Hi,  I have installed universal forwarder in a cloud instance(linux),  then I installed splunk enterprise in my local machine(laptop) which is running win 10. I want to forward logs from linux machine to my laptop's splunk's indexer. The problem is , what server IP should I be given in Linux universal forwarder/etc/system/local/outputs.conf [tcpout:example] server=????? I tried giving my IP ***.***.**.*** :9997, but there is no use. In my laptop, the splunk is running at localhost:8000. Please help me with this. Thanks.

Hi all,   I have a table called active_services.csv. One of the fields is called Report_Date Date value is in the following format 20220124. The CSV file is automatically updated weekly but sometimes fails and requires manual intervention. I need help with a query so I can setup an alert to notify me when the report date value is older than X amount of days. Please help. Thank you for your help in advance.

How would I find sAMAccountName(s) - more than one. I have tried boolean operators and(&) or(|) to no avail. Currently only one works.  | ldapsearch domain=xxxx basedn="DC=xxxx,DC=xxxx" search="(&(objectClass=user)(sAMAccountName=specificuser))"

Hi. I've got a search looking for times and dates with "index=main host=web1 "/blarg=foo"| table _time" how can I use the results to to search with "index=main host=app1 blarg" during the times from the first search?

What is the best way to trim a timestamp formatted like 2022-01-06 01:51:23 UTC so that it only reflects the date and hour, like this  2022-01-06 01? I need to be able to search for events by just the date and hour.

Hello, I want to calculate a ratio between two fields (i know it suppose to be an easy one but looks like im missing something) i want to count all the Totals and then check where Total > 200  as latency and count them all  after i have both of them i want to check if the ration between them is > 0.3   sourcetype="*user-program*" | rename AdditionalData.Total as Total | eval Latency=if(Total>200,Total,null()) |eval Ratio = Total/Latency   this one returning no results

Hello, Any changes happened on SAML SSO configuration in the new Splunk v8.2.4 ? We have an IdP configured to use SSO and it is working in the Splunk v8.1.1. We recently upgraded to v8.2.4 we copied the same authentication.conf from v8.1.1.  Seeing the below error in the Splunkd.log   relaystate is empty RelayState may be missing due to IDP-intiated SAML workflow. User=<user>@<DOMAIN1.DOMAIN.COM> domain= does not match default domain. Contact your syste administrator for more information about the default domain=saml for this system   Any idea how to fix this error?    

After the upgrade of Splunk Enterprise to 8.2.4, several triggered alerts with tokens are no longer sending out emails.    Looking at splunkd.log, there is a warning message concerning the alert 02-10-2022 10:02:28.244 -0600 WARN Pathname [15448 AlertNotifierWorker-0] - Pathname 'E:\Splunk\bin\Python3.exe E:\Splunk\etc\apps\search\bin\sendemail.py "results_link= "ssname=Password Reset Reminder" "graceful=True" "trigger_time=1644508948" results_file="E:\Splunk\var\run\splunk\dispatch\scheduler__srunyonadm__search__RMD5c5f30383081059ef_at_1644508800_24883\results.csv.gz" "is_stream_malert=False"' larger than MAX_PATH, callers: call_sites=[0xd4d290, 0xd4f001, 0x15d1632, 0x15ce217, 0x1439f53, 0x13c8176, 0x71f406, 0x71ea9e, 0x71e899, 0x6eaeeb, 0x70c3c5] I am concerned with the "larger thanMAX_PATH" message because Splunk doc states -  "The Windows API has a path limitation of MAX_PATH which Microsoft defines as 260 characters including the drive letter, colon, backslash, 256-characters for the path, and a null terminating character. Windows cannot address a file path that is longer than this, and if Splunk software creates a file with a path length that is longer than MAX_PATH, it cannot retrieve the file later. There is no way to change this configuration." What can be done to get this working again? Regards, Scott Runyon

Hi. So I'm reading about this Add-on and the instructions seem to be pretty straightforward about getting the Add-on installed on my search head and indexer. What I have are Domain Controllers on a network that is not local. I have a universal forwarder (Ubuntu) on site there which is forwarding Palo Alto logs via syslog-ng.  My question is this. What do I need to install on a Domain Controller on the remote network to get it to gather Active Directory and forward to the indexer either directly or via the universal forwarder? 

Is there a list of what metrics are and are not available in Dash Studio. Currently it looks like custom metrics, service endpoints and information points are not available. Documenting this in a central place would be helpful instead of getting half way thru building a dashboard only to find out a metric isn't available.