Hi All, We have a universal forwarder running on Windows Server which is sending data to our Splunk Instance in Cloud. Below are some details of .conf files and logs: inputs.conf [default] host = DB_DATA [monitor://D:\ABC\DB_Monitoring\Cust] disabled=0 index=rjsql sourcetype = csv crcSalt = <SOURCE> time_before_close = 60 props.conf [default] NO_BINARY_CHECK=true CHARSET=AUTO [source::D:\ABC\DB_Monitoring\Cust\*.csv] CHECK_METHOD = modtime There are some files which are either 1) no being indexed at all 2) only headers are indexed - this doesn't happen with all the files, only some of them. Logs from _internal (for file which has got only header indexed) Tailing processer file status btool output: Can you please suggest what else I could check here and resolve this intermittent issue? Thank you.

Hello. I am trying to use a drop down selector (as opposed to the time selector) in my dashboard to create a token with an @d value in %e-%b-%Y %T.%L. In other words, I want to provide users an option for "Today, Yesterday, This Week" and have that populate tokens with earliest (@d) & latest (@d+86399) value of that day. Ex: Input: User selects TODAY Token.start:  16-jun-2022 00:00:00.000 Token.end: 16-jun-2022 23:59:59.999 This should be straight forward, but for some reason, I am racking my brain trying to get this.

Hi, I'm trying to remove blanks in a field when adding a csv file.  In heavy-forwarder I have tried to use a regex in props.conf and transforms.conf but the data continues to be entered with the blank spaces in the fields. props.conf:     [blacklist] CHARSET=UTF-8 DATETIME_CONFIG=CURRENT INDEXED_EXTRACTIONS = csv KV_MODE = auto KV_TRIM_SPACES = true SEDCMD-blacklist = s/(^|\s)($|\s)//g TRANSFORMS-blacklist = blacklist_name NO_BINARY_CHECK = true SHOULD_LINEMERGE = false category = Custom description = sourcetype para incorporar los datos de listas negras al índice disabled = false pulldown_type = true FIELD_DELIMITER = ;     Transforms.conf:     [blacklist_name] SOURCE_KEY = field:mltf_blacklist_name REGEX = ^\s*(\w+)(.*)\s FORMAT = $1 WRITE_META = true     I've been going through the documentation and I'm a bit lost with the splunk configurations. Any help will be appreciated. Thanks.

Current one that is working is: [fschange:F:\bau\box\quest] Need to specify it to: [fschange:F:\bau\box\quest\...\arch] Where quest has 5 folders, inside of each has a folder \arch But seems not working using \ ... \ or \*\ It is a forwarder and already restarted it as well.

Hello I'm running this query:   | union [ search host="puppet-01" OR host="jenkins-01" OR host="ANSIBLE-01" sourcetype=ProductionDeploy NOT Permisson_Job_Name=*_permission Environment=PRODUCTION | table _time, App_Name, User, Change_Log_Description, Environment, Version] [ search sourcetype=mscs:storage:blob:json | rex field=_raw "Details\":\"(?<Details>.*?)\"," | rex field=_raw "ProjectName\":\"(?<ProjectName>.*?)\"," | rex field=_raw "ScopeDisplayName\":\"(?<ScopeDisplayName>.*?)\"," | rex field=_raw "releaseName\":\"(?<releaseName>.*?)\"}" | rex field=_raw "ActionId\":\"(?<ActionId>Release.ReleaseCreated)\"," | rex field=_raw "ActorUPN\":\"(?<ActorUPN>.*?)\"," | rex field=_raw "DeploymentResult\":\"(?<DeploymentResult>.*?)\"," | rex field=_raw "PipelineName\":\"(?<PipelineName>.*?)\"," | where releaseName != null AND PipelineName like "%Production" | rename ProjectName AS App_Name | rename ActorUPN AS User | rename releaseName AS Change_Log_Description | rename PipelineName AS Environment | rename DeploymentResult AS status | table _time, App_Name, User, Change_Log_Description, Environment, Version,status] | sort -_time asc   and im trying to get the status at the first search i don't have this value but i do have it at the second one i don't see status column at my results. can someone explain me why ? thanks

