Hi team, I am trying to create a query in order to get the average of all max values in a period of 10 mins for any selected time range (7 days) per host. There are multiple hosts, and I am searching for a log text in Splunk. Then, using the log event count, I am trying to figure out how many times the event occurred / the host was called. For my query I want to take the average of all the max values per 10 min period over the selected time range, per host: (AVG(MAX PER 10 MIN) FOR SELECTED TIME RANGE) BY HOST
How do I list those events within a set of events (say, expanding the query below) where two consecutive events' time difference is more than 0.5 secs?

index=index1 * "orderid"

Thank you.
Dear Professional, I have a search string like below:

index="hcg_oapi_prod" relatedPersons | regex "\"relatedPersons\":\[\]"

And this is the result. The results have two types:
Type 1: results have the value {"name":{"firstName":"xxx","middleName":"xxx","lastName":"xxx"}
Type 2: results do not have the value {"name":{"firstName":"xxx","middleName":"xxx","lastName":"xxx"}
How can I filter results for type 2 only (those that do not have the value {"name":{"firstName":"xxx","middleName":"xxx","lastName":"xxx"})? Thank you.
I have two separate queries that I am presenting as unique pie charts on a dashboard, the second being a further breakdown of one of the categories of the first search. Is it possible, as in Excel, to have a pie-of-pie chart where the further breakdown of one category is present within the same chart, or do they have to be two independent charts as I'm doing currently? No code sample to demonstrate, as I have no idea of the feasibility.
Hi, I have customers running Splunk on Windows on Nutanix. I'd like to take advantage of SmartStore, which requires a Linux indexer. Can I add a Linux indexer as a search peer to a Windows search head? Is this a supported configuration? This would probably be a short-term solution while the environment is migrated from Windows to Linux over several months. The Windows indexer would be kept online until the old data aged out, rather than doing a data migration. Cheers
Running the configuration wizard and trying to build the lookups: AD_Obj_Domain and AD_Obj_Admin_Audit work, but the rest say: "Warning: No admon events found - Change Sync Time Period". I followed the suggestions in "Review - Recollecting the admon baseline data" but it hasn't helped. Any ideas?
I am trying to configure a new input in the Splunk Add-on for Microsoft Office 365. I am receiving errors which I have not been able to fix. Assistance would be greatly appreciated.

Input Name: AuditLogs.Signins
Input Type: Graph API

2022-03-22 12:24:38,005 level=ERROR pid=3126388 tid=MainThread logger=splunk_ta_o365.modinputs.graph_api pos=utils.py:wrapper:72 | datainput=b'AuditLogsSignins' start_time=1647966277 | message="Data input was interrupted by an unhandled exception."
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunksdc/utils.py", line 70, in wrapper
    return func(*args, **kwargs)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/graph_api.py", line 235, in run
2022-03-22 12:24:38,004 level=ERROR pid=3126388 tid=MainThread logger=splunk_ta_o365.modinputs.graph_api pos=graph_api.py:run:118 | datainput=b'AuditLogsSignins' start_time=1647966277 | message="Error retrieving Cloud Application Security messages." exception='NoneType' object is not iterable
2022-03-22 12:24:37,999 level=ERROR pid=3126388 tid=MainThread logger=splunk_ta_o365.common.portal pos=portal.py:get:476 | datainput=b'AuditLogsSignins' start_time=1647966277 | message="There was an exception processing the response from Microsoft Graph API" exception=401:{"error":{"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience.","innerError":{"date":"2022-03-22T16:24:37","request-id":"","client-request-id":""}}}
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/common/portal.py", line 467, in get
    raise O365PortalError(response)
splunk_ta_o365.common.portal.O365PortalError: 401:{"error":{"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience.","innerError":{"date":"2022-03-22T16:24:37","request-id":"","client-request-id":""}}}
2022-03-22 12:24:37,814 level=INFO pid=3126388 tid=MainThread logger=splunk_ta_o365.common.portal pos=portal.py:get:462 | datainput=b'AuditLogsSignins' start_time=1647966277 | message="Calling Microsoft Graph API." url=b'https://graph.microsoft.us/v1.0/auditLogs/signIns' params=None
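An added diagnostic example (not code from the post above or from the add-on): the 401 in the log carries code InvalidAuthenticationToken with the message "Invalid audience", i.e. the resource at https://graph.microsoft.us rejected the token because the token's aud claim does not name that resource. The Python below builds a constructed, unsigned token, reads its aud claim without verifying anything, and compares it with the origin of the Graph URL being called. All token values are constructed placeholders; a real Azure AD access token is signed and carries many more claims, and this read-only check is for diagnosis, never for a trust decision.

```python
import base64
import json
from urllib.parse import urlsplit


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_sample_token(aud: str) -> str:
    """Constructed, unsigned token (alg 'none', empty signature) so the example
    runs offline. Only the header.payload.signature layout and the aud claim
    mimic a real access token; every value here is a placeholder."""
    header = {"typ": "JWT", "alg": "none"}
    claims = {"aud": aud, "exp": 1647970000}  # constructed values
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        "",
    ])


def token_audiences(token: str) -> set:
    """Return the aud claim values WITHOUT verifying the signature.
    This is a diagnostic read of the claims; it must never be used to decide
    whether a token is trustworthy."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    claims = json.loads(_b64url_decode(parts[1]))
    aud = claims.get("aud", [])
    return {aud} if isinstance(aud, str) else set(aud)


def audience_matches_endpoint(token: str, url: str) -> bool:
    """True when some aud value names the origin (scheme://host) of the API URL,
    e.g. aud 'https://graph.microsoft.us' for https://graph.microsoft.us/v1.0/...;
    a token whose aud is graph.microsoft.com is reported as a mismatch there."""
    u = urlsplit(url)
    origin = f"{u.scheme}://{u.netloc}".lower()
    return any(a.rstrip("/").lower() == origin for a in token_audiences(token))


if __name__ == "__main__":
    url = "https://graph.microsoft.us/v1.0/auditLogs/signIns"  # URL from the log above
    for aud in ("https://graph.microsoft.com", "https://graph.microsoft.us"):
        tok = build_sample_token(aud)
        print(aud, "->", "ok" if audience_matches_endpoint(tok, url) else "Invalid audience")
```

To inspect a real token, pass it to audience_matches_endpoint() in place of the constructed one. The function never validates the signature or expiry, so use it only on a token you are already entitled to hold, and treat the token as a secret while you do.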
Hello everyone, we have several reports scheduled in an SHC; one of the actions is to send an email with a PDF report. Nevertheless, when the alert action is triggered we get this error: (status=400) pdfgen GET is deprecated. Please use POST instead. I have been searching for some answers, but it looks like this error is not documented anywhere. Any suggestions?
Currently my search query is:

sourcetype="transactions" AND (additionalMessage.requestUrl="*/cashIn/initialize" OR additionalMessage.requestUrl="*/cashIn/update" OR additionalMessage.requestUrl="*/cashIn/updateStatus" OR additionalMessage.requestUrl="*/cashIn/finalize") AND message != "Token time nonce*" message="POST - http://transactions/cashIn/finalize - RESPONSE_SENT" "additionalMessage.response.commissionPercentage"="0.15"
| rename additionalMessage.requestBody.deviceId as device_id
| stats count(message) as count by device_id
| lookup ATMDeviceNames.csv device_id OUTPUT device_name
| append [| inputlookup ATMDeviceNames.csv | table device_id device_name | eval count=0 ]
| stats max(count) as count by device_id device_name
| sort -count
| rename count as "Completed Transactions"

It displays a statistics table like this:

device_id                          device_name     Completed_Transactions
02f012-e0c-40d6-8ff5-2d2cba87b2    testdevice123   11

I would like to create an additional dashboard panel based on this table. I would like to swap Completed_Transactions with a column called Total_Cash. I can see the cash amount per transaction under the name "additionalMessage.response.fiatAmount". I would like to see the total cash amount per device displayed, but I can't seem to make it work. Any help would be greatly appreciated.
Hello, I am working with a team that is sending some custom parameters via metrics data. They are trying to include a dimension that contains a date, but Splunk is not accepting the date.

release:1,component:test,team:TestTeam,repo_branch:master,version:3,eventTimestamp:2022-03-22T14:46:41.048881800

My guess is that Splunk doesn't like the colons in the timestamp, but I'm a bit unsure. The team wants to be able to send time within the metrics for later analysis using eval commands after indexing. Is there a best practice for including a time dimension/value within metrics data (i.e. epoch/UNIX time)?
Hi all, the requirement is to get all usernames, the username created date and the email associated with it, as below:

username    username_created_date    email_associated
testnoob    03/22/2022               testnoob@xxyy.com

How can I achieve this? Can you please help me?
We have locally created users and have just enabled Azure AD SAML auth. Is there a way to map SAML-authenticated accounts (Azure AD) to existing local accounts? Or to enable SSO for existing local accounts?
Hello, I have 2 Python scripts (hfscritps-1.py and hfscritps-2.py) that need to be run inside a Splunk HF every day at 5am ET. The scripts are required to import modules (import os and from datetime import date); how would I configure my Splunk HF (or the Python scripts) to perform these tasks? Any help/recommendation will be highly appreciated. Thank you.
Hi folks, I'm new to Splunk and I was working on creating a dashboard for one of my applications. The dashboard is built, but when I want to populate the data for the last 30 days, it's giving results for only a few days (7 to 8 days) and the other days are populated as 0. When I look into that particular day, I can see events are there. Can someone please help here? My query format is as below:

Main Query [search <subquery> ] | timechart span=1d count as total | sort by "_time" desc

My output is as below:

2022-03-22 647
2022-03-21 988
2022-03-20 279
2022-03-19 100
2022-03-18 879
2022-03-17 1169
2022-03-16 15
2022-03-15 0
2022-03-14 0
2022-03-13 0
2022-03-12 0
2022-03-11 0
2022-03-10 0
2022-03-09 0
2022-03-08 0
2022-03-07 0
2022-03-06 0
2022-03-05 0
2022-03-04 0
2022-03-03 0
2022-03-02 0
2022-03-01 0
2022-02-28 0

Before 15th March, I see data populated as 0, but when the same query is run for 15th March alone I notice events are getting populated. For example, I selected the time range as 14th March 00:00 to 15th March 24:00 for the same query and got the result below. But this value is not getting populated when the last 30 days time period is selected.

2022-03-15 587
2022-03-14 654

Kindly need help on this. Thanks in advance.
What do I need to add to this search to make this search | where Need >= 60min?

| tstats max(_indextime) AS Late where earliest=-24h latest=now (index=bluff) by sourcetype
| eval CurrentTime=now()
| eval Need = CurrentTime - Late, LastIngestionTime=strftime(Late,"%Y/%m/%d %H:%M:%S %Z"), CurrentTime =strftime(CurrentTime,"%Y/%m/%d %H:%M:%S %Z")
| table sourcetype, LastIngestionTime, CurrentTime, Need
| rename LastIngestionTime as "Last", CurrentTime AS "Search time", Need AS "Latency in Minutes"
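As an added example (not part of the post above), the same ingestion-latency check done in Python over constructed tstats-style input: the newest _indextime per sourcetype against the search time, a 60-minute threshold, and the check a practitioner usually wants next, a list of expected sourcetypes, so that a source that is absent from the results altogether is reported instead of going unnoticed. The sourcetype names and epoch values are constructed.

```python
from datetime import datetime, timezone

# Constructed sample input: newest _indextime per sourcetype (epoch seconds), the
# shape "| tstats max(_indextime) AS Late ... by sourcetype" returns.
SAMPLE_NOW = 1647969877                    # 2022/03/22 17:24:37 UTC
SAMPLE_LATEST = {
    "WinEventLog:Security": 1647969577,    # 5 min old
    "syslog": 1647966277,                  # exactly 60 min old
    "aws:cloudtrail": 1647900000,          # about 19.4 h old
}
TIME_FMT = "%Y/%m/%d %H:%M:%S %Z"          # same strftime format as the search


def latency_minutes(latest_by_sourcetype: dict, now_epoch: int) -> dict:
    """Minutes since each sourcetype last had an event indexed. now() minus
    _indextime is in seconds; dividing by 60 gives the minutes that a column
    named 'Latency in Minutes' promises."""
    return {st: (now_epoch - late) / 60.0 for st, late in latest_by_sourcetype.items()}


def stale_sourcetypes(latest_by_sourcetype: dict, now_epoch: int,
                      threshold_minutes: float = 60, expected=()) -> list:
    """Sourcetypes whose newest indexed event is at least threshold_minutes old.
    tstats only returns sourcetypes that have data inside the search window, so a
    source that went silent before the window never appears in the result at all;
    names passed in `expected` but missing from the data are reported as stale too."""
    lat = latency_minutes(latest_by_sourcetype, now_epoch)
    stale = {st for st, minutes in lat.items() if minutes >= threshold_minutes}
    stale |= set(expected) - set(latest_by_sourcetype)
    return sorted(stale)


def report_rows(latest_by_sourcetype: dict, now_epoch: int) -> list:
    """Rows shaped like the search's table: sourcetype, Last, Search time, latency."""
    def fmt(epoch: int) -> str:
        return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(TIME_FMT)
    lat = latency_minutes(latest_by_sourcetype, now_epoch)
    return [(st, fmt(late), fmt(now_epoch), round(lat[st], 1))
            for st, late in sorted(latest_by_sourcetype.items())]


if __name__ == "__main__":
    for row in report_rows(SAMPLE_LATEST, SAMPLE_NOW):
        print(*row, sep="\t")
    print("stale:", stale_sourcetypes(SAMPLE_LATEST, SAMPLE_NOW, expected=("zeek:conn",)))
```

The expected list is the part that matters for monitoring: a threshold on a tstats result can only flag sources that are still producing something inside the window, while a feed that stopped a day ago simply disappears from the table.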
Hello, I am working on an old box that failed to upgrade to 8.2.x. We needed to downgrade back to 8.0.3. I was trying to find the download on https://www.splunk.com/en_us/download/previous-releases.html?locale=en_us for Linux, but I cannot find it anymore. I know we should be upgrading to a higher version by now, but we need to downgrade after a VM image didn't revert properly. Any help? Thanks!
Hello all, I have installed the universal forwarder on databases and now want to create a weekly report which covers database operations, for example table deletion, database modifications, etc. Do I need to install any app? Currently the forwarders are configured only to collect Windows events. Regards
Following the override documentation, I am confused... When creating an override, and the pop-up box appears, do you select the name of the person that takes your on-call, or do you create the override in your name and then get the override assigned to another person, as I am not a Global Admin? Thanks, BME1
Query 1: (index=iks) "Procces started" | timechart count span=1d
Query 2: (index=iks) "Procces finished" | timechart count span=1d

I want to display the result of Query 1 - Query 2 for each day.
Hi, I currently have Windows Event Logs ingesting; they are all being rendered as XML. Logs are being parsed at the indexer, no HF involvement. I have Windows TA 8.4.0 installed and pushed to all indexers, and this I know comes with default SEDCMD commands in the default props.conf file. What I am trying to achieve is to entirely overwrite the 'Message' field of XmlWinEventLog:Security logs with a blank field. This is to reduce license consumption, as the majority of the content within the message field is already denoted previously in the same log and is essentially just duplicating content. Anyway, I have transferred the relevant SEDCMD lines to a local props.conf file; however, the filters did not work, even after pushing. I believe this is because the logs are in an XML format and not the native format, however I am happy to be corrected there if I am wrong. The current config file I am running in local/props.conf is as follows:

[source::WinEventLog:Security]
SEDCMD-windows_security_event_formater = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g
SEDCMD-windows_security_event_formater_null_sid_id = s/(?m)(:)(\s+NULL SID)$/\1/g s/(?m)(ID:)(\s+0x0)$/\1/g
SEDCMD-cleansrcip = s/(Source Network Address: (\:\:1|127\.0\.0\.1))/Source Network Address:/
SEDCMD-cleansrcport = s/(Source Port:\s*0)/Source Port:/
SEDCMD-remove_ffff = s/::ffff://g
SEDCMD-clean_info_text_from_winsecurity_events_certificate_information = s/Certificate information is only[\S\s\r\n]+$//g
SEDCMD-clean_info_text_from_winsecurity_events_token_elevation_type = s/Token Elevation Type indicates[\S\s\r\n]+$//g
SEDCMD-clean_info_text_from_winsecurity_events_this_event = s/This event is generated[\S\s\r\n]+$//g
#For XmlWinEventLog:Security
SEDCMD-cleanxmlsrcport = s/<Data Name='IpPort'>0<\/Data>/<Data Name='IpPort'><\/Data>/
SEDCMD-cleanxmlsrcip = s/<Data Name='IpAddress'>(\:\:1|127\.0\.0\.1)<\/Data>/<Data Name='IpAddress'><\/Data>/
SEDCMD-cleanxmlseclogs = s/<Message>[\S\s\r\n]+<\/Message>/<Message></Message>

I have left some of the default lines in for WinEventLog:Security for no other reason than just to test. I have added the cleanxmlseclogs line at the end. It is here I am trying to detect the whole Message field and then overwrite it with just the headers, so that the content of the field gets dropped. Can anyone assist with where I am going wrong here?
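As an added example (not code from the post above or from the Windows TA), the three XML SEDCMD expressions from the stanza applied in Python to a constructed XmlWinEventLog:Security event, so that what each expression matches can be checked outside Splunk. The event content and host name are constructed; the Message expression is written here with the closing slash that s/// syntax requires; Python's re stands in for Splunk's sed engine for these particular patterns; and the example says nothing about which props.conf stanza Splunk applies to a given source, only what the expressions do to the text once they run.

```python
import re

# Constructed, abridged XmlWinEventLog:Security event. Real events carry many more
# <Data> elements; only the element layout matters for the substitutions.
SAMPLE_EVENT = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='Microsoft-Windows-Security-Auditing'/><EventID>4624</EventID>"
    "<TimeCreated SystemTime='2022-03-22T16:24:37.000000000Z'/><Computer>host01.example.local</Computer></System>"
    "<EventData><Data Name='TargetUserName'>alice</Data><Data Name='LogonType'>3</Data>"
    "<Data Name='IpAddress'>127.0.0.1</Data><Data Name='IpPort'>0</Data></EventData>"
    "<RenderingInfo Culture='en-US'><Message>An account was successfully logged on.\r\n\r\n"
    "Subject:\r\n\tSecurity ID:\t\tNULL SID\r\n\tAccount Name:\t\t-\r\n\r\n"
    "This event is generated when a logon session is created. ...</Message>"
    "<Level>Information</Level></RenderingInfo></Event>"
)

# The three XML expressions from the post; the Message one carries the closing
# delimiter that s/pattern/replacement/ syntax requires.
XML_SEDCMDS = [
    r"s/<Data Name='IpPort'>0<\/Data>/<Data Name='IpPort'><\/Data>/",
    r"s/<Data Name='IpAddress'>(\:\:1|127\.0\.0\.1)<\/Data>/<Data Name='IpAddress'><\/Data>/",
    r"s/<Message>[\S\s\r\n]+<\/Message>/<Message><\/Message>/",
]


def parse_sed(expr: str):
    """Parse 's/pattern/replacement/flags' with '/' as delimiter and '\/' as an
    escaped slash. Returns (compiled pattern, replacement, count) for re.sub;
    count 0 means replace every match (the 'g' flag), 1 means the first only.
    An expression without its closing delimiter is rejected."""
    if not expr.startswith("s/"):
        raise ValueError("only s/// substitutions are supported")
    fields, buf, i = [], [], 2
    while i < len(expr) and len(fields) < 2:
        ch = expr[i]
        if ch == "\\" and i + 1 < len(expr):
            nxt = expr[i + 1]
            buf.append("/" if nxt == "/" else ch + nxt)  # keep other escapes for re
            i += 2
            continue
        if ch == "/":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) != 2:
        raise ValueError(f"unterminated expression: {expr}")
    flags = expr[i:]
    if flags not in ("", "g"):
        raise ValueError(f"unsupported flags {flags!r} in {expr}")
    return re.compile(fields[0]), fields[1], 0 if flags == "g" else 1


def apply_sedcmds(event: str, exprs) -> str:
    """Run the expressions in order over one event, as SEDCMD does per event."""
    for expr in exprs:
        pattern, repl, count = parse_sed(expr)
        event = pattern.sub(repl, event, count=count)
    return event


def strip_message(event: str) -> str:
    return apply_sedcmds(event, XML_SEDCMDS)


def bytes_saved(event: str) -> int:
    """Raw bytes removed from one event, which is what license metering counts."""
    return len(event.encode()) - len(strip_message(event).encode())


if __name__ == "__main__":
    print(strip_message(SAMPLE_EVENT))
    print("bytes saved per event:", bytes_saved(SAMPLE_EVENT))
```

SEDCMD runs once per event and an event carries one Message element, so the greedy [\S\s\r\n]+ is fine here; if an event could ever contain two, a non-greedy +? would stop at the first closing tag instead of swallowing everything between the first opening and the last closing one. The structured <Data> elements survive the substitution, which is the point of dropping the rendered text.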