Hello, I used the below to convert seconds into D+HH:MM:SS format, which is now in string format. However, I want to create charts based on the duration taken to publish the turnaround times.

eval strSecs=tostring(secs,"duration")

How can I use these strings to create a chart, or is there any way to convert seconds to HH:MM:SS format which is quantifiable and not a string?

Thanks, Deovrat
Hi All, Can someone please assist me in extracting the different Recipients out of this nested JSON? This is from O365 logs. I have followed https://community.splunk.com/t5/Getting-Data-In/Extract-nested-json/m-p/496227#M84641 but am unable to get it to work against my data.

Raw events:

OperationProperties: [ [-] { [+] } { [-] Name: RuleId Value: 3623734839020093442 } { [-] Name: RuleName Value: ForwardingRule01 } { [+] } { [-] Name: RuleActions Value: [{"ActionType":"Forward","Recipients":["WADRIANL@domain.com","WENDYLIM@domain.com", Forward Flags":"None"}] } ]

Note, Splunk is able to extract the field OperationProperties{}.Value as shown below, but how do I further extract the list of Recipients within it? I am trying the below searches but no luck:

| spath output=Recipients path=OperationProperties{}.Value.Recipients
OR
| spath output=Recipients path=OperationProperties{}.Value{}.Recipients{}

I am positive I am making a mistake in the path variable above. Thanks in advance
Hi all, I'm very new to Splunk, so apologies if the question is common knowledge. I've found a lot of different posts describing the issue, but basically none which actually offers a (for me) viable solution. So I hope you can help me out. Basically we have a webhook set up which can POST data upon different events in our software. This setup is serving a lot of different customers for various needs, not just one customer's Splunk setup. I've set up an HTTP Event Collector endpoint in my Splunk Cloud to receive the data, and created a webhook to send data to my Splunk HEC endpoint. However, I can't send any data to the endpoint without disabling SSL validation, because Splunk uses self-signed certificates. I've seen a lot of different posts on how you just need to disable SSL validation, but that's not a great option in a production environment with a lot of different customers. So my question is:

- How would I set up Splunk so that we can send HTTPS requests to our different customers' Splunk endpoints without disabling SSL validation? As we serve a lot of different customers, we can't have a per-customer certificate setup. We basically just need to be able to call the public HTTPS endpoint in Splunk, preferably with SSL validation intact.

I really hope someone can help me shed some light on this. The only answer I seem to be able to find is either to install certificates (not an option in a SaaS solution) or to disable SSL validation, which I'm very hesitant to do. Thanks a lot guys
Hi, Can someone please help me with a query to find long DNS sessions?
Hello folks, Our Nessus scanner detects that Splunk servers are using the default certificate on port 8089. Basically it tells us the SSL certificate for this service is for a different host. I have tried to update the server.conf file with the proper SSL certificate, but it is still the same. Has anyone come across this, and is there a workaround available for this issue?
Hi all, I am new at Splunk and trying to evaluate this query. I have some accounts, dates (week starting) and the number of browsers used by the account for that date. I have grouped the dates and number_of_browsers. There is 1 account but multiple dates and multiple or single values for browser_types.

My query:

index="a" sourcetype="ab" | rename "Week Starting" AS Date | stats sum(browser_types) AS New_BrowserTypes by AccountID TotalUsers Date | eval New_BrowserTypes=round(New_BrowserTypes/TotalUsers,2) | stats MAX(New_BrowserTypes) as logins by AccountID Date | stats values(Date) values(logins) by AccountID

which gives an output something like this:

AccountID  values(date)  values(logins)
502        2020-07-20    20.00
102        2020-07-20    15.00
           2020-08-25    18.00
304        2020-07-20    24.00
           2020-08-25    18.00
           2021-07-20    25.00
           2021-08-25    15.00

For the final result, I want to use AccountIDs where values(logins) are >1. So I want to use only those accounts where logins are 2 or more. How do I achieve this? Thank you in advance. Please note this is only an example; my actual AccountIDs are more than 500.
We are spending a tremendous amount of time tuning our search structures lately. One thing we have run across in our Enterprise Security environment is an unwanted key=value in litsearch when reviewing the job board.

