Hello, Using Splunk Enterprise 8.2.6 and ITSI Version 4.11.5 I am defining entity types and I need to set CPU usage thresholds as follows: >=95 warning >=98 critical The interface only lets me set "greater than" or "less than": I figured that if I set values to 97.9 and 94.9 then I can configure the thresholds correctly.  Only problem is that this is not permitted even though the metrics themselves are displayed with decimals! This is very problematic oversight because I won't be able to set and monitor any thresholds 100% reliably How can I get around this issue? Thanks! Andrew

Hi I want to filter wineventlogs on universal forwarder with blacklist config. But It doesn't work as described in the document. Why is this not working_?       [WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)" blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)" renderXml=false index=wineventlog blacklist7 = EventCode="4624|4625|4634" User="\w+\$"       I just want to filter out usernames endswith $. Happy splunking. 

Hello, What is the procedure for migrating a deployer to a new server? We are running on Linux and are on version 8.1.6 on deployer and search head cluster and we cannot reuse IP-addresses or hostnames. I have read https://docs.splunk.com/Documentation/Splunk/8.1.6/DistSearch/BackuprestoreSHC but it's not crystal clear since we are only migrating the deployer and the search head cluster will remain the same. Thanks!

Hi All, Our Search heads are with Splunk Cloud version 8.2.2203.2 and there is a requirement from our application team to use Stream Processor Service that is part of Splunk offering (Ref: https://docs.splunk.com/Documentation/StreamProcessor/standard/Admin/About) for Wineventlog and IIS logs. Is it something specific we need to purchase as a license? Or will it come with my Splunk Cloud subscription? So when I checked the document it is mentioned as Get access to a tenant and the Stream Processor Service https://docs.splunk.com/Documentation/StreamProcessor/standard/Admin/About#:~:text=Log%20in%20with%20your%20splunk,for%20the%20Stream%20Processor%20Service. So kindly let  me know who will be the Stream Processor Service team? And also it has been mentioned to configure templates and other stuffs so kindly let me know how to proceed further.    

Hi Splunkers, I have an issue with the use of Data Model, eval command and sourcetype as filter. Let me explain better. Customer asked us to modify the field  action on Data Model Email: if the sourcetype is a particular one, let's say xxx, action must be equal to another field called  final_action Otherwise, the normal behaivor is fine. Now, in the Email Data Model the field action is a calculated one with the following eval expression: if(isnull(action) OR action="","unknown",action) So, I thought to simply modify it in a case expression, adding the check on the sourcetype; based on this, I tested the following search: | from datamodel:"Email" | eval action = case(isnull(action) OR action="","unknown", sourcetype="xxx", final_action, 1=1, action) | stats count values(action) as action by sourcetype  But it does not works; I mean, the field action is correctly filled for all other sourcetypes we have, but the action output field, for sourcetype xxx is empty. My first doubt was: does the problem exists because I used different fields in case function, not equal between them? So I used this search: | from datamodel:"Email" | eval action = if(isnull(action) OR action="","unknown", action) | eval action = if(sourcetype="xxx", final_action, action) | stats count values(action) as action by sourcetype But the action output for sourcetype xxx is still empty. I'm sure that the field is correct and populated because if I use a search without datamodel, comparing 2 different sourcetype we have for mails, the search work fine. For example, if I use: index=* sourcetype IN (xxx, yyy) | eval action=if(sourcetype="xxx", final_action, action) | stats count values(action) as action by sourcetype The outoput is the desiderd one: the action field for yyy is the already exiting one, while for xxx is overwritten with final_action values.

Hi, We are looking for some help on GR (Geo Redundant) Splunk setup. Has anyone already have such an architecture implemented in your/customer environment. Did we follow any reference architectures published by SPLUNK.  Appreciate if you can share some ideas. Thanks in Advance.

