":0,"4":0,"5":0},"requests":0,"responses":0,"msecSum":"0","msecBins":{"500":0,"1000":0,"5000":0,"15000":0,"above":0,"50":0,"100":0},"admux":{"responses":0,"timeouts":0,"msecSum":"0","msecBins":{"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0}},"placedPerOp":{"0":0,"2":0,"3":0},"placements":0,"opAborts":0,"spliceDrops":0,"spliceFails":0,"spliceStarts":0,"spliceEnds":0,"spliceTrims":0,"spliceAborts":0,"preDecision":{"added":0,"request":0,"response":0,"consumed":0,"timeouts":0,"dropped":0}},"acds":{"markers":0,"opportunities":0,"opportunityDrops":{},"requests":0,"responses":0,"msecSum":"0","msecBins":{"500":0,"1000":0,"5000":0,"15000":0,"above":0,"50":0,"100":0},"altconmux":{"responses":0,"timeouts":0,"msecSum":"0","msecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0}},"placedPerOp":{},"placements":0,"opAborts":0,"spliceDrops":0,"spliceFails":0,"spliceStarts":0,"spliceEnds":0,"spliceTrims":0,"spliceAborts":0}},"dash":{"ads":{"markers":0,"opportunities":0,"opportunityDrops":{},"requests":0,"responses":0,"msecSum":"0","msecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0},"admux":{"responses":0,"timeouts":0,"msecSum":"0","msecBins":{"15000":0,"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0}},"placedPerOp":{},"placements":0,"opAborts":0,"spliceDrops":0,"spliceFails":0,"spliceStarts":0,"spliceEnds":0,"spliceTrims":0,"spliceAborts":0,"preDecision":{"added":0,"request":0,"response":0,"consumed":0,"timeouts":0,"dropped":0}},"acds":{"markers":0,"opportunities":0,"opportunityDrops":{},"requests":0,"responses":0,"msecSum":"0","msecBins":{"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0},"altconmux":{"responses":0,"timeouts":0,"msecSum":"0","msecBins":{"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0}},"placedPerOp":{},"placements":0,"opAborts":0,"spliceDrops":0,"spliceFails":0,"spliceStarts":0,"spliceEnds":0,"spliceTrims":0,"spliceAborts":0}}},"session":{"hls":{"requests":0,"responses":0,"restoreRequests":0,"restoreResponses":0,"errors":0,"codes":{"0":0},"restoreErrors":0,"restoreCodes":{"1":0},"msecSum":"0","msecBins":{"15000":0,"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0},"restoreMsecSum":"0","restoreMsecBins":{"5000":0,"15000":0,"above":0,"50":0,"100":0,"500":0,"1000":0},"reconfig":0,"reserveLimit":0},"dash":{"requests":0,"responses":0,"restoreRequests":0,"restoreResponses":0,"errors":0,"codes":{},"restoreErrors":0,"restoreCodes":{},"msecSum":"0","msecBins":{"500":0,"1000":0,"5000":0,"15000":0,"above":0,"50":0,"100":0},"restoreMsecSum":"0","restoreMsecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0},"reconfig":0,"reserveLimit":0}},"timestamp":{"statsResetTime":1207442342,"nsTimestamp":1982904320}}     Expectation: Event1 : 2024-07-31T01:38:09.930Z [INFO] ContentGenerator Event 2 : complete json   
We have 500 domain workstations, and we have installed Splunk Universal Forwarders (UF) on the Active Directory server. The question is, how can we monitor the security logs of those workstations fro... See more...
We have 500 domain workstations, and we have installed Splunk Universal Forwarders (UF) on the Active Directory server. The question is, how can we monitor the security logs of those workstations from the Universal Forwarder installed on the Active Directory server?
| eval request_time=if(isnotnull(transactionID) AND isnotnull(customerID), time, null()) | eval response_time=if(isnotnull(transactionID) AND isnull(customerID), time, null()) | eventstats values(req... See more...
| eval request_time=if(isnotnull(transactionID) AND isnotnull(customerID), time, null()) | eval response_time=if(isnotnull(transactionID) AND isnull(customerID), time, null()) | eventstats values(request_time) as request_time values(response_time) as response_time values(customerID) as customerID by transactionID | eventstats values(type) as type by customerID | stats values(request_time) as request_time values(response_time) as response_time values(status) as status values(type) as type by customerID transactionID
You could try something like this | eval _raw=body | multikv forceheader=1 Although you may need to rename the fields afterwards
index="index0" ``` Assuming you are actually searching _raw and that date has already been extracted ``` | rex "(?<vmbus>vmbus)" | eventstats values(vmbus) as vmbus by date | where vmbus="vmbus" | s... See more...
index="index0" ``` Assuming you are actually searching _raw and that date has already been extracted ``` | rex "(?<vmbus>vmbus)" | eventstats values(vmbus) as vmbus by date | where vmbus="vmbus" | search "dot" | rex field=msg "VF\s+dot\s+(?<dot_number>\d+)" | dedup msg | sort _time,host | stats range(_time) as n1 by host,dum_number" If this doesn't work for you, please share some actual (anonymised) events so we can see what you are actually dealing with rather than a confusing set of pseudo events.
So now the issue is, Some alarms triggered in 1 sh and others trigger in 2nd sh
@PickleRick , @jawahir007  Thank you for your responses; my issue has been resolved.  
I managed to solve this by commenting in web.conf following parameter: mgmtHostPort = xxx.xxx.xxx.xxx:8089
Hi All,   I have a requirement where I need to filter the virtual machine outage occurrence from the kernel logs.   I have sent kernel logs to splunk based on some pattern. Now I have a issue... See more...
Hi All,   I have a requirement where I need to filter the virtual machine outage occurrence from the kernel logs.   I have sent kernel logs to splunk based on some pattern. Now I have a issue for filtering those values in splunk. Here the requirement is, I need to filter the data only if one "string" has appeared in logs on same day.   example: I have following logs in splunk date1: hv_vmbus: registering driver hv_netvsc date1:hv_netvsc 000d3 eth0: VF dot 1 added date1:hv_netvsc 000d3 eth0: VF dot 2 added date1:hv_netvsc 000d3 eth0: VF dot 2 removed date1:hv_netvsc 000d3 eth0: VF dot 1 removed date2:hv_netvsc 000d3 eth0: VF dot 1 added date2:hv_netvsc 000d3 eth0: VF dot 2 added date2:hv_netvsc 000d3 eth0: VF dot 2 removed date2:hv_netvsc 000d3 eth0: VF dot 1 removed   I need to fetch  the data for "dot" only if "hv_vmbus" pattern occured on same date. here I need only data in date1   I tried following query but it isn't working for me. "index="index0" | search "dot" | rex field=msg "VF\s+dot\s+(?<dot_number>\d+)" | dedup msg | sort _time,host | stats range(_time) as n1 by host,dum_number"   Requesting help for achieving this requirement.   Thanks, Veeresh Shenoy