SPL:
index=any-index-value sourcetype=any-sourcetype-value

litsearch:
(index=any-index-value (sourcetype=any-sourcetype-value OR sourcetype=never-mentioned-value))

This 'never-mentioned-value' is always the same regardless of the index or sourcetype we place in the SPL.

Things I have checked for:
- props-lookups: No 'sourcetype as x' on the input side OR 'x as sourcetype' on the output side
- props-EVAL-sourcetype = case(x,never-mentioned-value): this exists in our prod, but the same config in a lower environment did not trigger the same action (will be removing this shortly after the next push because I just don't like it)
- TRANSFORMS: cannot find any items of interest here

I have tried the following alternative searches:

index=any-index-value
OR
index=any-index-value sourcetype::any-sourcetype-value

In both of the above SPL the 'extra' sourcetype key=value does not appear in the litsearch. I do understand the differences in indexed fields and how the searches above are not triggering the additional key=value.

What I need help/direction/input on is how to track down the errant conf edit that is resulting in additional litsearch values when the SPL contains 'sourcetype='.
Hi, Imagine the role 'A' has access to index=foobar, but roles 'B' and 'C' do not. Imagine Splunk Enterprise Security creates a notable event / alert based on data in index=foobar. Is it possible to ensure only members of 'A' can see the alert, and 'B' and 'C' cannot? How? More broadly, is this possible outside of Enterprise Security too? How? Appreciate any help!
Hey guys, good night, how are you? I have a big problem. I created an app with the integration of a checkbox with ModalView. I need to send the data shown in the modal to a lookup, but the popup.js file is unable to see the selected_values_array variable from the checkbox.js file. Have you ever been through this? Can you help me? Thanks

checkbox.js:

    require([
        'underscore',
        'jquery',
        'backbone',
        '../app/meuapp/popup',
        'splunkjs/mvc',
        'splunkjs/mvc/tableview',
        'splunkjs/mvc/searchmanager',
        'splunkjs/mvc/simplexml/ready!'
    ], function (_, $, Backbone, ModalView, mvc, TableView, SearchManager) {
        // Access the "default" token model
        var tokens = mvc.Components.get("default");
        var selected_values_array = [];
        var submittedTokens = mvc.Components.get('submitted');
        var CustomRangeRenderer = TableView.BaseCellRenderer.extend({
            canRender: function (cell) {
                return _(['teste']).contains(cell.field);
            },
            render: function ($td, cell) {
                var a = $('<div>').attr({ "id": "chk-URL" + cell.value, "value": cell.value }).addClass('checkbox').click(function () {
                    // console.log("checked",$(this).attr('class'));
                    // console.log("checked",$(this).attr('value'));
                    if ($(this).attr('class') === "checkbox") {
                        selected_values_array.push($(this).attr('value'));
                        $(this).removeClass();
                        $(this).addClass("checkbox checked");
                    } else {
                        $(this).removeClass();
                        $(this).addClass("checkbox");
                        var i = selected_values_array.indexOf($(this).attr('value'));
                        if (i != -1) {
                            selected_values_array.splice(i, 1);
                        }
                        // Change the value of a token $mytoken$
                    }
                    console.log(selected_values_array);
                }).appendTo($td);
                console.log(selected_values_array);
            }
        });
        var detailSearch = new SearchManager({
            id: "detailSearch",
            earliest_time: "$time$",
            latest_time: "$time$",
            preview: true,
            cache: false,
            search: "| makeresults | eval myvalue=\"$mytoken$\" | makemv delim=\",\" myvalue | stats count by myvalue | table myvalue"
        }, { tokens: true, tokenNamespace: "submitted" });
        //List of table IDs
        var tableIDs = ["myTable"];
        for (i = 0; i < tableIDs.length; i++) {
            var sh = mvc.Components.get(tableIDs[i]);
            if (typeof (sh) != "undefined") {
                sh.getVisualization(function (tableView) {
                    // Add custom cell renderer and force re-render
                    tableView.table.addCellRenderer(new CustomRangeRenderer());
                    tableView.table.render();
                });
            }
        };
        $(document).ready(function () {
            $("#mybutton").on("click", function (e) {
                e.preventDefault();
                tokens.set("mytoken", selected_values_array.join());
                submittedTokens.set(tokens.toJSON());
                var modal = new ModalView({ title: "ModalView Window", search: detailSearch });
                modal.show();
                console.log(tokens);
                console.log(selected_values_array + " selected_values_array");
                console.log(modal + " modal");
                //console.log(render);
            });
        });
    });