Hi Team,   We got an requirement to use the "Splunk Secure Gateway" app in our ES- Search Head and our Search head is in Splunk Cloud. Splunk Secure Gateway version is 3.0.9 Splunk Cloud version 8.2.2203.2 We have already provided the Authentication to the Search Head via SAML (Azure) and we have created few groups ess_admin, ess_analyst, ess_user etc and provided authentication to the users and the users are logging into SH via SAML.   So when I navigated to the App" Splunk Secure Gateway" in the Search head it says a message as "SAML needs to be set up for Connected Experiences before devices can be registered" i.e. To configure SAML. Then when i clicked Configure SAML it navigates to the next page and here when I clicked "Connect to a SAML IdP" (Mentioned as Needs Action) so when i clicked the Take Action under Okta or Azure option it has navigated to SAML Groups page. And after which I am not sure what should i need to do and moreover when I tried to create authentication token i am getting an error as below "Token creation failed because: Cannot use tokens for SAML user xxx because neither attribute query requests (AQR) nor scripted auth are supported."   So kindly help me on how to use the app "Splunk Secure Gateway" in our Splunk Cloud Search head.     

I've noticed an issue with the documentation and configuration for DA-ITSI-OS. https://docs.splunk.com/Documentation/ITSI/4.13.1/IModules/OSmoduleconfiguration Firstly, the documentation suggests that If using Splunk_TA_nix, I should enable metrics inputs with the following: [script://./bin/vmstat.sh] interval = 60 sourcetype = vmstat source = vmstat # index = os disabled = 0 [script://./bin/iostat.sh] interval = 60 sourcetype = iostat source = iostat # index = os disabled = 0 [script://./bin/nfsiostat.sh] interval = 60 sourcetype = nfsiostat source = nfsiostat # index = os disabled = 0 [script://./bin/ps.sh] interval = 30 sourcetype = ps source = ps # index = os disabled = 0 [script://./bin/bandwidth.sh] interval = 60 sourcetype = bandwidth source = bandwidth # index = os disabled = 0 [script://./bin/df.sh] interval = 300 sourcetype = df source = df # index = os disabled = 0 [script://./bin/cpu.sh] sourcetype = cpu source = cpu interval = 30 # index = os disabled = 0 [script://./bin/hardware.sh] sourcetype = hardware source = hardware interval = 36000 # index = os disabled = 0 [script://./bin/version.sh] disabled = false # index = os interval = 86400 source = Unix:Version sourcetype = Unix:Version The problem is, that these are inputs for event metrics and everything else is set up for metrics! In the actual Splunk_TA_nix, the inputs for metrics versions of those scripts have a different stanza, such as cpu_metric df_metric interfaces_metric iostat_metric ps_metric vmstat_metric If I simply change the sourcetype, it breaks the input, so by default, all those metrics based scripts output with the metric name using the _metric suffix. Unfortunately, ALL the ITSI OS module searches are looking for the un suffixed metric names, E.G. cpu, ps, vmstat! If I alter the searches to look for the updated suffixed metric names, I don't get the OS Host Information panel appearing on the entity within the deep dive or entity view. So I don't know how, under the configured searches, any of this will work unless heavily modified, or why the documentation points to event log collection scripts  but the module requires metrics indexes given the use of mstats to search. What am I missing here?

