My log is like this: Time Event 3/23/22 11:00:00.000 AM Application 'AAA' is running Application 'BBB' is stopped Database 'CCC' is running Database 'DDD' is running 3/23/22 11:10:00.000 AM Application 'AAA' is running Application 'BBB' is running Database 'CCC' is stopped Database 'DDD' is running   I want to extract a table like Time Server Host Status 3/23/22 11:00:00.000 AM Application AAA running 3/23/22 11:00:00.000 AM Application BBB stopped 3/23/22 11:00:00.000 AM Database CCC running 3/23/22 11:00:00.000 AM Database DDD running 3/23/22 11:10:00.000 AM Application AAA running 3/23/22 11:10:00.000 AM Application BBB running 3/23/22 11:10:00.000 AM Database CCC stopped 3/23/22 11:10:00.000 AM Database DDD running   How to do this? If anyone has idea?

Dear Splunk Experts and Community, We are interested in receiving notifications as often as possible when an event is received into Splunk.  We have currently set up a Saved Search that has an action of Webhook to send us alerts every few minutes which is working ok for us. However, as we are new to this system we aren't sure if there is a better way to implement a feed from Splunk to our API. Any additional suggestions? Thanks!    

IHAC who are using SH/IDX on AWS and they want to enable encryption the volume (SSD Disk) which Splunk installed on running mode. but customer wonder if it will impact current system.  the volume include indexed data and installed files.  Do we have any side impact  or condition to enable encryption the disk volume on running mode ?Thank you,

Hello. I would like to know if there any command from the dashboard code or from the address bar (chrome URL bar) to be able to automatically put a dashboard in full screen. I saw a command for a shortcut in chrome but it does not show me the dashboard in full screen, I would like to avoid hitting the button every time I open the dashboard. Thanks.

Cannot be retrieved after field extraction- If field extraction is classified as ` no search is performed after field extraction. However, if you classify | ,  in the same way, extraction and search will work normally. Is there any problem? _raw  field1`field2`field3`field4`field5` ex) (?P<field_name>[^\`]*)`(?P<field_name2>[^\`]*)`(?P<field_name3>[^\`]*)`(?P<field_name4>[^\`]*)`(?P<field_name5>[^\`]*)`  

I'm trying to setup the Splunk IT Essentials Work app in a single instance environment, and when I open up the app it says it is unable to retrieve subscription data. None of the documentation mentions anything related to a subscription. I was under the impression that I just needed to download and install this app, what subscription is it looking for?

Hi, I am trying to create a simple app to onboard data from THOR application. First I deployed the UF in my W10 and I see the client in the forwarder management console. phone home 1 second ago. After I create a new app (barebones) and I create a simple inputs.conf in the local folder. Then, that I moved the folder from apps folder to deployment-apps folder. finally I created a server class containing only my computer and assigned the new app. The final result is that the application is never deployed. the UI shows a deployment error but not other information is shown. Another weird issue is that I dont find the UF service on my workstation, I have the path and I can open a CMD and restart splunk but for some reason there is no visible service in the services console. Could be that both issues are related? Could someone tell me what could be the reason? Thanks a lot.  