popup.js:

    define([
        'underscore',
        'backbone',
        'jquery',
        'splunkjs/mvc',
        'splunkjs/mvc/searchmanager',
        'splunkjs/mvc/simplexml/element/table',
    ], function(_, Backbone, $, mvc, SearchManager, TableElement) {
        var modalTemplate = "<div id=\"pivotModal\" class=\"modal\">" +
            "<div class=\"modal-header\"><h3><%- title %></h3><button class=\"close\">Close</button></div>" +
            "<div class=\"modal-body\"></div>" +
            "<div class=\"modal-footer\"><button type=\"button\" id=\"teste\" class=\"confirm\">Confirmar</button></div>" +
            "</div>" +
            "<div class=\"modal-backdrop\"></div>";
        var ModalView = Backbone.View.extend({
            defaults: { title: 'Not set' },
            initialize: function(options) {
                this.options = options;
                this.options = _.extend({}, this.defaults, this.options);
                this.childViews = [];
                console.log('Hello from the modal window: ', this.options.title);
                this.template = _.template(modalTemplate);
            },
            events: {
                'click .close': 'close',
                'click .modal-backdrop': 'close',
                'click .confirm': 'confirm',
            },
            render: function() {
                var data = { title : this.options.title };
                this.$el.html(this.template(data));
                return this;
            },
            show: function() {
                $(document.body).append(this.render().el);
                $(this.el).find('.modal-body').append('<div id="modalVizualization"/>');
                $(this.el).find('.modal').css({ width:'90%', height:'auto', left: '5%', 'margin-left': '0', 'max-height':'100%' });
                var search = mvc.Components.get(this.options.search.id);
                var detailTable = new TableElement({
                    id: "detailTable",
                    managerid: search.name,
                    pageSize: "5",
                    el: $('#modalVizualization')
                }).render();
                this.childViews.push(detailTable);
                search.startSearch();
            },
            close: function() {
                this.unbind();
                this.remove();
                _.each(this.childViews, function(childView) {
                    childView.unbind();
                    childView.remove();
                });
            },
            confirm: function(selected_values_array) {
                tokens.set("mytoken", selected_values_array.join());
                submittedTokens.set(tokens.toJSON());
                new SearchManager({
                    id: "envSearch",
                    earliest_time: "$time$",
                    latest_time: "$time$",
                    preview: true,
                    cache: false,
                    search: "| makeresults | eval myvalue=\"$mytoken$\" | makemv delim=\",\" myvalue | rename myvalue as URL | stats count by URL | table URL | outputlookup append=t dev-tk"
                });
            }
        });
        return ModalView;
    });

checkbox.css:

    /* The standalone checkbox square*/
    .checkbox {
        width:20px;
        height:20px;
        border: 1px solid #000;
        display: inline-block;
    }
    /* This is what simulates a checkmark icon */
    .checkbox.checked:after {
        content: '';
        display: block;
        width: 4px;
        height: 7px;
        /* "Center" the checkmark */
        position:relative;
        top:4px;
        left:7px;
        border: solid #000;
        border-width: 0 2px 2px 0;
        transform: rotate(45deg);
    }

dash.xml:

