Hello, After setting up a brand new standalone server (v 8.2.6) and migrating our data from another server, it seems as we don't see any events in both _internal and _audit indexes... I've checked file permissions, and a whole lot of config files and could not manage to get this fixed. Can someone please provide some pointers on what might be the issue? EDIT: Forgot to mention that the old server was running the same version and that both of those indexes were working just fine. Thanks!

Hi, I have a CS, which runs every 6mins looking back -65m and -5m.. It triggered a notable alert, where for the same dest value, it triggered ten notables in the same time 11.46pm........................... How much throttle time should I set to avoid this? Thankyou!

Hi all, I have a some dashboards which are placed as different tabs using user interface. All the dashboards have same front page which is selection from the dropdowns.  Is it possible to pass values selected in the dropdown of first dashboard to the other dsahboards in the other tabs? This is how the dashboards look. Instead of selecting those values again in the second dashboard. Is it possible to pass the already selected values?

Hi All,   I have a splunk query which i cannot get to work for the life of me:  This is the search |inputlookup feeds.csv | fields "Threat Feed" |table "Threat Feed" |eval observed=1 |append [search index=main sourcetype="feeds" source="/opt/splunkforwarder/bin/scripts/stats.sh" type=feed |rename dn as "Threat Feed" customerID as companyId |table "Threat Feed" companyId | join companyId [| dbxquery query="mysql query" ] |eval observed = 0] |stats min(observed) as observed values(customerId) as cs by "Threat Feed" | where observed =1 Current Result: Threat Feed (column name) Feed55 <<< Correct feed that should not exist in any of the customers The csv file only has a column named Threat Feed, there are five rows only. The search results are around 25 different feeds per customer (50 customers) I am interested in showing which feeds from the CSV do not exist in the search results i.e from the 25 feeds, i need this by customer so that i can create an alert. At the moment i am getting an output of the 1 feed name that doesnt exist, but i cant link this to the customer as the csv file does not have a customerID field as its a generic file.

Hello Experts, I have a dashboard with a dropdown with the following selection 2022-Mar 2022-Apr 2022-May Based on the selection I choose a source and run various searches and display the dashboard. For example, If user input is 2022-Apr, I use the token to use C:\\test\\data_2022-Apr.csv and run searches and it works fine. However I also have a requirement where I need to Plot a value from all three sources in a single panel. For example, Say I have a data point arrived with various calculations called "total utilization" from each sources in the above list. I need to plot this value for the last 3 months (current + last two months data ) in a single panel. So if the user selects 2022-May, I need to run searches on each of the above file, get the total utilization and display in a single column chart. I have used eval command to work out the past months file names and worked out the search command to get the value as well. However, since I am using different sources, I am only able to get them in different search commands, i.e in a different dashboard panel. So the question is, Is it possible to combine multiple search commands on different sources into one single search and generate a single column graph ? I have looked at subsearch related posts earlier, however they seem to be on different sourcetypes rather than source itself. Would appreciate any inputs. Thanks in advance.

Hi Team, Recently we got an email from Splunk Support stating with the Subject as "Splunk Enterprise Advisories - May 2022" so when checked the email I can able to see around 8 Advisories mentioned for Splunk Enterprise and they have also mentioned that Splunk Cloud wont be impacted and our environment we have 4 Splunk HF servers and 1 Deployment master server which are running with Splunk enterprise instance.   Reference Link: https://www.splunk.com/en_us/product-security.html?lst=Email1&utm_medium=email&utm_source=splunk&utm_campaign=FY23Q2_CSM_GLBL_OTH_PTF_EN_Security_CVE And our servers  are running with Splunk Enterprise with versions Splunk 8.1.2 (build 545206cc9f70) & Splunk 8.1.3 (build 63079c59e632) respectively. So is it mandate to upgrade our HF and DM servers to the latest version i.e. from 8.1.2 or 8.1.3 to 8.2.6? Or do we have any workaround to address the gaps?  Also currently we are running with 8.1.2 or 8.1.3 so can i directly upgrade them to 8.2.6 version will there be any changes? Best recommendations? So if we upgrade them to latest version will it fix all security vulnerability issue?  Also whether it should be upgraded immediately (Our HF and DM servers) or can we perform the upgrade might be in a month or so?   Kindly help on the same.  

I am ingesting some JSON events, and one of the fields is just a massive spammy "//0//0//0//0" repeated 15000+ times. I know my regexes are working fine, and I accomplished this by changing my lookahead in transforms:     [extractMessage] REGEX = "original":([\s\S]*?})}," LOOKAHEAD=100000 DEST_KEY= _raw FORMAT = $1 WRITE_META = true     BUT sedcmd doesnt listen to lookahead as defined in transforms, because it has to be called from props, and props has no lookahead! So looking at my props.conf:     [host::xx] SEDCMD-tst = s/(?:a){20,}/yoink/g     I made a bigass file of the letter "a", and counted how many chars were on each event. Then the sedcmd went in and replaced the "a"s with "yoink". Behold.... SEDCMD stops working at 4105 chars. I NEED MORE. How to expand SEDs reach?  

Hi When trying to pull AdminAudit logs from Exchange to Splunk we are only receiving the following log (Which is divided to 2 logs): First log: WARNING: An unexpected error has occurred and a Watson dump is being generated: Object reference not set to an instance Second log: of an object.     Please your support.

Hello, everyone! I configured source from my database via splunk db connect app. Events contain field "time" and I want that Splunk _time field be equal to this, because now I have two times real time (field "time" from event) and time when Splunk took event from database (field "_time").

Hi All, i want to finding out all sourcetype which is configured for all report in our splunk. suppose we have configured now 100 reports then i want to see with the help of query which  source type is configured for all this 100 reports this is my question.    Regadrs, Sanket Kaware  

Hi Team, We are using Splunk Enterprise SIEM tool. we want to check all the source type which is configured for all alert/dashboard/report . As we have searched and tried with below query but it is not showing expected result which we want.   index="*" | stats count by source type   We want to check all source type which is configured under the all reports or all dashboards or all alerts. if you can give me 3 different query for this then it is also fine we are not required all this in one query. Could you please suggest and help us for this .   Regards, Sanket Kaware           

Hi, I have following data which I use search to find from last 30 days and save it into lookup:  Customers Old Acquired Product New Acquired Product Jack Product 1 Product 2 Alan  Product 4 Product 5 Chris Product 3 Product 2 Ceb Product 5 Product 3   Now, I know every day or every few days each customers products are changing as they are acquiring new products. Here is what I want to do: Create saved search  Modifying existing lookup to ensure each customer key value update accordingly: For e.g. next day customer Jack and chris acquired new product. So saved search schedule will pick up the change and update the lookup as follow: Customers Old Acquired Product New Acquired Product Jack Product 2 Product 4 Alan  Product 4 Product 5 Chris Product 3 Product 2 Ceb Product 3 Product 2 i know i have to use outputlookup and lookup command but i have fear it is going to overwrite it. 

Hi,  I am currently running Splunk 8.1.9 Is it possible to create a role, that will allow a user to access only specific fields in an index? Example: field1, field2, field3, field4, field5 User have access to the index, but can only view data in field1, field4 and field5.   Much thanks.