Hi Team, I am looking for how to pull license usage report for User Seat, Per Uptime and Per API Runs license metric either from CLI command or from Dashboard. Products for which I need to check license usage reports: Splunk Threat Research Splunk Mission Control Splunk SOAR (Cloud)  Splunk On-Call Splunk User Behavior Analytics Splunk Real User Monitoring Splunk Synthetic Monitoring I am unable to find any documentation or commands to fetch reports for the products license usage. Can anyone please help me with this. Thanks, Avinash Kumar

Hello,  I have that limit of license indexation per day. So i wanted to limit data to be indexed from a specific Equipment. I received a great amount of logs from a source equipement using syslog (i can't change which types of logs to be sent to splunk). So, to limit the amount of data being indexed. i filtered data in the indexation phase using splunk. I added a regex in splunk so that splunk only indexes the wanted types of logs and ignore other received sylog logs from that specific equipment. I did this using TRANSFORMS-set in props.conf and using the regex expression in transforms.conf file.  As a result, i had the following errors in splunk health that i couldn't fix:  Ingestion Latency Events from tracker.log have not been seen for the last 2940 seconds, which is more than the red threshold (210 seconds). This typically occurs when indexing or forwarding are falling behind or are blocked.  TailReader-0       The monitor input cannot produce data because splunkd's processing queues are full. This will be caused by inadequate indexing or forwarding rate, or a sudden burst of incoming data. Whenever i remove the regex expression the problem is solved => meaning that the regex is the only source of this problem/error.   Thank you in advance for help.

Hi Team, i have observed a strange behavior. Actually we had 'Splunk add-on for AWS' installed in IDM cloud node and indexers. Recently we asked Splunk cloud team to get the add-on installed on Search Heads as well. Post installation on SHs, we didn't get any alert/notable triggered for AWS which was there. We simply disable that add-on on SH and it started working. What could be the possible issue?   Thanks  

I have the event that looks like below    2022-06-15 19:59:57.489 threadId=L4GFP2275S1K class="ActiveSession" mname="NA" callId="NA" eventType="InMsg" data="<InfoNox_Interface xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><TestRQ><Merchant_ID>testmid</Merchant_ID></TestRQ>" and I would like to remove below xml element with attribute from data fields , How can I do that ? <InfoNox_Interface xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> Results I want is  2022-06-15 19:59:57.489 threadId=L4GFP2275S1K class="ActiveSession" mname="NA" callId="NA" eventType="InMsg" data="<TestRQ><Merchant_ID>testmid</Merchant_ID></TestRQ>"

Current one that is working is: [fschange:F:\bau\box\quest] Need to specify it to: [fschange:F:\bau\box\quest\...\arch] Where quest has 5 folders, inside of each has a folder \arch But seems not working using \ ... \ or \*\ It is a forwarder and already restarted it as well.

I am trying to pull up the Risk Event Timeline for a Risk Notable in my Incident Review Dashboard.   Every time I click the link, it gives me an error saying "Risk event has missing or invalid fields".   I know that Risk Event Timeline only works for the risk_object field on Risk Notables. We have noticed a couple of issues that were related to Search-Driven lookups being disabled.  Might there be a lookup table that is referenced here that might be in the same boat? Is there somewhere that defines what fields are required in the Risk Notable? Any way to troubleshoot what is missing or incorrect?

How can I write the following to get past the join limitation?     index=aws eventName=TerminateInstances | Rename "requestParameters.instancesSet.items{}.instanceId" AS vm_id | join vm_id type=left max=0 [ search index=aws source="us-west-1:ec2_instances" sourcetype="aws:description" ] | dedup vm_id | table _time, action, vm_id, tags.Name, userName