new splunk user i installed my splunk on my windows machine and i want to receive logs and how to find a logon event? in the search index there is only default index=internal and audit, so these logs are the same received login event logs?. Is it detected logon event if the user accesses this windows machine? Do I need to install any third party application to get logs? because splunk forwarder is a remote way to send logs so on local machine how can i do that? i want to check user login event in splunk Example: if user access this windows machine then SIEM splunk job is check logon event log details like if people with valid IP only access this windows machine or not

I have 2 searches from two individual log files with Txid in common (could be outerjoin):  The first search I get the Txid from source file A and get the duration of that transaction. The second search (I used Drilldown Editor to create a click event -->   Set TxnId=$click.value$) is to retrieve appname, columns from a SQL statement,  host and by the selected Txnid. I'd like to make these two outputs as one result.  How do I do it?  The exact syntaxes I used are as follows: index="IDX"   (host="PRhosts")  source="WS.webapi.log"   "Controller.Post" "- End" | rex field=_raw "s/^.* {/{/" mode=sed  | spath output=status path=stat  |rex field=_raw "\s+T+\s(?<txid>.*?)\s+Controller\\.Post\s\\-\s(?<duration>.*?)\s\\-\s+End" |sort - duration |table txid duration index="IDX"  (host="PRhosts") source="*WS.Business.Milestones.log" |rex field=_raw "s/^.* {/{/" mode=sed |spath output=nv path=flds{}.nv |spath output=status path=stat |spath output=tid path=tid |spath output=fn path=flds{}.fn | search tid=$Txnid$ | table fn nv host status tid WS.Webapi.log raw date looks like one line below (and you can guess there is a - Begin somewhere above but there is no duration recorded): 08/10/22 19:21:18.33 p06712 [00017] T M2kYTm7ywE6RFEnqc9m_1g Controller.Post - 00:00:00:270 - End WS.Business.Milestones.log  raw data look like the following: 08/10/22 19:26:03.44 p08604 [00106] T {"tid":"H2R2JPpkiECRHW5hEszG3Q","sid":"T1-COOLSECURITY:CSAPPAUTH-{E7690AF7-D1F0-4A84-A612-7E47C9F07679}","stat":"Success","sf":"EmployeeLogic","sm":"GetAsync","dt":"2022-08-10T23:26:03.4462133Z","flds":[{"fn":"username","nv":"HostedRedirGlobalEmployeeWS_PR"},{"fn":"dbQueries","nv":"SQL_QUERIES=SELECT emp.EMP_ID, emp.REPORTS_TO_SCID, emp.DEPT_CODE , emp.EMP_ID\n FROM coolemp.SHIPS_COOL2 emp\n WHERE ((UPPER(emp.SYSTEM_PERSON_TYPE) != UPPER('Pending Worker'))) AND ((UPPER(emp.USER_SID) = UPPER(:emp_userSid)))"}]}   So I'd like to know how to join the above 2 results into one so I can show the duration, with fn and nv values that has the SQL field "emp.Last_Updated_Date".

Is there a way to rename subfields based on a condition? Some of our applications log into fields, say message.message.A, message.message.B, etc, and some apps log the same fields in message.message.log.A, message.message.log.B, etc. Currently in my query, if I have to search for both, I use this: index=* NOT message.message.log.A | rename message.message.* AS * | append [search index=* message.message.log.A=* | rename message.message.log.* AS *] <more commands here> Somehow when I use this it doesnt produce the expected number of events: index=* | rename message.message.* AS * | rename log.* AS * <more commands here> There are about 20 of those similarly named subfields that either in message.message.* OR message.message.log.* What is a better (or best) alternative than append?

For some reason there are entries that are not grouped together, but obviously look like they should be. In the following table, 2 rows with serviceTicketId = 00dcfe68-25d8-4c58-9228-5fc8f7ddb9d1 are on separate rows, other serviceTicketIds such as 00c093f4fc527e5ff7006566b1a0fd90 have one row, but multiple event times. Here is my query: (index=k8s_main "*Published successfully event=[com.nordstrom.customer.event.OrderLineReturnReceived*") OR (index="k8s_main" cluster="nsk-oak-prod" "namespace"=app04096 "*doPost - RequestId*") OR (index=k8s_main container_name=fraud-single-proxy-listener message="Successfully sent payload to kafka topic=order-events-avro*" contextMap.eventType="OrderLineReturnReceived") | rename contextMap.orderId AS nefiOrderId contextMap.serviceTicketId AS nefiServiceTicketId | rex field=eventKey "\[(?<omsOrderId>.*)\]" | rex field=serviceTicketId "\[(?<omsServiceTicketId>.*)\]" | rex "RequestId:(?<omniServiceTicketId>.*? )" | rex "\"orderNumber\":\"(?<omniOrderId>.*?)\"" | eval appId = mvappend(container_name, app) | eval orderId = mvappend(nefiOrderId, omsOrderId, omniOrderId) | eval serviceTicketId = mvappend(nefiServiceTicketId, omsServiceTicketId, omniServiceTicketId) | stats dc(_time) AS eventCount values(_time) AS eventTime values(appId) AS app BY serviceTicketId orderId | eval timeElapsed = now() - eventTime  

Hello, I've encountered a problem while trying to download Splunk Enterprise. I login into my account, and reach this page: https://www.splunk.com/en_us/download/splunk-enterprise.html Press the download button, a little loading circle appears and then a 401 status is received from this URL: https://eula.splunk.com/api/v1/session/callback I also added a screenshot for clarification. What's wrong with my account? I've been using it for the past year without any problems. I've tried multiple browsers and devices. Screenshot:  

I'm having trouble extracting some dates from a date field. Certain assets were provided with a generic date, and I can't seem to extract the date for these events. Sample data: lastscan newdate 2022-08-10T06:51:33.874Z 2022-08-10 2022-08-10T00:06:19.920Z 2022-08-10 1969-12-31T23:59:59.999Z     SPL: | eval newdate=strptime(lastscan,"%Y-%m-%d") | eval newdate=strftime(newdate,"%Y-%m-%d") As you can see, the events with the 1969 date are not extracting as expected and I'm getting no results for the "newdate" field.  Any thoughts on how I can extract the date from the 1969 events?

My customers certificates expired and they followed the procedures for submitting and requesting a third party certificate.  The CA returned a CA certificate that was already combined. So the customer did not have to combine their certificates. When trying to start splunk, it will not start. When comparing all the certificates from previous ones, one thing we noticed was the private key had a heading "--BEGIN RSA PRIVATE KEY -- ", instead of "--BEGIN PRIVATE KEY--" and two new lines after, stating "Proc-Type" and "DEK-Info".  The customer is on Splunk v8.2.7, Windows 64bit.  The keys are DoD CA60 I am wondering if the private key is not in the correct format.  Should the customer re-submit a request to generate a new key from the CA?