    <dashboard script="checkbox.js" stylesheet="checkbox.css">
      <label>Teste </label>
      <row>
        <panel>
          <table id="myTable">
            <title>My Table</title>
            <search>
              <query>index=_internal | stats count by sourcetype | eval teste=sourcetype</query>
              <earliest>-15m</earliest>
              <latest>now</latest>
            </search>
            <option name="count">10</option>
            <option name="drilldown">row</option>
            <option name="refresh.display">progressbar</option>
            <drilldown>
              <condition field="*"></condition>
            </drilldown>
          </table>
        </panel>
      </row>
      <row>
        <panel>
          <html>
            <div>
              <input type="button" id="mybutton" value="My Button"/>
            </div>
          </html>
        </panel>
      </row>
    </dashboard>
Hi, There are many apps and correlation searches in each app in Enterprise Security. I understand that I can enable/disable a correlation search using the ES Web Interface, but I want to manage enabling/disabling correlation searches using the CLI. I mean, I just want to change many rules in many apps to "disabled = 0" or "disabled = 1" in savedsearch.conf using the CLI (like a shell). I already tried the below test after editing savedsearch.conf from the CLI:

access to: https://ip:8000/en-US/debug/refresh
access to: https://ip:8000/en-US/_bump

However, the disable/enable changes are not reflected when I look at the web UI to check. Does anyone know how to make changes to ES correlation rules (savedsearch.conf) in the CLI and update searches without rebooting Splunk?
Hello, When I ran

index=_audit NOT user="splunk-system-user" | stats count by action

I find that accelerate_search and search are fairly high. So I was wondering which is a panel search, which is an ad hoc search, and which is an alert (schedule_search). We need to create a report about performance.
Hi All, I have one dashboard in which I am fetching the results from an inputlookup file. I am getting the results, but the results are getting combined (multiple field values into a single event). I want them separately, the same way we have them in our lookup file; that is how I want to see them in Splunk.

Lookup file data:

Storage_name  type   Quality
Abcd          Fty    100
Efgd          Iju    2000
Ghyu          Thu    3455
Gfhbv         Uyhgt  4556

Any suggestions?
Hello. The Splunk service is restarting with an error as shown below during scheduled report execution at a specific time period.

search fail log:

08-17-2022 06:00:04.164 INFO SearchOperator:inputcsv [12673 phase_1] - sid:scheduler__admin__search__RMD52e8470291689a839_at_1660683600_5272 Successfully read lookup file '/opt/splunk/etc/apps/search/lookups/xxx.csv'.
08-17-2022 06:00:04.166 INFO MultiValueProcessor [12673 phase_1] - Checking max_mem_usage_mb resultsSize=100 maxHeapSize=15728640000 memoryUsage=1824925 earlyExit=0
08-17-2022 06:00:04.169 INFO MultiValueProcessor [12673 phase_1] - Checking max_mem_usage_mb resultsSize=200 maxHeapSize=15728640000 memoryUsage=6273048 earlyExit=0
08-17-2022 06:00:04.170 INFO MultiValueProcessor [12673 phase_1] - Checking max_mem_usage_mb resultsSize=300 maxHeapSize=15728640000 memoryUsage=7531940 earlyExit=0
....
08-17-2022 06:00:06.484 INFO MultiValueProcessor [12673 phase_1] - Checking max_mem_usage_mb resultsSize=25200 maxHeapSize=15728640000 memoryUsage=531030711 earlyExit=0
08-17-2022 06:00:06.485 INFO MultiValueProcessor [12673 phase_1] - Checking max_mem_usage_mb resultsSize=25300 maxHeapSize=15728640000 memoryUsage=531809607 earlyExit=0
08-17-2022 06:00:13.237 FATAL ProcessRunner [9783 ProcessRunner] - Unexpected EOF from process runner child!
08-17-2022 06:00:13.238 FATAL ProcessRunner [9783 ProcessRunner] - Helper process was killed by SIGKILL. Usually this indicates that the kernel's OOM-killer has decided to terminate the daemon process.
08-17-2022 06:00:13.238 FATAL ProcessRunner [9783 ProcessRunner] - Check the kernel log (possibly /var/log/messages) for more info
08-17-2022 06:00:13.238 ERROR ProcessRunner [9783 ProcessRunner] - helper process seems to have died (child killed by signal 9: Killed)!