We have an on-prem Splunk Enterprise instance using a Deployment server, indexers, search head, etc.  The environment sits on Windows 2019 and Splunk is version 8.2.3. We have recently setup a HTTP Event Collector token for HEC Collection.  It is working correctly from Curl both in Health check and absorbing the manual calls from curl and postman, such as: curl -k http://deploymentserver.local:8088/services/collector/raw -H "Authorization:Splunk 1920123a-f2b1-4c46-b848-6fba456789fe7" -d '{"Sourcetype":"log4j","event":"test"}' These particular calls are ingested and searchable within Splunk.  We have opened a ticket with Splunk, but has been less than helpful as the are just directing us to the token setup which as noted above is working. The issue, it is not ingesting any of our actual application logs.  There are no errors, it has the correct token, it's like it's not getting there or rejected.    We've made changes to the sourcetype so there is no criteria as well as set for json, no difference either way.  So we suspect the formatting of our json is incorrect.  Are there any good samples out there? This is what the json looks like:     <?xml version="1.0" encoding="utf-8"?> <Configuration status="INFO" name="cloudhub" packages="com.appforsplunk.ch.logging.appender, com.splunk.logging ,org.apache.logging.log4j"> <Appenders> <Console name="Console" target="SYSTEM_OUT"> <PatternLayout pattern="%-5p %d [%t] [event: %X{correlationId}] %c: %m%n" /> </Console> <Console name="ConsoleLogUtil" target="SYSTEM_OUT"> <PatternLayout pattern="%m%n" /> </Console> <RollingFile name="file" fileName="${sys:splunkapp.home}${sys:file.separator}logs${sys:file.separator}splunkapp-custom-logging-api.log" filePattern="${sys:splunkapp.home}${sys:file.separator}logs${sys:file.separator}splunkapp-custom-logging-api-%i.log"> <PatternLayout pattern="%-5p %d [%t] [processor: %X{processorPath}; event: %X{correlationId}] %c: %m%n" /> <SizeBasedTriggeringPolicy size="10 MB" /> <DefaultRolloverStrategy max="10"/> </RollingFile> <SplunkHttp name="splunk" url="http://deploymentserver.local:8088/services/collector/raw" token="Splunk 50817720-52e2-4481-a2cf-eb519716354c" disableCertificateValidation="true"> <PatternLayout pattern="%-5p %d [%t] [event: %X{correlationId}] %c: %m%n"/> </SplunkHttp> <Log4J2CloudhubLogAppender name="CLOUDHUB" addressProvider="com.appforsplunk.ch.logging.DefaultAggregatorAddressProvider" applicationContext="com.appforsplunk.ch.logging.DefaultApplicationContext" appendRetryIntervalMs="${sys:logging.appendRetryInterval}" appendMaxAttempts="${sys:logging.appendMaxAttempts}" batchSendIntervalMs="${sys:logging.batchSendInterval}" batchMaxRecords="${sys:logging.batchMaxRecords}" memBufferMaxSize="${sys:logging.memBufferMaxSize}" journalMaxWriteBatchSize="${sys:logging.journalMaxBatchSize}" journalMaxFileSize="${sys:logging.journalMaxFileSize}" clientMaxPacketSize="${sys:logging.clientMaxPacketSize}" clientConnectTimeoutMs="${sys:logging.clientConnectTimeout}" clientSocketTimeoutMs="${sys:logging.clientSocketTimeout}" serverAddressPollIntervalMs="${sys:logging.serverAddressPollInterval}" serverHeartbeatSendIntervalMs="${sys:logging.serverHeartbeatSendIntervalMs}" statisticsPrintIntervalMs="${sys:logging.statisticsPrintIntervalMs}"> <PatternLayout pattern="[%d{MM-dd HH:mm:ss}] %-5p %c{1} [%t]: %m%n" /> </Log4J2CloudhubLogAppender> </Appenders> <Loggers> <AsyncLogger name="org.splunkapp.service.http" level="WARN"/> <AsyncLogger name="org.splunkapp.extension.http" level="WARN"/> <!-- splunkapp logger --> <AsyncLogger name="org.splunkapp.runtime.core.internal.processor.LoggerMessageProcessor" level="INFO"/> <AsyncRoot level="INFO"> <AppenderRef ref="splunk" /> <AppenderRef ref="CLOUDHUB" /> <AppenderRef ref="Console"/> <AppenderRef ref="file" /> </AsyncRoot> </Loggers> </Configuration>         Thanks in advance.

Hello all, It would seem a swift migration to Splunk Add-on for Microsoft Security is highly recommended: "Customers currently utilizing Microsoft 365 Defender Add-on for Splunk are strongly recommended to migrate to this new Splunk supported add-on after reading the migration section of the documentation." I haven't been able to get this app to work with GCC, has anyone else? Anyone know when that support is coming?