I have syslog-ng configuration that started duplicating the events after the Linux box reboot  is there any way to avoid it  ? the are 2 heavy forwarders defined for the same load balancer and only 1 is duplicating the events in the syslog files created    [root@ilissplfwd07 syslog-ng]# cat syslog-ng.conf @version:3.5 @include "scl.conf" # syslog-ng configuration file. # # This should behave pretty much like the original syslog on RedHat. But # it could be configured a lot smarter. # # See syslog-ng(8) and syslog-ng.conf(5) for more information. # # Note: it also sources additional configuration files (*.conf) # located in /etc/syslog-ng/conf.d/ options { flush_lines (0); time_reopen (10); log_fifo_size (1000); chain_hostnames (off); use_dns (no); use_fqdn (no); owner("splunk"); group("splunk"); dir-owner("splunk"); dir-group("splunk"); create_dirs (yes); keep_hostname (yes); };     ## add Default 514 udp/tcp & Filtered based don't modify below line ############################################# # Syslog 514 #source s_syslog { udp(port(514)); tcp(port(514) keep-alive(yes)); }; source s_syslog518 { udp(port(518)); }; source s_syslog1513 { tcp(port(1513) keep-alive(yes)); }; source s_syslog1514 { tcp(port(1514) keep-alive(yes)); }; source s_syslog1515 { tcp(port(1515) keep-alive(yes)); }; source s_syslog1516 { tcp(port(1516) keep-alive(yes)); }; destination d_1513 { file("/splunksyslog/port1513/$HOST/syslog_$FACILITY_$YEAR-$MONTH-$DAY-$HOUR-$(/ $MIN 1).log");}; log { source(s_syslog1513); destination(d_1513); };   destination d_1514 { file("/splunksyslog/port1514/$HOST/syslog_$FACILITY_$YEAR-$MONTH-$DAY-$HOUR-$(/ $MIN 1).log");}; log { source(s_syslog1514); destination(d_1514); };   destination d_1515 { file("/splunksyslog/port1515/$HOST/syslog_$FACILITY_$YEAR-$MONTH-$DAY-$HOUR-$(/ $MIN 1).log");}; log { source(s_syslog1515); destination(d_1515); };   destination d_1516 { file("/splunksyslog/port1516/$HOST/syslog_$FACILITY_$YEAR-$MONTH-$DAY-$HOUR-$(/ $MIN 1).log");}; log { source(s_syslog1516); destination(d_1516); };   # destination d_catch { file("/splunksyslog/catch/$HOST/$YEAR-$MONTH-$DAY-$HOUR-catch.log");}; # log { source(s_syslog); destination(d_catch); };   destination d_518 { file("/splunksyslog/port518/$HOST/syslog_$FACILITY_$YEAR-$MONTH-$DAY-$HOUR-$(/ $MIN 1).log");}; log { source(s_syslog518); destination(d_518); }; @include "/etc/syslog-ng/conf.d/*.conf"  

Hi Team,                     I need some information on Victoria experience (if possible advantages and disadvantages) to send a clear report to my client providing the all the details why we need to upgrade to Victoria experience from classic experience. I have already gone through the Splunk docs on this. https://docs.splunk.com/Documentation/SplunkCloud/latest/Admin/Experience                           But not getting enough solid points where I can add in the report and showcase to client. If anyone has any hands-on experience about the Victoria and classic. Please provide me with your inputs. It will help me alot. Thanks in advance.

Hi, We've setup our Splunk instances to use SAML for signon, but are having difficulty setting a time an automatic inactivity logout. I've configured it to be 5m in both web.conf and server.conf but still don't get an automatic logout. It does seem to logout automatically every 24hours (not consistently), but when this happens Splunk redirects to the IDP which then redirects back to Splunk with a new SAML token. This happens without the IDP even asking for login details from the user.   Any help would be appreciated 

Hi Team, I am ingesting job logs to SPlunk and below is one of the job log (job ran on 27th June) which was ingested with wrong _time value to SPlunk. Job log: (14.2) 06-27-22 10:31:03 (35312:24804) PRINTFN: 2022.06.25 (14.2) 06-27-22 10:31:10 (35312:24804) JOB: Job <ALERTS_MORNING> is completed successfully. As the job ran on 27th June, the _time value in Splunk is showing as 25th June (hope it is derived from printfn in the logs). The date_mday field under _time is showing as 25 instead of 27. Can someone help in how _time is derived (it is the ingested timestamp, but in this case it was calculated wrongly) and how to dervie correct ingested timestamp. Regards, Karthikeyan.SV