Splunk config information:

/opt/splunk/etc/system/local/limit.conf
[default]
max_mem_usage_mb = 30000

/opt/splunk/etc/apps/search/local/limit.conf
[default]
max_mem_usage_mb = 10000

Even with the above settings, it seems that the memory is not actually used as much as the settings allow. Splunk spec: 16 core, 64GB.

If anyone knows about this issue, please share.
I'm attempting to get an AWS EKS cluster instrumented with an AppD agent running against a SaaS instance. I have followed the instructions here: https://docs.appdynamics.com/appd/4.5.x/en/infrastructure-visibility/monitoring-kubernetes-with-the-cluster-agent/install-the-cluster-agent/deploy-the-cluster-agent-on-kubernetes as well as other guides. The containers are running, but I get this error in the cluster agent logs:

[ERROR]: 2022-08-17 01:06:57 - agentregistrationmodule.go:131 - Failed to send agent registration request: Status: 404 Not Found, Body: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Error report</title><style type="text/css"><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 404 - Not Found</h1><hr/><p><b>type</b> Status report</p><p><b>message</b>Not Found</p><p><b>description</b>The requested resource is not available.</p><hr/></body></html>

I have available Server Visibility licenses so that isn't the issue. What can I do to get this working?
Attempting to have an indexer join a cluster, but I get met with this lovely warning:

Couldn't complete HTTP request: Connection reset by peer

Anybody know what it means or have a clue as to how to fix it?
My search looks similar to the one below:

index=mock_index source=mock_source.log param1 param2 param3 | rex field=_raw "Latency: (?<latency>[0-9]+)" | timechart span=5m avg(latency)

An example event:

2022-08-16 14:04:34,123 INFO [stuff] Latency: 55 [stuff]

What have I got wrong in my search that it doesn't draw a graph?
I have the following queries:

query 1 : index1 .... | table _time uniqueID
query 2 : index2 .... | table _time uniqueID

And I am trying to find events where the uniqueID is found in both AND the subtraction between the times is greater than N milliseconds.

Ideally, the output should be something like:

uniqueID  System 1 time  System 2 time  Difference in Millis
123       Time 1         Time 2         500
1234      Time 11        Time 22        60

Could you please help?
Hi folks, I'd like to know in which config file I can locate the flags from my universal forwarder. I mean flags like these: SERVICESTARTTYPE=auto and LAUNCHSPLUNK=1

Doc: https://docs.splunk.com/Documentation/Forwarder/9.0.0/Forwarder/InstallaWindowsuniversalforwarderfromaninstaller#:~:text=SET_ADMIN_USER%3D0%20/quiet-,Supported%20commandline%20flags,-Command%2Dline%20flags

Thanks in advance.
Hi, I am doing a search and noticing that I am getting 200% on the fields. I troubleshot and used these lines at the beginning of my search:

KV_MODE = none
AUTO_KV_JSON = false

However, it instead returns no events whatsoever, and I have the time set to All time yet I still get nothing. Please help.
I am learning Splunk the hard way, I think, but here are my questions: if I have been able to have logs forwarded, and if I can generate information from my host (which right now is just the instance that my Splunk is running on), how can the error in the picture exist? Seems to me like if I'm getting any kind of data in, I should be getting all the data in, especially if it's simple like running processes.